class PermissionsController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    # To properly map this controller, ensure your config/routing.py

    # file has a resource setup:

    #     map.resource('permission', 'permissions')

    @LoginRequired()

    @HasPermissionAnyDecorator('hg.admin')

    def _before(self, *args, **kwargs):

        super(PermissionsController, self)._before(*args, **kwargs)

    def __load_data(self):

        c.repo_perms_choices = [('repository.none', _('None'),),

                                   ('repository.read', _('Read'),),

                                   ('repository.write', _('Write'),),

                                   ('repository.admin', _('Admin'),)]

        c.group_perms_choices = [('group.none', _('None'),),

                                 ('group.read', _('Read'),),

                                 ('group.write', _('Write'),),

                                 ('group.admin', _('Admin'),)]

        c.user_group_perms_choices = [('usergroup.none', _('None'),),

                                      ('usergroup.read', _('Read'),),

                                      ('usergroup.write', _('Write'),),

                                      ('usergroup.admin', _('Admin'),)]

        c.register_choices = [

            ('hg.register.none',

                _('Disabled')),

            ('hg.register.manual_activate',

                _('Allowed with manual account activation')),

            ('hg.register.auto_activate',

                _('Allowed with automatic account activation')), ]

        c.extern_activate_choices = [

            ('hg.extern_activate.manual', _('Manual activation of external account')),

            ('hg.extern_activate.auto', _('Automatic activation of external account')),

        ]

        c.repo_create_choices = [('hg.create.none', _('Disabled')),

                                 ('hg.create.repository', _('Enabled'))]

        c.repo_create_on_write_choices = [

            ('hg.create.write_on_repogroup.true', _('Enabled')),

            ('hg.create.write_on_repogroup.false', _('Disabled')),

        ]

        c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')),

                                       ('hg.usergroup.create.true', _('Enabled'))]

        c.fork_choices = [('hg.fork.none', _('Disabled')),

                          ('hg.fork.repository', _('Enabled'))]

    def permission_globals(self):

        c.active = 'globals'

        self.__load_data()

        if request.POST:

            _form = DefaultPermissionsForm(

                [x[0] for x in c.repo_perms_choices],

                [x[0] for x in c.group_perms_choices],

                [x[0] for x in c.user_group_perms_choices],

                [x[0] for x in c.repo_create_choices],

                [x[0] for x in c.repo_create_on_write_choices],

                [x[0] for x in c.repo_group_create_choices],

                [x[0] for x in c.user_group_create_choices],

                [x[0] for x in c.fork_choices],

                [x[0] for x in c.register_choices],

                [x[0] for x in c.extern_activate_choices])()

            try:

                form_result = _form.to_python(dict(request.POST))

                form_result.update({'perm_user_name': 'default'})

                PermissionModel().update(form_result)

                Session().commit()

                h.flash(_('Global permissions updated successfully'),

                        category='success')

            except formencode.Invalid as errors:

                defaults = errors.value

                return htmlfill.render(

                    render('admin/permissions/permissions.html'),

                    defaults=defaults,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8",

                    force_defaults=False)

            except Exception:

                log.error(traceback.format_exc())

                h.flash(_('Error occurred during update of permissions'),

                        category='error')

            raise HTTPFound(location=url('admin_permissions'))

        c.user = User.get_default_user()

        defaults = {'anonymous': c.user.active}

        for p in c.user.user_perms:

            if p.permission.permission_name.startswith('repository.'):

                defaults['default_repo_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('group.'):

                defaults['default_group_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('usergroup.'):

                defaults['default_user_group_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.create.write_on_repogroup.'):

                defaults['create_on_write'] = p.permission.permission_name

            elif p.permission.permission_name.startswith('hg.create.'):

                defaults['default_repo_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.usergroup.'):

                defaults['default_user_group_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.register.'):

                defaults['default_register'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.extern_activate.'):

                defaults['default_extern_activate'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.fork.'):

                defaults['default_fork'] = p.permission.permission_name

        return htmlfill.render(

            render('admin/permissions/permissions.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False)

    def permission_ips(self):

        c.active = 'ips'

        c.user = User.get_default_user()

        c.user_ip_map = UserIpMap.query() \

                        .filter(UserIpMap.user == c.user).all()

        return render('admin/permissions/permissions.html')

    def permission_perms(self):

        c.active = 'perms'

        c.user = User.get_default_user()

        c.perm_user = AuthUser(dbuser=c.user)

        return render('admin/permissions/permissions.html')

        :param group_name:

        """

        path_prefix = (self.parent_group.full_path_splitted if

                       self.parent_group else [])

        return URL_SEP.join(path_prefix + [group_name])

    def get_api_data(self):

        """

        Common function for generating api data

        """

        group = self

        data = dict(

            group_id=group.group_id,

            group_name=group.group_name,

            group_description=group.group_description,

            parent_group=group.parent_group.group_name if group.parent_group else None,

            repositories=[x.repo_name for x in group.repositories],

            owner=group.owner.username

        )

        return data

class Permission(Base, BaseDbModel):

    __tablename__ = 'permissions'

    __table_args__ = (

        Index('p_perm_name_idx', 'permission_name'),

        _table_args_default_dict,

    )

    PERMS = (

        ('hg.admin', _('Kallithea Administrator')),

        ('repository.none', _('Default user has no access to new repositories')),

        ('repository.read', _('Default user has read access to new repositories')),

        ('repository.write', _('Default user has write access to new repositories')),

        ('repository.admin', _('Default user has admin access to new repositories')),

        ('group.none', _('Default user has no access to new repository groups')),

        ('group.read', _('Default user has read access to new repository groups')),

        ('group.write', _('Default user has write access to new repository groups')),

        ('group.admin', _('Default user has admin access to new repository groups')),

        ('usergroup.none', _('Default user has no access to new user groups')),

        ('usergroup.read', _('Default user has read access to new user groups')),

        ('usergroup.write', _('Default user has write access to new user groups')),

        ('usergroup.admin', _('Default user has admin access to new user groups')),

        ('hg.usergroup.create.false', _('Only admins can create user groups')),

        ('hg.usergroup.create.true', _('Non-admins can create user groups')),

        ('hg.create.none', _('Only admins can create top level repositories')),

        ('hg.create.repository', _('Non-admins can create top level repositories')),

        ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),

        ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),

        ('hg.fork.none', _('Only admins can fork repositories')),

        ('hg.fork.repository', _('Non-admins can fork repositories')),

        ('hg.register.none', _('Registration disabled')),

        ('hg.register.manual_activate', _('User registration with manual account activation')),

        ('hg.register.auto_activate', _('User registration with automatic account activation')),

        ('hg.extern_activate.manual', _('Manual activation of external account')),

        ('hg.extern_activate.auto', _('Automatic activation of external account')),

    )

    # definition of system default permissions for DEFAULT user

    DEFAULT_USER_PERMISSIONS = (

        'repository.read',

        'group.read',

        'usergroup.read',

        'hg.create.repository',

        'hg.create.write_on_repogroup.true',

        'hg.fork.repository',

        'hg.register.manual_activate',

        'hg.extern_activate.auto',

    )

    # defines which permissions are more important higher the more important

    # Weight defines which permissions are more important.

    # The higher number the more important.

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'repository.admin': 4,

        'group.none': 0,

        'group.read': 1,

        'group.write': 3,

        'group.admin': 4,

        'usergroup.none': 0,

        'usergroup.read': 1,

        'usergroup.write': 3,

        'usergroup.admin': 4,

        'hg.usergroup.create.false': 0,

        'hg.usergroup.create.true': 1,

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

        'hg.create.repository': 1,

        'hg.create.write_on_repogroup.false': 0,

        'hg.create.write_on_repogroup.true': 1,

        'hg.register.none': 0,

        'hg.register.manual_activate': 1,

        'hg.register.auto_activate': 2,

        'hg.extern_activate.manual': 0,

        'hg.extern_activate.auto': 1,

    }

    permission_id = Column(Integer(), primary_key=True)

    permission_name = Column(String(255), nullable=False)

    def __repr__(self):

        return "<%s %s: %r>" % (

            self.__class__.__name__, self.permission_id, self.permission_name

        )

    @classmethod

    def guess_instance(cls, value):

        return super(Permission, cls).guess_instance(value, Permission.get_by_key)

    @classmethod

    def get_by_key(cls, key):

        return cls.query().filter(cls.permission_name == key).scalar()

    @classmethod

    def get_default_perms(cls, default_user_id):

        q = Session().query(UserRepoToPerm) \

         .options(joinedload(UserRepoToPerm.repository)) \

         .options(joinedload(UserRepoToPerm.permission)) \

         .filter(UserRepoToPerm.user_id == default_user_id)

        return q.all()

    @classmethod

    def get_default_group_perms(cls, default_user_id):

        q = Session().query(UserRepoGroupToPerm) \

        dashboard_items = v.Int(min=5, not_empty=True)

        admin_grid_items = v.Int(min=5, not_empty=True)

        show_version = v.StringBoolean(if_missing=False)

        use_gravatar = v.StringBoolean(if_missing=False)

        gravatar_url = v.UnicodeString(min=3)

        clone_uri_tmpl = v.UnicodeString(min=3)

        clone_ssh_tmpl = v.UnicodeString()

    return _ApplicationVisualisationForm

def ApplicationUiSettingsForm():

    class _ApplicationUiSettingsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = False

        paths_root_path = All(

            v.ValidPath(),

            v.UnicodeString(strip=True, min=1, not_empty=True)

        )

        hooks_changegroup_update = v.StringBoolean(if_missing=False)

        hooks_changegroup_repo_size = v.StringBoolean(if_missing=False)

        extensions_largefiles = v.StringBoolean(if_missing=False)

        extensions_hgsubversion = v.StringBoolean(if_missing=False)

        extensions_hggit = v.StringBoolean(if_missing=False)

    return _ApplicationUiSettingsForm

def DefaultPermissionsForm(repo_perms_choices, group_perms_choices,

                           user_group_perms_choices, create_choices,

                           create_on_write_choices, repo_group_create_choices,

                           user_group_create_choices, fork_choices,

                           register_choices, extern_activate_choices):

    class _DefaultPermissionsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        overwrite_default_repo = v.StringBoolean(if_missing=False)

        overwrite_default_group = v.StringBoolean(if_missing=False)

        overwrite_default_user_group = v.StringBoolean(if_missing=False)

        anonymous = v.StringBoolean(if_missing=False)

        default_repo_perm = v.OneOf(repo_perms_choices)

        default_group_perm = v.OneOf(group_perms_choices)

        default_user_group_perm = v.OneOf(user_group_perms_choices)

        default_repo_create = v.OneOf(create_choices)

        create_on_write = v.OneOf(create_on_write_choices)

        default_user_group_create = v.OneOf(user_group_create_choices)

        default_fork = v.OneOf(fork_choices)

        default_register = v.OneOf(register_choices)

        default_extern_activate = v.OneOf(extern_activate_choices)

    return _DefaultPermissionsForm

def CustomDefaultPermissionsForm():

    class _CustomDefaultPermissionsForm(formencode.Schema):

        filter_extra_fields = True

        allow_extra_fields = True

        create_repo_perm = v.StringBoolean(if_missing=False)

        create_user_group_perm = v.StringBoolean(if_missing=False)

        #create_repo_group_perm Impl. later

        fork_repo_perm = v.StringBoolean(if_missing=False)

    return _CustomDefaultPermissionsForm

def DefaultsForm(edit=False, old_data=None, supported_backends=BACKENDS):

    class _DefaultsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        default_repo_type = v.OneOf(supported_backends)

        default_repo_private = v.StringBoolean(if_missing=False)

        default_repo_enable_statistics = v.StringBoolean(if_missing=False)

        default_repo_enable_downloads = v.StringBoolean(if_missing=False)

    return _DefaultsForm

def AuthSettingsForm(current_active_modules):

    class _AuthSettingsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        auth_plugins = All(v.ValidAuthPlugins(),

                           v.UniqueListFromString()(not_empty=True))

        def __init__(self, *args, **kwargs):

            # The auth plugins tell us what form validators they use

            if current_active_modules:

                import kallithea.lib.auth_modules

                from kallithea.lib.auth_modules import LazyFormencode

                for module in current_active_modules:

                    plugin = kallithea.lib.auth_modules.loadplugin(module)

                    plugin_name = plugin.name

        perms = UserToPerm.query().filter(UserToPerm.user == user).all()

        defined_perms_groups = set(_get_group(x.permission.permission_name) for x in perms)

        log.debug('GOT ALREADY DEFINED:%s', perms)

        if force:

            for perm in perms:

                Session().delete(perm)

            Session().commit()

            defined_perms_groups = []

        # For every default permission that needs to be created, we check if

        # its group is already defined. If it's not, we create default permission.

        for perm_name in Permission.DEFAULT_USER_PERMISSIONS:

            gr = _get_group(perm_name)

            if gr not in defined_perms_groups:

                log.debug('GR:%s not found, creating permission %s',

                          gr, perm_name)

                new_perm = _make_perm(perm_name)

                Session().add(new_perm)

    def update(self, form_result):

        perm_user = User.get_by_username(username=form_result['perm_user_name'])

        try:

            # stage 1 set anonymous access

            if perm_user.is_default_user:

                perm_user.active = asbool(form_result['anonymous'])

            # stage 2 reset defaults and set them from form data

            def _make_new(usr, perm_name):

                log.debug('Creating new permission:%s', perm_name)

                new = UserToPerm()

                new.user = usr

                new.permission = Permission.get_by_key(perm_name)

                return new

            # clear current entries, to make this function idempotent

            # it will fix even if we define more permissions or permissions

            # are somehow missing

            u2p = UserToPerm.query() \

                .filter(UserToPerm.user == perm_user) \

                .all()

            for p in u2p:

                Session().delete(p)

            # create fresh set of permissions

            for def_perm_key in ['default_repo_perm',

                                 'default_group_perm',

                                 'default_user_group_perm',

                                 'default_repo_create',

                                 'create_on_write', # special case for create repos on write access to group

                                 'default_user_group_create',

                                 'default_fork',

                                 'default_register',

                                 'default_extern_activate']:

                p = _make_new(perm_user, form_result[def_perm_key])

                Session().add(p)

            # stage 3 update all default permissions for repos if checked

            if form_result['overwrite_default_repo']:

                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

                _def = Permission.get_by_key('repository.' + _def_name)

                # repos

                for r2p in UserRepoToPerm.query() \

                               .filter(UserRepoToPerm.user == perm_user) \

                               .all():

                    # don't reset PRIVATE repositories

                    if not r2p.repository.private:

                        r2p.permission = _def

            if form_result['overwrite_default_group']:

                _def_name = form_result['default_group_perm'].split('group.')[-1]

                # groups

                _def = Permission.get_by_key('group.' + _def_name)

                for g2p in UserRepoGroupToPerm.query() \

                               .filter(UserRepoGroupToPerm.user == perm_user) \

                               .all():

                    g2p.permission = _def

            if form_result['overwrite_default_user_group']:

                _def_name = form_result['default_user_group_perm'].split('usergroup.')[-1]

                # groups

                _def = Permission.get_by_key('usergroup.' + _def_name)

                for g2p in UserUserGroupToPerm.query() \

                               .filter(UserUserGroupToPerm.user == perm_user) \

                               .all():

                    g2p.permission = _def

            Session().commit()

        except (DatabaseError,):

            log.error(traceback.format_exc())

            Session().rollback()

            raise