Changeset - e27ff6a90076
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich (mads) - 3 years ago 2023-05-07 18:19:38
mads@kiilerich.com
auth: always consider the repo group owner an admin when computing it's permissions

When computing repo group permissions in repository_group_permissions(), always
give admin permissions to the group owner.

That is similar to how repository_permissions() gives admin permissions to the
repo owner.

The extra computation shouldn't cause any extra database hits or make the
computation more complex or expensive, so that should be fine for stable.

Note: This will leave behind some (automaticly added) explicit permissions. I
consider this a very minor glitch, not worth addressing.
1 file changed with 4 insertions and 1 deletions:
kallithea/lib/auth.py
4
1
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -169,193 +169,196 @@ class AuthUser(object):
 
            .filter(db.UserGroupMember.user_id == self.user_id) \
 
            .join((db.UserGroup, db.UserGroupMember.users_group_id ==
 
                   db.UserGroup.users_group_id)) \
 
            .filter(db.UserGroup.users_group_active == True) \
 
            .order_by(db.UserGroupToPerm.users_group_id) \
 
            .all()
 
        # need to group here by groups since user can be in more than
 
        # one group
 
        _grouped = [[x, list(y)] for x, y in
 
                    itertools.groupby(user_perms_from_users_groups,
 
                                      lambda x:x.users_group)]
 
        for gr, perms in _grouped:
 
            for perm in perms:
 
                global_permissions.add(perm.permission.permission_name)
 

			




	
	
	
		
 
        # user specific global permissions

			




	
	
	
		
 
        user_perms = meta.Session().query(db.UserToPerm) \

			




	
	
	
		
 
                .options(joinedload(db.UserToPerm.permission)) \

			




	
	
	
		
 
                .filter(db.UserToPerm.user_id == self.user_id).all()

			




	
	
	
		
 
        for perm in user_perms:

			




	
	
	
		
 
            global_permissions.add(perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
        # for each kind of global permissions, only keep the one with heighest weight

			




	
	
	
		
 
        kind_max_perm = {}

			




	
	
	
		
 
        for perm in sorted(global_permissions, key=lambda n: PERM_WEIGHTS.get(n, -1)):

			




	
	
	
		
 
            kind = perm.rsplit('.', 1)[0]

			




	
	
	
		
 
            kind_max_perm[kind] = perm

			




	
	
	
		
 
        return set(kind_max_perm.values())

			




	
	
	
		
 

			




	
	
	
		
 
    @LazyProperty

			




	
	
	
		
 
    def repository_permissions(self):

			




	
	
	
		
 
        log.debug('Getting repository permissions for %s', self)

			




	
	
	
		
 
        repository_permissions = {}

			




	
	
	
		
 
        default_repo_perms = db.Permission.get_default_perms(kallithea.DEFAULT_USER_ID)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.is_admin:

			




	
	
	
		
 
            for perm in default_repo_perms:

			




	
	
	
		
 
                r_k = perm.repository.repo_name

			




	
	
	
		
 
                p = 'repository.admin'

			




	
	
	
		
 
                repository_permissions[r_k] = p

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            # defaults for repositories from default user

			




	
	
	
		
 
            for perm in default_repo_perms:

			




	
	
	
		
 
                r_k = perm.repository.repo_name

			




	
	
	
		
 
                if perm.repository.owner_id == self.user_id:

			




	
	
	
		
 
                    p = 'repository.admin'

			




	
	
	
		
 
                elif perm.repository.private:

			




	
	
	
		
 
                    p = 'repository.none'

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    p = perm.permission.permission_name

			




	
	
	
		
 
                repository_permissions[r_k] = p

			




	
	
	
		
 

			




	
	
	
		
 
            # user group repository permissions

			




	
	
	
		
 
            user_repo_perms_from_users_groups = \

			




	
	
	
		
 
             meta.Session().query(db.UserGroupRepoToPerm) \

			




	
	
	
		
 
                .join((db.UserGroup, db.UserGroupRepoToPerm.users_group_id ==

			




	
	
	
		
 
                       db.UserGroup.users_group_id)) \

			




	
	
	
		
 
                .filter(db.UserGroup.users_group_active == True) \

			




	
	
	
		
 
                .join((db.UserGroupMember, db.UserGroupRepoToPerm.users_group_id ==

			




	
	
	
		
 
                       db.UserGroupMember.users_group_id)) \

			




	
	
	
		
 
                .filter(db.UserGroupMember.user_id == self.user_id) \

			




	
	
	
		
 
                .options(joinedload(db.UserGroupRepoToPerm.repository)) \

			




	
	
	
		
 
                .options(joinedload(db.UserGroupRepoToPerm.permission)) \

			




	
	
	
		
 
                .all()

			




	
	
	
		
 
            for perm in user_repo_perms_from_users_groups:

			




	
	
	
		
 
                bump_permission(repository_permissions,

			




	
	
	
		
 
                    perm.repository.repo_name,

			




	
	
	
		
 
                    perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
            # user permissions for repositories

			




	
	
	
		
 
            user_repo_perms = db.Permission.get_default_perms(self.user_id)

			




	
	
	
		
 
            for perm in user_repo_perms:

			




	
	
	
		
 
                bump_permission(repository_permissions,

			




	
	
	
		
 
                    perm.repository.repo_name,

			




	
	
	
		
 
                    perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
        return repository_permissions

			




	
	
	
		
 

			




	
	
	
		
 
    @LazyProperty

			




	
	
	
		
 
    def repository_group_permissions(self):

			




	
	
	
		
 
        log.debug('Getting repository group permissions for %s', self)

			




	
	
	
		
 
        repository_group_permissions = {}

			




	
	
	
		
 
        default_repo_groups_perms = db.Permission.get_default_group_perms(kallithea.DEFAULT_USER_ID)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.is_admin:

			




	
	
	
		
 
            for perm in default_repo_groups_perms:

			




	
	
	
		
 
                rg_k = perm.group.group_name

			




	
	
	
		
 
                p = 'group.admin'

			




	
	
	
		
 
                repository_group_permissions[rg_k] = p

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            # defaults for repository groups taken from default user permission

			




	
	
	
		
 
            # on given group

			




	
	
	
		
 
            for perm in default_repo_groups_perms:

			




	
	
	
		
 
                rg_k = perm.group.group_name

			




	
	
	
		
 
                p = perm.permission.permission_name

			




	
	
	
		
 
                if perm.group.owner_id == self.user_id:

			




	
	
	
		
 
                    p = 'group.admin'

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    p = perm.permission.permission_name

			




	
	
	
		
 
                repository_group_permissions[rg_k] = p

			




	
	
	
		
 

			




	
	
	
		
 
            # user group for repo groups permissions

			




	
	
	
		
 
            user_repo_group_perms_from_users_groups = \

			




	
	
	
		
 
                meta.Session().query(db.UserGroupRepoGroupToPerm) \

			




	
	
	
		
 
                .join((db.UserGroup, db.UserGroupRepoGroupToPerm.users_group_id ==

			




	
	
	
		
 
                       db.UserGroup.users_group_id)) \

			




	
	
	
		
 
                .filter(db.UserGroup.users_group_active == True) \

			




	
	
	
		
 
                .join((db.UserGroupMember, db.UserGroupRepoGroupToPerm.users_group_id

			




	
	
	
		
 
                       == db.UserGroupMember.users_group_id)) \

			




	
	
	
		
 
                .filter(db.UserGroupMember.user_id == self.user_id) \

			




	
	
	
		
 
                .options(joinedload(db.UserGroupRepoGroupToPerm.permission)) \

			




	
	
	
		
 
                .all()

			




	
	
	
		
 
            for perm in user_repo_group_perms_from_users_groups:

			




	
	
	
		
 
                bump_permission(repository_group_permissions,

			




	
	
	
		
 
                    perm.group.group_name,

			




	
	
	
		
 
                    perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
            # user explicit permissions for repository groups

			




	
	
	
		
 
            user_repo_groups_perms = db.Permission.get_default_group_perms(self.user_id)

			




	
	
	
		
 
            for perm in user_repo_groups_perms:

			




	
	
	
		
 
                bump_permission(repository_group_permissions,

			




	
	
	
		
 
                    perm.group.group_name,

			




	
	
	
		
 
                    perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
        return repository_group_permissions

			




	
	
	
		
 

			




	
	
	
		
 
    @LazyProperty

			




	
	
	
		
 
    def user_group_permissions(self):

			




	
	
	
		
 
        log.debug('Getting user group permissions for %s', self)

			




	
	
	
		
 
        user_group_permissions = {}

			




	
	
	
		
 
        default_user_group_perms = db.Permission.get_default_user_group_perms(kallithea.DEFAULT_USER_ID)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.is_admin:

			




	
	
	
		
 
            for perm in default_user_group_perms:

			




	
	
	
		
 
                u_k = perm.user_group.users_group_name

			




	
	
	
		
 
                p = 'usergroup.admin'

			




	
	
	
		
 
                user_group_permissions[u_k] = p

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            # defaults for user groups taken from default user permission

			




	
	
	
		
 
            # on given user group

			




	
	
	
		
 
            for perm in default_user_group_perms:

			




	
	
	
		
 
                u_k = perm.user_group.users_group_name

			




	
	
	
		
 
                p = perm.permission.permission_name

			




	
	
	
		
 
                user_group_permissions[u_k] = p

			




	
	
	
		
 

			




	
	
	
		
 
            # user group for user group permissions

			




	
	
	
		
 
            user_group_user_groups_perms = \

			




	
	
	
		
 
                meta.Session().query(db.UserGroupUserGroupToPerm) \

			




	
	
	
		
 
                .join((db.UserGroup, db.UserGroupUserGroupToPerm.target_user_group_id

			




	
	
	
		
 
                       == db.UserGroup.users_group_id)) \

			




	
	
	
		
 
                .join((db.UserGroupMember, db.UserGroupUserGroupToPerm.user_group_id

			




	
	
	
		
 
                       == db.UserGroupMember.users_group_id)) \

			




	
	
	
		
 
                .filter(db.UserGroupMember.user_id == self.user_id) \

			




	
	
	
		
 
                .join((db.UserGroup, db.UserGroupMember.users_group_id ==

			




	
	
	
		
 
                       db.UserGroup.users_group_id), aliased=True, from_joinpoint=True) \

			




	
	
	
		
 
                .filter(db.UserGroup.users_group_active == True) \

			




	
	
	
		
 
                .options(joinedload(db.UserGroupUserGroupToPerm.permission)) \

			




	
	
	
		
 
                .all()

			




	
	
	
		
 
            for perm in user_group_user_groups_perms:

			




	
	
	
		
 
                bump_permission(user_group_permissions,

			




	
	
	
		
 
                    perm.target_user_group.users_group_name,

			




	
	
	
		
 
                    perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
            # user explicit permission for user groups

			




	
	
	
		
 
            user_user_groups_perms = db.Permission.get_default_user_group_perms(self.user_id)

			




	
	
	
		
 
            for perm in user_user_groups_perms:

			




	
	
	
		
 
                bump_permission(user_group_permissions,

			




	
	
	
		
 
                    perm.user_group.users_group_name,

			




	
	
	
		
 
                    perm.permission.permission_name)

			




	
	
	
		
 

			




	
	
	
		
 
        return user_group_permissions

			




	
	
	
		
 

			




	
	
	
		
 
    @LazyProperty

			




	
	
	
		
 
    def permissions(self):

			




	
	
	
		
 
        """dict with all 4 kind of permissions - mainly for backwards compatibility"""

			




	
	
	
		
 
        return {

			




	
	
	
		
 
            'global': self.global_permissions,

			




	
	
	
		
 
            'repositories': self.repository_permissions,

			




	
	
	
		
 
            'repositories_groups': self.repository_group_permissions,

			




	
	
	
		
 
            'user_groups': self.user_group_permissions,

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
    def has_repository_permission_level(self, repo_name, level, purpose=None):

			




	
	
	
		
 
        required_perms = {

			




	
	
	
		
 
            'read': ['repository.read', 'repository.write', 'repository.admin'],

			




	
	
	
		
 
            'write': ['repository.write', 'repository.admin'],

			




	
	
	
		
 
            'admin': ['repository.admin'],

			




	
	
	
		
 
        }[level]

			




	
	
	
		
 
        actual_perm = self.repository_permissions.get(repo_name)

			




	
	
	
		
 
        ok = actual_perm in required_perms

			




	
	
	
		
 
        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',

			




	
	
	
		
 
            self.username, level, repo_name, purpose, ok, actual_perm)

			




	
	
	
		
 
        return ok

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        Server instance: clio-14230
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.
            – Support