diff --git a/rhodecode/model/user.py b/rhodecode/model/user.py --- a/rhodecode/model/user.py +++ b/rhodecode/model/user.py @@ -39,7 +39,7 @@ from rhodecode.model import BaseModel from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \ UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \ Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \ - UserEmailMap, UserIpMap + UserEmailMap, UserIpMap, UserGroupUserGroupToPerm, UserGroup from rhodecode.lib.exceptions import DefaultUserException, \ UserOwnsReposException from rhodecode.model.meta import Session @@ -133,7 +133,7 @@ class UserModel(BaseModel): new_user.admin = admin # set password only if creating an user or password is changed if not edit or user.password != password: - new_user.password = get_crypt_password(password) + new_user.password = get_crypt_password(password) if password else None new_user.api_key = generate_api_key(username) new_user.email = email new_user.active = active @@ -425,9 +425,11 @@ class UserModel(BaseModel): """ RK = 'repositories' GK = 'repositories_groups' + UK = 'user_groups' GLOBAL = 'global' user.permissions[RK] = {} user.permissions[GK] = {} + user.permissions[UK] = {} user.permissions[GLOBAL] = set() def _choose_perm(new_perm, cur_perm): @@ -450,6 +452,7 @@ class UserModel(BaseModel): default_repo_perms = Permission.get_default_perms(default_user_id) default_repo_groups_perms = Permission.get_default_group_perms(default_user_id) + default_user_group_perms = Permission.get_default_user_group_perms(default_user_id) if user.is_admin: #================================================================== @@ -469,6 +472,12 @@ class UserModel(BaseModel): rg_k = perm.UserRepoGroupToPerm.group.group_name p = 'group.admin' user.permissions[GK][rg_k] = p + + # user groups + for perm in default_user_group_perms: + u_k = perm.UserUserGroupToPerm.user_group.users_group_name + p = 'usergroup.admin' + user.permissions[UK][u_k] = p return user #================================================================== @@ -504,12 +513,22 @@ class UserModel(BaseModel): p = perm.Permission.permission_name user.permissions[GK][rg_k] = p + # defaults for user groups taken from default user permission + # on given user group + for perm in default_user_group_perms: + u_k = perm.UserUserGroupToPerm.user_group.users_group_name + p = perm.Permission.permission_name + user.permissions[UK][u_k] = p + #====================================================================== # !! OVERRIDE GLOBALS !! with user permissions if any found #====================================================================== # those can be configured from groups or users explicitly - _configurable = set(['hg.fork.none', 'hg.fork.repository', - 'hg.create.none', 'hg.create.repository']) + _configurable = set([ + 'hg.fork.none', 'hg.fork.repository', + 'hg.create.none', 'hg.create.repository', + 'hg.usergroup.create.false', 'hg.usergroup.create.true' + ]) # USER GROUPS comes first # user group global permissions @@ -549,6 +568,7 @@ class UserModel(BaseModel): for perm in user_perms: user.permissions[GLOBAL].add(perm.permission.permission_name) + ## END GLOBAL PERMISSIONS #====================================================================== # !! PERMISSIONS FOR REPOSITORIES !! @@ -588,15 +608,7 @@ class UserModel(BaseModel): # user explicit permissions for repositories, overrides any specified # by the group permission - user_repo_perms = \ - self.sa.query(UserRepoToPerm, Permission, Repository)\ - .join((Repository, UserRepoToPerm.repository_id == - Repository.repo_id))\ - .join((Permission, UserRepoToPerm.permission_id == - Permission.permission_id))\ - .filter(UserRepoToPerm.user_id == uid)\ - .all() - + user_repo_perms = Permission.get_default_perms(uid) for perm in user_repo_perms: r_k = perm.UserRepoToPerm.repository.repo_name cur_perm = user.permissions[RK][r_k] @@ -639,14 +651,7 @@ class UserModel(BaseModel): user.permissions[GK][g_k] = p # user explicit permissions for repository groups - user_repo_groups_perms = \ - self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\ - .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\ - .join((Permission, UserRepoGroupToPerm.permission_id - == Permission.permission_id))\ - .filter(UserRepoGroupToPerm.user_id == uid)\ - .all() - + user_repo_groups_perms = Permission.get_default_group_perms(uid) for perm in user_repo_groups_perms: rg_k = perm.UserRepoGroupToPerm.group.group_name p = perm.Permission.permission_name @@ -655,6 +660,41 @@ class UserModel(BaseModel): p = _choose_perm(p, cur_perm) user.permissions[GK][rg_k] = p + #====================================================================== + # !! PERMISSIONS FOR USER GROUPS !! + #====================================================================== + # user group for user group permissions + user_group_user_groups_perms = \ + self.sa.query(UserGroupUserGroupToPerm, Permission, UserGroup)\ + .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id + == UserGroup.users_group_id))\ + .join((Permission, UserGroupUserGroupToPerm.permission_id + == Permission.permission_id))\ + .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id + == UserGroupMember.users_group_id))\ + .filter(UserGroupMember.user_id == uid)\ + .all() + + multiple_counter = collections.defaultdict(int) + for perm in user_group_user_groups_perms: + g_k = perm.UserGroupUserGroupToPerm.target_user_group.users_group_name + multiple_counter[g_k] += 1 + p = perm.Permission.permission_name + cur_perm = user.permissions[UK][g_k] + if multiple_counter[g_k] > 1: + p = _choose_perm(p, cur_perm) + user.permissions[UK][g_k] = p + + #user explicit permission for user groups + user_user_groups_perms = Permission.get_default_user_group_perms(uid) + for perm in user_user_groups_perms: + u_k = perm.UserUserGroupToPerm.user_group.users_group_name + p = perm.Permission.permission_name + cur_perm = user.permissions[UK][u_k] + if not explicit: + p = _choose_perm(p, cur_perm) + user.permissions[UK][u_k] = p + return user def has_perm(self, user, perm):