Files
@ f734d107296e
Branch filter:
Location: kallithea/docs/usage/email.rst - annotation
f734d107296e
3.8 KiB
text/prs.fallenstein.rst
auth: for default permissions, use existing explicit query result values instead of following dot references in ORM result objects
There has been reports of spurious crashes on resolving references like
.repository from Permissions:
File ".../kallithea/lib/auth.py", line 678, in __wrapper
if self.check_permissions(user):
File ".../kallithea/lib/auth.py", line 718, in check_permissions
return user.has_repository_permission_level(repo_name, self.required_perm)
File ".../kallithea/lib/auth.py", line 450, in has_repository_permission_level
actual_perm = self.permissions['repositories'].get(repo_name)
File ".../kallithea/lib/vcs/utils/lazy.py", line 41, in __get__
value = self._func(obj)
File ".../kallithea/lib/auth.py", line 442, in permissions
return self.__get_perms(user=self, cache=False)
File ".../kallithea/lib/auth.py", line 498, in __get_perms
return compute(user_id, user_is_admin)
File ".../kallithea/lib/auth.py", line 190, in _cached_perms_data
r_k = perm.UserRepoToPerm.repository.repo_name
File ".../sqlalchemy/orm/attributes.py", line 285, in __get__
return self.impl.get(instance_state(instance), dict_)
File ".../sqlalchemy/orm/attributes.py", line 721, in get
value = self.callable_(state, passive)
File ".../sqlalchemy/orm/strategies.py", line 710, in _load_for_state
% (orm_util.state_str(state), self.key)
sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <UserRepoToPerm at ...> is not bound to a Session; lazy load operation of attribute 'repository' cannot proceed (Background on this error at: http://sqlalche.me/e/bhk3)
Permissions are cached between requests: SA result records are stored in in
beaker.cache.sql_cache_short and resued in following requests after the initial
session as been removed. References in Permission objects would usually give
lazy lookup ... but not outside the original session, where we would get an
error like this.
Permissions are indeed implemented/used incorrectly. That might explain a part
of the problem. Even if not fully explaining or fixing this problem, it is
still worth fixing:
Permissions are fetched from the database using Session().query with multiple
class/table names (joined together in way that happens to match the references
specified in the table definitions) - including Repository. The results are
thus "structs" with selected objects. If repositories always were retrieved
using this selected repository, everything would be fine. In some places, this
was what we did.
But in some places, the code happened to do what was more intuitive: just use
.repository and rely on "lazy" resolving. SA was not aware that this one
already was present in the result struct, and would try to fetch it again. Best
case, that could be inefficient. Worst case, it would fail as we see here.
Fix this by only querying from one table but use the "joinedload" option to
also fetch other referenced tables in the same select. (This might
inefficiently return the main record multiple times ... but that was already
the case with the previous approach.)
This change is thus doing multiple things with circular dependencies that can't
be split up in minor parts without taking detours:
The existing repository join like:
.join((Repository, UserGroupRepoToPerm.repository_id == Repository.repo_id))
is thus replaced by:
.options(joinedload(UserGroupRepoToPerm.repository))
Since we only are doing Session.query() on one table, the results will be of
that type instead of "structs" with multiple objects. If only querying for
UserRepoToPerm this means:
- perm.UserRepoToPerm.repository becomes perm.repository
- perm.Permission.permission_name looked at the explicitly queried Permission
in the result struct - instead it should look in the the dereferenced
repository as perm.permission.permission_name
There has been reports of spurious crashes on resolving references like
.repository from Permissions:
File ".../kallithea/lib/auth.py", line 678, in __wrapper
if self.check_permissions(user):
File ".../kallithea/lib/auth.py", line 718, in check_permissions
return user.has_repository_permission_level(repo_name, self.required_perm)
File ".../kallithea/lib/auth.py", line 450, in has_repository_permission_level
actual_perm = self.permissions['repositories'].get(repo_name)
File ".../kallithea/lib/vcs/utils/lazy.py", line 41, in __get__
value = self._func(obj)
File ".../kallithea/lib/auth.py", line 442, in permissions
return self.__get_perms(user=self, cache=False)
File ".../kallithea/lib/auth.py", line 498, in __get_perms
return compute(user_id, user_is_admin)
File ".../kallithea/lib/auth.py", line 190, in _cached_perms_data
r_k = perm.UserRepoToPerm.repository.repo_name
File ".../sqlalchemy/orm/attributes.py", line 285, in __get__
return self.impl.get(instance_state(instance), dict_)
File ".../sqlalchemy/orm/attributes.py", line 721, in get
value = self.callable_(state, passive)
File ".../sqlalchemy/orm/strategies.py", line 710, in _load_for_state
% (orm_util.state_str(state), self.key)
sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <UserRepoToPerm at ...> is not bound to a Session; lazy load operation of attribute 'repository' cannot proceed (Background on this error at: http://sqlalche.me/e/bhk3)
Permissions are cached between requests: SA result records are stored in in
beaker.cache.sql_cache_short and resued in following requests after the initial
session as been removed. References in Permission objects would usually give
lazy lookup ... but not outside the original session, where we would get an
error like this.
Permissions are indeed implemented/used incorrectly. That might explain a part
of the problem. Even if not fully explaining or fixing this problem, it is
still worth fixing:
Permissions are fetched from the database using Session().query with multiple
class/table names (joined together in way that happens to match the references
specified in the table definitions) - including Repository. The results are
thus "structs" with selected objects. If repositories always were retrieved
using this selected repository, everything would be fine. In some places, this
was what we did.
But in some places, the code happened to do what was more intuitive: just use
.repository and rely on "lazy" resolving. SA was not aware that this one
already was present in the result struct, and would try to fetch it again. Best
case, that could be inefficient. Worst case, it would fail as we see here.
Fix this by only querying from one table but use the "joinedload" option to
also fetch other referenced tables in the same select. (This might
inefficiently return the main record multiple times ... but that was already
the case with the previous approach.)
This change is thus doing multiple things with circular dependencies that can't
be split up in minor parts without taking detours:
The existing repository join like:
.join((Repository, UserGroupRepoToPerm.repository_id == Repository.repo_id))
is thus replaced by:
.options(joinedload(UserGroupRepoToPerm.repository))
Since we only are doing Session.query() on one table, the results will be of
that type instead of "structs" with multiple objects. If only querying for
UserRepoToPerm this means:
- perm.UserRepoToPerm.repository becomes perm.repository
- perm.Permission.permission_name looked at the explicitly queried Permission
in the result struct - instead it should look in the the dereferenced
repository as perm.permission.permission_name
2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b a5ad2900985b 2079e864ce51 fbbe80e3322b 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 66f1b9745905 66f1b9745905 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 c935bcaf7086 c935bcaf7086 c935bcaf7086 c935bcaf7086 c935bcaf7086 c935bcaf7086 c935bcaf7086 c935bcaf7086 2079e864ce51 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 6b865fcfed20 fbbe80e3322b 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 e223c36e5b68 e223c36e5b68 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 2079e864ce51 fbbe80e3322b 2079e864ce51 2079e864ce51 22a3fa3c4254 2079e864ce51 2079e864ce51 2079e864ce51 fbbe80e3322b 84d8cff41282 | .. _email:
==============
Email settings
==============
The Kallithea configuration file has several email related settings. When
these contain correct values, Kallithea will send email in the situations
described below. If the email configuration is not correct so that emails
cannot be sent, all mails will show up in the log output.
Before any email can be sent, an SMTP server has to be configured using the
configuration file setting ``smtp_server``. If required for that server, specify
a username (``smtp_username``) and password (``smtp_password``), a non-standard
port (``smtp_port``), whether to use "SSL" when connecting (``smtp_use_ssl``)
or use STARTTLS (``smtp_use_tls``), and/or specify special ESMTP "auth" features
(``smtp_auth``).
For example, for sending through gmail, use::
smtp_server = smtp.gmail.com
smtp_username = username
smtp_password = password
smtp_port = 465
smtp_use_ssl = true
Application emails
------------------
Kallithea sends an email to `users` on several occasions:
- when comments are given on one of their changesets
- when comments are given on changesets they are reviewer on or on which they
commented regardless
- when they are invited as reviewer in pull requests
- when they request a password reset
Kallithea sends an email to all `administrators` upon new account registration.
Administrators are users with the ``Admin`` flag set on the *Admin > Users*
page.
When Kallithea wants to send an email but due to an error cannot correctly
determine the intended recipients, the administrators and the addresses
specified in ``email_to`` in the configuration file are used as fallback.
Recipients will see these emails originating from the sender specified in the
``app_email_from`` setting in the configuration file. This setting can either
contain only an email address, like `kallithea-noreply@example.com`, or both
a name and an address in the following format: `Kallithea
<kallithea-noreply@example.com>`. However, if the email is sent due to an
action of a particular user, for example when a comment is given or a pull
request created, the name of that user will be combined with the email address
specified in ``app_email_from`` to form the sender (and any name part in that
configuration setting disregarded).
The subject of these emails can optionally be prefixed with the value of
``email_prefix`` in the configuration file.
A Kallithea-specific header indicating the email type will be added to each
email. This header can be used for email filtering. The header is of the form:
X-Kallithea-Notification-Type: <type>
where ``<type>`` is one of:
- ``pull_request``: you are invited as reviewer in a pull request
- ``pull_request_comment``: a comment was given on a pull request
- ``cs_comment``: a comment was given on a changeset
- ``registration``: a new user was registered
- ``message``: another type of email
Error emails
------------
When an exception occurs in Kallithea -- and unless interactive debugging is
enabled using ``set debug = true`` in the ``[app:main]`` section of the
configuration file -- an email with exception details is sent by backlash_
to the addresses specified in ``email_to`` in the configuration file.
Recipients will see these emails originating from the sender specified in the
``error_email_from`` setting in the configuration file. This setting can either
contain only an email address, like `kallithea-noreply@example.com`, or both
a name and an address in the following format: `Kallithea Errors
<kallithea-noreply@example.com>`.
References
----------
- `Error Middleware (Pylons documentation) <http://pylons-webframework.readthedocs.org/en/latest/debugging.html#error-middleware>`_
- `ErrorHandler (Pylons modules documentation) <http://pylons-webframework.readthedocs.org/en/latest/modules/middleware.html#pylons.middleware.ErrorHandler>`_
.. _backlash: https://github.com/TurboGears/backlash
|