Mads Kiilerich | abc29122c7f2 | 3 years ago
repo group: introduce editing of owner
The repo group owner concept was only partially implemented. Owners were shown in the repo group listing, but couldn't be changed. Users owning repo groups couldn't be deleted, with no other solution than deleting owned repo groups.
This also fixes the existing broken update_repo_group API, which tried to use unimplemented functionality.

Mads Kiilerich | 25c51511c8eb | 5 years ago
hooks: put repo_size and update hooks in kallithea namespace
Keep things separate. Include missing migration steps for 642847355a10.

Mads Kiilerich | 2ff983214ea0 | 5 years ago
imports: always import the whole kallithea module to use top level kallithea variables
This is slightly more lazy and might avoid some dependency issues.

Mads Kiilerich | a3f649baa016 | 5 years ago

Mads Kiilerich | 39db02a954ec | 5 years ago

Mads Kiilerich | 2ce710e81e61 | 6 years ago
permissions: drop hg.create.write_on_repogroup "Repository creation with group write access" setting
Simplify permissions system and get rid of some confusing tech debt.
Before, the global 'write_on_repogroup' setting controlled what write permission on a repo group meant.
With this change, users can create repositories in a repo group if and only if they have write access. Write access to a repo group will now mean the permission to create repositories in it.
Write access to repo groups must be granted explicitly. There should not be any other reason to grant write access than to allow users to create repos. There are thus no upgrade concerns for this change.
An admin that doesn't want users to create repos in a repogroup should just not give them write access.
These global settings might still exist in the database, but are ignored, no longer used, and do no harm.

Mads Kiilerich | d79de6c61359 | 6 years ago

Mads Kiilerich | e63bcce18fef | 6 years ago

Mads Kiilerich | d4ea298c3ec4 | 6 years ago
cleanup: minor refactorings and simplification of dict usage
Makes it more py3 compatible.

Mads Kiilerich | 0a277465fddf | 6 years ago

domruf | 574218777086 | 8 years ago
ssh: show ssh URL on summary page
Original change has been heavily modified by Mads Kiilerich.

Mads Kiilerich | 93834966ae01 | 7 years ago
auth: global permissions given to the default user are the bare minimum and should apply to *all* other users too
Drop the "subtractive permission" config option "inherit_from_default" that when set to false would give users less global permissions than the default unauthenticated user.
Instead, think positive and merge all positive permissions.
At the end, filter the global permissions to make sure that for each kind of permission we only keep the one with the most weight.

Mads Kiilerich | 642847355a10 | 7 years ago
hooks: make sure push and pull hooks always are enabled
Don't put things in the database when we pretty much assume they always have exact content, without any reasonable use case for customization.

Mads Kiilerich | 99edd97366e3 | 7 years ago
locking: drop the pull-to-lock / push-to-unlock functionality
The feature is not worth the maintenance cost. The locking is too coarse and inflexible with insufficient UI and UX. The implementation is also quite invasive in tricky areas of the code, and thus high maintenance. Dropping this will enable other cleanup ... or at least make it easier.

domruf | 97ea346aa4bd | 8 years ago
less: use .label and .label-* style instead of custom .*tag
This reduces the code and makes it more consistent.
Visually this results in bold texts (which in case of small fonts is easier to read) and a bit more padding left and right.
For proper spacing, this requires removing whitespace before and after the texts inside the labels.
Since the name changed from tag to label, also rename the variables and functions.

Lars Kruse | 7691290837d2 | 8 years ago
codingstyle: trivial whitespace fixes
Reported by flake8.

Mads Kiilerich | e9ac5698281d | 9 years ago
tg: minimize future diff by some mocking and replacing some pylons imports with tg
No actual tg dependency yet, just a temporary hack faking tg as an alias for pylons.
Based on work by Alessandro Molina.

Mads Kiilerich | e54f4d943d4a | 9 years ago
settings: fix saving of visual settings of page size
After 19f15cde2cdb it was no longer possible to save page_size because formfill didn't match. Back out a part of that changeset.

Thomas De Schampheleire | 24b61c257aab | 9 years ago
forms: wrap LoginForm inside function like other forms
All forms except LoginForm are wrapped inside a function. The original purpose of this wrapping seems to be the ability to pass parameters to tweak the form.
But, this also has another desired effect: translation of strings wrapped with _ is no longer attempted when reading the class definition, but only when the function is instantiated. In the former case, it is not guaranteed that a translator is actually available because we are not running in standard application context.
Align LoginForm with the others.

Søren Løvborg | 36e22160e5e5 | 9 years ago
db: rename RepoGroup.group_parent_id to parent_group_id
Also for consistency with the existing parent_group relationship.

Mads Kiilerich | 19f15cde2cdb | 9 years ago

Mads Kiilerich | 69ee6a249f55 | 9 years ago

Mads Kiilerich | 358f9a456a43 | 9 years ago

Søren Løvborg | cd6176c0634a | 9 years ago
db: PullRequest/Repository/RepoGroup/UserGroup: change 'user' to 'owner'
Rename the 'user' and 'user_id' fields on the four classes to something more informative. The database column names remain unchanged for now; a later Alembic script can fix the name of these and other columns to match their Python name.
This might break rcextensions, though, and external scripts that use the HTML form interface.

Mads Kiilerich | a89be5fb75d2 | 9 years ago
hg: drop pointless push_ssl configuration setting - if there is a risk push can be compromised, credentials can also easily be stolen for pull
Everybody should have a ssl-only setup now. Alternatively, there is a use case for 'only anonymous traffic on ssl - all authentication and authenticated traffic must be on ssl'. That can be done with proper web server configuration.

Jiří Suchan | 32cdc6f70f13 | 10 years ago

Andrew Shadura | f629e9a0c376 | 11 years ago
auth: secure password reset implementation
This is a better implementation of the password reset function, which doesn't involve sending a new password to the user's email address in clear text, and at the same time is stateless.
The old implementation generated a new password and sent it in clear text to whatever email was assigned to the user currently, so that any user, possibly unauthenticated, could request a reset for any username or email. Apart from potential insecurity, this made it possible for anyone to disrupt users' workflow by repeatedly resetting their passwords.
The idea behind this implementation is to generate an authentication token which is dependent on the user state at the time before the password change takes place, so the token is one-time and can't be reused, and also to bind the token to the browser session.
The token is calculated as the SHA1 hash of the following:
* user's identifier (number, not a name)
* timestamp
* hashed user's password
* session identifier
* per-application secret
We use the numeric user identifier, as it's fixed and doesn't change, so renaming users doesn't affect the mechanism. The timestamp is added to make it possible to limit the token's validity (currently hard coded to 24h), and we don't want users to be able to fake that field easily. The hashed user's password is needed to prevent using the token again once the password has been changed. The session identifier is an additional security measure to ensure someone else stealing the token can't use it. Finally, the per-application secret is just another way to make it harder for an attacker to guess all values in an attempt to generate a valid token.
When the token is generated, an anonymous user is directed to a confirmation page where the timestamp and the usernames are already preloaded, so the user needs to specify the token. The user can either click the link in the email if it's really them reading it, or type the token manually.
Using the right token in the same session as it was requested in directs the user to a password change form, where the user is supposed to specify a new password (twice, of course). Upon completing the form (which is POSTed) the password change happens and a notification mail is sent.
The test is updated to test the basic functionality with a bad and a good token, but it doesn't (yet) cover all code paths.
The original work from Andrew has been thoroughly reviewed and heavily modified by Søren Løvborg.

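The token scheme the changeset above describes, as an added example that is not Kallithea's code and not part of this log: generating and verifying a SHA1 token over the five listed inputs, and showing why each of the rejection cases the message names (expired, other session, password already changed, other user) fails. The field order, ':' separator, hex encoding and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import time

TOKEN_TTL = 24 * 3600  # token validity window: 24h, as the changeset states


def make_token(user_id, timestamp, password_hash, session_id, app_secret):
    """SHA1 over the five inputs named in the changeset.

    Field order and the ':' separator are assumptions of this example;
    the changeset only lists the inputs."""
    material = ":".join(
        [str(user_id), str(timestamp), password_hash, session_id, app_secret]
    )
    return hashlib.sha1(material.encode()).hexdigest()


def check_token(token, user_id, timestamp, password_hash, session_id,
                app_secret, now=None):
    """Accept only an unexpired token that matches the *current* user state.

    `timestamp` comes back from the confirmation form, so it is client
    supplied; it can be trusted only because it is bound into the hash."""
    now = int(time.time()) if now is None else now
    if not 0 <= now - timestamp <= TOKEN_TTL:
        return False  # expired, or a timestamp from the future
    expected = make_token(user_id, timestamp, password_hash, session_id, app_secret)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def demo():
    """Constructed sample values; returns which checks pass."""
    secret, session, pw_hash, t0 = "constructed-secret", "sess-1", "hash-old", 1_700_000_000
    tok = make_token(42, t0, pw_hash, session, secret)
    return {
        "good": check_token(tok, 42, t0, pw_hash, session, secret, now=t0 + 60),
        # presented after the 24h window
        "expired": check_token(tok, 42, t0, pw_hash, session, secret, now=t0 + TOKEN_TTL + 1),
        # token replayed from a different browser session
        "other_session": check_token(tok, 42, t0, pw_hash, "sess-2", secret, now=t0 + 60),
        # password already changed: the hashed-password input differs, so the token is spent
        "after_change": check_token(tok, 42, t0, "hash-new", session, secret, now=t0 + 60),
        # token presented for a different user id
        "wrong_user": check_token(tok, 43, t0, pw_hash, session, secret, now=t0 + 60),
    }
```

Only the "good" entry of `demo()` is True; the other four are rejected without any server-side state.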
Mads Kiilerich | b9c9216d6fa7 | 10 years ago

Mads Kiilerich | 2b1928873c0a | 10 years ago
users: cleanup of handling of the extern_type and extern_name fields in html forms
Note: There is controller support for editing extern_type and extern_name but no UI.

Mads Kiilerich | caaf0d07c168 | 10 years ago

Mads Kiilerich | fa8b8df51ad0 | 10 years ago
i18n: use plain strings on the english lookup side of translations
Unicode strings are unnecessarily complex and do not in any of our cases add any value. It is thus better to consistently use plain strings.

Mads Kiilerich | cd655fbd79ce | 10 years ago

Mads Kiilerich | fdf6df128d89 | 10 years ago
remote: simplify clone_uri UI
The UI was a bit weird ... probably in an attempt of making it editable while hiding passwords. Instead, just show the URL with password hidden, and only save it back if it changed.
The UI only contains the clone_uri with passwords hidden. It will thus only be saved when the form result is different from the value that was shown to the user.

Mads Kiilerich | 82faecc21324 | 10 years ago

Andrew Shadura | 1e079752b756 | 11 years ago
privacy: on password reset, don't tell strangers if email is valid or not
The password reset form might be used to check if users with specific email addresses have accounts in the system by requesting their password to be reset. It's probably not a good idea to give this sort of information to complete strangers.

Mads Kiilerich | afc5b51bba18 | 11 years ago

Thomas De Schampheleire | 494b04a84a49 | 11 years ago

Mads Kiilerich | d42d7b2a3b2f | 11 years ago

Mads Kiilerich | 2145dfdc3af3 | 11 years ago
pullrequests: make top pane one big form with one save button
This will temporarily break the PR update functionality.

Mads Kiilerich | c154dc461bd5 | 11 years ago

Na'Tosha Bard | 54df936a9bd3 | 11 years ago

Mads Kiilerich | c727f1365eab | 11 years ago
pull requests: use formencode.Set for initial reviewer list
This works with formencode 1.2.6 too.
This also makes it possible to have an empty initial reviewer list.

Mads Kiilerich | 65a964fc9053 | 12 years ago

Mads Kiilerich | 96bd919192b0 | 12 years ago

Mads Kiilerich | 6e65b53a03a7 | 12 years ago
pull requests: don't make reviewers mandatory
It will be hard to get a review approved without reviewers, but they can be added (or removed) later and there is no reason to fail because they are missing in the initial version.

Bradley M. Kuhn | f373f182b756 | 11 years ago

Bradley M. Kuhn | d1addaf7a91e | 11 years ago
Second step in two-part process to rename directories. This is the actual directory rename.