# HG changeset patch # User Søren Løvborg # Date 2016-07-28 13:57:16 # Node ID 09bcde0eee6d26b003d90f79e8f5aa3dee533ab6 # Parent 1952682be9f8b43b050744e9835fb3588cf940f0 auth: remove HasPermissionAll and variants First, find all calls to HasPermissionAll with only a single permission given, and convert to equivalent calls to HasPermissionAny. Next, observe that it's hard to envision situations requiring multiple permissions (of the same scope: global/repo/repo group) to be satisfied. Sufficiently hard that there are actually no such examples in the code. Finally, considering that (should it ever be needed) HasPermissionAll can be trivially built as a conjunction of HasPermissionAny calls (the decorators, too) with only a small performance impact, simply remove HasPermissionAll and related classes and functions. diff --git a/kallithea/controllers/admin/admin.py b/kallithea/controllers/admin/admin.py --- a/kallithea/controllers/admin/admin.py +++ b/kallithea/controllers/admin/admin.py @@ -36,7 +36,7 @@ from whoosh import query from sqlalchemy.sql.expression import or_, and_, func from kallithea.model.db import UserLog -from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator +from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator from kallithea.lib.base import BaseController, render from kallithea.lib.utils2 import safe_int, remove_prefix, remove_suffix from kallithea.lib.indexers import JOURNAL_SCHEMA @@ -123,7 +123,7 @@ class AdminController(BaseController): def __before__(self): super(AdminController, self).__before__() - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def index(self): users_log = UserLog.query() \ .options(joinedload(UserLog.user)) \ diff --git a/kallithea/controllers/admin/auth_settings.py b/kallithea/controllers/admin/auth_settings.py --- a/kallithea/controllers/admin/auth_settings.py +++ b/kallithea/controllers/admin/auth_settings.py 
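Review bot: `@HasPermissionAnyDecorator('hg.admin')` on `index` in kallithea/controllers/admin/admin.py matches the old check only while exactly one permission is passed; with the Any variant, a second permission added to this decorator later would widen access to the action instead of narrowing it. The same holds for every other `hg.admin` and `repository.admin` gate converted in this changeset. Since the All variants are removed, the combination rule should be documented where maintainers will look for it, for example by adding to the `HasPermissionAnyDecorator` docstring in kallithea/lib/auth.py the sentence `Permissions are OR-ed; to require several, stack one decorator per permission.` The body of `index` continues outside the hunk.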
@@ -34,7 +34,7 @@ from webob.exc import HTTPFound from kallithea.lib import helpers as h from kallithea.lib.compat import formatted_json from kallithea.lib.base import BaseController, render -from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator +from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator from kallithea.lib import auth_modules from kallithea.model.forms import AuthSettingsForm from kallithea.model.db import Setting @@ -46,7 +46,7 @@ log = logging.getLogger(__name__) class AuthSettingsController(BaseController): @LoginRequired() - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def __before__(self): super(AuthSettingsController, self).__before__() diff --git a/kallithea/controllers/admin/defaults.py b/kallithea/controllers/admin/defaults.py --- a/kallithea/controllers/admin/defaults.py +++ b/kallithea/controllers/admin/defaults.py @@ -35,7 +35,7 @@ from pylons.i18n.translation import _ from webob.exc import HTTPFound from kallithea.lib import helpers as h -from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator +from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator from kallithea.lib.base import BaseController, render from kallithea.model.forms import DefaultsForm from kallithea.model.meta import Session @@ -52,7 +52,7 @@ class DefaultsController(BaseController) # map.resource('default', 'defaults') @LoginRequired() - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def __before__(self): super(DefaultsController, self).__before__() diff --git a/kallithea/controllers/admin/permissions.py b/kallithea/controllers/admin/permissions.py --- a/kallithea/controllers/admin/permissions.py +++ b/kallithea/controllers/admin/permissions.py 
@@ -36,7 +36,7 @@ from pylons.i18n.translation import _ from webob.exc import HTTPFound from kallithea.lib import helpers as h -from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator +from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator from kallithea.lib.base import BaseController, render from kallithea.model.forms import DefaultPermissionsForm from kallithea.model.permission import PermissionModel @@ -53,7 +53,7 @@ class PermissionsController(BaseControll # map.resource('permission', 'permissions') @LoginRequired() - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def __before__(self): super(PermissionsController, self).__before__() diff --git a/kallithea/controllers/admin/repo_groups.py b/kallithea/controllers/admin/repo_groups.py --- a/kallithea/controllers/admin/repo_groups.py +++ b/kallithea/controllers/admin/repo_groups.py @@ -40,8 +40,8 @@ import kallithea from kallithea.lib import helpers as h from kallithea.lib.compat import json from kallithea.lib.auth import LoginRequired, \ - HasRepoGroupPermissionAnyDecorator, HasRepoGroupPermissionAll, \ - HasPermissionAll + HasRepoGroupPermissionAnyDecorator, HasRepoGroupPermissionAny, \ + HasPermissionAny from kallithea.lib.base import BaseController, render from kallithea.model.db import RepoGroup, Repository from kallithea.model.scm import RepoGroupList, AvailableRepoGroupChoices @@ -196,7 +196,7 @@ class RepoGroupsController(BaseControlle def new(self): """GET /repo_groups/new: Form to create a new item""" # url('new_repos_group') - if HasPermissionAll('hg.admin')('group create'): + if HasPermissionAny('hg.admin')('group create'): #we're global admin, we're ok and we can create TOP level groups pass else: 
@@ -205,7 +205,7 @@ class RepoGroupsController(BaseControlle group_id = safe_int(request.GET.get('parent_group')) group = RepoGroup.get(group_id) if group_id else None group_name = group.group_name if group else None - if HasRepoGroupPermissionAll('group.admin')(group_name, 'group create'): + if HasRepoGroupPermissionAny('group.admin')(group_name, 'group create'): pass else: raise HTTPForbidden() @@ -228,7 +228,7 @@ class RepoGroupsController(BaseControlle exclude=[c.repo_group]) # TODO: kill allow_empty_group - it is only used for redundant form validation! - if HasPermissionAll('hg.admin')('group edit'): + if HasPermissionAny('hg.admin')('group edit'): #we're global admin, we're ok and we can create TOP level groups allow_empty_group = True elif not c.repo_group.parent_group: diff --git a/kallithea/controllers/admin/repos.py b/kallithea/controllers/admin/repos.py --- a/kallithea/controllers/admin/repos.py +++ b/kallithea/controllers/admin/repos.py @@ -36,8 +36,7 @@ from webob.exc import HTTPFound, HTTPInt from kallithea.lib import helpers as h from kallithea.lib.auth import LoginRequired, \ - HasRepoPermissionAllDecorator, NotAnonymous, HasPermissionAny, \ - HasRepoPermissionAnyDecorator + HasRepoPermissionAnyDecorator, NotAnonymous, HasPermissionAny from kallithea.lib.base import BaseRepoController, render from kallithea.lib.utils import action_logger, jsonify from kallithea.lib.vcs import RepositoryError @@ -226,7 +225,7 @@ class ReposController(BaseRepoController return {'result': True} return {'result': False} - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def update(self, repo_name): """ PUT /repos/repo_name: Update an existing item""" 
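Review bot: In `new` (kallithea/controllers/admin/repo_groups.py), `HasRepoGroupPermissionAny('group.admin')(group_name, 'group create')` is reached with `group_name` set to `None` whenever `parent_group` is absent or does not resolve to a group, so the non-admin path depends on the Any check failing closed for a missing key. The removed `HasRepoGroupPermissionAll` returned False on `KeyError`; the body of `HasRepoGroupPermissionAny.check_permissions` is not visible in this changeset, so the same behaviour is presumed rather than shown. A test that a user without `hg.admin` gets `HTTPForbidden` from `new` when no `parent_group` is given would pin it, and the guard reads more directly as `if not HasRepoGroupPermissionAny('group.admin')(group_name, 'group create'): raise HTTPForbidden()`. The start of `new` is in the previous hunk.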
@@ -283,7 +282,7 @@ class ReposController(BaseRepoController % repo_name, category='error') raise HTTPFound(location=url('edit_repo', repo_name=changed_name)) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def delete(self, repo_name): """ DELETE /repos/repo_name: Delete an existing item""" @@ -329,7 +328,7 @@ class ReposController(BaseRepoController raise HTTPFound(location=url('repos_group_home', group_name=repo.group.group_name)) raise HTTPFound(location=url('repos')) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) @@ -345,7 +344,7 @@ class ReposController(BaseRepoController encoding="UTF-8", force_defaults=False) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_permissions(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) @@ -398,7 +397,7 @@ class ReposController(BaseRepoController category='error') raise HTTPInternalServerError() - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_fields(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) @@ -411,7 +410,7 @@ class ReposController(BaseRepoController raise HTTPFound(location=url('repo_edit_fields')) return render('admin/repos/repo_edit.html') - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def create_repo_field(self, repo_name): try: form_result = RepoFieldForm()().to_python(dict(request.POST)) 
@@ -432,7 +431,7 @@ class ReposController(BaseRepoController h.flash(msg, category='error') raise HTTPFound(location=url('edit_repo_fields', repo_name=repo_name)) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def delete_repo_field(self, repo_name, field_id): field = RepositoryField.get_or_404(field_id) try: @@ -444,7 +443,7 @@ class ReposController(BaseRepoController h.flash(msg, category='error') raise HTTPFound(location=url('edit_repo_fields', repo_name=repo_name)) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_advanced(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) @@ -474,7 +473,7 @@ class ReposController(BaseRepoController encoding="UTF-8", force_defaults=False) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_advanced_journal(self, repo_name): """ Sets this repository to be visible in public journal, @@ -497,7 +496,7 @@ class ReposController(BaseRepoController raise HTTPFound(location=url('edit_repo_advanced', repo_name=repo_name)) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_advanced_fork(self, repo_name): """ Mark given repository as a fork of another @@ -522,7 +521,7 @@ class ReposController(BaseRepoController raise HTTPFound(location=url('edit_repo_advanced', repo_name=repo_name)) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_advanced_locking(self, repo_name): """ Unlock repository when it is locked ! 
@@ -568,7 +567,7 @@ class ReposController(BaseRepoController category='error') raise HTTPFound(location=url('summary_home', repo_name=repo_name)) - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_caches(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) @@ -588,7 +587,7 @@ class ReposController(BaseRepoController raise HTTPFound(location=url('edit_repo_caches', repo_name=c.repo_name)) return render('admin/repos/repo_edit.html') - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_remote(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) @@ -605,7 +604,7 @@ class ReposController(BaseRepoController raise HTTPFound(location=url('edit_repo_remote', repo_name=c.repo_name)) return render('admin/repos/repo_edit.html') - @HasRepoPermissionAllDecorator('repository.admin') + @HasRepoPermissionAnyDecorator('repository.admin') def edit_statistics(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) diff --git a/kallithea/controllers/admin/settings.py b/kallithea/controllers/admin/settings.py --- a/kallithea/controllers/admin/settings.py +++ b/kallithea/controllers/admin/settings.py @@ -35,7 +35,7 @@ from pylons.i18n.translation import _ from webob.exc import HTTPFound from kallithea.lib import helpers as h -from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator +from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator from kallithea.lib.base import BaseController, render from kallithea.lib.celerylib import tasks, run_task from kallithea.lib.exceptions import HgsubversionImportError 
@@ -82,7 +82,7 @@ class SettingsController(BaseController) settings[k] = v return settings - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_vcs(self): """GET /admin/settings: All items in the collection""" # url('admin_settings') @@ -160,7 +160,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_mapping(self): """GET /admin/settings/mapping: All items in the collection""" # url('admin_settings_mapping') @@ -200,7 +200,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_global(self): """GET /admin/settings/global: All items in the collection""" # url('admin_settings_global') @@ -260,7 +260,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_visual(self): """GET /admin/settings/visual: All items in the collection""" # url('admin_settings_visual') @@ -318,7 +318,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_email(self): """GET /admin/settings/email: All items in the collection""" # url('admin_settings_email') @@ -359,7 +359,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_hooks(self): """GET /admin/settings/hooks: All items in the collection""" # url('admin_settings_hooks') 
@@ -410,7 +410,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_search(self): """GET /admin/settings/search: All items in the collection""" # url('admin_settings_search') @@ -431,7 +431,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_system(self): """GET /admin/settings/system: All items in the collection""" # url('admin_settings_system') @@ -453,7 +453,7 @@ class SettingsController(BaseController) encoding="UTF-8", force_defaults=False) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def settings_system_update(self): """GET /admin/settings/system/updates: All items in the collection""" # url('admin_settings_system_update') diff --git a/kallithea/controllers/admin/users.py b/kallithea/controllers/admin/users.py --- a/kallithea/controllers/admin/users.py +++ b/kallithea/controllers/admin/users.py @@ -39,7 +39,7 @@ import kallithea from kallithea.lib.exceptions import DefaultUserException, \ UserOwnsReposException, UserCreationError from kallithea.lib import helpers as h -from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator, \ +from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator, \ AuthUser from kallithea.lib import auth_modules from kallithea.lib.auth_modules import auth_internal @@ -61,7 +61,7 @@ class UsersController(BaseController): """REST Controller styled on the Atom Publishing Protocol""" @LoginRequired() - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def __before__(self): super(UsersController, self).__before__() c.available_permissions = config['available_permissions'] diff --git a/kallithea/controllers/api/api.py b/kallithea/controllers/api/api.py --- a/kallithea/controllers/api/api.py 
+++ b/kallithea/controllers/api/api.py @@ -33,7 +33,7 @@ from sqlalchemy import or_ from kallithea import EXTERN_TYPE_INTERNAL from kallithea.controllers.api import JSONRPCController, JSONRPCError from kallithea.lib.auth import ( - PasswordGenerator, AuthUser, HasPermissionAllDecorator, + PasswordGenerator, AuthUser, HasPermissionAnyDecorator, HasPermissionAnyDecorator, HasPermissionAnyApi, HasRepoPermissionAnyApi, HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAny) from kallithea.lib.utils import map_groups, repo2db_mapper @@ -159,11 +159,11 @@ class ApiController(JSONRPCController): """ - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def test(self, apiuser, args): return args - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def pull(self, apiuser, repoid): """ Triggers a pull from remote location on given repo. Can be used to @@ -209,7 +209,7 @@ class ApiController(JSONRPCController): 'Unable to pull changes from `%s`' % repo.repo_name ) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def rescan_repos(self, apiuser, remove_obsolete=Optional(False)): """ Triggers rescan repositories action. If remove_obsolete is set @@ -470,7 +470,7 @@ class ApiController(JSONRPCController): return ret - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def get_ip(self, apiuser, userid=Optional(OAttr('apiuser'))): """ Shows IP address as seen from Kallithea server, together with all @@ -511,7 +511,7 @@ class ApiController(JSONRPCController): # alias for old show_ip = get_ip - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def get_server_info(self, apiuser): """ return server info, including Kallithea version and installed packages 
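Review bot: The import list in kallithea/controllers/api/api.py now names `HasPermissionAnyDecorator` twice, because the replaced `HasPermissionAllDecorator` sat next to an existing `HasPermissionAnyDecorator`. The import hunk in kallithea/model/scm.py has the same leftover, ending in `HasPermissionAny, HasPermissionAny`. Both are harmless at runtime, but in a changeset whose purpose is to simplify the permission API the second occurrence of each name should be dropped so the import lists show exactly which checks the module relies on.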
@@ -592,7 +592,7 @@ class ApiController(JSONRPCController): data['permissions'] = AuthUser(user_id=user.user_id).permissions return data - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def get_users(self, apiuser): """ Lists all existing users. This command can be executed only using api_key @@ -616,7 +616,7 @@ class ApiController(JSONRPCController): result.append(user.get_api_data()) return result - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def create_user(self, apiuser, username, email, password=Optional(''), firstname=Optional(''), lastname=Optional(''), active=Optional(True), admin=Optional(False), @@ -702,7 +702,7 @@ class ApiController(JSONRPCController): log.error(traceback.format_exc()) raise JSONRPCError('failed to create user `%s`' % (username,)) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def update_user(self, apiuser, userid, username=Optional(None), email=Optional(None), password=Optional(None), firstname=Optional(None), lastname=Optional(None), @@ -785,7 +785,7 @@ class ApiController(JSONRPCController): log.error(traceback.format_exc()) raise JSONRPCError('failed to update user `%s`' % (userid,)) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def delete_user(self, apiuser, userid): """ deletes given user if such user exists. This command can @@ -1767,7 +1767,7 @@ class ApiController(JSONRPCController): 'failed to delete repository `%s`' % (repo.repo_name,) ) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def grant_user_permission(self, apiuser, repoid, userid, perm): """ Grant permission for user on given repository, or update existing one 
@@ -1814,7 +1814,7 @@ class ApiController(JSONRPCController): ) ) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def revoke_user_permission(self, apiuser, repoid, userid): """ Revoke permission for user on given repository. This command can be executed @@ -1985,7 +1985,7 @@ class ApiController(JSONRPCController): ) ) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def get_repo_group(self, apiuser, repogroupid): """ Returns given repo group together with permissions, and repositories @@ -2023,7 +2023,7 @@ class ApiController(JSONRPCController): data["members"] = members return data - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def get_repo_groups(self, apiuser): """ Returns all repository groups @@ -2036,7 +2036,7 @@ class ApiController(JSONRPCController): result.append(repo_group.get_api_data()) return result - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def create_repo_group(self, apiuser, group_name, description=Optional(''), owner=Optional(OAttr('apiuser')), parent=Optional(None), @@ -2105,7 +2105,7 @@ class ApiController(JSONRPCController): log.error(traceback.format_exc()) raise JSONRPCError('failed to create repo group `%s`' % (group_name,)) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def update_repo_group(self, apiuser, repogroupid, group_name=Optional(''), description=Optional(''), owner=Optional(OAttr('apiuser')), @@ -2131,7 +2131,7 @@ class ApiController(JSONRPCController): raise JSONRPCError('failed to update repository group `%s`' % (repogroupid,)) - @HasPermissionAllDecorator('hg.admin') + @HasPermissionAnyDecorator('hg.admin') def delete_repo_group(self, apiuser, repogroupid): """ diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py --- a/kallithea/lib/auth.py +++ b/kallithea/lib/auth.py 
@@ -859,18 +859,6 @@ class PermsDecorator(object): raise Exception('You have to write this function in child class') -class HasPermissionAllDecorator(PermsDecorator): - """ - Checks for access permission for all given predicates. All of them - have to be meet in order to fulfill the request - """ - - def check_permissions(self): - if self.required_perms.issubset(self.user_perms.get('global')): - return True - return False - - class HasPermissionAnyDecorator(PermsDecorator): """ Checks for access permission for any of given predicates. In order to @@ -883,23 +871,6 @@ class HasPermissionAnyDecorator(PermsDec return False -class HasRepoPermissionAllDecorator(PermsDecorator): - """ - Checks for access permission for all given predicates for specific - repository. All of them have to be meet in order to fulfill the request - """ - - def check_permissions(self): - repo_name = get_repo_slug(request) - try: - user_perms = set([self.user_perms['repositories'][repo_name]]) - except KeyError: - return False - if self.required_perms.issubset(user_perms): - return True - return False - - class HasRepoPermissionAnyDecorator(PermsDecorator): """ Checks for access permission for any of given predicates for specific @@ -918,24 +889,6 @@ class HasRepoPermissionAnyDecorator(Perm return False -class HasRepoGroupPermissionAllDecorator(PermsDecorator): - """ - Checks for access permission for all given predicates for specific - repository group. All of them have to be meet in order to fulfill the request - """ - - def check_permissions(self): - group_name = get_repo_group_slug(request) - try: - user_perms = set([self.user_perms['repositories_groups'][group_name]]) - except KeyError: - return False - - if self.required_perms.issubset(user_perms): - return True - return False - - class HasRepoGroupPermissionAnyDecorator(PermsDecorator): """ Checks for access permission for any of given predicates for specific 
@@ -954,24 +907,6 @@ class HasRepoGroupPermissionAnyDecorator return False -class HasUserGroupPermissionAllDecorator(PermsDecorator): - """ - Checks for access permission for all given predicates for specific - user group. All of them have to be meet in order to fulfill the request - """ - - def check_permissions(self): - group_name = get_user_group_slug(request) - try: - user_perms = set([self.user_perms['user_groups'][group_name]]) - except KeyError: - return False - - if self.required_perms.issubset(user_perms): - return True - return False - - class HasUserGroupPermissionAnyDecorator(PermsDecorator): """ Checks for access permission for any of given predicates for specific @@ -1020,11 +955,8 @@ class PermsFunction(object): cls_name = self.__class__.__name__ check_scope = { - 'HasPermissionAll': '', 'HasPermissionAny': '', - 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, - 'HasRepoGroupPermissionAll': 'group:%s' % self.group_name, 'HasRepoGroupPermissionAny': 'group:%s' % self.group_name, }.get(cls_name, '?') log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, @@ -1051,13 +983,6 @@ class PermsFunction(object): raise Exception('You have to write this function in child class') -class HasPermissionAll(PermsFunction): - def check_permissions(self): - if self.required_perms.issubset(self.user_perms.get('global')): - return True - return False - - class HasPermissionAny(PermsFunction): def check_permissions(self): if self.required_perms.intersection(self.user_perms.get('global')): 
@@ -1065,26 +990,6 @@ class HasPermissionAny(PermsFunction): return False -class HasRepoPermissionAll(PermsFunction): - def __call__(self, repo_name=None, check_location='', user=None): - self.repo_name = repo_name - return super(HasRepoPermissionAll, self).__call__(check_location, user) - - def check_permissions(self): - if not self.repo_name: - self.repo_name = get_repo_slug(request) - - try: - self._user_perms = set( - [self.user_perms['repositories'][self.repo_name]] - ) - except KeyError: - return False - if self.required_perms.issubset(self._user_perms): - return True - return False - - class HasRepoPermissionAny(PermsFunction): def __call__(self, repo_name=None, check_location='', user=None): self.repo_name = repo_name @@ -1122,23 +1027,6 @@ class HasRepoGroupPermissionAny(PermsFun return False -class HasRepoGroupPermissionAll(PermsFunction): - def __call__(self, group_name=None, check_location='', user=None): - self.group_name = group_name - return super(HasRepoGroupPermissionAll, self).__call__(check_location, user) - - def check_permissions(self): - try: - self._user_perms = set( - [self.user_perms['repositories_groups'][self.group_name]] - ) - except KeyError: - return False - if self.required_perms.issubset(self._user_perms): - return True - return False - - class HasUserGroupPermissionAny(PermsFunction): def __call__(self, user_group_name=None, check_location='', user=None): self.user_group_name = user_group_name 
@@ -1156,23 +1044,6 @@ class HasUserGroupPermissionAny(PermsFun return False -class HasUserGroupPermissionAll(PermsFunction): - def __call__(self, user_group_name=None, check_location='', user=None): - self.user_group_name = user_group_name - return super(HasUserGroupPermissionAll, self).__call__(check_location, user) - - def check_permissions(self): - try: - self._user_perms = set( - [self.user_perms['user_groups'][self.user_group_name]] - ) - except KeyError: - return False - if self.required_perms.issubset(self._user_perms): - return True - return False - - #============================================================================== # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH #============================================================================== @@ -1252,13 +1123,6 @@ class _BaseApiPerm(object): raise NotImplementedError() -class HasPermissionAllApi(_BaseApiPerm): - def check_permissions(self, perm_defs, repo_name=None, group_name=None): - if self.required_perms.issubset(perm_defs.get('global')): - return True - return False - - class HasPermissionAnyApi(_BaseApiPerm): def check_permissions(self, perm_defs, repo_name=None, group_name=None): if self.required_perms.intersection(perm_defs.get('global')): @@ -1266,18 +1130,6 @@ class HasPermissionAnyApi(_BaseApiPerm): return False -class HasRepoPermissionAllApi(_BaseApiPerm): - def check_permissions(self, perm_defs, repo_name=None, group_name=None): - try: - _user_perms = set([perm_defs['repositories'][repo_name]]) - except KeyError: - log.warning(traceback.format_exc()) - return False - if self.required_perms.issubset(_user_perms): - return True - return False - - class HasRepoPermissionAnyApi(_BaseApiPerm): def check_permissions(self, perm_defs, repo_name=None, group_name=None): try: 
@@ -1301,16 +1153,6 @@ class HasRepoGroupPermissionAnyApi(_Base return True return False -class HasRepoGroupPermissionAllApi(_BaseApiPerm): - def check_permissions(self, perm_defs, repo_name=None, group_name=None): - try: - _user_perms = set([perm_defs['repositories_groups'][group_name]]) - except KeyError: - log.warning(traceback.format_exc()) - return False - if self.required_perms.issubset(_user_perms): - return True - return False def check_ip_access(source_ip, allowed_ips=None): """ diff --git a/kallithea/lib/helpers.py b/kallithea/lib/helpers.py --- a/kallithea/lib/helpers.py +++ b/kallithea/lib/helpers.py @@ -835,9 +835,8 @@ def action_parser(user_log, feed=False, #============================================================================== # PERMS #============================================================================== -from kallithea.lib.auth import HasPermissionAny, HasPermissionAll, \ -HasRepoPermissionAny, HasRepoPermissionAll, HasRepoGroupPermissionAll, \ -HasRepoGroupPermissionAny +from kallithea.lib.auth import HasPermissionAny, \ + HasRepoPermissionAny, HasRepoGroupPermissionAny #============================================================================== diff --git a/kallithea/model/scm.py b/kallithea/model/scm.py --- a/kallithea/model/scm.py +++ b/kallithea/model/scm.py @@ -50,7 +50,7 @@ from kallithea.lib import helpers as h from kallithea.lib.utils2 import safe_str, safe_unicode, get_server_url, \ _set_extras from kallithea.lib.auth import HasRepoPermissionAny, HasRepoGroupPermissionAny, \ - HasUserGroupPermissionAny, HasPermissionAny, HasPermissionAll + HasUserGroupPermissionAny, HasPermissionAny, HasPermissionAny from kallithea.lib.utils import get_filesystem_repos, make_ui, \ action_logger from kallithea.model import BaseModel 
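Review bot: The PERMS import in kallithea/lib/helpers.py is what exposes these checks to templates as `h.<name>`, so dropping `HasPermissionAll`, `HasRepoPermissionAll` and `HasRepoGroupPermissionAll` here removes them from every template at once. This changeset updates the one use in kallithea/templates/base/base.html; whether other templates or local customisations still call one of the removed names cannot be seen from the diff, and such a call would presumably fail when the template is rendered rather than evaluate the permission. A repository-wide search for `PermissionAll` before merging would confirm that nothing is left.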
@@ -794,7 +794,7 @@ def AvailableRepoGroupChoices(top_perms, Top level is -1. """ groups = RepoGroup.query().all() - if HasPermissionAll('hg.admin')('available repo groups'): + if HasPermissionAny('hg.admin')('available repo groups'): groups.append(None) else: groups = list(RepoGroupList(groups, perm_set=repo_group_perms)) diff --git a/kallithea/templates/base/base.html b/kallithea/templates/base/base.html --- a/kallithea/templates/base/base.html +++ b/kallithea/templates/base/base.html @@ -138,13 +138,13 @@
  • - %if h.HasRepoPermissionAll('repository.admin')(c.repo_name): + %if h.HasRepoPermissionAny('repository.admin')(c.repo_name): ${_('Options')} %else: ${_('Options')} %endif