return redirect(url('edit_permission', id=id))

    def delete(self, id):

        """DELETE /permissions/id: Delete an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="DELETE" />

        # Or using helpers:

        #    h.form(url('permission', id=ID),

        #           method='delete')

        # url('permission', id=ID)

    def show(self, id, format='html'):

        """GET /permissions/id: Show a specific item"""

        # url('permission', id=ID)

    def edit(self, id, format='html'):

        """GET /permissions/id/edit: Form to edit an existing item"""

        #url('edit_permission', id=ID)

        c.perms_choices = self.perms_choices

        c.register_choices = self.register_choices

        c.create_choices = self.create_choices

        if id == 'default':

            defaults = {'_method': 'put',

                        'anonymous': default_user.active}

            for p in default_user.user_perms:

                if p.permission.permission_name.startswith('repository.'):

                    defaults['default_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.register.'):

                    defaults['default_register'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.create.'):

                    defaults['default_create'] = p.permission.permission_name

            return htmlfill.render(

                        render('admin/permissions/permissions.html'),

                        defaults=defaults,

                        encoding="UTF-8",

                        force_defaults=True,)

        else:

            return redirect(url('admin_home'))

        c.repo_groups = [('', '')]

        parents_link = lambda k: h.literal('»'.join(

                                    map(lambda k: k.group_name,

                                        k.parents + [k])

                                    )

                                )

        c.repo_groups.extend([(x.group_id, parents_link(x)) for \

                                            x in self.sa.query(Group).all()])

        c.repo_groups = sorted(c.repo_groups,

                               key=lambda t: t[1].split('»')[0])

        c.repo_groups_choices = map(lambda k: unicode(k[0]), c.repo_groups)

        c.users_array = repo_model.get_users_js()

        c.users_groups_array = repo_model.get_users_groups_js()

    def __load_data(self, repo_name=None):

        """

        Load defaults settings for edit, and update

        :param repo_name:

        """

        self.__load_defaults()

        repo = scm_repo = db_repo.scm_instance

        if c.repo_info is None:

            h.flash(_('%s repository is not mapped to db perhaps'

                      ' it was created or renamed from the filesystem'

                      ' please run the application again'

                      ' in order to rescan repositories') % repo_name,

                      category='error')

            return redirect(url('repos'))

        c.in_public_journal = self.sa.query(UserFollowing)\

            .filter(UserFollowing.user_id == c.default_user_id)\

            .filter(UserFollowing.follows_repository == c.repo_info).scalar()

        if c.repo_info.stats:

            last_rev = c.repo_info.stats.stat_on_revision

        else:

            last_rev = 0

        c.stats_revision = last_rev

        c.repo_last_rev = repo.count() - 1 if repo.revisions else 0

        if last_rev == 0 or c.repo_last_rev == 0:

            c.stats_percentage = 0

        else:

            c.stats_percentage = '%.2f' % ((float((last_rev)) /

                                            c.repo_last_rev) * 100)

        defaults = c.repo_info.get_dict()

        group, repo_name = c.repo_info.groups_and_repo

        defaults['repo_name'] = repo_name

        defaults['repo_group'] = getattr(group[-1] if group else None,

                                         'group_id', None)

        :param repo_name:

        """

        try:

            ScmModel().mark_for_invalidation(repo_name)

        except Exception, e:

            h.flash(_('An error occurred during cache invalidation'),

                    category='error')

        return redirect(url('edit_repo', repo_name=repo_name))

    @HasPermissionAllDecorator('hg.admin')

    def repo_public_journal(self, repo_name):

        """

        Set's this repository to be visible in public journal,

        in other words assing default user to follow this repo

        :param repo_name:

        """

        cur_token = request.POST.get('auth_token')

        token = get_token()

        if cur_token == token:

            try:

                self.scm_model.toggle_following_repo(repo_id, user_id)

                h.flash(_('Updated repository visibility in public journal'),

                        category='success')

            except:

                h.flash(_('An error occurred during setting this'

                          ' repository in public journal'),

                        category='error')

        else:

            h.flash(_('Token mismatch'), category='error')

        return redirect(url('edit_repo', repo_name=repo_name))

    @HasPermissionAllDecorator('hg.admin')

    def repo_pull(self, repo_name):

        """

        Runs task to update given repository with remote changes,

        ie. make pull on remote location

        :param repo_name:

        """

        try:

            ScmModel().pull_changes(repo_name, self.rhodecode_user.username)

            h.flash(_('Pulled from remote location'), category='success')

        except Exception, e:

log = logging.getLogger(__name__)

class LoginController(BaseController):

    def __before__(self):

        super(LoginController, self).__before__()

    def index(self):

        #redirect if already logged in

        c.came_from = request.GET.get('came_from', None)

        if self.rhodecode_user.is_authenticated \

                            and self.rhodecode_user.username != 'default':

            return redirect(url('home'))

        if request.POST:

            #import Login Form validator class

            login_form = LoginForm()

            try:

                c.form_result = login_form.to_python(dict(request.POST))

                #form checks for username/password, now we're authenticated

                username = c.form_result['username']

                auth_user = AuthUser(user.user_id)

                auth_user.set_authenticated()

                session['rhodecode_user'] = auth_user

                session.save()

                log.info('user %s is now authenticated and stored in session',

                         username)

                user.update_lastlogin()

                if c.came_from:

                    return redirect(c.came_from)

                else:

                    return redirect(url('home'))

            except formencode.Invalid, errors:

                return htmlfill.render(

                    render('/login.html'),

                    defaults=errors.value,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8")

        return render('/login.html')

    @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',

                               'hg.register.manual_activate')

    def register(self):

        user_model = UserModel()

        c.auto_active = False

            if perm.permission.permission_name == 'hg.register.auto_activate':

                c.auto_active = True

                break

        if request.POST:

            register_form = RegisterForm()()

            try:

                form_result = register_form.to_python(dict(request.POST))

                form_result['active'] = c.auto_active

                user_model.create_registration(form_result)

                h.flash(_('You have successfully registered into rhodecode'),

                            category='success')

                return redirect(url('login_home'))

            except formencode.Invalid, errors:

                return htmlfill.render(

                    render('/register.html'),

                    defaults=errors.value,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8")

        return render('/register.html')

import traceback

import hashlib

from tempfile import _RandomNameSequence

from decorator import decorator

from pylons import config, session, url, request

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode import __platform__, PLATFORM_WIN, PLATFORM_OTHERS

if __platform__ in PLATFORM_WIN:

    from hashlib import sha256

if __platform__ in PLATFORM_OTHERS:

    import bcrypt

from rhodecode.lib import str2bool, safe_unicode

from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError

from rhodecode.lib.utils import get_repo_slug

from rhodecode.lib.auth_ldap import AuthLdap

from rhodecode.model import meta

from rhodecode.model.user import UserModel

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """This is a simple class for generating password from

        different sets of characters

        usage:

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

        print passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(username + salt).hexdigest()

def authfunc(environ, username, password):

    """Dummy authentication function used in Mercurial/Git/ and access control,

    :param environ: needed only for using in Basic auth

    """

    return authenticate(username, password)

def authenticate(username, password):

    """Authentication function used for access control,

    firstly checks for db authentication then if ldap is enabled for ldap

    authentication, also creates ldap user if not in database

    :param username: username

    :param password: password

    """

    user_model = UserModel()

    log.debug('Authenticating user using RhodeCode account')

    if user is not None and not user.ldap_dn:

        if user.active:

            if user.username == 'default' and user.active:

                log.info('user %s authenticated correctly as anonymous user',

                         username)

                return True

            elif user.username == username and check_password(password,

                                                              user.password):

                log.info('user %s authenticated correctly', username)

                return True

        else:

            log.warning('user %s is disabled', username)

    else:

        log.debug('Regular authentication failed')

        if user_obj is not None and not user_obj.ldap_dn:

            log.debug('this user already exists as non ldap')

            return False

        ldap_settings = RhodeCodeSettings.get_ldap_settings()

        #======================================================================

        # FALLBACK TO LDAP AUTH IF ENABLE

        #======================================================================

        if str2bool(ldap_settings.get('ldap_active')):

            log.debug("Authenticating user using ldap")

            kwargs = {

                  'server': ldap_settings.get('ldap_host', ''),

                  'base_dn': ldap_settings.get('ldap_base_dn', ''),

                  'port': ldap_settings.get('ldap_port'),

                  'bind_dn': ldap_settings.get('ldap_dn_user'),

                  'bind_pass': ldap_settings.get('ldap_dn_pass'),

                  'tls_kind': ldap_settings.get('ldap_tls_kind'),

                  'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),

                  'ldap_filter': ldap_settings.get('ldap_filter'),

                  'search_scope': ldap_settings.get('ldap_search_scope'),

                  'attr_login': ldap_settings.get('ldap_attr_login'),

                  'ldap_version': 3,

                  }

    It does lookup based on API key,given user, or user present in session

    Then it fills all required information for such user. It also checks if

    anonymous access is enabled and if so, it returns default user as logged

    in

    """

    def __init__(self, user_id=None, api_key=None):

        self.user_id = user_id

        self.api_key = None

        self.username = 'None'

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.is_authenticated = False

        self.admin = False

        self.permissions = {}

        self._api_key = api_key

        self.propagate_data()

    def propagate_data(self):

        user_model = UserModel()

        if self._api_key and self._api_key != self.anonymous_user.api_key:

            #try go get user by api key

            log.debug('Auth User lookup by API KEY %s', self._api_key)

            user_model.fill_data(self, api_key=self._api_key)

        else:

            log.debug('Auth User lookup by USER ID %s', self.user_id)

            if self.user_id is not None \

                and self.user_id != self.anonymous_user.user_id:

                user_model.fill_data(self, user_id=self.user_id)

            else:

                if self.anonymous_user.active is True:

                    user_model.fill_data(self,

                                         user_id=self.anonymous_user.user_id)

                    #then we set this user is logged in

                    self.is_authenticated = True

                else:

                    self.is_authenticated = False

        log.debug('Auth User is now %s', self)

        user_model.fill_perms(self)

    @property

    def is_admin(self):

        return self.admin

            self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key)

            self.rhodecode_user.set_authenticated(

                                        getattr(session.get('rhodecode_user'),

                                       'is_authenticated', False))

            session['rhodecode_user'] = self.rhodecode_user

            session.save()

            return WSGIController.__call__(self, environ, start_response)

        finally:

            meta.Session.remove()

class BaseRepoController(BaseController):

    """

    Base class for controllers responsible for loading all needed data

    for those controllers, loaded items are

    c.rhodecode_repo: instance of scm repository (taken from cache)

    """

    def __before__(self):

        super(BaseRepoController, self).__before__()

        if c.repo_name:

            c.rhodecode_repo = c.rhodecode_db_repo.scm_instance

            if c.rhodecode_repo is None:

                log.error('%s this repository is present in database but it '

                          'cannot be created as an scm instance', c.repo_name)

                redirect(url('home'))

            c.repository_followers = \

                self.scm_model.get_followers(c.repo_name)

            c.repository_forks = self.scm_model.get_forks(c.repo_name)

                                              'repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        return True

    def __get_repository(self, environ):

        """

        Get's repository name out of PATH_INFO header

        :param environ: environ where PATH_INFO is stored

        """

        try:

            repo_name = '/'.join(environ['PATH_INFO'].split('/')[1:])

            if repo_name.endswith('/'):

                repo_name = repo_name.rstrip('/')

        except:

            log.error(traceback.format_exc())

            raise

        repo_name = repo_name.split('/')[0]

        return repo_name

    def __get_user(self, username):

    def __get_action(self, environ):

        """Maps git request commands into a pull or push command.

        :param environ:

        """

        service = environ['QUERY_STRING'].split('=')

        if len(service) > 1:

            service_cmd = service[1]

            mapping = {'git-receive-pack': 'push',

                       'git-upload-pack': 'pull',

                       }

            return mapping.get(service_cmd,

                               service_cmd if service_cmd else 'other')

        else:

            return 'other'

    def __invalidate_cache(self, repo_name):

        """we know that some change was made to repositories and we should

        invalidate the cache to see the changes right away but only for

        push requests"""

        invalidate_cache('get_repo_cached_%s' % repo_name)

                                              'repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        return True

    def __get_repository(self, environ):

        """

        Get's repository name out of PATH_INFO header

        :param environ: environ where PATH_INFO is stored

        """

        try:

            repo_name = '/'.join(environ['PATH_INFO'].split('/')[1:])

            if repo_name.endswith('/'):

                repo_name = repo_name.rstrip('/')

        except:

            log.error(traceback.format_exc())

            raise

        return repo_name

    def __get_user(self, username):

    def __get_action(self, environ):

        """

        Maps mercurial request commands into a clone,pull or push command.

        This should always return a valid command string

        :param environ:

        """

        mapping = {'changegroup': 'pull',

                   'changegroupsubset': 'pull',

                   'stream_out': 'pull',

                   'listkeys': 'pull',

                   'unbundle': 'push',

                   'pushkey': 'push', }

        for qry in environ['QUERY_STRING'].split('&'):

            if qry.startswith('cmd'):

                cmd = qry.split('=')[-1]

                if cmd in mapping:

                    return mapping[cmd]

                else:

                    return 'pull'

    def __invalidate_cache(self, repo_name):

        """we know that some change was made to repositories and we should

def action_logger(user, action, repo, ipaddr='', sa=None):

    """

    Action logger for various actions made by users

    :param user: user that made this action, can be a unique username string or

        object containing user_id attribute

    :param action: action to log, should be on of predefined unique actions for

        easy translations

    :param repo: string name of repository or object containing repo_id,

        that action was made on

    :param ipaddr: optional ip address from what the action was made

    :param sa: optional sqlalchemy session

    """

    if not sa:

        sa = meta.Session()

    try:

        if hasattr(user, 'user_id'):

            user_obj = user

        elif isinstance(user, basestring):

        else:

            raise Exception('You have to provide user object or username')

        rm = RepoModel()

        if hasattr(repo, 'repo_id'):

            repo_obj = rm.get(repo.repo_id, cache=False)

            repo_name = repo_obj.repo_name

        elif  isinstance(repo, basestring):

            repo_name = repo.lstrip('/')

            repo_obj = rm.get_by_repo_name(repo_name, cache=False)

        else:

            raise Exception('You have to provide repository to action logger')

        user_log = UserLog()

        user_log.user_id = user_obj.user_id

        user_log.action = action

        user_log.repository_id = repo_obj.repo_id

        user_log.repository_name = repo_name

        user_log.action_date = datetime.datetime.now()

        user_log.user_ip = ipaddr

        sa.add(user_log)

        sa.commit()

    repo_to_perm = relationship('RepoToPerm', primaryjoin='RepoToPerm.user_id==User.user_id', cascade='all')

    group_member = relationship('UsersGroupMember', cascade='all')

    @property

    def full_contact(self):

        return '%s %s <%s>' % (self.name, self.lastname, self.email)

    @property

    def short_contact(self):

        return '%s %s' % (self.name, self.lastname)

    @property

    def is_admin(self):

        return self.admin

    def __repr__(self):

        try:

            return "<%s('id:%s:%s')>" % (self.__class__.__name__,

                                             self.user_id, self.username)

        except:

            return self.__class__.__name__

    @classmethod

        if case_insensitive:

        else:

    @classmethod

    def get_by_api_key(cls, api_key):

        return Session.query(cls).filter(cls.api_key == api_key).one()

    def update_lastlogin(self):

        """Update user lastlogin"""

        self.last_login = datetime.datetime.now()

        Session.add(self)

        Session.commit()

        log.debug('updated user %s lastlogin', self.username)

    @classmethod

    def create(cls, form_data):

        from rhodecode.lib.auth import get_crypt_password

        try:

            new_user = cls()

            for k, v in form_data.items():

                if k == 'password':

                    v = get_crypt_password(v)

                setattr(new_user, k, v)

            new_user.api_key = generate_api_key(form_data['username'])

            Session.add(new_user)

            Session.commit()

            return new_user

        except:

    enable_downloads = Column("downloads", Boolean(), nullable=True, unique=None, default=True)

    description = Column("description", String(length=10000, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    created_on = Column('created_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)

    fork_id = Column("fork_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=False, default=None)

    group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=False, default=None)

    user = relationship('User')

    fork = relationship('Repository', remote_side=repo_id)

    group = relationship('Group')

    repo_to_perm = relationship('RepoToPerm', cascade='all', order_by='RepoToPerm.repo_to_perm_id')

    users_group_to_perm = relationship('UsersGroupRepoToPerm', cascade='all')

    stats = relationship('Statistics', cascade='all', uselist=False)

    followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id', cascade='all')

    logs = relationship('UserLog', cascade='all')

    def __repr__(self):

        return "<%s('%s:%s')>" % (self.__class__.__name__,

                                  self.repo_id, self.repo_name)

    @classmethod

        q = Session.query(cls).filter(cls.repo_name == repo_name)

        q = q.options(joinedload(Repository.fork))\

            .options(joinedload(Repository.user))\

            .options(joinedload(Repository.group))\

        return q.one()

    @classmethod

    def get_repo_forks(cls, repo_id):

        return Session.query(cls).filter(Repository.fork_id == repo_id)

    @classmethod

    def base_path(cls):

        """

        Returns base path when all repos are stored

        :param cls:

        """

        q = Session.query(RhodeCodeUi).filter(RhodeCodeUi.ui_key == '/')

        q.options(FromCache("sql_cache_short", "repository_repo_path"))

        return q.one().ui_value

    @property

#==============================================================================

# VALIDATORS

#==============================================================================

class ValidAuthToken(formencode.validators.FancyValidator):

    messages = {'invalid_token':_('Token mismatch')}

    def validate_python(self, value, state):

        if value != authentication_token():

            raise formencode.Invalid(self.message('invalid_token', state,

                                            search_number=value), value, state)

def ValidUsername(edit, old_data):

    class _ValidUsername(formencode.validators.FancyValidator):

        def validate_python(self, value, state):

            if value in ['default', 'new_user']:

                raise formencode.Invalid(_('Invalid username'), value, state)

            #check if user is unique

            old_un = None

            if edit:

                old_un = UserModel().get(old_data.get('user_id')).username

            if old_un != value or not edit:

                    raise formencode.Invalid(_('This username already '

                                               'exists') , value, state)

            if re.match(r'^[a-zA-Z0-9]{1}[a-zA-Z0-9\-\_\.]+$', value) is None:

                raise formencode.Invalid(_('Username may only contain '

                                           'alphanumeric characters '

                                           'underscores, periods or dashes '

                                           'and must begin with alphanumeric '

                                           'character'), value, state)

    return _ValidUsername

def ValidUsersGroup(edit, old_data):

    class _ValidUsersGroup(formencode.validators.FancyValidator):

        def validate_python(self, value, state):

            if value in ['default']:

                raise formencode.Invalid(_('Invalid group name'), value, state)

            #check if group is unique

            old_ugname = None

            if edit:

                old_ugname = UsersGroup.get(

class ValidPasswordsMatch(formencode.validators.FancyValidator):

    def validate_python(self, value, state):

        if value['password'] != value['password_confirmation']:

            e_dict = {'password_confirmation':

                   _('Passwords do not match')}

            raise formencode.Invalid('', value, state, error_dict=e_dict)

class ValidAuth(formencode.validators.FancyValidator):

    messages = {

            'invalid_password':_('invalid password'),

            'invalid_login':_('invalid user name'),

            'disabled_account':_('Your account is disabled')

            }

    #error mapping

    e_dict = {'username':messages['invalid_login'],

              'password':messages['invalid_password']}

    e_dict_disable = {'username':messages['disabled_account']}

    def validate_python(self, value, state):

        password = value['password']

        username = value['username']

        if authenticate(username, password):

            return value

        else:

            if user and user.active is False:

                log.warning('user %s is disabled', username)

                raise formencode.Invalid(self.message('disabled_account',

                                         state=State_obj),

                                         value, state,

                                         error_dict=self.e_dict_disable)

            else:

                log.warning('user %s not authenticated', username)

                raise formencode.Invalid(self.message('invalid_password',

                                         state=State_obj), value, state,

                                         error_dict=self.e_dict)

class ValidRepoUser(formencode.validators.FancyValidator):

    def to_python(self, value, state):

        try:

            User.query().filter(User.active == True)\

                .filter(User.username == value).one()

        except Exception:

            raise formencode.Invalid(_('This username is not valid'),

                                                    u.lastname, u.username)

                                        for u in users])

        return users_array