'repository.admin')(authuser,

                                                                  repo_name):

                return False

        else:

            #any other action need at least read permission

            if not HasPermissionAnyMiddleware('repository.read',

                                              'repository.write',

                                              'repository.admin')(authuser,

                                                                  repo_name):

                return False

        return True

    def _get_ip_addr(self, environ):

        return _get_ip_addr(environ)

    def __call__(self, environ, start_response):

        start = time.time()

        try:

            parsed_request = self.parse_request(environ)

            if parsed_request is None:

                return self.application(environ, start_response)

            return self._handle_request(parsed_request, environ, start_response)

        finally:

            log = logging.getLogger('kallithea.' + self.__class__.__name__)

            log.debug('Request time: %.3fs', time.time() - start)

            meta.Session.remove()

class BaseController(TGController):

    def _before(self, *args, **kwargs):

        """

        _before is called before controller methods and after __call__

        """

        if request.needs_csrf_check:

            # CSRF protection: Whenever a request has ambient authority (whether

            # through a session cookie or its origin IP address), it must include

            # the correct token, unless the HTTP method is GET or HEAD (and thus

            # guaranteed to be side effect free. In practice, the only situation

            # where we allow side effects without ambient authority is when the

            # authority comes from an API key; and that is handled above.

            token = request.POST.get(secure_form.token_key)

            if not token or token != secure_form.authentication_token():

                log.error('CSRF check failed')

                raise webob.exc.HTTPForbidden()

class SimpleGit(BaseVCSController):

    @classmethod

    def parse_request(cls, environ):

        path_info = environ.get('PATH_INFO', '')

        m = GIT_PROTO_PAT.match(path_info)

        if m is None:

            return None

        class parsed_request(object):

            repo_name = safe_unicode(m.group(1).rstrip('/'))

            cmd = m.group(2)

        return parsed_request

    def _handle_request(self, parsed_request, environ, start_response):

        ip_addr = self._get_ip_addr(environ)

        # skip passing error to error controller

        environ['pylons.status_code_redirect'] = True

        # quick check if repo exists...

        if not is_valid_repo(parsed_request.repo_name, self.basepath, 'git'):

        #======================================================================

        # GET ACTION PULL or PUSH

        #======================================================================

        action = self.__get_action(environ)

        #======================================================================

        # CHECK PERMISSIONS

        #======================================================================

        user, response_app = self._authorize(environ, start_response, action, parsed_request.repo_name, ip_addr)

        if response_app is not None:

            return response_app(environ, start_response)

        # extras are injected into Mercurial UI object and later available

        # in hooks executed by Kallithea

        from kallithea import CONFIG

        server_url = get_server_url(environ)

        extras = {

            'ip': ip_addr,

            'username': user.username,

            'action': action,

            'repository': parsed_request.repo_name,

            'scm': 'git',

            'config': CONFIG['__file__'],

            'server_url': server_url,

        }

        #===================================================================

        # GIT REQUEST HANDLING

        #===================================================================

        log.debug('HOOKS extras is %s', extras)

        baseui = make_ui()

        _set_extras(extras or {})

        try:

            self._handle_githooks(parsed_request.repo_name, action, baseui, environ)

            log.info('%s action on Git repo "%s" by "%s" from %s',

                     action, parsed_request.repo_name, safe_str(user.username), ip_addr)

            app = self.__make_app(parsed_request.repo_name)

            return app(environ, start_response)

        except Exception:

            log.error(traceback.format_exc())

    def __make_app(self, repo_name):

        """

        Return a pygrack wsgi application.

        """

        return make_wsgi_app(repo_name, safe_str(self.basepath)) # FIXME: safe_str???

    def __get_action(self, environ):

        """

        Maps Git request commands into 'pull' or 'push'.

        Raises HTTPBadRequest if the request environment doesn't look like a git client.

        """

        mapping = {

            'git-receive-pack': 'push',

            'git-upload-pack': 'pull',

        }

        path_info = environ.get('PATH_INFO', '')

        m = GIT_PROTO_PAT.match(path_info)

        if m is None:

            action = None

        else:

            cmd = m.group(2)

            query_string = environ['QUERY_STRING']

class SimpleHg(BaseVCSController):

    @classmethod

    def parse_request(cls, environ):

        http_accept = environ.get('HTTP_ACCEPT', '')

        if not http_accept.startswith('application/mercurial'):

            return None

        path_info = environ.get('PATH_INFO', '')

        if not path_info.startswith('/'): # it must!

            return None

        class parsed_request(object):

            repo_name = safe_unicode(path_info[1:].rstrip('/'))

        return parsed_request

    def _handle_request(self, parsed_request, environ, start_response):

        ip_addr = self._get_ip_addr(environ)

        # skip passing error to error controller

        environ['pylons.status_code_redirect'] = True

        # quick check if repo exists...

        if not is_valid_repo(parsed_request.repo_name, self.basepath, 'hg'):

        #======================================================================

        # GET ACTION PULL or PUSH

        #======================================================================

        #======================================================================

        # CHECK PERMISSIONS

        #======================================================================

        user, response_app = self._authorize(environ, start_response, action, parsed_request.repo_name, ip_addr)

        if response_app is not None:

            return response_app(environ, start_response)

        # extras are injected into Mercurial UI object and later available

        # in hooks executed by Kallithea

        from kallithea import CONFIG

        server_url = get_server_url(environ)

        extras = {

            'ip': ip_addr,

            'username': user.username,

            'action': action,

            'repository': parsed_request.repo_name,

            'scm': 'hg',

            'config': CONFIG['__file__'],

            'server_url': server_url,

        }

        #======================================================================

        # MERCURIAL REQUEST HANDLING

        #======================================================================

        str_repo_name = safe_str(parsed_request.repo_name)

        repo_path = os.path.join(safe_str(self.basepath), str_repo_name)

        log.debug('Repository path is %s', repo_path)

        log.debug('HOOKS extras is %s', extras)

        baseui = make_ui(repo_path=repo_path)

        _set_extras(extras or {})

        try:

            log.info('%s action on Mercurial repo "%s" by "%s" from %s',

                     action, parsed_request.repo_name, safe_str(user.username), ip_addr)

            environ['REPO_NAME'] = str_repo_name # used by hgweb_mod.hgweb

            app = self.__make_app(repo_path, baseui)

            return app(environ, start_response)

        except Exception:

            log.error(traceback.format_exc())

    def __make_app(self, repo_name, baseui):

        """

        Make an hgweb wsgi application using baseui.

        """

        return hgweb_mod.hgweb(repo_name, name=repo_name, baseui=baseui)

    def __get_action(self, environ):

        """

        Maps Mercurial request commands into 'pull' or 'push'.

        Raises HTTPBadRequest if the request environment doesn't look like a hg client.

        """

        mapping = {

            # 'batch' is not in this list - it is handled explicitly

            'between': 'pull',

            'branches': 'pull',

            'branchmap': 'pull',

            'capabilities': 'pull',

            'changegroup': 'pull',

            'changegroupsubset': 'pull',

            'changesetdata': 'pull',

            'clonebundles': 'pull',

            'debugwireargs': 'pull',