It does lookup based on API key,given user, or user present in session

    Then it fills all required information for such user. It also checks if

    anonymous access is enabled and if so, it returns default user as logged

    in

    """

    def __init__(self, user_id=None, api_key=None, username=None):

        self.user_id = user_id

        self.api_key = None

        self.username = username

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.is_authenticated = False

        self.admin = False

        self.permissions = {}

        self._api_key = api_key

        self.propagate_data()

    def propagate_data(self):

        user_model = UserModel()

        is_user_loaded = False

        # try go get user by api key

        if self._api_key and self._api_key != self.anonymous_user.api_key:

            log.debug('Auth User lookup by API KEY %s', self._api_key)

            is_user_loaded = user_model.fill_data(self, api_key=self._api_key)

        # lookup by userid    

        elif (self.user_id is not None and

              self.user_id != self.anonymous_user.user_id):

            log.debug('Auth User lookup by USER ID %s', self.user_id)

            is_user_loaded = user_model.fill_data(self, user_id=self.user_id)

        # lookup by username    

        elif self.username:

            log.debug('Auth User lookup by USER NAME %s', self.username)

            dbuser = login_container_auth(self.username)

            if dbuser is not None:

                for k, v in dbuser.get_dict().items():

                    setattr(self, k, v)

                self.set_authenticated()

                is_user_loaded = True

        if not is_user_loaded:

            # if we cannot authenticate user try anonymous

            if self.anonymous_user.active is True:

        available_perms = config['available_permissions']

        for perm in required_perms:

            if perm not in available_perms:

                raise Exception("'%s' permission is not defined" % perm)

        self.required_perms = set(required_perms)

        self.user_perms = None

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        self.user = cls.rhodecode_user

        self.user_perms = self.user.permissions

        log.debug('checking %s permissions %s for %s %s',

           self.__class__.__name__, self.required_perms, cls,

               self.user)

        if self.check_permissions():

            log.debug('Permission granted for %s %s', cls, self.user)

            return func(*fargs, **fkwargs)

        else:

            log.warning('Permission denied for %s %s', cls, self.user)

            anonymous = self.user.username == 'default'

            if anonymous:

                p = url.current()

                import rhodecode.lib.helpers as h

                h.flash(_('You need to be a signed in to '

                          'view this page'),

                        category='warning')

                return redirect(url('login_home', came_from=p))

            else:

                # redirect with forbidden ret code

                return abort(403)

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAllDecorator(PermsDecorator):

    """

    Checks for access permission for all given predicates. All of them

    have to be meet in order to fulfill the request

            return False

        if self.required_perms.intersection(user_perms):

            return True

        return False

#==============================================================================

# CHECK FUNCTIONS

#==============================================================================

class PermsFunction(object):

    """Base function for other check functions"""

    def __init__(self, *perms):

        available_perms = config['available_permissions']

        for perm in perms:

            if perm not in available_perms:

                raise Exception("'%s' permission in not defined" % perm)

        self.required_perms = set(perms)

        self.user_perms = None

        self.granted_for = ''

        self.repo_name = None

    def __call__(self, check_Location=''):

        if not user:

            return False

        self.user_perms = user.permissions

        self.granted_for = user

        log.debug('checking %s %s %s', self.__class__.__name__,

                  self.required_perms, user)

        if self.check_permissions():

            log.debug('Permission granted %s @ %s', self.granted_for,

                      check_Location or 'unspecified location')

            return True

        else:

            log.warning('Permission denied for %s @ %s', self.granted_for,

                        check_Location or 'unspecified location')

            return False

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAll(PermsFunction):

    def check_permissions(self):

        c.ga_code = config.get('rhodecode_ga_code')

        c.repo_name = get_repo_slug(request)

        c.backends = BACKENDS.keys()

        c.unread_notifications = NotificationModel()\

                        .get_unread_cnt_for_user(c.rhodecode_user.user_id)

        self.cut_off_limit = int(config.get('cut_off_limit'))

        self.sa = meta.Session()

        self.scm_model = ScmModel(self.sa)

    def __call__(self, environ, start_response):

        """Invoke the Controller"""

        # WSGIController.__call__ dispatches to the Controller method

        # the request is routed to. This routing information is

        # available in environ['pylons.routes_dict']

        start = time.time()

        try:

            # make sure that we update permissions each time we call controller

            api_key = request.GET.get('api_key')

            cookie_store = session.get('rhodecode_user') or {}

            user_id = cookie_store.get('user_id', None)

            username = get_container_username(environ, config)

            auth_user = AuthUser(user_id, api_key, username)

            self.rhodecode_user = c.rhodecode_user = auth_user

            if not self.rhodecode_user.is_authenticated and \

                       self.rhodecode_user.user_id is not None:

                self.rhodecode_user\

                    .set_authenticated(cookie_store.get('is_authenticated'))

            session['rhodecode_user'] = self.rhodecode_user.get_cookie_store()

            session.save()

            return WSGIController.__call__(self, environ, start_response)

        finally:

            log.debug('Request time: %.3fs' % (time.time() - start))

            meta.Session.remove()

class BaseRepoController(BaseController):

    """

    Base class for controllers responsible for loading all needed data for

    repository loaded items are

    c.rhodecode_repo: instance of scm repository

    c.rhodecode_db_repo: instance of db

    c.repository_followers: number of followers

    c.repository_forks: number of forks

    """

        run_task(send_email, user_email,

                 'Your new password',

                 'Your new RhodeCode password:%s' % (new_passwd))

        log.info('send new password mail to %s', user_email)

    except:

        log.error('Failed to update user password')

        log.error(traceback.format_exc())

    return True

@task(ignore_result=True)

def send_email(recipients, subject, body, html_body=''):

    """

    Sends an email with defined parameters from the .ini files.

    :param recipients: list of recipients, it this is empty the defined email

        address from field 'email_to' is used instead

    :param subject: subject of the mail

    :param body: body of the mail

    :param html_body: html version of body

    """

    log = get_logger(send_email)

    email_config = config

    subject = "%s %s" % (email_config.get('email_prefix'), subject)

    if not recipients:

        # if recipients are not defined we send to email_config + all admins

        admins = [u.email for u in User.query()

                  .filter(User.admin == True).all()]

        recipients = [email_config.get('email_to')] + admins

    mail_from = email_config.get('app_email_from', 'RhodeCode')

    user = email_config.get('smtp_username')

    passwd = email_config.get('smtp_password')

    mail_server = email_config.get('smtp_server')

    mail_port = email_config.get('smtp_port')

    tls = str2bool(email_config.get('smtp_use_tls'))

    ssl = str2bool(email_config.get('smtp_use_ssl'))

    debug = str2bool(config.get('debug'))

    smtp_auth = email_config.get('smtp_auth')

    try:

        m = SmtpMailer(mail_from, user, passwd, mail_server, smtp_auth,

                       mail_port, ssl, tls, debug=debug)

        m.send(recipients, subject, body, html_body)

    except:

        log.error('Mail sending failed')

        log.error(traceback.format_exc())

from rhodecode.lib.utils import BasePasterCommand, Command

from celery.app import app_or_default

from celery.bin import camqadm, celerybeat, celeryd, celeryev

from rhodecode.lib import str2bool

__all__ = ['CeleryDaemonCommand', 'CeleryBeatCommand',

           'CAMQPAdminCommand', 'CeleryEventCommand']

class CeleryCommand(BasePasterCommand):

    """Abstract class implements run methods needed for celery

    Starts the celery worker that uses a paste.deploy configuration

    file.

    """

    def update_parser(self):

        """

        Abstract method.  Allows for the class's parser to be updated

        before the superclass's `run` method is called.  Necessary to

        allow options/arguments to be passed through to the underlying

        celery command.

        """

        cmd = self.celery_command(app_or_default())

        for x in cmd.get_options():

            self.parser.add_option(x)

    def command(self):

        from pylons import config

        try:

            CELERY_ON = str2bool(config['app_conf'].get('use_celery'))

        except KeyError:

            CELERY_ON = False

        if CELERY_ON == False:

            raise Exception('Please enable celery_on in .ini config '

                            'file before running celeryd')

        cmd = self.celery_command(app_or_default())

        return cmd.run(**vars(self.options))

class CeleryDaemonCommand(CeleryCommand):

    """Start the celery worker

    Starts the celery worker that uses a paste.deploy configuration

    file.

    """

    usage = 'CONFIG_FILE [celeryd options...]'

    summary = __doc__.splitlines()[0]

    description = "".join(__doc__.splitlines()[2:])

    parser = Command.standard_parser(quiet=True)

    celery_command = celeryd.WorkerCommand

class CeleryBeatCommand(CeleryCommand):

    """Start the celery beat server

    Starts the celery beat server using a paste.deploy configuration

    file.

    """

    usage = 'CONFIG_FILE [celerybeat options...]'

    action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)

    @property

    def action_as_day(self):

        return datetime.date(*self.action_date.timetuple()[:3])

    user = relationship('User')

    repository = relationship('Repository')

class UsersGroup(Base, BaseModel):

    __tablename__ = 'users_groups'

    __table_args__ = {'extend_existing':True}

    users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_name = Column("users_group_name", String(length=255, convert_unicode=False, assert_unicode=None), nullable=False, unique=True, default=None)

    users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)

    members = relationship('UsersGroupMember', cascade="all, delete, delete-orphan", lazy="joined")

    def __repr__(self):

        return '<userGroup(%s)>' % (self.users_group_name)

    @classmethod

        if case_insensitive:

        else:

        if cache:

    @classmethod

    def get(cls, users_group_id, cache=False):

        users_group = cls.query()

        if cache:

            users_group = users_group.options(FromCache("sql_cache_short",

                                    "get_users_group_%s" % users_group_id))

        return users_group.get(users_group_id)

    @classmethod

    def create(cls, form_data):

        try:

            new_users_group = cls()

            for k, v in form_data.items():

                setattr(new_users_group, k, v)

            Session().add(new_users_group)

            Session().commit()

            return new_users_group

        except:

            log.error(traceback.format_exc())

            Session().rollback()

            raise

    @classmethod

    def url_sep(cls):

        return '/'

    @classmethod

    def get_by_repo_name(cls, repo_name):

        q = Session().query(cls).filter(cls.repo_name == repo_name)

        q = q.options(joinedload(Repository.fork))\

                .options(joinedload(Repository.user))\

                .options(joinedload(Repository.group))

        return q.one()

    @classmethod

    def get_repo_forks(cls, repo_id):

        return cls.query().filter(Repository.fork_id == repo_id)

    @classmethod

    def base_path(cls):

        """

        Returns base path when all repos are stored

        :param cls:

        """

        return q.one().ui_value

    @property

    def just_name(self):

        return self.repo_name.split(Repository.url_sep())[-1]

    @property

    def groups_with_parents(self):

        groups = []

        if self.group is None:

            return groups

        cur_gr = self.group

        groups.insert(0, cur_gr)

        while 1:

            gr = getattr(cur_gr, 'parent_group', None)

            cur_gr = cur_gr.parent_group

            if gr is None:

                break

            groups.insert(0, gr)

        return groups

    @property

        returns new full group name based on parent and new name

        :param group_name:

        """

        path_prefix = (self.parent_group.full_path_splitted if

                       self.parent_group else [])

        return RepoGroup.url_sep().join(path_prefix + [group_name])

class Permission(Base, BaseModel):

    __tablename__ = 'permissions'

    __table_args__ = {'extend_existing':True}

    permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    permission_name = Column("permission_name", String(length=255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    permission_longname = Column("permission_longname", String(length=255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    def __repr__(self):

        return "<%s('%s:%s')>" % (self.__class__.__name__,

                                  self.permission_id, self.permission_name)

    @classmethod

    def get_by_key(cls, key):

        return cls.query().filter(cls.permission_name == key).scalar()

class UserRepoToPerm(Base, BaseModel):

    __tablename__ = 'repo_to_perm'

    __table_args__ = (UniqueConstraint('user_id', 'repository_id'), {'extend_existing':True})

    repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)

    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)

    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)

    user = relationship('User')

    permission = relationship('Permission')

    repository = relationship('Repository')

class UserToPerm(Base, BaseModel):

    __tablename__ = 'user_to_perm'

    __table_args__ = (UniqueConstraint('user_id', 'permission_id'), {'extend_existing':True})

    user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)

    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)

    user = relationship('User')

    @classmethod

    def has_perm(cls, user_id, perm):

        if not isinstance(perm, Permission):

            raise Exception('perm needs to be an instance of Permission class')

        return cls.query().filter(cls.user_id == user_id)\

            .filter(cls.permission == perm).scalar() is not None

    @classmethod

    def grant_perm(cls, user_id, perm):

        if not isinstance(perm, Permission):

            raise Exception('perm needs to be an instance of Permission class')

        new = cls()

        new.user_id = user_id

        new.permission = perm

        try:

            Session().add(new)

            Session().commit()

        except:

            Session().rollback()

class RepoTemp(object):

    def __init__(self, repo_id):

        self.repo_id = repo_id

    def __repr__(self):

        return "<%s('id:%s')>" % (self.__class__.__name__, self.repo_id)

class CachedRepoList(object):

    def __init__(self, db_repo_list, repos_path, order_by=None):

        self.db_repo_list = db_repo_list

        self.repos_path = repos_path

        self.order_by = order_by

        self.reversed = (order_by or '').startswith('-')

    def __len__(self):

        return len(self.db_repo_list)

    def __repr__(self):

        return '<%s (%s)>' % (self.__class__.__name__, self.__len__())

    def __iter__(self):

        for dbr in self.db_repo_list:

            scmr = dbr.scm_instance_cached

            # check permission at this level

            if not HasRepoPermissionAny('repository.read', 'repository.write',

                                        'repository.admin')(dbr.repo_name,

                                                            'get repo check'):

                continue

            if scmr is None:

                log.error('%s this repository is present in database but it '

                          'cannot be created as an scm instance',

                          dbr.repo_name)

                continue

            last_change = scmr.last_change

            tip = h.get_changeset_safe(scmr, 'tip')

            tmp_d = {}

            tmp_d['name'] = dbr.repo_name

            tmp_d['name_sort'] = tmp_d['name'].lower()

            tmp_d['description'] = dbr.description

            tmp_d['description_sort'] = tmp_d['description']

            tmp_d['last_change'] = last_change

            tmp_d['tip'] = tip.raw_id

            tmp_d['tip_sort'] = tip.revision

            tmp_d['rev'] = tip.revision

            tmp_d['contact'] = dbr.user.full_contact

            tmp_d['contact_sort'] = tmp_d['contact']

            tmp_d['owner_sort'] = tmp_d['contact']

            tmp_d['repo_archives'] = list(scmr._get_archives())

            tmp_d['last_msg'] = tip.message

            tmp_d['author'] = tip.author

            tmp_d['dbrepo'] = dbr.get_dict()

            yield tmp_d

class ScmModel(BaseModel):

    """

    Generic Scm Model

    """

    @LazyProperty

    def repos_path(self):

        """

        Get's the repositories root path from database

        """

        q = self.sa.query(RhodeCodeUi).filter(RhodeCodeUi.ui_key == '/').one()

        return q.ui_value

    def repo_scan(self, repos_path=None):

        """

        Listing of repositories in given path. This path should not be a

        repository itself. Return a dictionary of repository objects

        :param repos_path: path to directory containing repositories

        """

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % username))

        return user.scalar()

    def get_by_api_key(self, api_key, cache=False):

        return User.get_by_api_key(api_key, cache)

    def create(self, form_data):

        try:

            new_user = User()

            for k, v in form_data.items():

                setattr(new_user, k, v)

            new_user.api_key = generate_api_key(form_data['username'])

            self.sa.add(new_user)

            self.sa.commit()

            return new_user

        except:

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

                         active=True, admin=False, ldap_dn=None):

        """

        Creates a new instance if not found, or updates current one

        :param username:

        :param password:

        :param email:

        :param active:

        :param name:

        :param lastname:

        :param active:

        :param admin:

        :param ldap_dn:

        """

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for %s account in RhodeCode database', username)

        user = User.get_by_username(username, case_insensitive=True)

        if user is None:

            new_user = User()

        else:

            new_user = user

        try:

            new_user.username = username

            new_user.admin = admin

            new_user.password = get_crypt_password(password)

            new_user.api_key = generate_api_key(username)

            new_user.email = email

            new_user.active = active

            new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None

            new_user.name = name

            new_user.lastname = lastname

            self.sa.add(new_user)

            self.sa.commit()

            return new_user

        except (DatabaseError,):

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

    def create_for_container_auth(self, username, attrs):

        """

        Creates the given user if it's not already in the database

        :param username:

        :param attrs:

        """

        if self.get_by_username(username, case_insensitive=True) is None:

            # autogenerate email for container account without one

            generate_email = lambda usr: '%s@container_auth.account' % usr

            try:

                new_user = User()

                new_user.username = username

                new_user.password = None

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email']

                new_user.active = attrs.get('active', True)

                new_user.name = attrs['name'] or generate_email(username)

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                self.sa.commit()

                return False

        except:

            log.error(traceback.format_exc())

            auth_user.is_authenticated = False

            return False

        return True

    def fill_perms(self, user):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: user instance to fill his perms

        """

        user.permissions['repositories'] = {}

        user.permissions['global'] = set()

        #======================================================================

        # fetch default permissions

        #======================================================================

        if user.is_admin:

            #==================================================================

            # #admin have all default rights set to admin

            #==================================================================

            user.permissions['global'].add('hg.admin')

            for perm in default_perms:

                p = 'repository.admin'

                user.permissions['repositories'][perm.UserRepoToPerm.

                                                 repository.repo_name] = p

        else:

            #==================================================================

            # set default permissions

            #==================================================================

            uid = user.user_id

            #default global

            default_global_perms = self.sa.query(UserToPerm)\

            for perm in default_global_perms:

                user.permissions['global'].add(perm.permission.permission_name)

            #default for repositories

            for perm in default_perms:

                if perm.Repository.private and not (perm.Repository.user_id ==

                                                    uid):

                    p = 'repository.none'

                elif perm.Repository.user_id == uid:

                    #set admin if owner

                    p = 'repository.admin'

                else:

                    p = perm.Permission.permission_name

                user.permissions['repositories'][perm.UserRepoToPerm.

                                                 repository.repo_name] = p

            #==================================================================

            # overwrite default with user permissions if any

            #==================================================================

            #user global

            user_perms = self.sa.query(UserToPerm)\

                    .options(joinedload(UserToPerm.permission))\

                    .filter(UserToPerm.user_id == uid).all()

            for perm in user_perms:

                user.permissions['global'].add(perm.permission.

                                               permission_name)

            #user repositories

            user_repo_perms = self.sa.query(UserRepoToPerm, Permission,

                                            Repository)\

                .join((Repository, UserRepoToPerm.repository_id ==

                       Repository.repo_id))\

                .join((Permission, UserRepoToPerm.permission_id ==

                       Permission.permission_id))\

                .filter(UserRepoToPerm.user_id == uid).all()

            for perm in user_repo_perms:

                # set admin if owner

                if perm.Repository.user_id == uid:

                    p = 'repository.admin'

                else:

                    p = perm.Permission.permission_name

                user.permissions['repositories'][perm.UserRepoToPerm.

                                                 repository.repo_name] = p

            #==================================================================

            # check if user is part of groups for this repository and fill in

            # (or replace with higher) permissions

            #==================================================================

            user_perms_from_users_groups = self.sa.query(UsersGroupToPerm)\

                .options(joinedload(UsersGroupToPerm.permission))\

                .join((UsersGroupMember, UsersGroupToPerm.users_group_id ==

                       UsersGroupMember.users_group_id))\

                .filter(UsersGroupMember.user_id == uid).all()

            for perm in user_perms_from_users_groups:

                user.permissions['global'].add(perm.permission.permission_name)

            user_repo_perms_from_users_groups = self.sa.query(

                                                UsersGroupRepoToPerm,

                                                Permission, Repository,)\

                .join((Repository, UsersGroupRepoToPerm.repository_id ==

                       Repository.repo_id))\

                .join((Permission, UsersGroupRepoToPerm.permission_id ==