h.flash(_('Created repository group %s') % gr.group_name,

                category='success')

        raise HTTPFound(location=url('repos_group_home', group_name=gr.group_name))

    def new(self):

        if HasPermissionAny('hg.admin')('group create'):

            #we're global admin, we're ok and we can create TOP level groups

            pass

        else:

            # we pass in parent group into creation form, thus we know

            # what would be the group, we can check perms here !

            group_id = safe_int(request.GET.get('parent_group'))

            group = RepoGroup.get(group_id) if group_id else None

            group_name = group.group_name if group else None

            if HasRepoGroupPermissionAny('group.admin')(group_name, 'group create'):

                pass

            else:

                raise HTTPForbidden()

        self.__load_defaults()

        return render('admin/repo_groups/repo_group_add.html')

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def update(self, group_name):

        self.__load_defaults(extras=[c.repo_group.parent_group],

                             exclude=[c.repo_group])

        # TODO: kill allow_empty_group - it is only used for redundant form validation!

        if HasPermissionAny('hg.admin')('group edit'):

            #we're global admin, we're ok and we can create TOP level groups

            allow_empty_group = True

        elif not c.repo_group.parent_group:

            allow_empty_group = True

        else:

            allow_empty_group = False

        repo_group_form = RepoGroupForm(

            edit=True,

            old_data=c.repo_group.get_dict(),

            repo_groups=c.repo_groups,

            can_create_in_root=allow_empty_group,

        )()

        try:

            form_result = repo_group_form.to_python(dict(request.POST))

            new_gr = RepoGroupModel().update(group_name, form_result)

            Session().commit()

            h.flash(_('Updated repository group %s') \

                    % form_result['group_name'], category='success')

            # we now have new name !

            group_name = new_gr.group_name

            #TODO: in future action_logger(, '', '', '', self.sa)

        except formencode.Invalid as errors:

            c.active = 'settings'

            return htmlfill.render(

                render('admin/repo_groups/repo_group_edit.html'),

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8",

                force_defaults=False)

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('Error occurred during update of repository group %s') \

                    % request.POST.get('group_name'), category='error')

        raise HTTPFound(location=url('edit_repo_group', group_name=group_name))

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def delete(self, group_name):

        repos = gr.repositories.all()

        if repos:

            h.flash(_('This group contains %s repositories and cannot be '

                      'deleted') % len(repos), category='warning')

            raise HTTPFound(location=url('repos_groups'))

        children = gr.children.all()

        if children:

            h.flash(_('This group contains %s subgroups and cannot be deleted'

                      % (len(children))), category='warning')

            raise HTTPFound(location=url('repos_groups'))

        try:

            RepoGroupModel().delete(group_name)

            Session().commit()

            h.flash(_('Removed repository group %s') % group_name,

                    category='success')

            #TODO: in future action_logger(, '', '', '', self.sa)

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('Error occurred during deletion of repository group %s')

                    % group_name, category='error')

        if gr.parent_group:

            raise HTTPFound(location=url('repos_group_home', group_name=gr.parent_group.group_name))

        raise HTTPFound(location=url('repos_groups'))

    def show_by_name(self, group_name):

        """

        This is a proxy that does a lookup group_name -> id, and shows

        the group by id view instead

        """

        group_name = group_name.rstrip('/')

        id_ = RepoGroup.get_by_group_name(group_name)

        if id_:

            return self.show(group_name)

        raise HTTPNotFound

    @HasRepoGroupPermissionAnyDecorator('group.read', 'group.write',

                                         'group.admin')

    def show(self, group_name):

        c.active = 'settings'

        groups = RepoGroup.query(sorted=True).filter_by(parent_group=c.group).all()

        c.groups = self.scm_model.get_repo_groups(groups)

        repos_list = Repository.query(sorted=True).filter_by(group=c.group).all()

        repos_data = RepoModel().get_repos_as_dict(repos_list=repos_list,

                                                   admin=False, short_name=True)

        #json used to render the grid

        c.data = json.dumps(repos_data)

        return render('admin/repo_groups/repo_group_show.html')

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def edit(self, group_name):

        c.active = 'settings'

        self.__load_defaults(extras=[c.repo_group.parent_group],

                             exclude=[c.repo_group])

        defaults = self.__load_data(c.repo_group.group_id)

        return htmlfill.render(

            render('admin/repo_groups/repo_group_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False

        )

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def edit_repo_group_advanced(self, group_name):

        c.active = 'advanced'

        return render('admin/repo_groups/repo_group_edit.html')

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def edit_repo_group_perms(self, group_name):

        c.active = 'perms'

        self.__load_defaults()

        defaults = self.__load_data(c.repo_group.group_id)

        return htmlfill.render(

            render('admin/repo_groups/repo_group_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False

        )

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def update_perms(self, group_name):

        """

        Update permissions for given repository group

        :param group_name:

        """

        valid_recursive_choices = ['none', 'repos', 'groups', 'all']

        form_result = RepoGroupPermsForm(valid_recursive_choices)().to_python(request.POST)

        if not request.authuser.is_admin:

            if self._revoke_perms_on_yourself(form_result):

                msg = _('Cannot revoke permission for yourself as admin')

                h.flash(msg, category='warning')

                raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))

        recursive = form_result['recursive']

        # iterate over all members(if in recursive mode) of this groups and

        # set the permissions !

        # this can be potentially heavy operation

        RepoGroupModel()._update_permissions(c.repo_group,

                                             form_result['perms_new'],

                                             form_result['perms_updates'],

                                             recursive)

        #TODO: implement this

        #action_logger(request.authuser, 'admin_changed_repo_permissions',

        #              repo_name, request.ip_addr, self.sa)

        Session().commit()

        h.flash(_('Repository group permissions updated'), category='success')

        raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def delete_perms(self, group_name):

    user = UserModel().get_user(userid)

    if user is None:

        raise JSONRPCError("user `%s` does not exist" % (userid,))

    return user

def get_repo_or_error(repoid):

    """

    Get repo by id or name or return JsonRPCError if not found

    :param repoid:

    """

    repo = RepoModel().get_repo(repoid)

    if repo is None:

        raise JSONRPCError('repository `%s` does not exist' % (repoid,))

    return repo

def get_repo_group_or_error(repogroupid):

    """

    Get repo group by id or name or return JsonRPCError if not found

    :param repogroupid:

    """

    if repo_group is None:

        raise JSONRPCError(

            'repository group `%s` does not exist' % (repogroupid,))

    return repo_group

def get_user_group_or_error(usergroupid):

    """

    Get user group by id or name or return JsonRPCError if not found

    :param usergroupid:

    """

    user_group = UserGroupModel().get_group(usergroupid)

    if user_group is None:

        raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))

    return user_group

def get_perm_or_error(permid, prefix=None):

    """

    Get permission by id or name or return JsonRPCError if not found

    :param permid:

    """

:license: GPLv3, see LICENSE.md for more details.

"""

import os

import traceback

import logging

import rfc822

from time import mktime

from operator import itemgetter

from string import lower

from pylons import config

from kallithea import CELERY_ON

from kallithea.lib import celerylib

from kallithea.lib.helpers import person

from kallithea.lib.rcmail.smtp_mailer import SmtpMailer

from kallithea.lib.utils import setup_cache_regions, action_logger

from kallithea.lib.utils2 import str2bool

from kallithea.lib.vcs.utils import author_email

from kallithea.lib.compat import json, OrderedDict

from kallithea.lib.hooks import log_create_repository

setup_cache_regions(config)  # pragma: no cover

__all__ = ['whoosh_index', 'get_commits_stats', 'send_email']

log = logging.getLogger(__name__)

@celerylib.task

@celerylib.locked_task

@celerylib.dbsession

def whoosh_index(repo_location, full_index):

    from kallithea.lib.indexers.daemon import WhooshIndexingDaemon

    DBS = celerylib.get_session()

    index_location = config['index_dir']

    WhooshIndexingDaemon(index_location=index_location,

                         repo_location=repo_location, sa=DBS) \

                         .run(full_index=full_index)

@celerylib.task

            repo_type=repo_type,

            description=description,

            owner=owner,

            private=private,

            clone_uri=clone_uri,

            repo_group=repo_group,

            landing_rev=landing_rev,

            fork_of=fork_of,

            copy_fork_permissions=copy_fork_permissions,

            copy_group_permissions=copy_group_permissions,

            enable_statistics=enable_statistics,

            enable_locking=enable_locking,

            enable_downloads=enable_downloads,

            state=state

        )

        action_logger(cur_user, 'user_created_repo',

                      form_data['repo_name_full'], '', DBS)

        DBS.commit()

        # now create this repo on Filesystem

        RepoModel(DBS)._create_filesystem_repo(

            repo_name=repo_name,

            repo_type=repo_type,

            clone_uri=clone_uri,

        )

        repo = Repository.get_by_repo_name(repo_name_full)

        log_create_repository(repo.get_dict(), created_by=owner.username)

        # update repo changeset caches initially

        repo.update_changeset_cache()

        # set new created state

        repo.set_state(Repository.STATE_CREATED)

        DBS.commit()

    except Exception as e:

        log.warning('Exception %s occurred when forking repository, '

                    'doing cleanup...' % e)

        # rollback things manually !

        repo = Repository.get_by_repo_name(repo_name_full)

        if repo:

            Repository.delete(repo.repo_id)

            DBS.commit()

            RepoModel(DBS)._delete_filesystem_repo(repo)

        raise

    return True

        RepoModel(DBS)._create_repo(

            repo_name=repo_name_full,

            repo_type=repo_type,

            description=form_data['description'],

            owner=owner,

            private=private,

            clone_uri=clone_uri,

            repo_group=repo_group,

            landing_rev=landing_rev,

            fork_of=fork_of,

            copy_fork_permissions=copy_fork_permissions

        )

        action_logger(cur_user, 'user_forked_repo:%s' % repo_name_full,

                      fork_of.repo_name, '', DBS)

        DBS.commit()

        update_after_clone = form_data['update_after_clone'] # FIXME - unused!

        source_repo_path = os.path.join(base_path, fork_of.repo_name)

        # now create this repo on Filesystem

        RepoModel(DBS)._create_filesystem_repo(

            repo_name=repo_name,

            repo_type=repo_type,

            clone_uri=source_repo_path,

        )

        repo = Repository.get_by_repo_name(repo_name_full)

        log_create_repository(repo.get_dict(), created_by=owner.username)

        # update repo changeset caches initially

        repo.update_changeset_cache()

        # set new created state

        repo.set_state(Repository.STATE_CREATED)

        DBS.commit()

    except Exception as e:

        log.warning('Exception %s occurred when forking repository, '

                    'doing cleanup...' % e)

        #rollback things manually !

        repo = Repository.get_by_repo_name(repo_name_full)

        if repo:

            Repository.delete(repo.repo_id)

            DBS.commit()

            RepoModel(DBS)._delete_filesystem_repo(repo)

        raise

    return True

from kallithea.lib.vcs.backends import get_backend

from kallithea.lib.compat import json

from kallithea.lib.utils2 import LazyProperty, safe_str, safe_unicode, \

    remove_prefix, obfuscate_url_pw, get_current_authuser

from kallithea.lib.caching_query import FromCache

from kallithea.lib.hooks import log_delete_repository

from kallithea.model.base import BaseModel

from kallithea.model.db import Repository, UserRepoToPerm, UserGroupRepoToPerm, \

    UserRepoGroupToPerm, UserGroupRepoGroupToPerm, User, Permission, \

    Statistics, UserGroup, Ui, RepoGroup, RepositoryField

from kallithea.lib import helpers as h

from kallithea.lib.auth import HasRepoPermissionAny, HasUserGroupPermissionAny

from kallithea.lib.exceptions import AttachedForksError

from kallithea.model.scm import UserGroupList

log = logging.getLogger(__name__)

class RepoModel(BaseModel):

    URL_SEPARATOR = Repository.url_sep()

    def _create_default_perms(self, repository, private):

        # create default permission

        default = 'repository.read'

        def_user = User.get_default_user()

        for p in def_user.user_perms:

            if p.permission.permission_name.startswith('repository.'):

                default = p.permission.permission_name

                break

        default_perm = 'repository.none' if private else default

        repo_to_perm = UserRepoToPerm()

        repo_to_perm.permission = Permission.get_by_key(default_perm)

        repo_to_perm.repository = repository

        repo_to_perm.user_id = def_user.user_id

        return repo_to_perm

    @LazyProperty

    def repos_path(self):

        """

        Gets the repositories root path from database

        """

            if org_repo_name != cur_repo.repo_name:

                # rename repository

                self._rename_filesystem_repo(old=org_repo_name, new=cur_repo.repo_name)

            return cur_repo

        except Exception:

            log.error(traceback.format_exc())

            raise

    def _create_repo(self, repo_name, repo_type, description, owner,

                     private=False, clone_uri=None, repo_group=None,

                     landing_rev='rev:tip', fork_of=None,

                     copy_fork_permissions=False, enable_statistics=False,

                     enable_locking=False, enable_downloads=False,

                     copy_group_permissions=False, state=Repository.STATE_PENDING):

        """

        Create repository inside database with PENDING state. This should only be

        executed by create() repo, with exception of importing existing repos.

        """

        from kallithea.model.scm import ScmModel

        owner = User.guess_instance(owner)

        fork_of = Repository.guess_instance(fork_of)

        try:

            repo_name = safe_unicode(repo_name)

            description = safe_unicode(description)

            # repo name is just a name of repository

            # while repo_name_full is a full qualified name that is combined

            # with name and path of group

            repo_name_full = repo_name

            repo_name = repo_name.split(self.URL_SEPARATOR)[-1]

            new_repo = Repository()

            new_repo.repo_state = state

            new_repo.enable_statistics = False

            new_repo.repo_name = repo_name_full

            new_repo.repo_type = repo_type

            new_repo.owner = owner

            new_repo.group = repo_group

            new_repo.description = description or repo_name

            new_repo.private = private

            new_repo.clone_uri = clone_uri

            new_repo.landing_rev = landing_rev

            new_repo.enable_statistics = enable_statistics

            new_repo.enable_locking = enable_locking

            new_repo.enable_downloads = enable_downloads

        """

        user = User.guess_instance(user)

        repo = Repository.guess_instance(repo)

        obj = self.sa.query(UserRepoToPerm) \

            .filter(UserRepoToPerm.repository == repo) \

            .filter(UserRepoToPerm.user == user) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s', repo, user)

    def grant_user_group_permission(self, repo, group_name, perm):

        """

        Grant permission for user group on given repository, or update

        existing one if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo = Repository.guess_instance(repo)

        permission = Permission.guess_instance(perm)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoToPerm) \

            .filter(UserGroupRepoToPerm.users_group == group_name) \

            .filter(UserGroupRepoToPerm.repository == repo) \

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoToPerm()

        obj.repository = repo

        obj.users_group = group_name

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s', perm, group_name, repo)

        return obj

    def revoke_user_group_permission(self, repo, group_name):

        """

        Revoke permission for user group on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        """

        repo = Repository.guess_instance(repo)

        obj = self.sa.query(UserGroupRepoToPerm) \

            .filter(UserGroupRepoToPerm.repository == repo) \

            .filter(UserGroupRepoToPerm.users_group == group_name) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm to %s on %s', repo, group_name)

    def delete_stats(self, repo_name):

        """

        removes stats for given repo

        :param repo_name:

        """

        repo = Repository.guess_instance(repo_name)

        try:

            obj = self.sa.query(Statistics) \

                .filter(Statistics.repository == repo).scalar()

            if obj is not None:

                self.sa.delete(obj)

        except Exception:

            log.error(traceback.format_exc())

            raise

:created_on: Jan 25, 2011

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import os

import logging

import traceback

import shutil

import datetime

from kallithea.lib.utils2 import LazyProperty

from kallithea.model.base import BaseModel

from kallithea.model.db import RepoGroup, Ui, UserRepoGroupToPerm, \

    User, Permission, UserGroupRepoGroupToPerm, UserGroup, Repository

log = logging.getLogger(__name__)

class RepoGroupModel(BaseModel):

    @LazyProperty

    def repos_path(self):

        """

        Gets the repositories root path from database

        """

        q = Ui.get_by_key('paths', '/')

        return q.ui_value

    def _create_default_perms(self, new_group):

        # create default permission

        default_perm = 'group.read'

        def_user = User.get_default_user()

        for p in def_user.user_perms:

            if p.permission.permission_name.startswith('group.'):

                default_perm = p.permission.permission_name

                break

        repo_group_to_perm = UserRepoGroupToPerm()

        repo_group_to_perm.permission = Permission.get_by_key(default_perm)

        repo_group_to_perm.group = new_group

        repo_group_to_perm.user_id = def_user.user_id

        return repo_group_to_perm

        :param group: instance of group from database

        :param force_delete: use shutil rmtree to remove all objects

        """

        paths = group.full_path.split(RepoGroup.url_sep())

        paths = os.sep.join(paths)

        rm_path = os.path.join(self.repos_path, paths)

        log.info("Removing group %s", rm_path)

        # delete only if that path really exists

        if os.path.isdir(rm_path):

            if force_delete:

                shutil.rmtree(rm_path)

            else:

                #archive that group`

                _now = datetime.datetime.now()

                _ms = str(_now.microsecond).rjust(6, '0')

                _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),

                                          group.name)

                shutil.move(rm_path, os.path.join(self.repos_path, _d))

    def create(self, group_name, group_description, owner, parent=None,

               just_db=False, copy_permissions=False):

        try:

            owner = User.guess_instance(owner)

            new_repo_group = RepoGroup()

            new_repo_group.owner = owner

            new_repo_group.group_description = group_description or group_name

            new_repo_group.parent_group = parent_group

            new_repo_group.group_name = new_repo_group.get_new_name(group_name)

            self.sa.add(new_repo_group)

            # create an ADMIN permission for owner except if we're super admin,

            # later owner should go into the owner field of groups

            if not owner.is_admin:

                self.grant_user_permission(repo_group=new_repo_group,

                                           user=owner, perm='group.admin')

            if parent_group and copy_permissions:

                # copy permissions from parent

                user_perms = UserRepoGroupToPerm.query() \

                    .filter(UserRepoGroupToPerm.group == parent_group).all()

                group_perms = UserGroupRepoGroupToPerm.query() \

                    .filter(UserGroupRepoGroupToPerm.group == parent_group).all()

                for perm in user_perms:

                    # don't copy over the permission for user who is creating

                    #check if we have permissions to alter this usergroup

                    req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                    if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                        _set_perm_group(obj, users_group=member, perm=perm)

            # set new permissions

            for member, perm, member_type in perms_new:

                if member_type == 'user':

                    _set_perm_user(obj, user=member, perm=perm)

                else:

                    #check if we have permissions to alter this usergroup

                    req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                    if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                        _set_perm_group(obj, users_group=member, perm=perm)

            updates.append(obj)

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

        return updates

    def update(self, repo_group, form_data):

        try:

            old_path = repo_group.full_path

            # change properties

            repo_group.group_description = form_data['group_description']

            repo_group.parent_group_id = form_data['parent_group_id']

            repo_group.enable_locking = form_data['enable_locking']

            repo_group.parent_group = RepoGroup.get(form_data['parent_group_id'])

            repo_group.group_name = repo_group.get_new_name(form_data['group_name'])

            new_path = repo_group.full_path

            self.sa.add(repo_group)

            # iterate over all members of this groups and do fixes

            # set locking if given

            # if obj is a repoGroup also fix the name of the group according

            # to the parent

            # if obj is a Repo fix it's name

            # this can be potentially heavy operation

            for obj in repo_group.recursive_groups_and_repos():

                #set the value from it's parent

                obj.enable_locking = repo_group.enable_locking

                if isinstance(obj, RepoGroup):

                    new_name = obj.get_new_name(obj.name)

                    log.debug('Fixing group %s to new name %s' \

                                % (obj.group_name, new_name))

                    obj.group_name = new_name

                elif isinstance(obj, Repository):

                    # we need to get all repositories from this new group and

                    # rename them accordingly to new group path

                    new_name = obj.get_new_name(obj.just_name)

                    log.debug('Fixing repo %s to new name %s' \

                                % (obj.repo_name, new_name))

                    obj.repo_name = new_name

                self.sa.add(obj)

            self._rename_group(old_path, new_path)

            return repo_group

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, repo_group, force_delete=False):

        try:

            self.sa.delete(repo_group)

            self._delete_group(repo_group, force_delete)

        except Exception:

            log.error('Error removing repo_group %s', repo_group)

            raise

    def add_permission(self, repo_group, obj, obj_type, perm, recursive):

        from kallithea.model.repo import RepoModel

        perm = Permission.guess_instance(perm)

        for el in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

            # that group, recursive option can be: none, repos, groups, all

            if recursive == 'all':

                pass

            elif recursive == 'repos':

                # skip groups, other than this one

                if isinstance(el, RepoGroup) and not el == repo_group:

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(el, Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                el = repo_group

                # also we do a break at the end of this loop.

            if isinstance(el, RepoGroup):

                if obj_type == 'user':

                    RepoGroupModel().grant_user_permission(el, user=obj, perm=perm)

                elif obj_type == 'user_group':

                    RepoGroupModel().grant_user_group_permission(el, group_name=obj, perm=perm)

                elif obj_type == 'user_group':

                    RepoModel().grant_user_group_permission(el, group_name=obj, perm=_perm)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            else:

                raise Exception('el should be instance of Repository or '

                                'RepositoryGroup got %s instead' % type(el))

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

    def delete_permission(self, repo_group, obj, obj_type, recursive):

        """

        Revokes permission for repo_group for given obj(user or users_group),

        obj_type can be user or user group

        :param repo_group:

        :param obj: user or user group id

        :param obj_type: user or user group type

        :param recursive: recurse to all children of group

        """

        from kallithea.model.repo import RepoModel

        for el in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

            # that group, recursive option can be: none, repos, groups, all

            if recursive == 'all':

                pass

            elif recursive == 'repos':

                # skip groups, other than this one

                if isinstance(el, RepoGroup) and not el == repo_group:

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(el, Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                el = repo_group

                # also we do a break at the end of this loop.

            if isinstance(el, RepoGroup):

                if obj_type == 'user':

                    RepoGroupModel().revoke_user_permission(el, user=obj)