log.debug('redirecting to login page with %s' % p)

            return redirect(url('login_home', came_from=p))

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

    redirect to login page"""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        self.user = cls.rhodecode_user

        log.debug('Checking if user is not anonymous @%s' % cls)

        anonymous = self.user.username == 'default'

        if anonymous:

            p = url.current()

            import rhodecode.lib.helpers as h

            h.flash(_('You need to be a registered user to '

                      'perform this action'),

                    category='warning')

            return redirect(url('login_home', came_from=p))

        else:

            return func(*fargs, **fkwargs)

class PermsDecorator(object):

    """Base class for controller decorators"""

    def __init__(self, *required_perms):

        available_perms = config['available_permissions']

        for perm in required_perms:

            if perm not in available_perms:

                raise Exception("'%s' permission is not defined" % perm)

        self.required_perms = set(required_perms)

        self.user_perms = None

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        self.user = cls.rhodecode_user

        self.user_perms = self.user.permissions

        log.debug('checking %s permissions %s for %s %s',

           self.__class__.__name__, self.required_perms, cls, self.user)

        if self.check_permissions():

            log.debug('Permission granted for %s %s' % (cls, self.user))

            return func(*fargs, **fkwargs)

        else:

            log.debug('Permission denied for %s %s' % (cls, self.user))

            anonymous = self.user.username == 'default'

            if anonymous:

                p = url.current()

                import rhodecode.lib.helpers as h

                h.flash(_('You need to be a signed in to '

                          'view this page'),

                        category='warning')

                return redirect(url('login_home', came_from=p))

            else:

                # redirect with forbidden ret code

                return abort(403)

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAllDecorator(PermsDecorator):

    """

    Checks for access permission for all given predicates. All of them

    have to be meet in order to fulfill the request

    """

    def check_permissions(self):

        if self.required_perms.issubset(self.user_perms.get('global')):

            return True

        return False

class HasPermissionAnyDecorator(PermsDecorator):

    """

    Checks for access permission for any of given predicates. In order to

    fulfill the request any of predicates must be meet

    """

    def check_permissions(self):

        if self.required_perms.intersection(self.user_perms.get('global')):

            return True

        return False

class HasRepoPermissionAllDecorator(PermsDecorator):

    """

    Checks for access permission for all given predicates for specific

    repository. All of them have to be meet in order to fulfill the request

    """

    def check_permissions(self):

        repo_name = get_repo_slug(request)

        try:

            user_perms = set([self.user_perms['repositories'][repo_name]])

        except KeyError:

            return False

        if self.required_perms.issubset(user_perms):

            return True

        return False

class HasRepoPermissionAnyDecorator(PermsDecorator):

    """

    Checks for access permission for any of given predicates for specific

    repository. In order to fulfill the request any of predicates must be meet

    """

    def check_permissions(self):

        repo_name = get_repo_slug(request)

        try:

            user_perms = set([self.user_perms['repositories'][repo_name]])

        except KeyError:

            return False

        if self.required_perms.intersection(user_perms):

            return True

        return False

class HasReposGroupPermissionAllDecorator(PermsDecorator):

    """

    Checks for access permission for all given predicates for specific

    repository. All of them have to be meet in order to fulfill the request

    """

    def check_permissions(self):

        group_name = get_repos_group_slug(request)

        try:

            user_perms = set([self.user_perms['repositories_groups'][group_name]])

        except KeyError:

            return False

        if self.required_perms.issubset(user_perms):

            return True

        return False

class HasReposGroupPermissionAnyDecorator(PermsDecorator):

    """

    Checks for access permission for any of given predicates for specific

    repository. In order to fulfill the request any of predicates must be meet

    """

    def check_permissions(self):

        group_name = get_repos_group_slug(request)

        try:

            user_perms = set([self.user_perms['repositories_groups'][group_name]])

        except KeyError:

            return False

        if self.required_perms.intersection(user_perms):

            return True

        return False

#==============================================================================

# CHECK FUNCTIONS

#==============================================================================

class PermsFunction(object):

    """Base function for other check functions"""

    def __init__(self, *perms):

        available_perms = config['available_permissions']

        for perm in perms:

            if perm not in available_perms:

                raise Exception("'%s' permission is not defined" % perm)

        self.required_perms = set(perms)

        self.user_perms = None

        self.repo_name = None

        self.group_name = None

        user = request.user

        cls_name = self.__class__.__name__

        check_scope = {

            'HasPermissionAll': '',

            'HasPermissionAny': '',

            'HasRepoPermissionAll': 'repo:%s' % self.repo_name,

            'HasRepoPermissionAny': 'repo:%s' % self.repo_name,

            'HasReposGroupPermissionAll': 'group:%s' % self.group_name,

            'HasReposGroupPermissionAny': 'group:%s' % self.group_name,

        }.get(cls_name, '?')

        log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,

                  self.required_perms, user, check_scope,

        if not user:

            log.debug('Empty request user')

            return False

        self.user_perms = user.permissions

        if self.check_permissions():

            log.debug('Permission to %s granted for user: %s @ %s', self.repo_name, user,

            return True

        else:

            log.debug('Permission to %s denied for user: %s @ %s', self.repo_name, user,

            return False

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAll(PermsFunction):

    def check_permissions(self):

        if self.required_perms.issubset(self.user_perms.get('global')):

            return True

        return False

class HasPermissionAny(PermsFunction):

    def check_permissions(self):

        if self.required_perms.intersection(self.user_perms.get('global')):

            return True

        return False

class HasRepoPermissionAll(PermsFunction):

        self.repo_name = repo_name

    def check_permissions(self):

        if not self.repo_name:

            self.repo_name = get_repo_slug(request)

        try:

            self._user_perms = set(

                [self.user_perms['repositories'][self.repo_name]]

            )

        except KeyError:

            return False

        if self.required_perms.issubset(self._user_perms):

            return True

        return False

class HasRepoPermissionAny(PermsFunction):

        self.repo_name = repo_name

    def check_permissions(self):

        if not self.repo_name:

            self.repo_name = get_repo_slug(request)

        try:

            self._user_perms = set(

                [self.user_perms['repositories'][self.repo_name]]

            )

        except KeyError:

            return False

        if self.required_perms.intersection(self._user_perms):

            return True

        return False

class HasReposGroupPermissionAny(PermsFunction):

        self.group_name = group_name

    def check_permissions(self):

        try:

            self._user_perms = set(

                [self.user_perms['repositories_groups'][self.group_name]]

            )

        except KeyError:

            return False

        if self.required_perms.intersection(self._user_perms):

            return True

        return False

class HasReposGroupPermissionAll(PermsFunction):

        self.group_name = group_name

    def check_permissions(self):

        try:

            self._user_perms = set(

                [self.user_perms['repositories_groups'][self.group_name]]

            )

        except KeyError:

            return False

        if self.required_perms.issubset(self._user_perms):

            return True

        return False

#==============================================================================

# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH

#==============================================================================

class HasPermissionAnyMiddleware(object):

    def __init__(self, *perms):

        self.required_perms = set(perms)

    def __call__(self, user, repo_name):

        # repo_name MUST be unicode, since we handle keys in permission

        # dict by unicode

        repo_name = safe_unicode(repo_name)

        usr = AuthUser(user.user_id)

        try:

            self.user_perms = set([usr.permissions['repositories'][repo_name]])

        except Exception:

            log.error('Exception while accessing permissions %s' %

                      traceback.format_exc())

            self.user_perms = set()

        self.username = user.username

        self.repo_name = repo_name

        return self.check_permissions()

    def check_permissions(self):

        log.debug('checking VCS protocol '

                  'permissions %s for user:%s repository:%s', self.user_perms,

                                                self.username, self.repo_name)

        if self.required_perms.intersection(self.user_perms):

            log.debug('permission granted for user:%s on repo:%s' % (

                          self.username, self.repo_name

                     )

            )

            return True

        log.debug('permission denied for user:%s on repo:%s' % (

                      self.username, self.repo_name

                 )

        )

        return False

#==============================================================================

# SPECIAL VERSION TO HANDLE API AUTH

#==============================================================================

class _BaseApiPerm(object):

    def __init__(self, *perms):

        self.required_perms = set(perms)

    def __call__(self, check_location='unspecified', user=None, repo_name=None):

        cls_name = self.__class__.__name__

        check_scope = 'user:%s, repo:%s' % (user, repo_name)

        log.debug('checking cls:%s %s %s @ %s', cls_name,

                  self.required_perms, check_scope, check_location)

        if not user:

            log.debug('Empty User passed into arguments')

            return False

        ## process user

        if not isinstance(user, AuthUser):

            user = AuthUser(user.user_id)

        if self.check_permissions(user.permissions, repo_name):

            log.debug('Permission to %s granted for user: %s @ %s', repo_name,

                      user, check_location)

            return True

        else:

            log.debug('Permission to %s denied for user: %s @ %s', repo_name,

                      user, check_location)

            return False

    def check_permissions(self, perm_defs, repo_name):

        """

        implement in child class should return True if permissions are ok,

        False otherwise

        :param perm_defs: dict with permission definitions

        :param repo_name: repo name

        """

        raise NotImplementedError()

class HasPermissionAllApi(_BaseApiPerm):

    def __call__(self, user, check_location=''):

        return super(HasPermissionAllApi, self)\

            .__call__(check_location=check_location, user=user)

    def check_permissions(self, perm_defs, repo):

        if self.required_perms.issubset(perm_defs.get('global')):

            return True

        return False

class HasPermissionAnyApi(_BaseApiPerm):

    def __call__(self, user, check_location=''):

        return super(HasPermissionAnyApi, self)\

            .__call__(check_location=check_location, user=user)

    def check_permissions(self, perm_defs, repo):

        if self.required_perms.intersection(perm_defs.get('global')):

            return True

        return False

class HasRepoPermissionAllApi(_BaseApiPerm):

    def __call__(self, user, repo_name, check_location=''):

        return super(HasRepoPermissionAllApi, self)\

            .__call__(check_location=check_location, user=user,

                      repo_name=repo_name)

    def check_permissions(self, perm_defs, repo_name):

        try:

            self._user_perms = set(

                [perm_defs['repositories'][repo_name]]

            )

        except KeyError:

            log.warning(traceback.format_exc())

            return False

        if self.required_perms.issubset(self._user_perms):

            return True

        return False

class HasRepoPermissionAnyApi(_BaseApiPerm):

    def __call__(self, user, repo_name, check_location=''):

        return super(HasRepoPermissionAnyApi, self)\

            .__call__(check_location=check_location, user=user,

                      repo_name=repo_name)

    def check_permissions(self, perm_defs, repo_name):

        try:

            _user_perms = set(

                [perm_defs['repositories'][repo_name]]

            )

        except KeyError:

            log.warning(traceback.format_exc())

            return False

        if self.required_perms.intersection(_user_perms):

            return True

        return False

def check_ip_access(source_ip, allowed_ips=None):

    """

    Checks if source_ip is a subnet of any of allowed_ips.

    :param source_ip:

    :param allowed_ips: list of allowed ips together with mask

    """

    from rhodecode.lib import ipaddr

    log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))

    if isinstance(allowed_ips, (tuple, list, set)):

        for ip in allowed_ips:

            try:

                if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):

                    return True

                # for any case we cannot determine the IP, don't crash just

                # skip it and log as error, we want to say forbidden still when

                # sending bad IP

            except Exception:

                log.error(traceback.format_exc())

                continue

    return False