Original author and date, and relevant copyright and licensing information is below:

:created_on: Nov 23, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

from pylons import request

from pylons import tmpl_context as c

from kallithea.model.db import Notification

from kallithea.model.notification import NotificationModel

from kallithea.model.meta import Session

from kallithea.lib.auth import LoginRequired, NotAnonymous

from kallithea.lib.base import BaseController, render

from kallithea.lib import helpers as h

from kallithea.lib.helpers import Page

from kallithea.lib.utils2 import safe_int

log = logging.getLogger(__name__)

                            .get_user_notification(c.user.user_id, no)

            # if this association to user is not valid, we don't want to show

            # this message

            if unotification is not None:

                if not unotification.read:

                    unotification.mark_as_read()

                    Session().commit()

                c.notification = no

                return render('admin/notifications/show_notification.html')

    def edit(self, notification_id, format='html'):

        """GET /_admin/notifications/id/edit: Form to edit an existing item"""

        # url('edit_notification', notification_id=ID)

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

import formencode

import itertools

from formencode import htmlfill

from pylons import request, tmpl_context as c, url

from pylons.i18n.translation import _, ungettext

import kallithea

from kallithea.lib import helpers as h

from kallithea.lib.compat import json

from kallithea.lib.auth import LoginRequired, \

    HasRepoGroupPermissionAnyDecorator, HasRepoGroupPermissionAll, \

    HasPermissionAll

from kallithea.lib.base import BaseController, render

from kallithea.model.db import RepoGroup, Repository

from kallithea.model.scm import RepoGroupList, AvailableRepoGroupChoices

from kallithea.model.repo_group import RepoGroupModel

from kallithea.model.forms import RepoGroupForm, RepoGroupPermsForm

from kallithea.model.meta import Session

from kallithea.model.repo import RepoModel

from kallithea.lib.utils2 import safe_int

from sqlalchemy.sql.expression import func

log = logging.getLogger(__name__)

class RepoGroupsController(BaseController):

    @LoginRequired()

    def __before__(self):

        super(RepoGroupsController, self).__before__()

        if HasPermissionAll('hg.admin')('group create'):

            #we're global admin, we're ok and we can create TOP level groups

            pass

        else:

            # we pass in parent group into creation form, thus we know

            # what would be the group, we can check perms here !

            group_id = safe_int(request.GET.get('parent_group'))

            group = RepoGroup.get(group_id) if group_id else None

            group_name = group.group_name if group else None

            if HasRepoGroupPermissionAll('group.admin')(group_name, 'group create'):

                pass

            else:

        self.__load_defaults()

        return render('admin/repo_groups/repo_group_add.html')

    @HasRepoGroupPermissionAnyDecorator('group.admin')

    def update(self, group_name):

        """PUT /repo_groups/group_name: Update an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="PUT" />

        # Or using helpers:

        #    h.form(url('repos_group', group_name=GROUP_NAME),

        #           method='put')

"""

import time

import os

import logging

import traceback

import hashlib

import itertools

import collections

from decorator import decorator

from pylons import url, request, session

from pylons.i18n.translation import _

from webhelpers.pylonslib import secure_form

from sqlalchemy import or_

from sqlalchemy.orm.exc import ObjectDeletedError

from sqlalchemy.orm import joinedload

from kallithea import __platform__, is_windows, is_unix

from kallithea.lib.vcs.utils.lazy import LazyProperty

from kallithea.model import meta

from kallithea.model.meta import Session

from kallithea.model.user import UserModel

from kallithea.model.db import User, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \

    UserGroup, UserApiKeys

from kallithea.lib.utils2 import safe_unicode, aslist

            # explicit controller is enabled or API is in our whitelist

            if self.api_access or allowed_api_access(loc, api_key=api_key):

                if api_key in user.api_keys:

                    log.info('user %s authenticated with API key ****%s @ %s',

                             user, api_key[-4:], loc)

                    return func(*fargs, **fkwargs)

                else:

                    log.warning('API key ****%s is NOT valid', api_key[-4:])

                    return redirect_to_login(_('Invalid API key'))

            else:

                # controller does not allow API access

                log.warning('API access to %s is not allowed', loc)

        # Only allow the following HTTP request methods. (We sometimes use POST

        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

        # used for the route lookup, and does not affect request.method.)

        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

        # Make sure CSRF token never appears in the URL. If so, invalidate it.

        if secure_form.token_key in request.GET:

            log.error('CSRF key leak detected')

            session.pop(secure_form.token_key, None)

            session.save()

            from kallithea.lib import helpers as h

            h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),

                    category='error')

        # CSRF protection: Whenever a request has ambient authority (whether

        # through a session cookie or its origin IP address), it must include

        # the correct token, unless the HTTP method is GET or HEAD (and thus

        # guaranteed to be side effect free. In practice, the only situation

        # where we allow side effects without ambient authority is when the

        # authority comes from an API key; and that is handled above.

        if request.method not in ['GET', 'HEAD']:

            token = request.POST.get(secure_form.token_key)

            if not token or token != secure_form.authentication_token():

                log.error('CSRF check failed')

        # WebOb already ignores request payload parameters for anything other

        # than POST/PUT, but double-check since other Kallithea code relies on

        # this assumption.

        if request.method not in ['POST', 'PUT'] and request.POST:

            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

        # regular user authentication

        if user.is_authenticated:

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        else:

            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

            return redirect_to_login()

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

        if self.check_permissions():

            log.debug('Permission granted for %s %s', cls, self.user)

            return func(*fargs, **fkwargs)

        else:

            log.debug('Permission denied for %s %s', cls, self.user)

            anonymous = self.user.username == User.DEFAULT_USER

            if anonymous:

                return redirect_to_login(_('You need to be signed in to view this page'))

            else:

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAllDecorator(PermsDecorator):

    """

    Checks for access permission for all given predicates. All of them

    have to be meet in order to fulfill the request

    """