active=True, admin=admin,

                                     extern_type=User.DEFAULT_AUTH_TYPE)

    def create_default_user(self):

        log.info('creating default user')

        # create default user for handling default permissions.

                                            password=str(uuid.uuid1())[:20],

                                            email='anonymous@kallithea-scm.org',

                                            firstname='Anonymous',

                                            lastname='User')

        # based on configuration options activate/deactivate this user which

        # controls anonymous access

    def populate_default_permissions(self):

        """

        Populate default permissions. It will create only the default

        permissions that are missing, and not alter already defined ones

        """

        log.info('creating default user permissions')

    __table_args__ = (

        Index('u_username_idx', 'username'),

        Index('u_email_idx', 'email'),

        _table_args_default_dict,

    )

    DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'

    # The name of the default auth type in extern_type, 'internal' lives in auth_internal.py

    DEFAULT_AUTH_TYPE = 'internal'

    user_id = Column(Integer(), primary_key=True)

    username = Column(String(255), nullable=False, unique=True)

    @property

    def is_admin(self):

        return self.admin

    @hybrid_property

    def is_default_user(self):

    @hybrid_property

    def user_data(self):

        if not self._user_data:

            return {}

        if user is None:

            raise Exception('Missing administrative account!')

        return user

    @classmethod

    def get_default_user(cls):

        if user is None:

            raise Exception('Missing default account!')

        return user

    def get_api_data(self, details=False):

        """

        def _get_group(perm_name):

            return '.'.join(perm_name.split('.')[:1])

        perms = UserToPerm.query().filter(UserToPerm.user == user).all()

        defined_perms_groups = set(_get_group(x.permission.permission_name) for x in perms)

        log.debug('GOT ALREADY DEFINED:%s', perms)

        if force:

            for perm in perms:

                Session().delete(perm)

            Session().commit()

            defined_perms_groups = []

        # For every default permission that needs to be created, we check if

        # its group is already defined. If it's not, we create default permission.

            gr = _get_group(perm_name)

            if gr not in defined_perms_groups:

                log.debug('GR:%s not found, creating permission %s',

                          gr, perm_name)

                new_perm = _make_perm(perm_name)

                Session().add(new_perm)

                new_type = perm_dict.get('type')

                if new_member and new_perm and new_type:

                    perms_new.add((new_member, new_perm, new_type))

            for k, v in value.items():

                if k.startswith('u_perm_') or k.startswith('g_perm_'):

                    t = {'u': 'user',

                         'g': 'users_group'

                    }[k[0]]

                        if str2bool(value.get('repo_private')):

                            # set none for default when updating to

                            # private repo protects against form manipulation

                            v = EMPTY_PERM

            value['perms_updates'] = list(perms_update)

            value['perms_new'] = list(perms_new)

            # update permissions

            for k, v, t in perms_new:

            self._compare_ok(id_, expected, given=response.body)

        finally:

            RepoModel().revoke_user_permission(self.REPO, self.TEST_USER_LOGIN)

    def test_api_get_repo_by_non_admin_no_permission_to_repo(self):

        RepoModel().grant_user_permission(repo=self.REPO,

                                          perm='repository.none')

        try:

            RepoModel().grant_user_permission(repo=self.REPO,

                                              user=self.TEST_USER_LOGIN,

                                              perm='repository.none')

            response = api_call(self, params)

            expected = 'repository `%s` does not exist' % (self.REPO)

            self._compare_error(id_, expected, given=response.body)

        finally:

            RepoModel().grant_user_permission(repo=self.REPO,

                                              perm='repository.read')

    def test_api_get_repo_that_doesn_not_exist(self):

        id_, params = _build_data(self.apikey, 'get_repo',

                                  repoid='no-such-repo')

        response = api_call(self, params)

        expected = 'Only Kallithea admin can specify `owner` param'

        self._compare_error(id_, expected, given=response.body)

        fixture.destroy_repo(fork_name)

    def test_api_fork_repo_non_admin_no_permission_to_fork(self):

        RepoModel().grant_user_permission(repo=self.REPO,

                                          perm='repository.none')

        try:

            fork_name = 'api-repo-fork'

            id_, params = _build_data(self.apikey_regular, 'fork_repo',

                                      repoid=self.REPO,

                                      fork_name=fork_name,

            )

            response = api_call(self, params)

            expected = 'repository `%s` does not exist' % (self.REPO)

            self._compare_error(id_, expected, given=response.body)

        finally:

            RepoModel().grant_user_permission(repo=self.REPO,

                                              perm='repository.read')

            fixture.destroy_repo(fork_name)

    @base.parametrize('name,perm', [

        ('read', 'repository.read'),

        ('write', 'repository.write'),

        usr = self.log_user(base.TEST_USER_REGULAR_LOGIN, base.TEST_USER_REGULAR_PASS)

        # avoid spurious RepoGroup DetachedInstanceError ...

        session_csrf_secret_token = self.session_csrf_secret_token()

        # revoke

        user_model = UserModel()

        # disable fork and create on default user

        # disable on regular user

        user_model.revoke_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.create.repository')

        user_model.grant_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.create.none')

        user_model.revoke_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.fork.repository')

        user_model.grant_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.fork.none')

    def test_create_on_top_level_without_permissions(self):

        usr = self.log_user(base.TEST_USER_REGULAR_LOGIN, base.TEST_USER_REGULAR_PASS)

        # revoke

        user_model = UserModel()

        # disable fork and create on default user

        # disable on regular user

        user_model.revoke_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.create.repository')

        user_model.grant_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.create.none')

        user_model.revoke_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.fork.repository')

        user_model.grant_perm(base.TEST_USER_REGULAR_LOGIN, 'hg.fork.none')

class TestPermissions(base.TestController):

    @classmethod

    def setup_class(cls):

        # recreate default user to get a clean start

                                                     force=True)

        Session().commit()

    def setup_method(self, method):

        self.u1 = UserModel().create_or_update(

            username='u1', password='qweqwe',