user_group_to_perm.user_group = user_group

        user_group_to_perm.user_id = def_user.user_id

        return user_group_to_perm

    def _update_permissions(self, user_group, perms_new=None,

                            perms_updates=None):

        from kallithea.lib.auth import HasUserGroupPermissionAny

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        # update permissions

        for member, perm, member_type in perms_updates:

            if member_type == 'user':

                # this updates existing one

                self.grant_user_permission(

                    user_group=user_group, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write',

                                             'usergroup.admin')(member):

                    self.grant_user_group_permission(

                        target_user_group=user_group, user_group=member, perm=perm

                    )

        # set new permissions

        for member, perm, member_type in perms_new:

            if member_type == 'user':

                self.grant_user_permission(

                    user_group=user_group, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write',

                                             'usergroup.admin')(member):

                    self.grant_user_group_permission(

                        target_user_group=user_group, user_group=member, perm=perm

                    )

    def get(self, user_group_id, cache=False):

        return UserGroup.get(user_group_id)

    def get_group(self, user_group):

        return self._get_user_group(user_group)

    def get_by_name(self, name, cache=False, case_insensitive=False):

        return UserGroup.get_by_group_name(name, cache, case_insensitive)

    def create(self, name, description, owner, active=True, group_data=None):

        try:

            new_user_group = UserGroup()

            new_user_group.user = self._get_user(owner)

            new_user_group.users_group_name = name

            new_user_group.user_group_description = description

            new_user_group.users_group_active = active

            if group_data:

                new_user_group.group_data = group_data

            self.sa.add(new_user_group)

            perm_obj = self._create_default_perms(new_user_group)

            self.sa.add(perm_obj)

            self.grant_user_permission(user_group=new_user_group,

                                       user=owner, perm='usergroup.admin')

            return new_user_group

        except Exception:

            log.error(traceback.format_exc())

            raise

    def update(self, user_group, form_data):

        try:

            user_group = self._get_user_group(user_group)

            for k, v in form_data.items():

                if k == 'users_group_members':

                    user_group.members = []

                    self.sa.flush()

                    members_list = []

                    if v:

                        v = [v] if isinstance(v, basestring) else v

                        for u_id in set(v):

                            member = UserGroupMember(user_group.users_group_id, u_id)

                            members_list.append(member)

                    setattr(user_group, 'members', members_list)

                setattr(user_group, k, v)

            self.sa.add(user_group)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, user_group, force=False):

        """

        raises exception if there are members in that group, else deletes

        group and users

        :param user_group:

        :param force:

        """

        user_group = self._get_user_group(user_group)

        try:

            # check if this group is not assigned to repo

            assigned_groups = UserGroupRepoToPerm.query()\

                .filter(UserGroupRepoToPerm.users_group == user_group).all()

            if assigned_groups and not force:

                raise UserGroupsAssignedException(

            self.sa.delete(user_group)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def add_user_to_group(self, user_group, user):

        user_group = self._get_user_group(user_group)

        user = self._get_user(user)

        for m in user_group.members:

            u = m.user

            if u.user_id == user.user_id:

                # user already in the group, skip

                return True

        try:

            user_group_member = UserGroupMember()

            user_group_member.user = user

            user_group_member.users_group = user_group

            user_group.members.append(user_group_member)

            user.group_member.append(user_group_member)

            self.sa.add(user_group_member)

            return user_group_member

        except Exception:

            log.error(traceback.format_exc())

            raise

    def remove_user_from_group(self, user_group, user):

        user_group = self._get_user_group(user_group)

        user = self._get_user(user)

        user_group_member = None

        for m in user_group.members:

            if m.user.user_id == user.user_id:

                # Found this user's membership row

                user_group_member = m

                break

        if user_group_member:

            try:

                self.sa.delete(user_group_member)

                return True

            except Exception:

                log.error(traceback.format_exc())

                raise

        else:

            # User isn't in that group

            return False

    def has_perm(self, user_group, perm):

        user_group = self._get_user_group(user_group)

        perm = self._get_perm(perm)

        return UserGroupToPerm.query()\

            .filter(UserGroupToPerm.users_group == user_group)\

            .filter(UserGroupToPerm.permission == perm).scalar() is not None

    def grant_perm(self, user_group, perm):

        user_group = self._get_user_group(user_group)

        perm = self._get_perm(perm)

        # if this permission is already granted skip it

        _perm = UserGroupToPerm.query()\

            .filter(UserGroupToPerm.users_group == user_group)\

            .filter(UserGroupToPerm.permission == perm)\

            .scalar()

        if _perm:

            return

        new = UserGroupToPerm()

        new.users_group = user_group

        new.permission = perm

        self.sa.add(new)

        return new

    def revokehas_permrevoke_permgrant_perm_perm(self, user_group, perm):

        user_group = self._get_user_group(user_group)

        perm = self._get_perm(perm)

        obj = UserGroupToPerm.query()\

            .filter(UserGroupToPerm.users_group == user_group)\

            .filter(UserGroupToPerm.permission == perm).scalar()

        if obj:

            self.sa.delete(obj)

    def grant_user_permission(self, user_group, user, perm):

        """

        Grant permission for user on given user group, or update

        existing one if found

        :param user_group: Instance of UserGroup, users_group_id,

            or users_group_name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        response = api_call(self, params)

        try:

            expected = {

            'msg': 'added member `%s` to user group `%s`' % (

                    TEST_USER_ADMIN_LOGIN, gr_name),

            'success': True

            }

            self._compare_ok(id_, expected, given=response.body)

        finally:

            fixture.destroy_user_group(gr_name)

    def test_api_add_user_to_user_group_that_doesnt_exist(self):

        id_, params = _build_data(self.apikey, 'add_user_to_user_group',

                                  usergroupid='false-group',

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        expected = 'user group `%s` does not exist' % 'false-group'

        self._compare_error(id_, expected, given=response.body)

    @mock.patch.object(UserGroupModel, 'add_user_to_group', crash)

    def test_api_add_user_to_user_group_exception_occurred(self):

        gr_name = 'test_group'

        fixture.create_user_group(gr_name)

        id_, params = _build_data(self.apikey, 'add_user_to_user_group',

                                  usergroupid=gr_name,

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        try:

            expected = 'failed to add member to user group `%s`' % gr_name

            self._compare_error(id_, expected, given=response.body)

        finally:

            fixture.destroy_user_group(gr_name)

    def test_api_remove_user_from_user_group(self):

        gr_name = 'test_group_3'

        gr = fixture.create_user_group(gr_name)

        UserGroupModel().add_user_to_group(gr, user=TEST_USER_ADMIN_LOGIN)

        Session().commit()

        id_, params = _build_data(self.apikey, 'remove_user_from_user_group',

                                  usergroupid=gr_name,

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        try:

            expected = {

                'msg': 'removed member `%s` from user group `%s`' % (

                    TEST_USER_ADMIN_LOGIN, gr_name

                ),

                'success': True}

            self._compare_ok(id_, expected, given=response.body)

        finally:

            fixture.destroy_user_group(gr_name)

    @mock.patch.object(UserGroupModel, 'remove_user_from_group', crash)

    def test_api_remove_user_from_user_group_exception_occurred(self):

        gr_name = 'test_group_3'

        gr = fixture.create_user_group(gr_name)

        UserGroupModel().add_user_to_group(gr, user=TEST_USER_ADMIN_LOGIN)

        Session().commit()

        id_, params = _build_data(self.apikey, 'remove_user_from_user_group',

                                  usergroupid=gr_name,

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        try:

            expected = 'failed to remove member from user group `%s`' % gr_name

            self._compare_error(id_, expected, given=response.body)

        finally:

            fixture.destroy_user_group(gr_name)

    def test_api_delete_user_group(self):

        gr_name = 'test_group'

        ugroup = fixture.create_user_group(gr_name)

        gr_id = ugroup.users_group_id

        id_, params = _build_data(self.apikey, 'delete_user_group',

                                  usergroupid=gr_name,

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        try:

            expected = {

                'user_group': None,

                'msg': 'deleted user group ID:%s %s' % (gr_id, gr_name)

            }

            self._compare_ok(id_, expected, given=response.body)

        finally:

            if UserGroupModel().get_by_name(gr_name):

                fixture.destroy_user_group(gr_name)

    def test_api_delete_user_group_that_is_assigned(self):

        gr_name = 'test_group'

        ugroup = fixture.create_user_group(gr_name)

        gr_id = ugroup.users_group_id

        ugr_to_perm = RepoModel().grant_user_group_permission(self.REPO, gr_name, 'repository.write')

        id_, params = _build_data(self.apikey, 'delete_user_group',

                                  usergroupid=gr_name,

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        try:

            expected = msg

            self._compare_error(id_, expected, given=response.body)

        finally:

            if UserGroupModel().get_by_name(gr_name):

                fixture.destroy_user_group(gr_name)

    def test_api_delete_user_group_exception_occured(self):

        gr_name = 'test_group'

        ugroup = fixture.create_user_group(gr_name)

        gr_id = ugroup.users_group_id

        id_, params = _build_data(self.apikey, 'delete_user_group',

                                  usergroupid=gr_name,

                                  userid=TEST_USER_ADMIN_LOGIN)

        try:

            with mock.patch.object(UserGroupModel, 'delete', crash):

                response = api_call(self, params)

                expected = 'failed to delete user group ID:%s %s' % (gr_id, gr_name)

                self._compare_error(id_, expected, given=response.body)

        finally:

            fixture.destroy_user_group(gr_name)

    @parameterized.expand([('none', 'repository.none'),

                           ('read', 'repository.read'),

                           ('write', 'repository.write'),

                           ('admin', 'repository.admin')])

    def test_api_grant_user_permission(self, name, perm):

        id_, params = _build_data(self.apikey,

                                  'grant_user_permission',

                                  repoid=self.REPO,

                                  userid=TEST_USER_ADMIN_LOGIN,

                                  perm=perm)

        response = api_call(self, params)

        ret = {

            'msg': 'Granted perm: `%s` for user: `%s` in repo: `%s`' % (

                perm, TEST_USER_ADMIN_LOGIN, self.REPO

            ),

            'success': True

        }

        expected = ret

        self._compare_ok(id_, expected, given=response.body)

    def test_api_grant_user_permission_wrong_permission(self):

        perm = 'haha.no.permission'

        id_, params = _build_data(self.apikey,

                                  'grant_user_permission',

                                  repoid=self.REPO,

                                  userid=TEST_USER_ADMIN_LOGIN,

                                  perm=perm)

        response = api_call(self, params)

        expected = 'permission `%s` does not exist' % perm

        self._compare_error(id_, expected, given=response.body)

    @mock.patch.object(RepoModel, 'grant_user_permission', crash)

    def test_api_grant_user_permission_exception_when_adding(self):

        perm = 'repository.read'

        id_, params = _build_data(self.apikey,

                                  'grant_user_permission',

                                  repoid=self.REPO,

                                  userid=TEST_USER_ADMIN_LOGIN,

                                  perm=perm)

        response = api_call(self, params)

        expected = 'failed to edit permission for user: `%s` in repo: `%s`' % (

            TEST_USER_ADMIN_LOGIN, self.REPO

        )

        self._compare_error(id_, expected, given=response.body)

    def test_api_revoke_user_permission(self):

        id_, params = _build_data(self.apikey,

                                  'revoke_user_permission',

                                  repoid=self.REPO,

                                  userid=TEST_USER_ADMIN_LOGIN, )

        response = api_call(self, params)

        expected = {

            'msg': 'Revoked perm for user: `%s` in repo: `%s`' % (

                TEST_USER_ADMIN_LOGIN, self.REPO

            ),

            'success': True

        }

        self._compare_ok(id_, expected, given=response.body)

    @mock.patch.object(RepoModel, 'revoke_user_permission', crash)

    def test_api_revoke_user_permission_exception_when_adding(self):

        id_, params = _build_data(self.apikey,

                                  'revoke_user_permission',