@HasPermissionAllDecorator('hg.admin')

    def __before__(self):

        super(PermissionsController, self).__before__()

        c.repo_perms_choices = [('repository.none', _('None'),),

                                   ('repository.read', _('Read'),),

                                   ('repository.write', _('Write'),),

                                   ('repository.admin', _('Admin'),)]

        c.group_perms_choices = [('group.none', _('None'),),

                                 ('group.read', _('Read'),),

                                 ('group.write', _('Write'),),

                                 ('group.admin', _('Admin'),)]

        c.user_group_perms_choices = [('usergroup.none', _('None'),),

                                      ('usergroup.read', _('Read'),),

                                      ('usergroup.write', _('Write'),),

                                      ('usergroup.admin', _('Admin'),)]

        c.register_choices = [

            ('hg.register.none',

                _('Disabled')),

            ('hg.register.manual_activate',

                _('Allowed with manual account activation')),

            ('hg.register.auto_activate',

                _('Allowed with automatic account activation')), ]

        c.repo_create_choices = [('hg.create.none', _('Disabled')),

                                 ('hg.create.repository', _('Enabled'))]

        c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')),

                                       ('hg.usergroup.create.true', _('Enabled'))]

        c.repo_group_create_choices = [('hg.repogroup.create.false', _('Disabled')),

                                       ('hg.repogroup.create.true', _('Enabled'))]

        c.fork_choices = [('hg.fork.none', _('Disabled')),

                          ('hg.fork.repository', _('Enabled'))]

    def index(self, format='html'):

        """GET /permissions: All items in the collection"""

        # url('permissions')

    def create(self):

        """POST /permissions: Create a new item"""

        # url('permissions')

    def new(self, format='html'):

        """GET /permissions/new: Form to create a new item"""

        # url('new_permission')

    def update(self, id):

        """PUT /permissions/id: Update an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="PUT" />

        # Or using helpers:

        #    h.form(url('permission', id=ID),

        #           method='put')

        # url('permission', id=ID)

        if id == 'default':

            c.user = default_user = User.get_default_user()

            c.perm_user = AuthUser(user_id=default_user.user_id)

            c.user_ip_map = UserIpMap.query()\

                            .filter(UserIpMap.user == default_user).all()

            _form = DefaultPermissionsForm(

                    [x[0] for x in c.repo_perms_choices],

                    [x[0] for x in c.group_perms_choices],

                    [x[0] for x in c.user_group_perms_choices],

                    [x[0] for x in c.repo_create_choices],

                    [x[0] for x in c.repo_group_create_choices],

                    [x[0] for x in c.user_group_create_choices],

                    [x[0] for x in c.fork_choices],

            try:

                form_result = _form.to_python(dict(request.POST))

                form_result.update({'perm_user_name': id})

                PermissionModel().update(form_result)

                Session().commit()

                h.flash(_('Default permissions updated successfully'),

                        category='success')

            except formencode.Invalid, errors:

                defaults = errors.value

                return htmlfill.render(

                    render('admin/permissions/permissions.html'),

                    defaults=defaults,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8")

            except Exception:

                log.error(traceback.format_exc())

                h.flash(_('Error occurred during update of permissions'),

                        category='error')

        return redirect(url('edit_permission', id=id))

            c.user_ip_map = UserIpMap.query()\

                            .filter(UserIpMap.user == c.user).all()

            for p in c.user.user_perms:

                if p.permission.permission_name.startswith('repository.'):

                    defaults['default_repo_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('group.'):

                    defaults['default_group_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('usergroup.'):

                    defaults['default_user_group_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.create.'):

                    defaults['default_repo_create'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.repogroup.'):

                    defaults['default_repo_group_create'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.usergroup.'):

                    defaults['default_user_group_create'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.register.'):

                    defaults['default_register'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.fork.'):

                    defaults['default_fork'] = p.permission.permission_name

            return htmlfill.render(

                render('admin/permissions/permissions.html'),

                defaults=defaults,

                encoding="UTF-8",

                force_defaults=False

            )

        else:

            return redirect(url('admin_home'))

                  'port': ldap_settings.get('ldap_port'),

                  'bind_dn': ldap_settings.get('ldap_dn_user'),

                  'bind_pass': ldap_settings.get('ldap_dn_pass'),

                  'tls_kind': ldap_settings.get('ldap_tls_kind'),

                  'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),

                  'ldap_filter': ldap_settings.get('ldap_filter'),

                  'search_scope': ldap_settings.get('ldap_search_scope'),

                  'attr_login': ldap_settings.get('ldap_attr_login'),

                  'ldap_version': 3,

                  }

            log.debug('Checking for ldap authentication')

            try:

                aldap = AuthLdap(**kwargs)

                (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,

                                                                password)

                log.debug('Got ldap DN response %s' % user_dn)

                get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\

                                                           .get(k), [''])[0]

                user_attrs = {

                 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')),

                 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')),

                 'email': get_ldap_attr('ldap_attr_email'),

                }

                # don't store LDAP password since we don't need it. Override

                # with some random generated password

                _password = PasswordGenerator().gen_password(length=8)

                # create this user on the fly if it doesn't exist in rhodecode

                # database

                if user_model.create_ldap(username, _password, user_dn,

                                          user_attrs):

                    log.info('created new ldap user %s' % username)

                Session().commit()

                return True

            except (LdapUsernameError, LdapPasswordError, LdapImportError):

                pass

            except (Exception,):

                log.error(traceback.format_exc())

                pass

    return False

def login_container_auth(username):

    user = User.get_by_username(username)

    if user is None:

        user_attrs = {

            'name': username,

            'lastname': None,

            'email': None,

        }

        user = UserModel().create_for_container_auth(username, user_attrs)

        if not user:

            return None

        log.info('User %s was created by container authentication' % username)

    if not user.active:

        return None

    user.update_lastlogin()

    Session().commit()

    log.debug('User %s is now logged in by container authentication',

              user.username)

    return user

def get_container_username(environ, config, clean_username=False):

    """

    Get's the container_auth username (or email). It tries to get username

    from REMOTE_USER if container_auth_enabled is enabled, if that fails

    it tries to get username from HTTP_X_FORWARDED_USER if proxypass_auth_enabled

    is enabled. clean_username extracts the username from this data if it's

    having @ in it.

        ('repository.admin', _('Repository admin access')),

        ('group.none', _('Repository group no access')),

        ('group.read', _('Repository group read access')),

        ('group.write', _('Repository group write access')),

        ('group.admin', _('Repository group admin access')),

        ('usergroup.none', _('User group no access')),

        ('usergroup.read', _('User group read access')),

        ('usergroup.write', _('User group write access')),

        ('usergroup.admin', _('User group admin access')),

        ('hg.repogroup.create.false', _('Repository Group creation disabled')),

        ('hg.repogroup.create.true', _('Repository Group creation enabled')),

        ('hg.usergroup.create.false', _('User Group creation disabled')),

        ('hg.usergroup.create.true', _('User Group creation enabled')),

        ('hg.create.none', _('Repository creation disabled')),

        ('hg.create.repository', _('Repository creation enabled')),

        ('hg.fork.none', _('Repository forking disabled')),

        ('hg.fork.repository', _('Repository forking enabled')),

    ]

    #definition of system default permissions for DEFAULT user

    DEFAULT_USER_PERMISSIONS = [

        'repository.read',

        'group.read',

        'usergroup.read',

        'hg.create.repository',

        'hg.fork.repository',

        'hg.register.manual_activate',

    ]

    # defines which permissions are more important higher the more important

    # Weight defines which permissions are more important.

    # The higher number the more important.

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'repository.admin': 4,

        'group.none': 0,

        'group.read': 1,

        'group.write': 3,

        'group.admin': 4,

        'usergroup.none': 0,

        'usergroup.read': 1,

        'usergroup.write': 3,

        'usergroup.admin': 4,

        'hg.repogroup.create.false': 0,

        'hg.repogroup.create.true': 1,

        'hg.usergroup.create.false': 0,

def ApplicationUiSettingsForm():

    class _ApplicationUiSettingsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = False

        web_push_ssl = v.StringBoolean(if_missing=False)

        paths_root_path = All(

            v.ValidPath(),

            v.UnicodeString(strip=True, min=1, not_empty=True)

        )

        hooks_changegroup_update = v.StringBoolean(if_missing=False)

        hooks_changegroup_repo_size = v.StringBoolean(if_missing=False)

        hooks_changegroup_push_logger = v.StringBoolean(if_missing=False)

        hooks_outgoing_pull_logger = v.StringBoolean(if_missing=False)

        extensions_largefiles = v.StringBoolean(if_missing=False)

        extensions_hgsubversion = v.StringBoolean(if_missing=False)

        extensions_hggit = v.StringBoolean(if_missing=False)

    return _ApplicationUiSettingsForm

def DefaultPermissionsForm(repo_perms_choices, group_perms_choices,

                           user_group_perms_choices, create_choices,

                           repo_group_create_choices, user_group_create_choices,

    class _DefaultPermissionsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        overwrite_default_repo = v.StringBoolean(if_missing=False)

        overwrite_default_group = v.StringBoolean(if_missing=False)

        overwrite_default_user_group = v.StringBoolean(if_missing=False)

        anonymous = v.StringBoolean(if_missing=False)

        default_repo_perm = v.OneOf(repo_perms_choices)

        default_group_perm = v.OneOf(group_perms_choices)

        default_user_group_perm = v.OneOf(user_group_perms_choices)

        default_repo_create = v.OneOf(create_choices)

        default_user_group_create = v.OneOf(user_group_create_choices)

        #default_repo_group_create = v.OneOf(repo_group_create_choices) #not impl. yet

        default_fork = v.OneOf(fork_choices)

        default_register = v.OneOf(register_choices)

    return _DefaultPermissionsForm

def CustomDefaultPermissionsForm():

    class _CustomDefaultPermissionsForm(formencode.Schema):

        filter_extra_fields = True

        allow_extra_fields = True

        inherit_default_permissions = v.StringBoolean(if_missing=False)

        create_repo_perm = v.StringBoolean(if_missing=False)

        create_user_group_perm = v.StringBoolean(if_missing=False)

        #create_repo_group_perm Impl. later

        fork_repo_perm = v.StringBoolean(if_missing=False)

    return _CustomDefaultPermissionsForm

def DefaultsForm(edit=False, old_data={}, supported_backends=BACKENDS.keys()):

    class _DefaultsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        default_repo_type = v.OneOf(supported_backends)

        default_repo_private = v.StringBoolean(if_missing=False)

                perm_user.active = str2bool(form_result['anonymous'])

                self.sa.add(perm_user)

            # stage 2 reset defaults and set them from form data

            def _make_new(usr, perm_name):

                log.debug('Creating new permission:%s' % (perm_name))

                new = UserToPerm()

                new.user = usr

                new.permission = Permission.get_by_key(perm_name)

                return new

            # clear current entries, to make this function idempotent

            # it will fix even if we define more permissions or permissions

            # are somehow missing

            u2p = self.sa.query(UserToPerm)\

                .filter(UserToPerm.user == perm_user)\

                .all()

            for p in u2p:

                self.sa.delete(p)

            #create fresh set of permissions

            for def_perm_key in ['default_repo_perm', 'default_group_perm',

                                 'default_user_group_perm',

                                 'default_repo_create',

                                 #'default_repo_group_create', #not implemented yet

                                 'default_user_group_create',

                p = _make_new(perm_user, form_result[def_perm_key])

                self.sa.add(p)

            #stage 3 update all default permissions for repos if checked

            if form_result['overwrite_default_repo'] == True:

                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

                _def = Permission.get_by_key('repository.' + _def_name)

                # repos

                for r2p in self.sa.query(UserRepoToPerm)\

                               .filter(UserRepoToPerm.user == perm_user)\

                               .all():

                    #don't reset PRIVATE repositories

                    if not r2p.repository.private:

                        r2p.permission = _def

                        self.sa.add(r2p)

            if form_result['overwrite_default_group'] == True:

                _def_name = form_result['default_group_perm'].split('group.')[-1]

                # groups

                _def = Permission.get_by_key('group.' + _def_name)

                for g2p in self.sa.query(UserRepoGroupToPerm)\

                               .filter(UserRepoGroupToPerm.user == perm_user)\

                               .all():

             <div class="field">

                <div class="label">

                    <label for="default_user_group_create">${_('User group creation')}:</label>

                </div>

                <div class="select">

                    ${h.select('default_user_group_create','',c.user_group_create_choices)}

                </div>

             </div>

             <div class="field">

                <div class="label">

                    <label for="default_fork">${_('Repository forking')}:</label>

                </div>

                <div class="select">

                    ${h.select('default_fork','',c.fork_choices)}

                </div>

             </div>

             <div class="field">

                <div class="label">

                    <label for="default_register">${_('Registration')}:</label>

                </div>

                <div class="select">

                    ${h.select('default_register','',c.register_choices)}

                </div>

             </div>

            <div class="buttons">

              ${h.submit('save',_('Save'),class_="ui-btn large")}

              ${h.reset('reset',_('Reset'),class_="ui-btn large")}

            </div>

        </div>

    </div>

    ${h.end_form()}

</div>

<div style="min-height:780px" class="box box-right">

    <!-- box / title -->

    <div class="title">

        <h5>${_('Default User Permissions')}</h5>

    </div>

    ## permissions overview

    <%namespace name="p" file="/base/perms_summary.html"/>

    ${p.perms_summary(c.perm_user.permissions)}

</div>

<div class="box box-left" style="clear:left">

    <!-- box / title -->

    <div class="title">

        <h5>${_('Allowed IP addresses')}</h5>