def bump_permission(permissions, key, new_perm):

    """Add a new permission for key to permissions.

    Assuming the permissions are comparable, set the new permission if it

    has higher weight, else drop it and keep the old permission.

    """

    cur_perm = permissions[key]

    new_perm_val = PERM_WEIGHTS[new_perm]

    cur_perm_val = PERM_WEIGHTS[cur_perm]

    if new_perm_val > cur_perm_val:

        permissions[key] = new_perm

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from a database `User` object, a user ID or cookie dict,

    it looks up the user (if needed) and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

    access to Kallithea is enabled, the default user is loaded instead.

        self.is_anonymous = dbuser.is_default_user

        if dbuser.is_default_user and not dbuser.active:

            self.username = 'None'

            self.is_default_user = False

        else:

            # copy non-confidential database fields from a `db.User` to this `AuthUser`.

            for k, v in dbuser.get_dict().items():

                assert k not in ['api_keys', 'permissions']

                setattr(self, k, v)

            self.is_default_user = dbuser.is_default_user

        log.debug('Auth User is now %s', self)

    @LazyProperty

    def global_permissions(self):

        log.debug('Getting global permissions for %s', self)

        if self.is_admin:

            return set(['hg.admin'])

        global_permissions = set()

        # default global permissions from the default user

        default_global_perms = UserToPerm.query() \

            .filter(UserToPerm.user_id == kallithea.DEFAULT_USER_ID) \

                    perm.permission.permission_name)

            # user explicit permissions for repository groups

            user_repo_groups_perms = Permission.get_default_group_perms(self.user_id)

            for perm in user_repo_groups_perms:

                bump_permission(repository_group_permissions,

                    perm.group.group_name,

                    perm.permission.permission_name)

        return repository_group_permissions

    @LazyProperty

    def permissions(self):

        """dict with all 4 kind of permissions - mainly for backwards compatibility"""

        return {

            'global': self.global_permissions,

            'repositories': self.repository_permissions,

            'repositories_groups': self.repository_group_permissions,

            'user_groups': self.user_group_permissions,

        }

    def has_repository_permission_level(self, repo_name, level, purpose=None):

        required_perms = {

            'read': ['repository.read', 'repository.write', 'repository.admin'],