Changeset - 2e1059de6751
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 3 years ago 2023-05-09 17:42:44
mads@kiilerich.com
repo groups: make it possible to remove own explicit permissions, now when group owners always have admin permissions

Until recently, group owners very given explicit admin permissions on repo
group, and special care was taken to make sure they didn't remove themselves.

Now we always give admin permissions to owners, and don't care about the
explicit permissions. We no longer add them when creating groups or changing
owner. There is no migration step to remove redundant permissions, but we
should allow group admins to remove them. This change will thus remove the
mechanism for preventing removal of own/owner permissions.
2 files changed with 0 insertions and 30 deletions:
kallithea/controllers/admin/repo_groups.py
17
kallithea/templates/admin/repo_groups/repo_group_edit_perms.html
13
0 comments (0 inline, 0 general)
kallithea/controllers/admin/repo_groups.py
Show inline comments
 
@@ -87,19 +87,12 @@ class RepoGroupsController(base.BaseCont
 
        for p in repo_group.users_group_to_perm:
 
            data.update({'g_perm_%s' % p.users_group.users_group_name:
 
                             p.permission.permission_name})
 

			




	
	
	
		
 
        return data

			




	
	
	
		
 

			




	
	
	
		
 
    def _revoke_perms_on_yourself(self, form_result):

			




	
	
	
		
 
        _up = [u for u in form_result['perms_updates'] if request.authuser.username == u[0]]

			




	
	
	
		
 
        _new = [u for u in form_result['perms_new'] if request.authuser.username == u[0]]

			




	
	
	
		
 
        if _new and _new[0][1] != 'group.admin' or _up and _up[0][1] != 'group.admin':

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 
    def index(self, format='html'):

			




	
	
	
		
 
        _list = db.RepoGroup.query(sorted=True).all()

			




	
	
	
		
 
        group_iter = RepoGroupList(_list, perm_level='admin')

			




	
	
	
		
 
        repo_groups_data = []

			




	
	
	
		
 
        _tmpl_lookup = app_globals.mako_lookup

			




	
	
	
		
 
        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

			




	
	
		
 
@@ -346,17 +339,12 @@ class RepoGroupsController(base.BaseCont

			




	
	
	
		
 
        :param group_name:

			




	
	
	
		
 
        """

			




	
	
	
		
 

			




	
	
	
		
 
        c.repo_group = db.RepoGroup.guess_instance(group_name)

			




	
	
	
		
 
        valid_recursive_choices = ['none', 'repos', 'groups', 'all']

			




	
	
	
		
 
        form_result = RepoGroupPermsForm(valid_recursive_choices)().to_python(request.POST)

			




	
	
	
		
 
        if not request.authuser.is_admin:

			




	
	
	
		
 
            if self._revoke_perms_on_yourself(form_result):

			




	
	
	
		
 
                msg = _('Cannot revoke permission for yourself as admin')

			




	
	
	
		
 
                webutils.flash(msg, category='warning')

			




	
	
	
		
 
                raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))

			




	
	
	
		
 
        recursive = form_result['recursive']

			




	
	
	
		
 
        # iterate over all members(if in recursive mode) of this groups and

			




	
	
	
		
 
        # set the permissions !

			




	
	
	
		
 
        # this can be potentially heavy operation

			




	
	
	
		
 
        RepoGroupModel()._update_permissions(c.repo_group,

			




	
	
	
		
 
                                             form_result['perms_new'],

			




	
	
		
 
@@ -376,17 +364,12 @@ class RepoGroupsController(base.BaseCont

			




	
	
	
		
 
            obj_id = None

			




	
	
	
		
 
            if obj_type == 'user':

			




	
	
	
		
 
                obj_id = safe_int(request.POST.get('user_id'))

			




	
	
	
		
 
            elif obj_type == 'user_group':

			




	
	
	
		
 
                obj_id = safe_int(request.POST.get('user_group_id'))

			




	
	
	
		
 

			




	
	
	
		
 
            if not request.authuser.is_admin:

			




	
	
	
		
 
                if obj_type == 'user' and request.authuser.user_id == obj_id:

			




	
	
	
		
 
                    msg = _('Cannot revoke permission for yourself as admin')

			




	
	
	
		
 
                    webutils.flash(msg, category='warning')

			




	
	
	
		
 
                    raise Exception('revoke admin permission on self')

			




	
	
	
		
 
            recursive = request.POST.get('recursive', 'none')

			




	
	
	
		
 
            if obj_type == 'user':

			




	
	
	
		
 
                RepoGroupModel().delete_permission(repo_group=group_name,

			




	
	
	
		
 
                                                   obj=obj_id, obj_type='user',

			




	
	
	
		
 
                                                   recursive=recursive)

			




	
	
	
		
 
            elif obj_type == 'user_group':

			




        

    


    
    

    

        

                

                    kallithea/templates/admin/repo_groups/repo_group_edit_perms.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -9,15 +9,13 @@ ${h.form(url('edit_repo_group_perms', gr

			




	
	
	
		
 
                    <td>${_('Admin')}<br />(${_('Add/Edit groups')})</td>

			




	
	
	
		
 
                    <td>${_('User/User Group')}</td>

			




	
	
	
		
 
                    <td></td>

			




	
	
	
		
 
                </tr>

			




	
	
	
		
 
                ## USERS

			




	
	
	
		
 
                %for r2p in c.repo_group.repo_group_to_perm:

			




	
	
	
		
 
                    ##forbid revoking permission from yourself, except if you're an super admin

			




	
	
	
		
 
                    <tr id="id${id(r2p.user.username)}">

			




	
	
	
		
 
                      %if request.authuser.user_id != r2p.user.user_id or request.authuser.is_admin:

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.none')}</td>

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.read')}</td>

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.write')}</td>

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.admin')}</td>

			




	
	
	
		
 
                        <td>

			




	
	
	
		
 
                            ${h.gravatar(r2p.user.email, cls="perm-gravatar", size=14)}

			




	
	
		
 
@@ -31,23 +29,12 @@ ${h.form(url('edit_repo_group_perms', gr

			




	
	
	
		
 
                          %if r2p.user.username !='default':

			




	
	
	
		
 
                            <button type="button" class="btn btn-default btn-xs" onclick="ajaxActionRevoke(${r2p.user.user_id}, 'user', '${'id%s'%id(r2p.user.username)}', '${r2p.user.username}')">

			




	
	
	
		
 
                             <i class="icon-minus-circled"></i>${_('Revoke')}

			




	
	
	
		
 
                            </button>

			




	
	
	
		
 
                          %endif

			




	
	
	
		
 
                        </td>

			




	
	
	
		
 
                      %else:

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.none', disabled="disabled")}</td>

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.read', disabled="disabled")}</td>

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.write', disabled="disabled")}</td>

			




	
	
	
		
 
                        <td>${h.radio('u_perm_%s' % r2p.user.username,'group.admin', disabled="disabled")}</td>

			




	
	
	
		
 
                        <td>

			




	
	
	
		
 
                            ${h.gravatar(r2p.user.email, cls="perm-gravatar", size=14)}

			




	
	
	
		
 
                            ${r2p.user.username if r2p.user.username != 'default' else _('Default')}

			




	
	
	
		
 
                        </td>

			




	
	
	
		
 
                        <td><i class="icon-user"></i>${_('Admin')}</td>

			




	
	
	
		
 
                      %endif

			




	
	
	
		
 
                    </tr>

			




	
	
	
		
 
                %endfor

			




	
	
	
		
 

			




	
	
	
		
 
                ## USER GROUPS

			




	
	
	
		
 
                %for g2p in c.repo_group.users_group_to_perm:

			




	
	
	
		
 
                    <tr id="id${id(g2p.users_group.users_group_name)}">

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.