# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

Global configuration file for TurboGears2 specific settings in Kallithea.

This file complements the .ini file.

"""

import logging

import os

import platform

import sys

import alembic.config

import mercurial

import tg

from alembic.migration import MigrationContext

from alembic.script.base import ScriptDirectory

from sqlalchemy import create_engine

from tg import hooks

from tg.configuration import AppConfig

from tg.support.converters import asbool

import kallithea.lib.locale

import kallithea.model.base

from kallithea.lib.middleware.https_fixup import HttpsFixup

from kallithea.lib.middleware.permanent_repo_url import PermanentRepoUrl

from kallithea.lib.middleware.simplegit import SimpleGit

from kallithea.lib.middleware.simplehg import SimpleHg

from kallithea.lib.middleware.wrapper import RequestWrapper

from kallithea.lib.utils import check_git_version, load_rcextensions, make_ui, set_app_settings, set_indexer_config, set_vcs_config

from kallithea.lib.utils2 import str2bool

log = logging.getLogger(__name__)

class KallitheaAppConfig(AppConfig):

    # Note: AppConfig has a misleading name, as it's not the application

    # configuration, but the application configurator. The AppConfig values are

    # used as a template to create the actual configuration, which might

    # overwrite or extend the one provided by the configurator template.

    # To make it clear, AppConfig creates the config and sets into it the same

    # values that AppConfig itself has. Then the values from the config file and

    # gearbox options are loaded and merged into the configuration. Then an

    # after_init_config(conf) method of AppConfig is called for any change that

    # might depend on options provided by configuration files.

    def __init__(self):

        super(KallitheaAppConfig, self).__init__()

        self['package'] = kallithea

        self['prefer_toscawidgets2'] = False

        self['use_toscawidgets'] = False

        self['renderers'] = []

        # Enable json in expose

        self['renderers'].append('json')

        # Configure template rendering

        self['renderers'].append('mako')

        self['default_renderer'] = 'mako'

        self['use_dotted_templatenames'] = False

        # Configure Sessions, store data as JSON to avoid pickle security issues

        self['session.enabled'] = True

        self['session.data_serializer'] = 'json'

        # Configure the base SQLALchemy Setup

        self['use_sqlalchemy'] = True

        self['model'] = kallithea.model.base

        self['DBSession'] = kallithea.model.meta.Session

        # Configure App without an authentication backend.

        self['auth_backend'] = None

        # Use custom error page for these errors. By default, Turbogears2 does not add

        # 400 in this list.

        # Explicitly listing all is considered more robust than appending to defaults,

        # in light of possible future framework changes.

        self['errorpage.status_codes'] = [400, 401, 403, 404]

        # Disable transaction manager -- currently Kallithea takes care of transactions itself

        self['tm.enabled'] = False

base_config = KallitheaAppConfig()

# TODO still needed as long as we use pylonslib

sys.modules['pylons'] = tg

# DebugBar, a debug toolbar for TurboGears2.

# (https://github.com/TurboGears/tgext.debugbar)

# To enable it, install 'tgext.debugbar' and 'kajiki', and run Kallithea with

# 'debug = true' (not in production!)

# See the Kallithea documentation for more information.

try:

    from tgext.debugbar import enable_debugbar

    import kajiki # only to check its existence

except ImportError:

    pass

else:

    base_config['renderers'].append('kajiki')

    enable_debugbar(base_config)

def setup_configuration(app):

    config = app.config

    if not kallithea.lib.locale.current_locale_is_valid():

        log.error("Terminating ...")

        sys.exit(1)

    # Mercurial sets encoding at module import time, so we have to monkey patch it

    hgencoding = config.get('hgencoding')

    if hgencoding:

        mercurial.encoding.encoding = hgencoding

    if config.get('ignore_alembic_revision', False):

        log.warn('database alembic revision checking is disabled')

    else:

        dbconf = config['sqlalchemy.url']

        alembic_cfg = alembic.config.Config()

        alembic_cfg.set_main_option('script_location', 'kallithea:alembic')

        alembic_cfg.set_main_option('sqlalchemy.url', dbconf)

        script_dir = ScriptDirectory.from_config(alembic_cfg)

        available_heads = sorted(script_dir.get_heads())

        engine = create_engine(dbconf)

        with engine.connect() as conn:

            context = MigrationContext.configure(conn)

            current_heads = sorted(str(s) for s in context.get_current_heads())

        if current_heads != available_heads:

            log.error('Failed to run Kallithea:\n\n'

                      'The database version does not match the Kallithea version.\n'

                      'Please read the documentation on how to upgrade or downgrade the database.\n'

                      'Current database version id(s): %s\n'

                      'Expected database version id(s): %s\n'

                      'If you are a developer and you know what you are doing, you can add `ignore_alembic_revision = True` '

                      'to your .ini file to skip the check.\n' % (' '.join(current_heads), ' '.join(available_heads)))

            sys.exit(1)

    # store some globals into kallithea

    kallithea.CELERY_ON = str2bool(config.get('use_celery'))

    kallithea.CELERY_EAGER = str2bool(config.get('celery.always.eager'))

    kallithea.CONFIG = config

    load_rcextensions(root_path=config['here'])

    repos_path = make_ui().configitems('paths')[0][1]

    config['base_path'] = repos_path

    set_app_settings(config)

    instance_id = kallithea.CONFIG.get('instance_id', '*')

    if instance_id == '*':

        instance_id = '%s-%s' % (platform.uname()[1], os.getpid())

        kallithea.CONFIG['instance_id'] = instance_id

    # update kallithea.CONFIG with the meanwhile changed 'config'

    kallithea.CONFIG.update(config)

    # configure vcs and indexer libraries (they are supposed to be independent

    # as much as possible and thus avoid importing tg.config or

    # kallithea.CONFIG).

    set_vcs_config(kallithea.CONFIG)

    set_indexer_config(kallithea.CONFIG)

    check_git_version()

hooks.register('configure_new_app', setup_configuration)

def setup_application(app):

    config = app.config

    # we want our low level middleware to get to the request ASAP. We don't

    # need any stack middleware in them - especially no StatusCodeRedirect buffering

    app = SimpleHg(app, config)

    app = SimpleGit(app, config)

    # Enable https redirects based on HTTP_X_URL_SCHEME set by proxy

    if any(asbool(config.get(x)) for x in ['https_fixup', 'force_https', 'use_htsts']):

        app = HttpsFixup(app, config)

    app = PermanentRepoUrl(app, config)

    # Optional and undocumented wrapper - gives more verbose request/response logging, but has a slight overhead

    if str2bool(config.get('use_wsgi_wrapper')):

        app = RequestWrapper(app, config)

    return app

hooks.register('before_config', setup_application)

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.admin.user_groups

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

User Groups crud controller

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Jan 25, 2011

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

import formencode

from formencode import htmlfill

from sqlalchemy.orm import joinedload

from sqlalchemy.sql.expression import func

from tg import tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPFound, HTTPInternalServerError

import kallithea

from kallithea.config.routing import url

from kallithea.lib import helpers as h

from kallithea.lib.auth import HasPermissionAnyDecorator, HasUserGroupPermissionLevelDecorator, LoginRequired

from kallithea.lib.base import BaseController, render

from kallithea.lib.exceptions import RepoGroupAssignmentError, UserGroupsAssignedException

from kallithea.lib.utils import action_logger

from kallithea.lib.utils2 import safe_int, safe_unicode

from kallithea.model.db import User, UserGroup, UserGroupRepoGroupToPerm, UserGroupRepoToPerm, UserGroupToPerm

from kallithea.model.forms import CustomDefaultPermissionsForm, UserGroupForm, UserGroupPermsForm

from kallithea.model.meta import Session

from kallithea.model.scm import UserGroupList

from kallithea.model.user_group import UserGroupModel

log = logging.getLogger(__name__)

class UserGroupsController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    @LoginRequired(allow_default_user=True)

    def _before(self, *args, **kwargs):

        super(UserGroupsController, self)._before(*args, **kwargs)

    def __load_data(self, user_group_id):

        c.group_members_obj = sorted((x.user for x in c.user_group.members),

                                     key=lambda u: u.username.lower())

        c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]

        c.available_members = sorted(((x.user_id, x.username) for x in

                                      User.query().all()),

                                     key=lambda u: u[1].lower())

    def __load_defaults(self, user_group_id):

        """

        Load defaults settings for edit, and update

        :param user_group_id:

        """

        user_group = UserGroup.get_or_404(user_group_id)

        data = user_group.get_dict()

        return data

    def index(self, format='html'):

        _list = UserGroup.query() \

                        .order_by(func.lower(UserGroup.users_group_name)) \

                        .all()

        group_iter = UserGroupList(_list, perm_level='admin')

        user_groups_data = []

        total_records = len(group_iter)

        _tmpl_lookup = app_globals.mako_lookup

        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

        user_group_name = lambda user_group_id, user_group_name: (

            template.get_def("user_group_name")

            .render(user_group_id, user_group_name, _=_, h=h, c=c)

        )

        user_group_actions = lambda user_group_id, user_group_name: (

            template.get_def("user_group_actions")

            .render(user_group_id, user_group_name, _=_, h=h, c=c)

        )

        for user_gr in group_iter:

            user_groups_data.append({

                "raw_name": user_gr.users_group_name,

                "group_name": user_group_name(user_gr.users_group_id,

                                              user_gr.users_group_name),

                "desc": h.escape(user_gr.user_group_description),

                "members": len(user_gr.members),

                "active": h.boolicon(user_gr.users_group_active),

                "owner": h.person(user_gr.owner.username),

                "action": user_group_actions(user_gr.users_group_id, user_gr.users_group_name)

            })

        c.data = {

            "sort": None,

            "dir": "asc",

            "records": user_groups_data

        }

        return render('admin/user_groups/user_groups.html')

    @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')

    def create(self):

        users_group_form = UserGroupForm()()

        try:

            form_result = users_group_form.to_python(dict(request.POST))

            ug = UserGroupModel().create(name=form_result['users_group_name'],

                                         description=form_result['user_group_description'],

                                         owner=request.authuser.user_id,

                                         active=form_result['users_group_active'])

            gr = form_result['users_group_name']

            action_logger(request.authuser,

                          'admin_created_users_group:%s' % gr,

                          None, request.ip_addr)

            h.flash(h.HTML(_('Created user group %s')) % h.link_to(gr, url('edit_users_group', id=ug.users_group_id)),

                category='success')

            Session().commit()

        except formencode.Invalid as errors:

            return htmlfill.render(

                render('admin/user_groups/user_group_add.html'),

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8",

                force_defaults=False)

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('Error occurred during creation of user group %s')

                    % request.POST.get('users_group_name'), category='error')

        raise HTTPFound(location=url('users_groups'))

    @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')

    def new(self, format='html'):

        return render('admin/user_groups/user_group_add.html')

    @HasUserGroupPermissionLevelDecorator('admin')

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.admin.users

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Users crud controller

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 4, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

import formencode

from formencode import htmlfill

from sqlalchemy.sql.expression import func

from tg import tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPFound, HTTPNotFound

import kallithea

from kallithea.config.routing import url

from kallithea.lib import auth_modules

from kallithea.lib import helpers as h

from kallithea.lib.auth import AuthUser, HasPermissionAnyDecorator, LoginRequired

from kallithea.lib.base import BaseController, IfSshEnabled, render

from kallithea.lib.exceptions import DefaultUserException, UserCreationError, UserOwnsReposException

from kallithea.lib.utils import action_logger

from kallithea.lib.utils2 import datetime_to_time, generate_api_key, safe_int

from kallithea.model.api_key import ApiKeyModel

from kallithea.model.db import User, UserEmailMap, UserIpMap, UserToPerm

from kallithea.model.forms import CustomDefaultPermissionsForm, UserForm

from kallithea.model.meta import Session

from kallithea.model.ssh_key import SshKeyModel, SshKeyModelException

from kallithea.model.user import UserModel

log = logging.getLogger(__name__)

class UsersController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    @LoginRequired()

    @HasPermissionAnyDecorator('hg.admin')

    def _before(self, *args, **kwargs):

        super(UsersController, self)._before(*args, **kwargs)

    def index(self, format='html'):

        c.users_list = User.query().order_by(User.username) \

                        .filter_by(is_default_user=False) \

                        .order_by(func.lower(User.username)) \

                        .all()

        users_data = []

        total_records = len(c.users_list)

        _tmpl_lookup = app_globals.mako_lookup

        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

        grav_tmpl = '<div class="gravatar">%s</div>'

        username = lambda user_id, username: (

                template.get_def("user_name")

                .render(user_id, username, _=_, h=h, c=c))

        user_actions = lambda user_id, username: (

                template.get_def("user_actions")

                .render(user_id, username, _=_, h=h, c=c))

        for user in c.users_list:

            users_data.append({

                "gravatar": grav_tmpl % h.gravatar(user.email, size=20),

                "raw_name": user.username,

                "username": username(user.user_id, user.username),

                "firstname": h.escape(user.name),

                "lastname": h.escape(user.lastname),

                "last_login": h.fmt_date(user.last_login),

                "last_login_raw": datetime_to_time(user.last_login),

                "active": h.boolicon(user.active),

                "admin": h.boolicon(user.admin),

                "extern_type": user.extern_type,

                "extern_name": user.extern_name,

                "action": user_actions(user.user_id, user.username),

            })

        c.data = {

            "sort": None,

            "dir": "asc",

            "records": users_data

        }

        return render('admin/users/users.html')

    def create(self):

        c.default_extern_type = User.DEFAULT_AUTH_TYPE

        c.default_extern_name = ''

        user_model = UserModel()

        user_form = UserForm()()

        try:

            form_result = user_form.to_python(dict(request.POST))

            user = user_model.create(form_result)

            action_logger(request.authuser, 'admin_created_user:%s' % user.username,

                          None, request.ip_addr)

            h.flash(_('Created user %s') % user.username,

                    category='success')

            Session().commit()

        except formencode.Invalid as errors:

            return htmlfill.render(

                render('admin/users/user_add.html'),

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8",

                force_defaults=False)

        except UserCreationError as e:

            h.flash(e, 'error')

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('Error occurred during creation of user %s')

                    % request.POST.get('username'), category='error')

        raise HTTPFound(location=url('edit_user', id=user.user_id))

    def new(self, format='html'):

        c.default_extern_type = User.DEFAULT_AUTH_TYPE

        c.default_extern_name = ''

        return render('admin/users/user_add.html')

    def update(self, id):

        user_model = UserModel()

        user = user_model.get(id)

        _form = UserForm(edit=True, old_data={'user_id': id,

                                              'email': user.email})()

        form_result = {}

        try:

            form_result = _form.to_python(dict(request.POST))

            skip_attrs = ['extern_type', 'extern_name',

                         ] + auth_modules.get_managed_fields(user)

            user_model.update(id, form_result, skip_attrs=skip_attrs)

            usr = form_result['username']

            action_logger(request.authuser, 'admin_updated_user:%s' % usr,

                          None, request.ip_addr)

            h.flash(_('User updated successfully'), category='success')

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.app_globals

~~~~~~~~~~~~~~~~~~~~~~~~~

The application's Globals object

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Oct 06, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import tg

from tg import config

class Globals(object):

    """

    Globals acts as a container for objects available throughout the

    life of the application

    """

    def __init__(self):

        """One instance of Globals is created during application

        initialization and is available during requests via the

        'app_globals' variable

        """

    @property

    def cache(self):

        return tg.cache

    @property

    def mako_lookup(self):

        return config['render_functions']['mako'].normal_loader

        user_id = user.user_id

        user_is_admin = user.is_admin

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

                .filter_by(user_id=self.user_id, is_expired=False):

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    def __repr__(self):

        return "<AuthUser('id:%s[%s]')>" % (self.user_id, self.username)

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_external_auth': self.is_external_auth,

        }

    @staticmethod

    def from_cookie(cookie, ip_addr):

        """

        Deserializes an `AuthUser` from a cookie `dict` ... or return None.

        """

        return AuthUser.make(

            dbuser=UserModel().get(cookie.get('user_id')),

            is_external_auth=cookie.get('is_external_auth', False),

            ip_addr=ip_addr,

        )

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False):

        _set = set()

        default_ips = UserIpMap.query().filter(UserIpMap.user_id ==

                                        User.get_default_user(cache=True).user_id)

        if cache:

            default_ips = default_ips.options(FromCache("sql_cache_short",

                                              "get_user_ips_default"))

        for ip in default_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def _redirect_to_login(message=None):

    """Return an exception that must be raised. It will redirect to the login

    page which will redirect back to the current URL after authentication.

    The optional message will be shown in a flash message."""

    from kallithea.lib import helpers as h

    if message:

        h.flash(message, category='warning')

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

# Use as decorator

class LoginRequired(object):

    """Client must be logged in as a valid User, or we'll redirect to the login

    page.

    If the "default" user is enabled and allow_default_user is true, that is

    considered valid too.

    Also checks that IP address is allowed.

    """

    def __init__(self, allow_default_user=False):

        self.allow_default_user = allow_default_user

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = request.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        # regular user authentication

        if user.is_default_user:

            if self.allow_default_user:

                log.info('default user @ %s', loc)

                return func(*fargs, **fkwargs)

            log.info('default user is not accepted here @ %s', loc)

        elif user.is_anonymous: # default user is disabled and no proper authentication

            log.warning('user is anonymous and NOT authenticated with regular auth @ %s', loc)

        else: # regular authentication

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        raise _redirect_to_login()

# Use as decorator

class NotAnonymous(object):

    """Ensures that client is not logged in as the "default" user, and

    redirects to the login page otherwise. Must be used together with

    LoginRequired."""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('Checking that user %s is not anonymous @%s', user.username, cls)

        if user.is_default_user:

            raise _redirect_to_login(_('You need to be a registered user to '

                                       'perform this action'))

        else:

            return func(*fargs, **fkwargs)

class _PermsDecorator(object):

    """Base class for controller decorators with multiple permissions"""

    def __init__(self, *required_perms):

        self.required_perms = required_perms # usually very short - a list is thus fine

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('checking %s permissions %s for %s %s',

          self.__class__.__name__, self.required_perms, cls, user)

        if self.check_permissions(user):

            log.debug('Permission granted for %s %s', cls, user)

            return func(*fargs, **fkwargs)

        else:

            log.info('Permission denied for %s %s', cls, user)