Changeset - 493ccf3e22e6
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 11 years ago 2014-07-14 21:12:23
madski@unity3d.com
user edit: always define c.EXTERN_TYPE_INTERNAL (issue 3)

It is needed by user_edit_profile.html when user_edit.html includes it because
.active='profile'. Some non-obvious code paths could lead to that - such as
editing other user's password.

Instead, set the value it in the controller initialization.
1 file changed with 1 insertions and 1 deletions:
kallithea/controllers/admin/users.py
1
1
0 comments (0 inline, 0 general)
kallithea/controllers/admin/users.py
Show inline comments
 
@@ -21,96 +21,97 @@ This file was forked by the Kallithea pr
 
Original author and date, and relevant copyright and licensing information is below:
 
:created_on: Apr 4, 2010
 
:author: marcink
 
:copyright: (c) 2013 RhodeCode GmbH, and others.
 
:license: GPLv3, see LICENSE.md for more details.
 
"""
 

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import traceback

			




	
	
	
		
 
import formencode

			




	
	
	
		
 
from pylons import response

			




	
	
	
		
 

			




	
	
	
		
 
from formencode import htmlfill

			




	
	
	
		
 
from pylons import request, session, tmpl_context as c, url, config

			




	
	
	
		
 
from pylons.controllers.util import redirect

			




	
	
	
		
 
from pylons.i18n.translation import _

			




	
	
	
		
 
from sqlalchemy.sql.expression import func

			




	
	
	
		
 

			




	
	
	
		
 
import kallithea

			




	
	
	
		
 
from kallithea.lib.exceptions import DefaultUserException, \

			




	
	
	
		
 
    UserOwnsReposException, UserCreationError

			




	
	
	
		
 
from kallithea.lib import helpers as h

			




	
	
	
		
 
from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator, \

			




	
	
	
		
 
    AuthUser, generate_api_key

			




	
	
	
		
 
import kallithea.lib.auth_modules.auth_internal

			




	
	
	
		
 
from kallithea.lib import auth_modules

			




	
	
	
		
 
from kallithea.lib.base import BaseController, render

			




	
	
	
		
 
from kallithea.model.api_key import ApiKeyModel

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea.model.db import User, UserEmailMap, UserIpMap, UserToPerm

			




	
	
	
		
 
from kallithea.model.forms import UserForm, CustomDefaultPermissionsForm

			




	
	
	
		
 
from kallithea.model.user import UserModel

			




	
	
	
		
 
from kallithea.model.meta import Session

			




	
	
	
		
 
from kallithea.lib.utils import action_logger

			




	
	
	
		
 
from kallithea.lib.compat import json

			




	
	
	
		
 
from kallithea.lib.utils2 import datetime_to_time, str2bool, safe_int

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class UsersController(BaseController):

			




	
	
	
		
 
    """REST Controller styled on the Atom Publishing Protocol"""

			




	
	
	
		
 

			




	
	
	
		
 
    @LoginRequired()

			




	
	
	
		
 
    @HasPermissionAllDecorator('hg.admin')

			




	
	
	
		
 
    def __before__(self):

			




	
	
	
		
 
        super(UsersController, self).__before__()

			




	
	
	
		
 
        c.available_permissions = config['available_permissions']

			




	
	
	
		
 
        c.EXTERN_TYPE_INTERNAL = kallithea.EXTERN_TYPE_INTERNAL

			




	
	
	
		
 

			




	
	
	
		
 
    def index(self, format='html'):

			




	
	
	
		
 
        """GET /users: All items in the collection"""

			




	
	
	
		
 
        # url('users')

			




	
	
	
		
 

			




	
	
	
		
 
        c.users_list = User.query().order_by(User.username)\

			




	
	
	
		
 
                        .filter(User.username != User.DEFAULT_USER)\

			




	
	
	
		
 
                        .order_by(func.lower(User.username))\

			




	
	
	
		
 
                        .all()

			




	
	
	
		
 

			




	
	
	
		
 
        users_data = []

			




	
	
	
		
 
        total_records = len(c.users_list)

			




	
	
	
		
 
        _tmpl_lookup = kallithea.CONFIG['pylons.app_globals'].mako_lookup

			




	
	
	
		
 
        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

			




	
	
	
		
 

			




	
	
	
		
 
        grav_tmpl = lambda user_email, size: (

			




	
	
	
		
 
                template.get_def("user_gravatar")

			




	
	
	
		
 
                .render(user_email, size, _=_, h=h, c=c))

			




	
	
	
		
 

			




	
	
	
		
 
        username = lambda user_id, username: (

			




	
	
	
		
 
                template.get_def("user_name")

			




	
	
	
		
 
                .render(user_id, username, _=_, h=h, c=c))

			




	
	
	
		
 

			




	
	
	
		
 
        user_actions = lambda user_id, username: (

			




	
	
	
		
 
                template.get_def("user_actions")

			




	
	
	
		
 
                .render(user_id, username, _=_, h=h, c=c))

			




	
	
	
		
 

			




	
	
	
		
 
        for user in c.users_list:

			




	
	
	
		
 

			




	
	
	
		
 
            users_data.append({

			




	
	
	
		
 
                "gravatar": grav_tmpl(user. email, 20),

			




	
	
	
		
 
                "raw_name": user.username,

			




	
	
	
		
 
                "username": username(user.user_id, user.username),

			




	
	
	
		
 
                "firstname": user.name,

			




	
	
	
		
 
                "lastname": user.lastname,

			




	
	
	
		
 
                "last_login": h.fmt_date(user.last_login),

			




	
	
	
		
 
                "last_login_raw": datetime_to_time(user.last_login),

			




	
	
	
		
 
                "active": h.boolicon(user.active),

			




	
	
	
		
 
                "admin": h.boolicon(user.admin),

			




	
	
	
		
 
                "extern_type": user.extern_type,

			




	
	
	
		
 
                "extern_name": user.extern_name,

			




	
	
	
		
 
                "action": user_actions(user.user_id, user.username),

			




	
	
	
		
 
            })

			




	
	
	
		
 

			




	
	
	
		
 
        c.data = json.dumps({

			




	
	
	
		
 
            "totalRecords": total_records,

			




	
	
	
		
 
            "startIndex": 0,

			




	
	
	
		
 
            "sort": None,

			




	
	
		
 
@@ -200,97 +201,96 @@ class UsersController(BaseController):

			




	
	
	
		
 
                render('admin/users/user_edit.html'),

			




	
	
	
		
 
                defaults=defaults,

			




	
	
	
		
 
                errors=e,

			




	
	
	
		
 
                prefix_error=False,

			




	
	
	
		
 
                encoding="UTF-8")

			




	
	
	
		
 
        except Exception:

			




	
	
	
		
 
            log.error(traceback.format_exc())

			




	
	
	
		
 
            h.flash(_('Error occurred during update of user %s') \

			




	
	
	
		
 
                    % form_result.get('username'), category='error')

			




	
	
	
		
 
        return redirect(url('edit_user', id=id))

			




	
	
	
		
 

			




	
	
	
		
 
    def delete(self, id):

			




	
	
	
		
 
        """DELETE /users/id: Delete an existing item"""

			




	
	
	
		
 
        # Forms posted to this method should contain a hidden field:

			




	
	
	
		
 
        #    <input type="hidden" name="_method" value="DELETE" />

			




	
	
	
		
 
        # Or using helpers:

			




	
	
	
		
 
        #    h.form(url('delete_user', id=ID),

			




	
	
	
		
 
        #           method='delete')

			




	
	
	
		
 
        # url('user', id=ID)

			




	
	
	
		
 
        usr = User.get_or_404(id)

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            UserModel().delete(usr)

			




	
	
	
		
 
            Session().commit()

			




	
	
	
		
 
            h.flash(_('Successfully deleted user'), category='success')

			




	
	
	
		
 
        except (UserOwnsReposException, DefaultUserException), e:

			




	
	
	
		
 
            h.flash(e, category='warning')

			




	
	
	
		
 
        except Exception:

			




	
	
	
		
 
            log.error(traceback.format_exc())

			




	
	
	
		
 
            h.flash(_('An error occurred during deletion of user'),

			




	
	
	
		
 
                    category='error')

			




	
	
	
		
 
        return redirect(url('users'))

			




	
	
	
		
 

			




	
	
	
		
 
    def show(self, id, format='html'):

			




	
	
	
		
 
        """GET /users/id: Show a specific item"""

			




	
	
	
		
 
        # url('user', id=ID)

			




	
	
	
		
 
        User.get_or_404(-1)

			




	
	
	
		
 

			




	
	
	
		
 
    def edit(self, id, format='html'):

			




	
	
	
		
 
        """GET /users/id/edit: Form to edit an existing item"""

			




	
	
	
		
 
        # url('edit_user', id=ID)

			




	
	
	
		
 
        c.user = User.get_or_404(id)

			




	
	
	
		
 
        if c.user.username == User.DEFAULT_USER:

			




	
	
	
		
 
            h.flash(_("You can't edit this user"), category='warning')

			




	
	
	
		
 
            return redirect(url('users'))

			




	
	
	
		
 

			




	
	
	
		
 
        c.active = 'profile'

			




	
	
	
		
 
        c.extern_type = c.user.extern_type

			




	
	
	
		
 
        c.extern_name = c.user.extern_name

			




	
	
	
		
 
        c.EXTERN_TYPE_INTERNAL = kallithea.EXTERN_TYPE_INTERNAL

			




	
	
	
		
 
        c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        defaults = c.user.get_dict()

			




	
	
	
		
 
        return htmlfill.render(

			




	
	
	
		
 
            render('admin/users/user_edit.html'),

			




	
	
	
		
 
            defaults=defaults,

			




	
	
	
		
 
            encoding="UTF-8",

			




	
	
	
		
 
            force_defaults=False)

			




	
	
	
		
 

			




	
	
	
		
 
    def edit_advanced(self, id):

			




	
	
	
		
 
        c.user = User.get_or_404(id)

			




	
	
	
		
 
        if c.user.username == User.DEFAULT_USER:

			




	
	
	
		
 
            h.flash(_("You can't edit this user"), category='warning')

			




	
	
	
		
 
            return redirect(url('users'))

			




	
	
	
		
 

			




	
	
	
		
 
        c.active = 'advanced'

			




	
	
	
		
 
        c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        umodel = UserModel()

			




	
	
	
		
 
        defaults = c.user.get_dict()

			




	
	
	
		
 
        defaults.update({

			




	
	
	
		
 
            'create_repo_perm': umodel.has_perm(c.user, 'hg.create.repository'),

			




	
	
	
		
 
            'create_user_group_perm': umodel.has_perm(c.user,

			




	
	
	
		
 
                                                      'hg.usergroup.create.true'),

			




	
	
	
		
 
            'fork_repo_perm': umodel.has_perm(c.user, 'hg.fork.repository'),

			




	
	
	
		
 
        })

			




	
	
	
		
 
        return htmlfill.render(

			




	
	
	
		
 
            render('admin/users/user_edit.html'),

			




	
	
	
		
 
            defaults=defaults,

			




	
	
	
		
 
            encoding="UTF-8",

			




	
	
	
		
 
            force_defaults=False)

			




	
	
	
		
 

			




	
	
	
		
 
    def edit_api_keys(self, id):

			




	
	
	
		
 
        c.user = User.get_or_404(id)

			




	
	
	
		
 
        if c.user.username == User.DEFAULT_USER:

			




	
	
	
		
 
            h.flash(_("You can't edit this user"), category='warning')

			




	
	
	
		
 
            return redirect(url('users'))

			




	
	
	
		
 

			




	
	
	
		
 
        c.active = 'api_keys'

			




	
	
	
		
 
        show_expired = True

			




	
	
	
		
 
        c.lifetime_values = [

			




	
	
	
		
 
            (str(-1), _('forever')),

			




	
	
	
		
 
            (str(5), _('5 minutes')),

			




	
	
	
		
 
            (str(60), _('1 hour')),

			




	
	
	
		
 
            (str(60 * 24), _('1 day')),

			




	
	
	
		
 
            (str(60 * 24 * 30), _('1 month')),

			




	
	
	
		
 
        ]

			




	
	
	
		
 
        c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.