log.debug(formatted_json(defaults))

        return formencode.htmlfill.render(

            render('admin/auth/auth_settings.html'),

            defaults=c.defaults,

            errors=errors,

            prefix_error=False,

            encoding="UTF-8",

            force_defaults=False)

    def index(self):

        self.__load_defaults()

        return self.__render(defaults=None, errors=None)

    def auth_settings(self):

        """POST create and store auth settings"""

        self.__load_defaults()

        log.debug("POST Result: %s", formatted_json(dict(request.POST)))

        # First, parse only the plugin list (not the plugin settings).

        _auth_plugins_validator = AuthSettingsForm([]).fields['auth_plugins']

        try:

            new_enabled_plugins = _auth_plugins_validator.to_python(request.POST.get('auth_plugins'))

        except formencode.Invalid:

            pass

        else:

            # Hide plugins that the user has asked to be disabled, but

            # do not show plugins that the user has asked to be enabled

            # (yet), since that'll cause validation errors and/or wrong

            # settings being applied (e.g. checkboxes being cleared),

            # since the plugin settings will not be in the POST data.

            c.enabled_plugins = [ p for p in c.enabled_plugins if p in new_enabled_plugins ]

        # Next, parse everything including plugin settings.

        _form = AuthSettingsForm(c.enabled_plugins)()

        try:

            form_result = _form.to_python(dict(request.POST))

            for k, v in form_result.items():

                if k == 'auth_plugins':

                    # we want to store it comma separated inside our settings

                    v = ','.join(v)

                log.debug("%s = %s" % (k, str(v)))

                setting = Setting.create_or_update(k, v)

                Session().add(setting)

            Session().commit()

            h.flash(_('Auth settings updated successfully'),

                       category='success')

        return render('/password_reset.html')

    def password_reset_confirmation(self):

        if request.GET and request.GET.get('key'):

            try:

                user = User.get_by_api_key(request.GET.get('key'))

                data = dict(email=user.email)

                UserModel().reset_password(data)

                h.flash(_('Your password reset was successful, '

                          'new password has been sent to your email'),

                            category='success')

            except Exception, e:

                log.error(e)

                return redirect(url('reset_password'))

        return redirect(url('login_home'))

    def logout(self):

        session.delete()

        log.info('Logging out and deleting session for user')

        redirect(url('home'))

    def authentication_token(self):

        """Return the CSRF protection token for the session - just like it

        Only intended for testing but might also be useful for other kinds

        of automation.

        """

        return h.authentication_token()

            #if we use API key and don't have access it's a warning

            log.warning(msg)

        else:

            log.debug(msg)

    return api_access_valid

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from user ID, username, API key or cookie dict, it looks

    up the matching database `User` and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

    access to Kallithea is enabled, the default user is loaded instead.

    `AuthUser` does not by itself authenticate users and the constructor

    sets the `is_authenticated` field to False, except when falling back

    to the default anonymous user (if enabled). It's up to other parts

    of the code to check e.g. if a supplied password is correct, and if

    so, set `is_authenticated` to True.

    """

    def __init__(self, user_id=None, api_key=None, username=None,

            is_external_auth=False):

        self.user_id = user_id

        self._api_key = api_key # API key passed as parameter

        self.api_key = None # API key set by user_model.fill_data

        self.username = username

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.is_authenticated = False

        self.admin = False

        self.inherit_default_permissions = False

        self.is_external_auth = is_external_auth

        self.propagate_data()

        self._instance = None

    @LazyProperty

    def permissions(self):

        return self.__get_perms(user=self, cache=False)

        ## INI stored

        c.visual.allow_repo_location_change = str2bool(config.get('allow_repo_location_change', True))

        c.visual.allow_custom_hooks_settings = str2bool(config.get('allow_custom_hooks_settings', True))

        c.instance_id = config.get('instance_id')

        c.issues_url = config.get('bugtracker', url('issues_url'))

        # END CONFIG VARS

        c.repo_name = get_repo_slug(request)  # can be empty

        c.backends = BACKENDS.keys()

        c.unread_notifications = NotificationModel()\

                        .get_unread_cnt_for_user(c.authuser.user_id)

        self.cut_off_limit = safe_int(config.get('cut_off_limit'))

        c.my_pr_count = PullRequestModel().get_pullrequest_cnt_for_user(c.authuser.user_id)

        self.sa = meta.Session

        self.scm_model = ScmModel(self.sa)

    @staticmethod

    def _determine_auth_user(api_key, session_authuser):

        """

        """

        # Authenticate by API key

        if api_key:

            # when using API_KEY we are sure user exists.

            return AuthUser(api_key=api_key, is_external_auth=True)

        # Authenticate by session cookie

        # In ancient login sessions, 'authuser' may not be a dict.

        # In that case, the user will have to log in again.

        if isinstance(session_authuser, dict):

            try:

                return AuthUser.from_cookie(session_authuser)

            except UserCreationError as e:

                # container auth or other auth functions that create users on

                # the fly can throw UserCreationError to signal issues with

                # user creation. Explanation should be provided in the

                # exception object.

                from kallithea.lib import helpers as h

                h.flash(e, 'error', logf=log.error)

        # Authenticate by auth_container plugin (if enabled)

        if any(

            auth_modules.importplugin(name).is_container_auth

    def reset_password(self, data):

        from kallithea.lib.celerylib import tasks, run_task

        from kallithea.lib import auth

        user_email = data['email']

        user = User.get_by_email(user_email)

        new_passwd = auth.PasswordGenerator().gen_password(

            8, auth.PasswordGenerator.ALPHABETS_BIG_SMALL)

        if user is not None:

            user.password = auth.get_crypt_password(new_passwd)

            Session().add(user)

            Session().commit()

            log.info('change password for %s' % user_email)

        if new_passwd is None:

            raise Exception('unable to generate new password')

        run_task(tasks.send_email, [user_email],

                 _('Your new password'),

                 _('Your new Kallithea password:%s') % (new_passwd,))

        log.info('send new password mail to %s' % user_email)

        return True

    def fill_data(self, auth_user, user_id=None, api_key=None, username=None):

        """

        Fills auth_user attributes with those taken from database.

        :param auth_user: instance of user to set attributes

        :param user_id: user id to fetch by

        :param api_key: API key to fetch by

        :param username: username to fetch by

        """

        if user_id is None and api_key is None and username is None:

            raise Exception('You need to pass user_id, api_key or username')

        dbuser = None

        if user_id is not None:

            dbuser = self.get(user_id)

        elif api_key is not None:

            dbuser = self.get_by_api_key(api_key)

        elif username is not None:

            dbuser = self.get_by_username(username)

        if dbuser is not None and dbuser.active:

            log.debug('filling %s data' % dbuser)

            for k, v in dbuser.get_dict().iteritems():

                if k not in ['api_keys', 'permissions']:

                    setattr(auth_user, k, v)

            return True

        return False