def __render(self, defaults, errors):

        c.defaults = {}

        c.plugin_settings = {}

        c.plugin_shortnames = {}

        for module in c.enabled_plugins:

            plugin = auth_modules.loadplugin(module)

            plugin_name = plugin.name

            c.plugin_shortnames[module] = plugin_name

            c.plugin_settings[module] = plugin.plugin_settings()

            for v in c.plugin_settings[module]:

                fullname = ("auth_" + plugin_name + "_" + v["name"])

                if "default" in v:

                    c.defaults[fullname] = v["default"]

                # Current values will be the default on the form, if there are any

                setting = Setting.get_by_name(fullname)

                if setting is not None:

                    c.defaults[fullname] = setting.app_settings_value

        # we want to show , separated list of enabled plugins

        c.defaults['auth_plugins'] = ','.join(c.enabled_plugins)

        if defaults:

            c.defaults.update(defaults)

        log.debug(formatted_json(defaults))

        return formencode.htmlfill.render(

            render('admin/auth/auth_settings.html'),

            defaults=c.defaults,

            errors=errors,

            prefix_error=False,

            encoding="UTF-8",

            force_defaults=False)

    def index(self):

        self.__load_defaults()

        return self.__render(defaults=None, errors=None)

    def auth_settings(self):

        """POST create and store auth settings"""

        self.__load_defaults()

        log.debug("POST Result: %s", formatted_json(dict(request.POST)))

        # First, parse only the plugin list (not the plugin settings).

        _auth_plugins_validator = AuthSettingsForm([]).fields['auth_plugins']

        try:

            new_enabled_plugins = _auth_plugins_validator.to_python(request.POST.get('auth_plugins'))

        except formencode.Invalid:

            pass

        else:

            # Hide plugins that the user has asked to be disabled, but

            # do not show plugins that the user has asked to be enabled

            # (yet), since that'll cause validation errors and/or wrong

            # settings being applied (e.g. checkboxes being cleared),

            # since the plugin settings will not be in the POST data.

            c.enabled_plugins = [ p for p in c.enabled_plugins if p in new_enabled_plugins ]

        # Next, parse everything including plugin settings.

        _form = AuthSettingsForm(c.enabled_plugins)()

        try:

            form_result = _form.to_python(dict(request.POST))

            for k, v in form_result.items():

                if k == 'auth_plugins':

                    # we want to store it comma separated inside our settings

                    v = ','.join(v)

                log.debug("%s = %s" % (k, str(v)))

                setting = Setting.create_or_update(k, v)

                Session().add(setting)

            Session().commit()

            h.flash(_('Auth settings updated successfully'),

                       category='success')

        except formencode.Invalid, errors:

            log.error(traceback.format_exc())

            e = errors.error_dict or {}

            return self.__render(

                defaults=errors.value,

                errors=e,

            )

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('error occurred during update of auth settings'),

                    category='error')

        return redirect(url('auth_home'))

                    response = submit(request.POST.get('recaptcha_challenge_field'),

                                      request.POST.get('recaptcha_response_field'),

                                      private_key=captcha_private_key,

                                      remoteip=self.ip_addr)

                    if c.captcha_active and not response.is_valid:

                        _value = form_result

                        _msg = _('Bad captcha')

                        error_dict = {'recaptcha_field': _msg}

                        raise formencode.Invalid(_msg, _value, None,

                                                 error_dict=error_dict)

                UserModel().reset_password_link(form_result)

                h.flash(_('Your password reset link was sent'),

                            category='success')

                return redirect(url('login_home'))

            except formencode.Invalid, errors:

                return htmlfill.render(

                    render('/password_reset.html'),

                    defaults=errors.value,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8",

                    force_defaults=False)

        return render('/password_reset.html')

    def password_reset_confirmation(self):

        if request.GET and request.GET.get('key'):

            try:

                user = User.get_by_api_key(request.GET.get('key'))

                data = dict(email=user.email)

                UserModel().reset_password(data)

                h.flash(_('Your password reset was successful, '

                          'new password has been sent to your email'),

                            category='success')

            except Exception, e:

                log.error(e)

                return redirect(url('reset_password'))

        return redirect(url('login_home'))

    def logout(self):

        session.delete()

        log.info('Logging out and deleting session for user')

        redirect(url('home'))

    def authentication_token(self):

        """Return the CSRF protection token for the session - just like it

        Only intended for testing but might also be useful for other kinds

        of automation.

        """

        return h.authentication_token()

        p = perm.Permission.permission_name

        cur_perm = permissions[UK][u_k]

        if not explicit:

            p = _choose_perm(p, cur_perm)

        permissions[UK][u_k] = p

    return permissions

def allowed_api_access(controller_name, whitelist=None, api_key=None):

    """

    Check if given controller_name is in whitelist API access

    """

    if not whitelist:

        from kallithea import CONFIG

        whitelist = aslist(CONFIG.get('api_access_controllers_whitelist'),

                           sep=',')

        log.debug('whitelist of API access is: %s' % (whitelist))

    api_access_valid = controller_name in whitelist

    if api_access_valid:

        log.debug('controller:%s is in API whitelist' % (controller_name))

    else:

        msg = 'controller: %s is *NOT* in API whitelist' % (controller_name)

        if api_key:

            #if we use API key and don't have access it's a warning

            log.warning(msg)

        else:

            log.debug(msg)

    return api_access_valid

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from user ID, username, API key or cookie dict, it looks

    up the matching database `User` and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

    access to Kallithea is enabled, the default user is loaded instead.

    `AuthUser` does not by itself authenticate users and the constructor

    sets the `is_authenticated` field to False, except when falling back

    to the default anonymous user (if enabled). It's up to other parts

    of the code to check e.g. if a supplied password is correct, and if

    so, set `is_authenticated` to True.

    """

    def __init__(self, user_id=None, api_key=None, username=None,

            is_external_auth=False):

        self.user_id = user_id

        self._api_key = api_key # API key passed as parameter

        self.api_key = None # API key set by user_model.fill_data

        self.username = username

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.is_authenticated = False

        self.admin = False

        self.inherit_default_permissions = False

        self.is_external_auth = is_external_auth

        self.propagate_data()

        self._instance = None

    @LazyProperty

    def permissions(self):

        return self.__get_perms(user=self, cache=False)

    @property

    def api_keys(self):

        return self.get_api_keys()

    def propagate_data(self):

        user_model = UserModel()

        self.anonymous_user = User.get_default_user(cache=True)

        is_user_loaded = False

        # lookup by userid

        if self.user_id is not None and self.user_id != self.anonymous_user.user_id:

            log.debug('Auth User lookup by USER ID %s' % self.user_id)

            is_user_loaded = user_model.fill_data(self, user_id=self.user_id)

        # try go get user by API key

        elif self._api_key and self._api_key != self.anonymous_user.api_key:

            log.debug('Auth User lookup by API key %s' % self._api_key)

            is_user_loaded = user_model.fill_data(self, api_key=self._api_key)

        # lookup by username

        elif self.username:

            log.debug('Auth User lookup by USER NAME %s' % self.username)

            is_user_loaded = user_model.fill_data(self, username=self.username)

        c.visual.stylify_metatags = str2bool(rc_config.get('stylify_metatags'))

        c.visual.dashboard_items = safe_int(rc_config.get('dashboard_items', 100))

        c.visual.admin_grid_items = safe_int(rc_config.get('admin_grid_items', 100))

        c.visual.repository_fields = str2bool(rc_config.get('repository_fields'))

        c.visual.show_version = str2bool(rc_config.get('show_version'))

        c.visual.use_gravatar = str2bool(rc_config.get('use_gravatar'))

        c.visual.gravatar_url = rc_config.get('gravatar_url')

        c.ga_code = rc_config.get('ga_code')

        # TODO: replace undocumented backwards compatibility hack with db upgrade and rename ga_code

        if c.ga_code and '<' not in c.ga_code:

            c.ga_code = '''<script type="text/javascript">

                var _gaq = _gaq || [];

                _gaq.push(['_setAccount', '%s']);

                _gaq.push(['_trackPageview']);

                (function() {

                    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;

                    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';

                    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);

                    })();

            </script>''' % c.ga_code

        c.site_name = rc_config.get('title')

        c.clone_uri_tmpl = rc_config.get('clone_uri_tmpl')

        ## INI stored

        c.visual.allow_repo_location_change = str2bool(config.get('allow_repo_location_change', True))

        c.visual.allow_custom_hooks_settings = str2bool(config.get('allow_custom_hooks_settings', True))

        c.instance_id = config.get('instance_id')

        c.issues_url = config.get('bugtracker', url('issues_url'))

        # END CONFIG VARS

        c.repo_name = get_repo_slug(request)  # can be empty

        c.backends = BACKENDS.keys()

        c.unread_notifications = NotificationModel()\

                        .get_unread_cnt_for_user(c.authuser.user_id)

        self.cut_off_limit = safe_int(config.get('cut_off_limit'))

        c.my_pr_count = PullRequestModel().get_pullrequest_cnt_for_user(c.authuser.user_id)

        self.sa = meta.Session

        self.scm_model = ScmModel(self.sa)

    @staticmethod

    def _determine_auth_user(api_key, session_authuser):

        """

        """

        # Authenticate by API key

        if api_key:

            # when using API_KEY we are sure user exists.

            return AuthUser(api_key=api_key, is_external_auth=True)

        # Authenticate by session cookie

        # In ancient login sessions, 'authuser' may not be a dict.

        # In that case, the user will have to log in again.

        if isinstance(session_authuser, dict):

            try:

                return AuthUser.from_cookie(session_authuser)

            except UserCreationError as e:

                # container auth or other auth functions that create users on

                # the fly can throw UserCreationError to signal issues with

                # user creation. Explanation should be provided in the

                # exception object.

                from kallithea.lib import helpers as h

                h.flash(e, 'error', logf=log.error)

        # Authenticate by auth_container plugin (if enabled)

        if any(

            auth_modules.importplugin(name).is_container_auth

            for name in Setting.get_auth_plugins()

        ):

            try:

                auth_info = auth_modules.authenticate('', '', request.environ)

            except UserCreationError as e:

                from kallithea.lib import helpers as h

                h.flash(e, 'error', logf=log.error)

            else:

                if auth_info:

                    username = auth_info['username']

                    user = User.get_by_username(username, case_insensitive=True)

                    return log_in_user(user, remember=False,

                                       is_external_auth=True)

        # User is anonymous

        return AuthUser()

    def __call__(self, environ, start_response):

        """Invoke the Controller"""

        # WSGIController.__call__ dispatches to the Controller method

        # the request is routed to. This routing information is

        # available in environ['pylons.routes_dict']

        try:

        user_email = data['email']

        user = User.get_by_email(user_email)

        if user is not None:

            log.debug('password reset user found %s' % user)

            link = h.canonical_url('reset_password_confirmation',

                                   key=user.api_key)

            reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET

            body = EmailNotificationModel().get_email_tmpl(

                reg_type, 'txt',

                user=user.short_contact,

                reset_url=link)

            html_body = EmailNotificationModel().get_email_tmpl(

                reg_type, 'html',

                user=user.short_contact,

                reset_url=link)

            log.debug('sending email')

            run_task(tasks.send_email, [user_email],

                     _("Password reset link"), body, html_body)

            log.info('send new password mail to %s' % user_email)

        else:

            log.debug("password reset email %s not found" % user_email)

        return True

    def reset_password(self, data):

        from kallithea.lib.celerylib import tasks, run_task

        from kallithea.lib import auth

        user_email = data['email']

        user = User.get_by_email(user_email)

        new_passwd = auth.PasswordGenerator().gen_password(

            8, auth.PasswordGenerator.ALPHABETS_BIG_SMALL)

        if user is not None:

            user.password = auth.get_crypt_password(new_passwd)

            Session().add(user)

            Session().commit()

            log.info('change password for %s' % user_email)

        if new_passwd is None:

            raise Exception('unable to generate new password')

        run_task(tasks.send_email, [user_email],

                 _('Your new password'),

                 _('Your new Kallithea password:%s') % (new_passwd,))

        log.info('send new password mail to %s' % user_email)

        return True

    def fill_data(self, auth_user, user_id=None, api_key=None, username=None):

        """

        Fills auth_user attributes with those taken from database.

        :param auth_user: instance of user to set attributes

        :param user_id: user id to fetch by

        :param api_key: API key to fetch by

        :param username: username to fetch by

        """

        if user_id is None and api_key is None and username is None:

            raise Exception('You need to pass user_id, api_key or username')

        dbuser = None

        if user_id is not None:

            dbuser = self.get(user_id)

        elif api_key is not None:

            dbuser = self.get_by_api_key(api_key)

        elif username is not None:

            dbuser = self.get_by_username(username)

        if dbuser is not None and dbuser.active:

            log.debug('filling %s data' % dbuser)

            for k, v in dbuser.get_dict().iteritems():

                if k not in ['api_keys', 'permissions']:

                    setattr(auth_user, k, v)

            return True

        return False

    def has_perm(self, user, perm):

        perm = self._get_perm(perm)

        user = self._get_user(user)

        return UserToPerm.query().filter(UserToPerm.user == user)\

            .filter(UserToPerm.permission == perm).scalar() is not None

    def grant_perm(self, user, perm):

        """

        Grant user global permissions

        :param user:

        :param perm:

        """

        user = self._get_user(user)

        perm = self._get_perm(perm)

        # if this permission is already granted skip it

        _perm = UserToPerm.query()\

            .filter(UserToPerm.user == user)\

            .filter(UserToPerm.permission == perm)\

            .scalar()

        if _perm:

            return