full rescan of paths

- fixes #376 Cannot edit user (using container auth)

- fixes #378 Invalid image urls on changeset screen with proxy-prefix

  configuration

- fixed initial sorting of repos inside repo group

- fixes issue when user tried to resubmit same permission into user/user_groups

- bumped beaker version that fixes #375 leap error bug

- fixed raw_changeset for git. It was generated with hg patch headers

- fixed vcs issue with last_changeset for filenodes

- fixed missing commit after hook delete

- fixed #372 issues with git operation detection that caused a security issue

  for git repos

1.3.2 (**2012-02-28**)

----------------------

news

++++

fixes

+++++

- fixed git protocol issues with repos-groups

- fixed git remote repos validator that prevented from cloning remote git repos

- fixes #370 ending slashes fixes for repo and groups

- fixes #368 improved git-protocol detection to handle other clients

- fixes #366 When Setting Repository Group To Blank Repo Group Wont Be

  Moved To Root

- fixes #371 fixed issues with beaker/sqlalchemy and non-ascii cache keys

- fixed #373 missing cascade drop on user_group_to_perm table

1.3.1 (**2012-02-27**)

----------------------

news

++++

fixes

+++++

- redirection loop occurs when remember-me wasn't checked during login

- fixes issues with git blob history generation

- don't fetch branch for git in file history dropdown. Causes unneeded slowness

1.3.0 (**2012-02-26**)

----------------------

news

++++

- code review, inspired by github code-comments

- #215 rst and markdown README files support

- #252 Container-based and proxy pass-through authentication support

- #44 branch browser. Filtering of changelog by branches

- mercurial bookmarks support

- new hover top menu, optimized to add maximum size for important views

- configurable clone url template with possibility to specify  protocol like

  ssh:// or http:// and also manually alter other parts of clone_url.

- enabled largefiles extension by default

- optimized summary file pages and saved a lot of unused space in them

- #239 option to manually mark repository as fork

- #320 mapping of commit authors to RhodeCode users

- #304 hashes are displayed using monospace font

- diff configuration, toggle white lines and context lines

- #307 configurable diffs, whitespace toggle, increasing context lines

- sorting on branches, tags and bookmarks using YUI datatable

- improved file filter on files page

- implements #330 api method for listing nodes ar particular revision

- #73 added linking issues in commit messages to chosen issue tracker url

  based on user defined regular expression

- added linking of changesets in commit messages

- new compact changelog with expandable commit messages

- firstname and lastname are optional in user creation

- #348 added post-create repository hook

- #212 global encoding settings is now configurable from .ini files

- #227 added repository groups permissions

- markdown gets codehilite extensions

- new API methods, delete_repositories, grante/revoke permissions for groups

  and repos

fixes

+++++

- rewrote dbsession management for atomic operations, and better error handling

- fixed sorting of repo tables

- #326 escape of special html entities in diffs

- normalized user_name => username in api attributes

- fixes #298 ldap created users with mixed case emails created conflicts

  on saving a form

- fixes issue when owner of a repo couldn't revoke permissions for users

  and groups

- fixes #271 rare JSON serialization problem with statistics

- fixes #337 missing validation check for conflicting names of a group with a

- #340 fixed session problem for mysql and celery tasks

- fixed #331 RhodeCode mangles repository names if the a repository group

  contains the "full path" to the repositories

- #355 RhodeCode doesn't store encrypted LDAP passwords

1.2.5 (**2012-01-28**)

----------------------

news

++++

fixes

+++++

- #340 Celery complains about MySQL server gone away, added session cleanup

  for celery tasks

- #341 "scanning for repositories in None" log message during Rescan was missing

  a parameter

- fixed creating archives with subrepos. Some hooks were triggered during that

  operation leading to crash.

- fixed missing email in account page.

- Reverted Mercurial to 2.0.1 for windows due to bug in Mercurial that makes

  forking on windows impossible

1.2.4 (**2012-01-19**)

----------------------

news

++++

- RhodeCode is bundled with mercurial series 2.0.X by default, with

  full support to largefiles extension. Enabled by default in new installations

- #329 Ability to Add/Remove Groups to/from a Repository via AP

- added requires.txt file with requirements

fixes

+++++

- fixes db session issues with celery when emailing admins

- #331 RhodeCode mangles repository names if the a repository group

  contains the "full path" to the repositories

- #298 Conflicting e-mail addresses for LDAP and RhodeCode users

- DB session cleanup after hg protocol operations, fixes issues with

  `mysql has gone away` errors

- #333 doc fixes for get_repo api function

- #271 rare JSON serialization problem with statistics enabled

- #337 Fixes issues with validation of repository name conflicting with

  a group name. A proper message is now displayed.

- #292 made ldap_dn in user edit readonly, to get rid of confusion that field

  doesn't work

- #316 fixes issues with web description in hgrc files

1.2.3 (**2011-11-02**)

----------------------

news

++++

- added option to manage repos group for non admin users

- added following API methods for get_users, create_user, get_users_groups,

  get_users_group, create_users_group, add_user_to_users_groups, get_repos,

  get_repo, create_repo, add_user_to_repo

- implements #237 added password confirmation for my account

  and admin edit user.

- implements #291 email notification for global events are now sent to all

  administrator users, and global config email.

fixes

+++++

- added option for passing auth method for smtp mailer

- #276 issue with adding a single user with id>10 to usergroups

- #277 fixes windows LDAP settings in which missing values breaks the ldap auth

- #288 fixes managing of repos in a group for non admin user

1.2.2 (**2011-10-17**)

----------------------

news

++++

- #226 repo groups are available by path instead of numerical id

fixes

+++++

- #259 Groups with the same name but with different parent group

- #260 Put repo in group, then move group to another group -> repo becomes unavailable

- #258 RhodeCode 1.2 assumes egg folder is writable (lockfiles problems)

- #265 ldap save fails sometimes on converting attributes to booleans,

  added getter and setter into model that will prevent from this on db model level

- fixed problems with timestamps issues #251 and #213

- fixes #266 RhodeCode allows to create repo with the same name and in

  the same parent as group

- fixes #245 Rescan of the repositories on Windows

- fixes #248 cannot edit repos inside a group on windows

"""

Routes configuration

The more specific and detailed routes should be defined first so they

may take precedent over the more generic routes. For more information

refer to the routes manual at http://routes.groovie.org/docs/

"""

from __future__ import with_statement

from routes import Mapper

# prefix for non repository related links needs to be prefixed with `/`

ADMIN_PREFIX = '/_admin'

def make_map(config):

    """Create, configure and return the routes Mapper"""

    rmap = Mapper(directory=config['pylons.paths']['controllers'],

                 always_scan=config['debug'])

    rmap.minimization = False

    rmap.explicit = False

    from rhodecode.lib.utils import is_valid_repo

    from rhodecode.lib.utils import is_valid_repos_group

    def check_repo(environ, match_dict):

        """

        check for valid repository for proper 404 handling

        :param environ:

        :param match_dict:

        """

        from rhodecode.model.db import Repository

        repo_name = match_dict.get('repo_name')

        if match_dict.get('f_path'):

            #fix for multiple initial slashes that causes errors

            match_dict['f_path'] = match_dict['f_path'].lstrip('/')

        try:

            by_id = repo_name.split('_')

            if len(by_id) == 2 and by_id[1].isdigit() and by_id[0] == '':

                repo_name = Repository.get(by_id[1]).repo_name

                match_dict['repo_name'] = repo_name

        except:

            pass

        return is_valid_repo(repo_name, config['base_path'])

    def check_group(environ, match_dict):

        """

        :param environ:

        :param match_dict:

        """

        repos_group_name = match_dict.get('group_name')

        return is_valid_repos_group(repos_group_name, config['base_path'])

    def check_int(environ, match_dict):

        return match_dict.get('id').isdigit()

    # The ErrorController route (handles 404/500 error pages); it should

    # likely stay at the top, ensuring it can always be resolved

    rmap.connect('/error/{action}', controller='error')

    rmap.connect('/error/{action}/{id}', controller='error')

    #==========================================================================

    # CUSTOM ROUTES HERE

    #==========================================================================

    #MAIN PAGE

    rmap.connect('home', '/', controller='home', action='index')

    rmap.connect('repo_switcher', '/repos', controller='home',

                 action='repo_switcher')

    rmap.connect('branch_tag_switcher', '/branches-tags/{repo_name:.*?}',

                 controller='home', action='branch_tag_switcher')

    rmap.connect('bugtracker',

                 "http://bitbucket.org/marcinkuzminski/rhodecode/issues",

                 _static=True)

    rmap.connect('rst_help',

                 "http://docutils.sourceforge.net/docs/user/rst/quickref.html",

                 _static=True)

    rmap.connect('rhodecode_official', "http://rhodecode.org", _static=True)

    #ADMIN REPOSITORY REST ROUTES

    with rmap.submapper(path_prefix=ADMIN_PREFIX,

                        controller='admin/repos') as m:

        m.connect("repos", "/repos",

             action="create", conditions=dict(method=["POST"]))

        m.connect("repos", "/repos",

             action="index", conditions=dict(method=["GET"]))

        m.connect("formatted_repos", "/repos.{format}",

             action="index",

            conditions=dict(method=["GET"]))

        m.connect("new_repo", "/repos/new",

             action="new", conditions=dict(method=["GET"]))

        m.connect("formatted_new_repo", "/repos/new.{format}",

             action="new", conditions=dict(method=["GET"]))

        m.connect("/repos/{repo_name:.*?}",

             action="update", conditions=dict(method=["PUT"],

                                              function=check_repo))

        m.connect("/repos/{repo_name:.*?}",

             action="delete", conditions=dict(method=["DELETE"],

                                              function=check_repo))

        # no longer used:

        m.connect("edit_repo_admin", "/repos/{repo_name:.*?}/edit",

             action="edit", conditions=dict(method=["GET"],

                                            function=check_repo))

        m.connect("formatted_edit_repo", "/repos/{repo_name:.*?}.{format}/edit",

             action="edit", conditions=dict(method=["GET"],

                                            function=check_repo))

        m.connect("repo", "/repos/{repo_name:.*?}",

             action="show", conditions=dict(method=["GET"],

                                            function=check_repo))

        m.connect("formatted_repo", "/repos/{repo_name:.*?}.{format}",

             action="show", conditions=dict(method=["GET"],

                                            function=check_repo))

        #ajax delete repo perm user

        m.connect('delete_repo_user', "/repos_delete_user/{repo_name:.*?}",

             action="delete_perm_user",

             conditions=dict(method=["DELETE"], function=check_repo))

        #ajax delete repo perm users_group

        m.connect('delete_repo_users_group',

                  "/repos_delete_users_group/{repo_name:.*?}",

                  action="delete_perm_users_group",

                  conditions=dict(method=["DELETE"], function=check_repo))

        #settings actions

        m.connect('repo_stats', "/repos_stats/{repo_name:.*?}",

                  action="repo_stats", conditions=dict(method=["DELETE"],

                                                       function=check_repo))

        m.connect('repo_cache', "/repos_cache/{repo_name:.*?}",

                  action="repo_cache", conditions=dict(method=["DELETE"],

                                                       function=check_repo))

        m.connect('repo_public_journal', "/repos_public_journal/{repo_name:.*?}",

                  action="repo_public_journal", conditions=dict(method=["PUT"],

                                                        function=check_repo))

        m.connect('repo_pull', "/repo_pull/{repo_name:.*?}",

                  action="repo_pull", conditions=dict(method=["PUT"],

                                                      function=check_repo))

        m.connect('repo_as_fork', "/repo_as_fork/{repo_name:.*?}",

                  action="repo_as_fork", conditions=dict(method=["PUT"],

                                                      function=check_repo))

        m.connect('repo_locking', "/repo_locking/{repo_name:.*?}",

                  action="repo_locking", conditions=dict(method=["PUT"],

                                                      function=check_repo))

            return groups

        cur_gr = self.parent_group

        groups.insert(0, cur_gr)

        cnt = 0

        while 1:

            cnt += 1

            gr = getattr(cur_gr, 'parent_group', None)

            cur_gr = cur_gr.parent_group

            if gr is None:

                break

            if cnt == parents_recursion_limit:

                # this will prevent accidental infinit loops

                log.error('group nested more than %s' %

                          parents_recursion_limit)

                break

            groups.insert(0, gr)

        return groups

    @property

    def children(self):

        return RepoGroup.query().filter(RepoGroup.parent_group == self)

    @property

    def name(self):

        return self.group_name.split(RepoGroup.url_sep())[-1]

    @property

    def full_path(self):

        return self.group_name

    @property

    def full_path_splitted(self):

        return self.group_name.split(RepoGroup.url_sep())

    @property

    def repositories(self):

        return Repository.query()\

                .filter(Repository.group == self)\

                .order_by(Repository.repo_name)

    @property

    def repositories_recursive_count(self):

        cnt = self.repositories.count()

        def children_count(group):

            cnt = 0

            for child in group.children:

                cnt += child.repositories.count()

                cnt += children_count(child)

            return cnt

        return cnt + children_count(self)

    def recursive_groups_and_repos(self):

        """

        Recursive return all groups, with repositories in those groups

        """

        all_ = []

        def _get_members(root_gr):

            for r in root_gr.repositories:

                all_.append(r)

            childs = root_gr.children.all()

            if childs:

                for gr in childs:

                    all_.append(gr)

                    _get_members(gr)

        _get_members(self)

        return [self] + all_

    def get_new_name(self, group_name):

        """

        returns new full group name based on parent and new name

        :param group_name:

        """

        path_prefix = (self.parent_group.full_path_splitted if

                       self.parent_group else [])

        return RepoGroup.url_sep().join(path_prefix + [group_name])

class Permission(Base, BaseModel):

    __tablename__ = 'permissions'

    __table_args__ = (

        Index('p_perm_name_idx', 'permission_name'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    PERMS = [

        ('repository.none', _('Repository no access')),

        ('repository.read', _('Repository read access')),

        ('repository.write', _('Repository write access')),

        ('repository.admin', _('Repository admin access')),

        ('hg.admin', _('RhodeCode Administrator')),

        ('hg.create.none', _('Repository creation disabled')),

        ('hg.create.repository', _('Repository creation enabled')),

        ('hg.fork.none', _('Repository forking disabled')),

        ('hg.fork.repository', _('Repository forking enabled')),

        ('hg.register.none', _('Register disabled')),

        ('hg.register.manual_activate', _('Register new user with RhodeCode '

                                          'with manual activation')),

        ('hg.register.auto_activate', _('Register new user with RhodeCode '

                                        'with auto activation')),

    ]

    # defines which permissions are more important higher the more important

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'repository.admin': 4,

        'group.none': 0,

        'group.read': 1,

        'group.write': 3,

        'group.admin': 4,

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

        'hg.create.repository':1

    }

    permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    permission_name = Column("permission_name", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    permission_longname = Column("permission_longname", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    def __unicode__(self):

        return u"<%s('%s:%s')>" % (

            self.__class__.__name__, self.permission_id, self.permission_name

        )

    @classmethod

    def get_by_key(cls, key):

        return cls.query().filter(cls.permission_name == key).scalar()

    @classmethod

    def get_default_perms(cls, default_user_id):

        q = Session().query(UserRepoToPerm, Repository, cls)\

         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\

         .join((cls, UserRepoToPerm.permission_id == cls.permission_id))\

         .filter(UserRepoToPerm.user_id == default_user_id)

        return q.all()

    @classmethod

    def get_default_group_perms(cls, default_user_id):

        q = Session().query(UserRepoGroupToPerm, RepoGroup, cls)\

         .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\

         .join((cls, UserRepoGroupToPerm.permission_id == cls.permission_id))\

         .filter(UserRepoGroupToPerm.user_id == default_user_id)

        return q.all()

class UserRepoToPerm(Base, BaseModel):

    __tablename__ = 'repo_to_perm'

    __table_args__ = (

        UniqueConstraint('user_id', 'repository_id', 'permission_id'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)

    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)

    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)

    user = relationship('User')

    repository = relationship('Repository')

    permission = relationship('Permission')

    @classmethod

    def create(cls, user, repository, permission):

        n = cls()

        n.user = user

        n.repository = repository

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

        return u'<user:%s => %s >' % (self.user, self.repository)

class UserToPerm(Base, BaseModel):

    __tablename__ = 'user_to_perm'

    __table_args__ = (

# -*- coding: utf-8 -*-

"""

    rhodecode.model.user_group

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    repo group model for RhodeCode

    :created_on: Jan 25, 2011

    :author: marcink

    :copyright: (C) 2011-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os

import logging

import traceback

import shutil

import datetime

from rhodecode.lib.utils2 import LazyProperty

from rhodecode.model import BaseModel

from rhodecode.model.db import RepoGroup, RhodeCodeUi, UserRepoGroupToPerm, \

    User, Permission, UsersGroupRepoGroupToPerm, UsersGroup, Repository

log = logging.getLogger(__name__)

class ReposGroupModel(BaseModel):

    cls = RepoGroup

    def __get_users_group(self, users_group):

        return self._get_instance(UsersGroup, users_group,

                                  callback=UsersGroup.get_by_group_name)

    def _get_repos_group(self, repos_group):

        return self._get_instance(RepoGroup, repos_group,

                                  callback=RepoGroup.get_by_group_name)

    @LazyProperty

    def repos_path(self):

        """

        Get's the repositories root path from database

        """

        q = RhodeCodeUi.get_by_key('/')

        return q.ui_value

    def _create_default_perms(self, new_group):

        # create default permission

        repo_group_to_perm = UserRepoGroupToPerm()

        default_perm = 'group.read'

        for p in User.get_by_username('default').user_perms:

            if p.permission.permission_name.startswith('group.'):

                default_perm = p.permission.permission_name

                break

        repo_group_to_perm.permission_id = self.sa.query(Permission)\

                .filter(Permission.permission_name == default_perm)\

                .one().permission_id

        repo_group_to_perm.group = new_group

        repo_group_to_perm.user_id = User.get_by_username('default').user_id

        self.sa.add(repo_group_to_perm)

    def __create_group(self, group_name):

        """

        :param repo_name:

        :param parent_id:

        """

        create_path = os.path.join(self.repos_path, group_name)

        log.debug('creating new group in %s' % create_path)

        if os.path.isdir(create_path):

            raise Exception('That directory already exists !')

        os.makedirs(create_path)

    def __rename_group(self, old, new):

        """

        Renames a group on filesystem

        :param group_name:

        """

        if old == new:

            log.debug('skipping group rename')

            return

        log.debug('renaming repos group from %s to %s' % (old, new))

        old_path = os.path.join(self.repos_path, old)

        new_path = os.path.join(self.repos_path, new)

        log.debug('renaming repos paths from %s to %s' % (old_path, new_path))

        if os.path.isdir(new_path):

            raise Exception('Was trying to rename to already '

                            'existing dir %s' % new_path)

        shutil.move(old_path, new_path)

    def __delete_group(self, group, force_delete=False):

        """

        Deletes a group from a filesystem

        :param group: instance of group from database

        :param force_delete: use shutil rmtree to remove all objects

        """

        paths = group.full_path.split(RepoGroup.url_sep())

        paths = os.sep.join(paths)

        rm_path = os.path.join(self.repos_path, paths)

        log.info("Removing group %s" % (rm_path))

        # delete only if that path really exists

        if os.path.isdir(rm_path):

            if force_delete:

                shutil.rmtree(rm_path)

            else:

                #archive that group`

                _now = datetime.datetime.now()

                _ms = str(_now.microsecond).rjust(6, '0')

                _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),

                                          group.name)

                shutil.move(rm_path, os.path.join(self.repos_path, _d))

    def create(self, group_name, group_description, owner, parent=None, just_db=False):

        try:

            new_repos_group = RepoGroup()

            new_repos_group.group_description = group_description or group_name

            new_repos_group.parent_group = self._get_repos_group(parent)

            new_repos_group.group_name = new_repos_group.get_new_name(group_name)

            self.sa.add(new_repos_group)

            self._create_default_perms(new_repos_group)

            #create an ADMIN permission for owner, later owner should go into

            #the owner field of groups

            self.grant_user_permission(repos_group=new_repos_group,

                                       user=owner, perm='group.admin')

            if not just_db:

                # we need to flush here, in order to check if database won't

                # throw any exceptions, create filesystem dirs at the very end

                self.sa.flush()

                self.__create_group(new_repos_group.group_name)

            return new_repos_group

        except:

            log.error(traceback.format_exc())

            raise

    def _update_permissions(self, repos_group, perms_new=None,

                            perms_updates=None, recursive=False):

        from rhodecode.model.repo import RepoModel

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        def _set_perm_user(obj, user, perm):

            if isinstance(obj, RepoGroup):

                break

        return updates

    def update(self, repos_group, form_data):

        try:

            repos_group = self._get_repos_group(repos_group)

            recursive = form_data['recursive']

            # iterate over all members(if in recursive mode) of this groups and

            # set the permissions !

            # this can be potentially heavy operation

            self._update_permissions(repos_group, form_data['perms_new'],

                                     form_data['perms_updates'], recursive)

            old_path = repos_group.full_path

            # change properties

            repos_group.group_description = form_data['group_description']

            repos_group.parent_group = RepoGroup.get(form_data['group_parent_id'])

            repos_group.group_parent_id = form_data['group_parent_id']

            repos_group.enable_locking = form_data['enable_locking']

            repos_group.group_name = repos_group.get_new_name(form_data['group_name'])

            new_path = repos_group.full_path

            self.sa.add(repos_group)

            # iterate over all members of this groups and set the locking !

            # this can be potentially heavy operation

            for obj in repos_group.recursive_groups_and_repos():

                #set the value from it's parent

                obj.enable_locking = repos_group.enable_locking

                self.sa.add(obj)

            # we need to get all repositories from this new group and

            # rename them accordingly to new group path

            for r in repos_group.repositories:

                r.repo_name = r.get_new_name(r.just_name)

                self.sa.add(r)

            self.__rename_group(old_path, new_path)

            return repos_group

        except:

            log.error(traceback.format_exc())

            raise

    def delete(self, repos_group, force_delete=False):

        repos_group = self._get_repos_group(repos_group)

        try:

            self.sa.delete(repos_group)

            self.__delete_group(repos_group, force_delete)

        except:

            log.error('Error removing repos_group %s' % repos_group)

            raise

    def delete_permission(self, repos_group, obj, obj_type, recursive):

        """

        Revokes permission for repos_group for given obj(user or users_group),

        obj_type can be user or user group

        :param repos_group:

        :param obj: user or user group id

        :param obj_type: user or user group type

        :param recursive: recurse to all children of group

        """

        from rhodecode.model.repo import RepoModel

        repos_group = self._get_repos_group(repos_group)

        for el in repos_group.recursive_groups_and_repos():

            if not recursive:

                # if we don't recurse set the permission on only the top level

                # object

                el = repos_group

            if isinstance(el, RepoGroup):

                if obj_type == 'user':

                    ReposGroupModel().revoke_user_permission(el, user=obj)

                elif obj_type == 'users_group':

                    ReposGroupModel().revoke_users_group_permission(el, group_name=obj)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            elif isinstance(el, Repository):

                if obj_type == 'user':

                    RepoModel().revoke_user_permission(el, user=obj)

                elif obj_type == 'users_group':

                    RepoModel().revoke_users_group_permission(el, group_name=obj)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            #if it's not recursive call

            # break the loop and don't proceed with other changes

            if not recursive:

                break

    def grant_user_permission(self, repos_group, user, perm):

        """

        existing one if found

        :param repos_group: Instance of ReposGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        repos_group = self._get_repos_group(repos_group)

        user = self._get_user(user)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserRepoGroupToPerm)\

            .filter(UserRepoGroupToPerm.user == user)\

            .filter(UserRepoGroupToPerm.group == repos_group)\

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoGroupToPerm()

        obj.group = repos_group

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, user, repos_group))

    def revoke_user_permission(self, repos_group, user):

        """

        :param repos_group: Instance of ReposGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

        repos_group = self._get_repos_group(repos_group)

        user = self._get_user(user)

        obj = self.sa.query(UserRepoGroupToPerm)\

            .filter(UserRepoGroupToPerm.user == user)\