kallithea Changeset - 591effa1fc4d

Changeset - 591effa1fc4d

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich - 9 years ago 2016-09-12 17:41:20
madski@unity3d.com

api: drop the old Api auth methods and use the normal methods for access control

2 files changed with 46 insertions and 124 deletions:

kallithea/controllers/api/api.py

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/controllers/api/api.py

➞

Show inline comments

@@ @@ -24,26 +24,26 @@ Original author and date, and relevant c @@
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import time
 import traceback
 import logging
 from sqlalchemy import or_
 from kallithea.controllers.api import JSONRPCController, JSONRPCError
 from kallithea.lib.auth import (
     PasswordGenerator, AuthUser, HasPermissionAnyDecorator,
     HasPermissionAnyDecorator, HasPermissionAnyApi, HasRepoPermissionAnyApi,
     HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAny)
     HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionAny,
     HasRepoGroupPermissionAny, HasUserGroupPermissionAny)
 from kallithea.lib.utils import map_groups, repo2db_mapper
 from kallithea.lib.utils2 import (
     str2bool, time_to_datetime, safe_int, Optional, OAttr)
 from kallithea.model.meta import Session
 from kallithea.model.repo_group import RepoGroupModel
 from kallithea.model.scm import ScmModel, UserGroupList
 from kallithea.model.repo import RepoModel
 from kallithea.model.user import UserModel
 from kallithea.model.user_group import UserGroupModel
 from kallithea.model.gist import GistModel
 from kallithea.model.db import (
     Repository, Setting, UserIpMap, Permission, User, Gist,
@@ @@ -265,28 +265,28 @@ class ApiController(JSONRPCController): @@
           error :  null
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             'Error occurred during cache invalidation action'
+          }
         """
         repo = get_repo_or_error(repoid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
             if not HasRepoPermissionAnyApi('repository.admin',
                                            'repository.write')(
             if not HasRepoPermissionAny('repository.admin',
                                         'repository.write')(
                     repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
         try:
             ScmModel().mark_for_invalidation(repo.repo_name)
             return dict(
                 msg='Cache for repository `%s` was invalidated' % (repoid,),
                 repository=repo.repo_name
+            )
         except Exception:
             log.error(traceback.format_exc())
             raise JSONRPCError(
@@ @@ -329,28 +329,28 @@ class ApiController(JSONRPCController): @@
           error :  null
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             'Error occurred locking repository `<reponame>`
+          }
         """
         repo = get_repo_or_error(repoid)
-        if HasPermissionAnyApi('hg.admin')():
+        if HasPermissionAny('hg.admin')():
             pass
         elif HasRepoPermissionAnyApi('repository.admin',
                                      'repository.write')(repo_name=repo.repo_name):
         elif HasRepoPermissionAny('repository.admin',
                                   'repository.write')(repo_name=repo.repo_name):
             # make sure normal user does not pass someone else userid,
             # he is not allowed to do that
             if not isinstance(userid, Optional) and userid != self.authuser.user_id:
                 raise JSONRPCError(
                     'userid is not the same as your user'
+                )
         else:
             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
         if isinstance(userid, Optional):
             userid = self.authuser.user_id
@@ @@ -419,25 +419,25 @@ class ApiController(JSONRPCController): @@
         :param userid: User to get locks for
         :type userid: Optional(str or int)
         OUTPUT::
           id : <id_given_in_input>
           result : {
             [repo_object, repo_object,...]
+          }
           error :  null
         """
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # make sure normal user does not pass someone else userid,
             # he is not allowed to do that
             if not isinstance(userid, Optional) and userid != self.authuser.user_id:
                 raise JSONRPCError(
                     'userid is not the same as your user'
+                )
         ret = []
         if isinstance(userid, Optional):
             user = None
         else:
             user = get_user_or_error(userid)
@@ @@ -547,25 +547,25 @@ class ApiController(JSONRPCController): @@
                         "permissions": {
                             "global": ["hg.create.repository",
                                        "repository.read",
                                        "hg.register.manual_activate"],
                             "repositories": {"repo1": "repository.none"},
                             "repositories_groups": {"Group1": "group.read"}
                          },
+                    }
             error:  null
         """
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # make sure normal user does not pass someone else userid,
             # he is not allowed to do that
             if not isinstance(userid, Optional) and userid != self.authuser.user_id:
                 raise JSONRPCError(
                     'userid is not the same as your user'
+                )
         if isinstance(userid, Optional):
             userid = self.authuser.user_id
         user = get_user_or_error(userid)
         data = user.get_api_data()
@@ @@ -812,25 +812,25 @@ class ApiController(JSONRPCController): @@
             id : <id_given_in_input>
             result : None if group not exist
+                     {
                        "users_group_id" : "<id>",
                        "group_name" :     "<groupname>",
                        "active":          "<bool>",
                        "members" :  [<user_obj>,...]
+                     }
             error : null
         """
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have at least read permission for this user group !
             _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         data = user_group.get_api_data()
         return data
     # permission check inside
     def get_user_groups(self):
         """
@@ @@ -941,25 +941,25 @@ class ApiController(JSONRPCController): @@
           error :  null
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to update user group `<user group name>`"
+          }
         """
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this user group !
             _perms = ('usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         if not isinstance(owner, Optional):
             owner = get_user_or_error(owner)
         updates = {}
         store_update(updates, group_name, 'users_group_name')
         store_update(updates, description, 'user_group_description')
@@ @@ -998,25 +998,25 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to delete user group ID:<user_group_id> <user_group_name>"
             or
             "RepoGroup assigned to <repo_groups_list>"
+          }
         """
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this user group !
             _perms = ('usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         try:
             UserGroupModel().delete(user_group)
             Session().commit()
             return dict(
                 msg='deleted user group ID:%s %s' %
                     (user_group.users_group_id, user_group.users_group_name),
@@ @@ -1057,25 +1057,25 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to add member to user group `<user_group_name>`"
+          }
         """
         user = get_user_or_error(userid)
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this user group !
             _perms = ('usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         try:
             ugm = UserGroupModel().add_user_to_group(user_group, user)
             success = True if ugm != True else False
             msg = 'added member `%s` to user group `%s`' % (
                 user.username, user_group.users_group_name
+            )
@@ @@ -1109,25 +1109,25 @@ class ApiController(JSONRPCController): @@
             id : <id_given_in_input>
             result: {
                       "success":  True|False,  # depends on if member is in group
                       "msg": "removed member <username> from user group <groupname> |
                               User wasn't in group"
+                    }
             error:  null
         """
         user = get_user_or_error(userid)
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this user group !
             _perms = ('usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         try:
             success = UserGroupModel().remove_user_from_group(user_group, user)
             msg = 'removed member `%s` from user group `%s`' % (
                 user.username, user_group.users_group_name
+            )
             msg = msg if success else "User wasn't in group"
@@ @@ -1192,28 +1192,28 @@ class ApiController(JSONRPCController): @@
                                   },
                                   …
+                                ]
                  "followers":   [<user_obj>, ...]
+                 ]
+            }
+          }
           error :  null
         """
         repo = get_repo_or_error(repoid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
             perms = ('repository.admin', 'repository.write', 'repository.read')
-            if not HasRepoPermissionAnyApi(*perms)(repo_name=repo.repo_name):
+            if not HasRepoPermissionAny(*perms)(repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
         members = []
         followers = []
         for user in repo.repo_to_perm:
             perm = user.permission.permission_name
             user = user.user
             user_data = {
                 'name': user.username,
                 'type': "user",
                 'permission': perm
+            }
@@ @@ -1260,25 +1260,25 @@ class ApiController(JSONRPCController): @@
                         "landing_rev":       "<landing_rev>",
                         "owner":             "<repo_owner>",
                         "fork_of":           "<name_of_fork_parent>",
                         "enable_downloads":  "<bool>",
                         "enable_locking":    "<bool>",
                         "enable_statistics": "<bool>",
                       },
                       …
+                    ]
             error:  null
         """
         result = []
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             repos = RepoModel().get_all_user_repos(user=self.authuser.user_id)
         else:
             repos = Repository.get_all()
         for repo in repos:
             result.append(repo.get_api_data())
         return result
     # permission check inside
     def get_repo_nodes(self, repoid, revision, root_path,
                        ret_type=Optional('all')):
         """
@@ @@ -1302,28 +1302,28 @@ class ApiController(JSONRPCController): @@
             id : <id_given_in_input>
             result: [
+                      {
                         "name" :        "<name>"
                         "type" :        "<type>",
                       },
                       …
+                    ]
             error:  null
         """
         repo = get_repo_or_error(repoid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
             perms = ('repository.admin', 'repository.write', 'repository.read')
-            if not HasRepoPermissionAnyApi(*perms)(repo_name=repo.repo_name):
+            if not HasRepoPermissionAny(*perms)(repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
         ret_type = Optional.extract(ret_type)
         _map = {}
         try:
             _d, _f = ScmModel().get_nodes(repo, revision, root_path,
                                           flat=False)
             _map = {
                 'all': _d + _f,
                 'files': _f,
                 'dirs': _d,
+            }
@@ @@ -1388,25 +1388,25 @@ class ApiController(JSONRPCController): @@
+                    }
             error:  null
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
              'failed to create repository `<repo_name>`
+          }
         """
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             if not isinstance(owner, Optional):
                 # forbid setting owner for non-admins
                 raise JSONRPCError(
                     'Only Kallithea admin can specify `owner` param'
+                )
         if isinstance(owner, Optional):
             owner = self.authuser.user_id
         owner = get_user_or_error(owner)
         if RepoModel().get_by_repo_name(repo_name):
             raise JSONRPCError("repo `%s` already exist" % repo_name)
@@ @@ -1480,31 +1480,31 @@ class ApiController(JSONRPCController): @@
         :param name:
         :param owner:
         :param group:
         :param description:
         :param private:
         :param clone_uri:
         :param landing_rev:
         :param enable_statistics:
         :param enable_locking:
         :param enable_downloads:
         """
         repo = get_repo_or_error(repoid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
-            if not HasRepoPermissionAnyApi('repository.admin')(repo_name=repo.repo_name):
+            if not HasRepoPermissionAny('repository.admin')(repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
             if (name != repo.repo_name and
-                not HasPermissionAnyApi('hg.create.repository')()
+                not HasPermissionAny('hg.create.repository')()
                 ):
                 raise JSONRPCError('no permission to create (or move) repositories')
             if not isinstance(owner, Optional):
                 # forbid setting owner for non-admins
                 raise JSONRPCError(
                     'Only Kallithea admin can specify `owner` param'
+                )
         updates = {}
         repo_group = group
         if not isinstance(repo_group, Optional):
@@ @@ -1577,36 +1577,36 @@ class ApiController(JSONRPCController): @@
+                    }
             error:  null
         """
         repo = get_repo_or_error(repoid)
         repo_name = repo.repo_name
         _repo = RepoModel().get_by_repo_name(fork_name)
         if _repo:
             type_ = 'fork' if _repo.fork else 'repo'
             raise JSONRPCError("%s `%s` already exist" % (type_, fork_name))
-        if HasPermissionAnyApi('hg.admin')():
+        if HasPermissionAny('hg.admin')():
             pass
         elif HasRepoPermissionAnyApi('repository.admin',
                                      'repository.write',
                                      'repository.read')(repo_name=repo.repo_name):
         elif HasRepoPermissionAny('repository.admin',
                                   'repository.write',
                                   'repository.read')(repo_name=repo.repo_name):
             if not isinstance(owner, Optional):
                 # forbid setting owner for non-admins
                 raise JSONRPCError(
                     'Only Kallithea admin can specify `owner` param'
+                )
-            if not HasPermissionAnyApi('hg.create.repository')():
+            if not HasPermissionAny('hg.create.repository')():
                 raise JSONRPCError('no permission to create repositories')
         else:
             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
         if isinstance(owner, Optional):
             owner = self.authuser.user_id
         owner = get_user_or_error(owner)
         try:
             # create structure of groups and return the last group
             group = map_groups(fork_name)
@@ @@ -1657,27 +1657,27 @@ class ApiController(JSONRPCController): @@
         OUTPUT::
             id : <id_given_in_input>
             result: {
                       "msg": "Deleted repository `<reponame>`",
                       "success": true
+                    }
             error:  null
         """
         repo = get_repo_or_error(repoid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
-            if not HasRepoPermissionAnyApi('repository.admin')(repo_name=repo.repo_name):
+            if not HasRepoPermissionAny('repository.admin')(repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
         try:
             handle_forks = Optional.extract(forks)
             _forks_msg = ''
             _forks = [f for f in repo.forks]
             if handle_forks == 'detach':
                 _forks_msg = ' ' + 'Detached %s forks' % len(_forks)
             elif handle_forks == 'delete':
                 _forks_msg = ' ' + 'Deleted %s forks' % len(_forks)
             elif _forks:
                 raise JSONRPCError(
@@ @@ -1809,28 +1809,28 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to edit permission for user group: `<usergroup>` in repo `<repo>`'
+          }
         """
         repo = get_repo_or_error(repoid)
         perm = get_perm_or_error(perm)
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
             _perms = ('repository.admin',)
-            if not HasRepoPermissionAnyApi(*_perms)(
+            if not HasRepoPermissionAny(*_perms)(
                     repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
             # check if we have at least read permission for this user group !
             _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         try:
             RepoModel().grant_user_group_permission(
                 repo=repo, group_name=user_group, perm=perm)
@@ @@ -1865,28 +1865,28 @@ class ApiController(JSONRPCController): @@
         OUTPUT::
             id : <id_given_in_input>
             result: {
                       "msg" : "Revoked perm for group: `<usersgroupname>` in repo: `<reponame>`",
                       "success": true
+                    }
             error:  null
         """
         repo = get_repo_or_error(repoid)
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo !
             _perms = ('repository.admin',)
-            if not HasRepoPermissionAnyApi(*_perms)(
+            if not HasRepoPermissionAny(*_perms)(
                     repo_name=repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
             # check if we have at least read permission for this user group !
             _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
         try:
             RepoModel().revoke_user_group_permission(
                 repo=repo, group_name=user_group)
@@ @@ -2117,27 +2117,27 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
+          }
         """
         repo_group = get_repo_group_or_error(repogroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo group !
-            if not HasRepoGroupPermissionAnyApi('group.admin')(group_name=repo_group.group_name):
+            if not HasRepoGroupPermissionAny('group.admin')(group_name=repo_group.group_name):
                 raise JSONRPCError('repository group `%s` does not exist' % (repogroupid,))
         user = get_user_or_error(userid)
         perm = get_perm_or_error(perm, prefix='group.')
         apply_to_children = Optional.extract(apply_to_children)
         try:
             RepoGroupModel().add_permission(repo_group=repo_group,
                                             obj=user,
                                             obj_type="user",
                                             perm=perm,
                                             recursive=apply_to_children)
@@ @@ -2181,27 +2181,27 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
+          }
         """
         repo_group = get_repo_group_or_error(repogroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo group !
-            if not HasRepoGroupPermissionAnyApi('group.admin')(group_name=repo_group.group_name):
+            if not HasRepoGroupPermissionAny('group.admin')(group_name=repo_group.group_name):
                 raise JSONRPCError('repository group `%s` does not exist' % (repogroupid,))
         user = get_user_or_error(userid)
         apply_to_children = Optional.extract(apply_to_children)
         try:
             RepoGroupModel().delete_permission(repo_group=repo_group,
                                                obj=user,
                                                obj_type="user",
                                                recursive=apply_to_children)
             Session().commit()
@@ @@ -2249,28 +2249,28 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
+          }
         """
         repo_group = get_repo_group_or_error(repogroupid)
         perm = get_perm_or_error(perm, prefix='group.')
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo group !
             _perms = ('group.admin',)
-            if not HasRepoGroupPermissionAnyApi(*_perms)(
+            if not HasRepoGroupPermissionAny(*_perms)(
                     group_name=repo_group.group_name):
                 raise JSONRPCError(
                     'repository group `%s` does not exist' % (repogroupid,))
             # check if we have at least read permission for this user group !
             _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError(
                     'user group `%s` does not exist' % (usergroupid,))
         apply_to_children = Optional.extract(apply_to_children)
@@ @@ -2325,28 +2325,28 @@ class ApiController(JSONRPCController): @@
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
+          }
         """
         repo_group = get_repo_group_or_error(repogroupid)
         user_group = get_user_group_or_error(usergroupid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # check if we have admin permission for this repo group !
             _perms = ('group.admin',)
-            if not HasRepoGroupPermissionAnyApi(*_perms)(
+            if not HasRepoGroupPermissionAny(*_perms)(
                     group_name=repo_group.group_name):
                 raise JSONRPCError(
                     'repository group `%s` does not exist' % (repogroupid,))
             # check if we have at least read permission for this user group !
             _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
             if not HasUserGroupPermissionAny(*_perms)(
                     user_group_name=user_group.users_group_name):
                 raise JSONRPCError(
                     'user group `%s` does not exist' % (usergroupid,))
         apply_to_children = Optional.extract(apply_to_children)
@@ @@ -2370,38 +2370,38 @@ class ApiController(JSONRPCController): @@
                     user_group.users_group_name, repo_group.name
+                )
+            )
     def get_gist(self, gistid):
         """
         Get given gist by id
         :param gistid: id of private or public gist
         :type gistid: str
         """
         gist = get_gist_or_error(gistid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             if gist.gist_owner != self.authuser.user_id:
                 raise JSONRPCError('gist `%s` does not exist' % (gistid,))
         return gist.get_api_data()
     def get_gists(self, userid=Optional(OAttr('apiuser'))):
         """
         Get all gists for given user. If userid is empty returned gists
         are for user who called the api
         :param userid: user to get gists for
         :type userid: Optional(str or int)
         """
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             # make sure normal user does not pass someone else userid,
             # he is not allowed to do that
             if not isinstance(userid, Optional) and userid != self.authuser.user_id:
                 raise JSONRPCError(
                     'userid is not the same as your user'
+                )
         if isinstance(userid, Optional):
             user_id = self.authuser.user_id
         else:
             user_id = get_user_or_error(userid).user_id
@@ @@ -2499,25 +2499,25 @@ class ApiController(JSONRPCController): @@
           error :  null
         ERROR OUTPUT::
           id : <id_given_in_input>
           result : null
           error :  {
             "failed to delete gist ID:<gist_id>"
+          }
         """
         gist = get_gist_or_error(gistid)
-        if not HasPermissionAnyApi('hg.admin')():
+        if not HasPermissionAny('hg.admin')():
             if gist.gist_owner != self.authuser.user_id:
                 raise JSONRPCError('gist `%s` does not exist' % (gistid,))
         try:
             GistModel().delete(gist)
             Session().commit()
             return dict(
                 msg='deleted gist ID:%s' % (gist.gist_access_id,),
                 gist=None
+            )
         except Exception:
             log.error(traceback.format_exc())

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -1056,102 +1056,24 @@ class HasPermissionAnyMiddleware(object) @@
         log.debug('checking VCS protocol '
                   'permissions %s for user:%s repository:%s', self.user_perms,
                                                 self.username, self.repo_name)
         if self.required_perms.intersection(self.user_perms):
             log.debug('Permission to repo: %s granted for user: %s @ %s',
                       self.repo_name, self.username, 'PermissionMiddleware')
             return True
         log.debug('Permission to repo: %s denied for user: %s @ %s',
                   self.repo_name, self.username, 'PermissionMiddleware')
         return False
 #==============================================================================
 # SPECIAL VERSION TO HANDLE API AUTH
 #==============================================================================
 class _BaseApiPerm(object):
     def __init__(self, *perms):
         self.required_perms = set(perms)
     def __call__(self, check_location=None, repo_name=None, group_name=None):
         user = request.user
         assert user
         assert isinstance(user, AuthUser), user
         cls_name = self.__class__.__name__
         check_scope = 'user:%s' % (user)
         if repo_name:
             check_scope += ', repo:%s' % (repo_name)
         if group_name:
             check_scope += ', repo group:%s' % (group_name)
         log.debug('checking cls:%s %s %s @ %s',
                   cls_name, self.required_perms, check_scope, check_location)
         ## process user
         if not check_location:
             check_location = 'unspecified'
         if self.check_permissions(user.permissions, repo_name, group_name):
             log.debug('Permission to %s granted for user: %s @ %s',
                       check_scope, user, check_location)
             return True
         else:
             log.debug('Permission to %s denied for user: %s @ %s',
                       check_scope, user, check_location)
             return False
     def check_permissions(self, perm_defs, repo_name=None, group_name=None):
         """
         implement in child class should return True if permissions are ok,
         False otherwise
         :param perm_defs: dict with permission definitions
         :param repo_name: repo name
         """
         raise NotImplementedError()
 class HasPermissionAnyApi(_BaseApiPerm):
     def check_permissions(self, perm_defs, repo_name=None, group_name=None):
         if self.required_perms.intersection(perm_defs.get('global')):
             return True
         return False
 class HasRepoPermissionAnyApi(_BaseApiPerm):
     def check_permissions(self, perm_defs, repo_name=None, group_name=None):
         try:
             _user_perms = set([perm_defs['repositories'][repo_name]])
         except KeyError:
             log.warning(traceback.format_exc())
             return False
         if self.required_perms.intersection(_user_perms):
             return True
         return False
 class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
     def check_permissions(self, perm_defs, repo_name=None, group_name=None):
         try:
             _user_perms = set([perm_defs['repositories_groups'][group_name]])
         except KeyError:
             log.warning(traceback.format_exc())
             return False
         if self.required_perms.intersection(_user_perms):
             return True
         return False
 def check_ip_access(source_ip, allowed_ips=None):
     """
     Checks if source_ip is a subnet of any of allowed_ips.
     :param source_ip:
     :param allowed_ips: list of allowed ips together with mask
     """
     from kallithea.lib import ipaddr
     log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)
     if isinstance(allowed_ips, (tuple, list, set)):
         for ip in allowed_ips:
             if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):

0 comments (0 inline, 0 general)