result : "{'added': [<list of names of added repos>],

               'removed': [<list of names of removed repos>]}"

    error :  null

invalidate_cache

----------------

Invalidate cache for repository.

This command can be executed only using api_key belonging to user with admin

rights or regular user that have write or admin or write access to repository.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "invalidate_cache"

    args :    {

                "repoid" : "<reponame or repo_id>"

              }

OUTPUT::

    id : <id_given_in_input>

    result : "Caches of repository `<reponame>`"

    error :  null

lock

----

Set locking state on given repository by given user. If userid param is skipped

, then it is set to id of user whos calling this method. If locked param is skipped

then function shows current lock state of given repo.

This command can be executed only using api_key belonging to user with admin

rights or regular user that have admin or write access to repository.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "lock"

    args :    {

                "repoid" : "<reponame or repo_id>"

                "userid" : "<user_id or username = Optional(=apiuser)>",

                "locked" : "<bool true|false = Optional(=None)>"

              }

OUTPUT::

    id : <id_given_in_input>

    result : {  

                 "repo": "<reponame>",

                 "locked": "<bool true|false>",

                 "locked_since": "<float lock_time>",

                 "locked_by": "<username>",

                 "msg": "User `<username>` set lock state for repo `<reponame>` to `<false|true>`"

             }               

    error :  null

show_ip

-------

Shows IP address as seen from RhodeCode server, together with all

defined IP addresses for given user.

This command can be executed only using api_key belonging to user with admin

rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "show_ip"

    args :    {

                "userid" : "<user_id or username>",

              }

OUTPUT::

    id : <id_given_in_input>

    result : {

                 "ip_addr_server": <ip_from_clien>",

                 "user_ips": [

                                {

                                   "ip_addr": "<ip_with_mask>",

                                   "ip_range": ["<start_ip>", "<end_ip>"],

                                },

                                ...

                             ]

             }

    error :  null

get_user

--------

Get's an user by username or user_id, Returns empty result if user is not found.

If userid param is skipped it is set to id of user who is calling this method.

This command can be executed only using api_key belonging to user with admin

rights, or regular users that cannot specify different userid than theirs

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "get_user"

    args :    {

                "userid" : "<username or user_id Optional(=apiuser)>"

              }

OUTPUT::

    id : <id_given_in_input>

    result: None if user does not exist or

            {

                "user_id" :     "<user_id>",

                "api_key" :     "<api_key>",

                "username" :    "<username>",

                "firstname":    "<firstname>",

                "lastname" :    "<lastname>",

                "email" :       "<email>",

                "emails":       "<list_of_all_additional_emails>",

                "ip_addresses": "<list_of_ip_addresses_for_user>",

                "active" :      "<bool>",

                "admin" :       "<bool>",

                "ldap_dn" :     "<ldap_dn>",

                "last_login":   "<last_login>",

                "permissions": {

                    "global": ["hg.create.repository",

                               "repository.read",

                               "hg.register.manual_activate"],

                    "repositories": {"repo1": "repository.none"},

                    "repositories_groups": {"Group1": "group.read"}

                 },

            }

    error:  null

get_users

---------

Lists all existing users. This command can be executed only using api_key

belonging to user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "get_users"

    args :    { }

OUTPUT::

    id : <id_given_in_input>

    result: [

              {

                "user_id" :     "<user_id>",

                "username" :    "<username>",

                "firstname":    "<firstname>",

                "lastname" :    "<lastname>",

                "email" :       "<email>",

                "emails":       "<list_of_all_additional_emails>",

                "ip_addresses": "<list_of_ip_addresses_for_user>",

                "active" :      "<bool>",

                "admin" :       "<bool>",

                "ldap_dn" :     "<ldap_dn>",

                "last_login":   "<last_login>",

              },

              …

            ]

    error:  null

create_user

-----------

Creates new user. This command can

be executed only using api_key belonging to user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "create_user"

    args :    {

                "username" :  "<username>",

                "email" :     "<useremail>",

                "firstname" : "<firstname> = Optional(None)",

                "lastname" :  "<lastname> = Optional(None)",

                "active" :    "<bool> = Optional(True)",

                "admin" :     "<bool> = Optional(False)",

                "ldap_dn" :   "<ldap_dn> = Optional(None)"

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "created new user `<username>`",

              "user": {

                "user_id" :  "<user_id>",

                "username" : "<username>",

                "firstname": "<firstname>",

                "lastname" : "<lastname>",

                "email" :    "<email>",

                "emails":    "<list_of_all_additional_emails>",

                "active" :   "<bool>",

                "admin" :    "<bool>",

                "ldap_dn" :  "<ldap_dn>",

                "last_login": "<last_login>",

              },

            }

    error:  null

update_user

-----------

updates given user if such user exists. This command can

be executed only using api_key belonging to user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "update_user"

    args :    {

                "userid" : "<user_id or username>",

                "username" :  "<username> = Optional(None)",

                "email" :     "<useremail> = Optional(None)",

                "password" :  "<password> = Optional(None)",

                "firstname" : "<firstname> = Optional(None)",

                "lastname" :  "<lastname> = Optional(None)",

                "active" :    "<bool> = Optional(None)",

                "admin" :     "<bool> = Optional(None)",

                "ldap_dn" :   "<ldap_dn> = Optional(None)"

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "updated user ID:<userid> <username>",

              "user": {

                "user_id" :  "<user_id>",

                "username" : "<username>",

                "firstname": "<firstname>",

                "lastname" : "<lastname>",

                "email" :    "<email>",

                "emails":    "<list_of_all_additional_emails>",

                "active" :   "<bool>",

                "admin" :    "<bool>",

                "ldap_dn" :  "<ldap_dn>",

                "last_login": "<last_login>",

              },

            }

    error:  null

delete_user

-----------

deletes givenuser if such user exists. This command can

be executed only using api_key belonging to user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "delete_user"

    args :    {

                "userid" : "<user_id or username>",

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "deleted user ID:<userid> <username>",

              "user": null

            }

    error:  null

get_users_group

---------------

Gets an existing user group. This command can be executed only using api_key

belonging to user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "get_users_group"

    args :    {

                "usersgroupid" : "<user group id or name>"

              }

OUTPUT::

    id : <id_given_in_input>

    result : None if group not exist

             {

               "users_group_id" : "<id>",

               "group_name" :     "<groupname>",

               "active":          "<bool>",

               "members" :  [

                              {

                                "user_id" :  "<user_id>",

                                "username" : "<username>",

                                "firstname": "<firstname>",

                                "lastname" : "<lastname>",

                                "email" :    "<email>",

                                "emails":    "<list_of_all_additional_emails>",

                                "active" :   "<bool>",

                                "admin" :    "<bool>",

                                "ldap_dn" :  "<ldap_dn>",

                                "last_login": "<last_login>",

                              },

                              …

                            ]

             }

    error : null

get_users_groups

----------------

Lists all existing user groups. This command can be executed only using

api_key belonging to user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "get_users_groups"

    args :    { }

OUTPUT::

    id : <id_given_in_input>

    result : [

               {

               "users_group_id" : "<id>",

               "group_name" :     "<groupname>",

               "active":          "<bool>",

               },

               …

              ]

    error : null

create_users_group

------------------

Creates new user group. This command can be executed only using api_key

belonging to user with admin rights

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "create_users_group"

    args:     {

                "group_name": "<groupname>",

                "owner" :     "<onwer_name_or_id = Optional(=apiuser)>",

                "active":     "<bool> = Optional(True)"

              }

OUTPUT::

    id : <id_given_in_input>

            # check if we have admin permission for this repo !

            if HasRepoPermissionAnyApi('repository.admin',

                                       'repository.write')(user=apiuser,

                                            repo_name=repo.repo_name) is False:

                raise JSONRPCError('repository `%s` does not exist' % (repoid))

        try:

            ScmModel().mark_for_invalidation(repo.repo_name)

            return ('Caches of repository `%s` was invalidated' % repoid)

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError(

                'Error occurred during cache invalidation action'

            )

    def lock(self, apiuser, repoid, locked=Optional(None),

             userid=Optional(OAttr('apiuser'))):

        """

        Set locking state on particular repository by given user, if

        this command is runned by non-admin account userid is set to user

        who is calling this method

        :param apiuser:

        :param repoid:

        :param userid:

        :param locked:

        """

        repo = get_repo_or_error(repoid)

        if HasPermissionAnyApi('hg.admin')(user=apiuser):

            pass

        elif HasRepoPermissionAnyApi('repository.admin',

                                     'repository.write')(user=apiuser,

                                                         repo_name=repo.repo_name):

            #make sure normal user does not pass someone else userid,

            #he is not allowed to do that

            if not isinstance(userid, Optional) and userid != apiuser.user_id:

                raise JSONRPCError(

                    'userid is not the same as your user'

                )

        else:

            raise JSONRPCError('repository `%s` does not exist' % (repoid))

        if isinstance(userid, Optional):

            userid = apiuser.user_id

        user = get_user_or_error(userid)

        if isinstance(locked, Optional):

            lockobj = Repository.getlock(repo)

            if lockobj[0] is None:

                _d = {

                    'repo': repo.repo_name,

                    'locked': False,

                    'locked_since': None,

                    'locked_by': None,

                    'msg': 'Repo `%s` not locked.' % repo.repo_name

                }

                return _d

            else:

                userid, time_ = lockobj

                lock_user = get_user_or_error(userid)

                _d = {

                    'repo': repo.repo_name,

                    'locked': True,

                    'locked_since': time_,

                    'locked_by': lock_user.username,

                    'msg': ('Repo `%s` locked by `%s`. '

                            % (repo.repo_name,

                               json.dumps(time_to_datetime(time_))))

                }

                return _d

        # force locked state through a flag

        else:

            locked = str2bool(locked)

            try:

                if locked:

                    lock_time = time.time()

                    Repository.lock(repo, user.user_id, lock_time)

                else:

                    lock_time = None

                    Repository.unlock(repo)

                _d = {

                    'repo': repo.repo_name,

                    'locked': locked,

                    'locked_since': lock_time,

                    'locked_by': user.username,

                    'msg': ('User `%s` set lock state for repo `%s` to `%s`'

                            % (user.username, repo.repo_name, locked))

                }

                return _d

            except Exception:

                log.error(traceback.format_exc())

                raise JSONRPCError(

                    'Error occurred locking repository `%s`' % repo.repo_name

                )

    def get_locks(self, apiuser, userid=Optional(OAttr('apiuser'))):

        """

        Get all locks for given userid, if

        this command is runned by non-admin account userid is set to user

        who is calling this method, thus returning locks for himself

        :param apiuser:

        :param userid:

        """

        if HasPermissionAnyApi('hg.admin')(user=apiuser):

            pass

        else:

            #make sure normal user does not pass someone else userid,

            #he is not allowed to do that

            if not isinstance(userid, Optional) and userid != apiuser.user_id:

                raise JSONRPCError(

                    'userid is not the same as your user'

                )

        ret = []

        if isinstance(userid, Optional):

            user = None

        else:

            user = get_user_or_error(userid)

        #show all locks

        for r in Repository.getAll():

            userid, time_ = r.locked

            if time_:

                _api_data = r.get_api_data()

                # if we use userfilter just show the locks for this user

                if user:

                    if safe_int(userid) == user.user_id:

                        ret.append(_api_data)

                else:

                    ret.append(_api_data)

        return ret

    @HasPermissionAllDecorator('hg.admin')

    def show_ip(self, apiuser, userid):

        """

        Shows IP address as seen from RhodeCode server, together with all

        defined IP addresses for given user

        :param apiuser:

        :param userid:

        """

        user = get_user_or_error(userid)

        ips = UserIpMap.query().filter(UserIpMap.user == user).all()

        return dict(

            ip_addr_server=self.ip_addr,

            user_ips=ips

        )

    def get_user(self, apiuser, userid=Optional(OAttr('apiuser'))):

        """"

        Get a user by username, or userid, if userid is given

        :param apiuser:

        :param userid:

        """

        if HasPermissionAnyApi('hg.admin')(user=apiuser) is False:

            #make sure normal user does not pass someone else userid,

            #he is not allowed to do that

            if not isinstance(userid, Optional) and userid != apiuser.user_id:

                raise JSONRPCError(

                    'userid is not the same as your user'

                )

        if isinstance(userid, Optional):

            userid = apiuser.user_id

        user = get_user_or_error(userid)

        data = user.get_api_data()

        data['permissions'] = AuthUser(user_id=user.user_id).permissions

        return data

    @HasPermissionAllDecorator('hg.admin')

    def get_users(self, apiuser):

        """"

        Get all users

        :param apiuser:

        """

        result = []

        users_list = User.query().order_by(User.username)\

                        .filter(User.username != User.DEFAULT_USER)\

                        .all()

        for user in users_list:

            result.append(user.get_api_data())

        return result

    @HasPermissionAllDecorator('hg.admin')

                    firstname=Optional(None), lastname=Optional(None),

                    active=Optional(True), admin=Optional(False),

                    ldap_dn=Optional(None)):

        """

        Create new user

        :param apiuser:

        :param username:

        :param email:

        :param password:

        :param firstname:

        :param lastname:

        :param active:

        :param admin:

        :param ldap_dn:

        """

        if UserModel().get_by_username(username):

            raise JSONRPCError("user `%s` already exist" % username)

        if UserModel().get_by_email(email, case_insensitive=True):

            raise JSONRPCError("email `%s` already exist" % email)

        if Optional.extract(ldap_dn):

            # generate temporary password if ldap_dn

            password = PasswordGenerator().gen_password(length=8)

        try:

            user = UserModel().create_or_update(

                username=Optional.extract(username),

                password=Optional.extract(password),

                email=Optional.extract(email),

                firstname=Optional.extract(firstname),

                lastname=Optional.extract(lastname),

                active=Optional.extract(active),

                admin=Optional.extract(admin),

                ldap_dn=Optional.extract(ldap_dn)

            )

            Session().commit()

            return dict(

                msg='created new user `%s`' % username,

                user=user.get_api_data()

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to create user `%s`' % username)

    @HasPermissionAllDecorator('hg.admin')

    def update_user(self, apiuser, userid, username=Optional(None),

                    email=Optional(None), firstname=Optional(None),

                    lastname=Optional(None), active=Optional(None),

                    admin=Optional(None), ldap_dn=Optional(None),

                    password=Optional(None)):

        """

        Updates given user

        :param apiuser:

        :param userid:

        :param username:

        :param email:

        :param firstname:

        :param lastname:

        :param active:

        :param admin:

        :param ldap_dn:

        :param password:

        """

        user = get_user_or_error(userid)

        # call function and store only updated arguments

        updates = {}

        def store_update(attr, name):

            if not isinstance(attr, Optional):

                updates[name] = attr

        try:

            store_update(username, 'username')

            store_update(password, 'password')

            store_update(email, 'email')

            store_update(firstname, 'name')

            store_update(lastname, 'lastname')

            store_update(active, 'active')

            store_update(admin, 'admin')

            store_update(ldap_dn, 'ldap_dn')

            user = UserModel().update_user(user, **updates)

            Session().commit()

            return dict(

                msg='updated user ID:%s %s' % (user.user_id, user.username),

                user=user.get_api_data()

            )

        except DefaultUserException:

            log.error(traceback.format_exc())

            raise JSONRPCError('editing default user is forbidden')

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to update user `%s`' % userid)

    @HasPermissionAllDecorator('hg.admin')

    def delete_user(self, apiuser, userid):

        """"

        Deletes an user

        :param apiuser:

        :param userid:

        """

        user = get_user_or_error(userid)

        try:

            UserModel().delete(userid)

            Session().commit()

            return dict(

                msg='deleted user ID:%s %s' % (user.user_id, user.username),

                user=None

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to delete ID:%s %s' % (user.user_id,

                                                              user.username))

    @HasPermissionAllDecorator('hg.admin')

    def get_users_group(self, apiuser, usersgroupid):

        """"

        Get user group by name or id

        :param apiuser:

        :param usersgroupid:

        """

        users_group = get_users_group_or_error(usersgroupid)

        data = users_group.get_api_data()

        members = []

        for user in users_group.members:

            user = user.user

            members.append(user.get_api_data())

        data['members'] = members

        return data

    @HasPermissionAllDecorator('hg.admin')

    def get_users_groups(self, apiuser):

        """"

        Get all user groups

        :param apiuser:

        """

        result = []

        for users_group in UserGroupModel().get_all():

            result.append(users_group.get_api_data())

        return result

    @HasPermissionAllDecorator('hg.admin')

    def create_users_group(self, apiuser, group_name,

                           owner=Optional(OAttr('apiuser')),

                           active=Optional(True)):

        """

        Creates an new usergroup

        :param apiuser:

        :param group_name:

        :param owner:

        :param active:

        """

        if UserGroupModel().get_by_name(group_name):

            raise JSONRPCError("user group `%s` already exist" % group_name)

        try:

            if isinstance(owner, Optional):

                owner = apiuser.user_id

            owner = get_user_or_error(owner)

            active = Optional.extract(active)

            ug = UserGroupModel().create(name=group_name,

                                         owner=owner,

                                         active=active)

            Session().commit()

            return dict(

                msg='created new user group `%s`' % group_name,

                users_group=ug.get_api_data()

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to create group `%s`' % group_name)

    @HasPermissionAllDecorator('hg.admin')

    def add_user_to_users_group(self, apiuser, usersgroupid, userid):

        """"

# -*- coding: utf-8 -*-

"""

    rhodecode.model.user

    ~~~~~~~~~~~~~~~~~~~~

    users model for RhodeCode

    :created_on: Apr 9, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import itertools

import collections

from pylons import url

from pylons.i18n.translation import _

from sqlalchemy.exc import DatabaseError

from sqlalchemy.orm import joinedload

from rhodecode.lib.utils2 import safe_unicode, generate_api_key

from rhodecode.lib.caching_query import FromCache

from rhodecode.model import BaseModel

from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \

    UserEmailMap, UserIpMap, UserGroupUserGroupToPerm, UserGroup

from rhodecode.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

from rhodecode.model.meta import Session

log = logging.getLogger(__name__)

PERM_WEIGHTS = Permission.PERM_WEIGHTS

class UserModel(BaseModel):

    cls = User

    def get(self, user_id, cache=False):

        user = self.sa.query(User)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % user_id))

        return user.get(user_id)

    def get_user(self, user):

        return self._get_user(user)

    def get_by_username(self, username, cache=False, case_insensitive=False):

        if case_insensitive:

            user = self.sa.query(User).filter(User.username.ilike(username))

        else:

            user = self.sa.query(User)\

                .filter(User.username == username)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % username))

        return user.scalar()

    def get_by_email(self, email, cache=False, case_insensitive=False):

        return User.get_by_email(email, case_insensitive, cache)

    def get_by_api_key(self, api_key, cache=False):

        return User.get_by_api_key(api_key, cache)

    def create(self, form_data):

        from rhodecode.lib.auth import get_crypt_password

        try:

            new_user = User()

            for k, v in form_data.items():

                if k == 'password':

                    v = get_crypt_password(v)

                if k == 'firstname':

                    k = 'name'

                setattr(new_user, k, v)

            new_user.api_key = generate_api_key(form_data['username'])