return {'username': self.username,

                'user_id': self.user_id,

                'is_authenticated': self.is_authenticated}

    @classmethod

    def from_cookie_store(cls, cookie_store):

        """

        Creates AuthUser from a cookie store

        :param cls:

        :param cookie_store:

        """

        user_id = cookie_store.get('user_id')

        username = cookie_store.get('username')

        api_key = cookie_store.get('api_key')

        return AuthUser(user_id, api_key, username)

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False):

        _set = set()

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

    except Exception:

    finally:

        meta.Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = cls.rhodecode_user

        loc = "%s:%s" % (cls.__class__.__name__, func.__name__)

        # defined whitelist of controllers which API access will be enabled

        whitelist = aslist(config.get('api_access_controllers_whitelist'),

                           sep=',')

        api_access_whitelist = loc in whitelist

        log.debug('loc:%s is in API whitelist:%s:%s' % (loc, whitelist,

                                                        api_access_whitelist))

        #check IP

        ip_access_ok = True

        if not user.ip_allowed:

            from rhodecode.lib import helpers as h

            h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),

                    category='warning')

            ip_access_ok = False

        api_access_ok = False

        if self.api_access or api_access_whitelist:

            log.debug('Checking API KEY access for %s' % cls)

            if user.api_key == request.GET.get('api_key'):

                api_access_ok = True

            else:

                log.debug("API KEY token not valid")

        log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))

        if (user.is_authenticated or api_access_ok) and ip_access_ok:

            reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'