# -*- coding: utf-8 -*-

"""

    rhodecode.lib.auth

    ~~~~~~~~~~~~~~~~~~

    authentication and permission libraries

    :created_on: Apr 4, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import random

import logging

import traceback

import hashlib

from tempfile import _RandomNameSequence

from decorator import decorator

from pylons import config, url, request

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode import __platform__, is_windows, is_unix

from rhodecode.model.meta import Session

from rhodecode.lib.utils2 import str2bool, safe_unicode

from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError

from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug

from rhodecode.lib.auth_ldap import AuthLdap

from rhodecode.model import meta

from rhodecode.model.user import UserModel

from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap

from rhodecode.lib.caching_query import FromCache

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """

    This is a simple class for generating password from different sets of

    characters

    usage::

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

        passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    def __init__(self, passwd=''):

        self.passwd = passwd

    def gen_password(self, length, type_=None):

        if type_ is None:

            type_ = self.ALPHABETS_FULL

        self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])

        return self.passwd

class RhodeCodeCrypto(object):

    @classmethod

    def hash_string(cls, str_):

        """

        Cryptographic function used for password hashing based on pybcrypt

        or pycrypto in windows

        :param password: password to hash

        """

        if is_windows:

            from hashlib import sha256

            return sha256(str_).hexdigest()

        elif is_unix:

            import bcrypt

            return bcrypt.hashpw(str_, bcrypt.gensalt(10))

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

    @classmethod

    def hash_check(cls, password, hashed):

        """

        Checks matching password with it's hashed value, runs different

        implementation based on platform it runs on

        :param password: password

        :param hashed: password in hashed form

        """

        if is_windows:

            from hashlib import sha256

            return sha256(password).hexdigest() == hashed

        elif is_unix:

            import bcrypt

            return bcrypt.hashpw(password, hashed) == hashed

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

def get_crypt_password(password):

    return RhodeCodeCrypto.hash_string(password)

def check_password(password, hashed):

    return RhodeCodeCrypto.hash_check(password, hashed)

        if self._api_key and self._api_key != self.anonymous_user.api_key:

            log.debug('Auth User lookup by API KEY %s' % self._api_key)

            is_user_loaded = user_model.fill_data(self, api_key=self._api_key)

        # lookup by userid

        elif (self.user_id is not None and

              self.user_id != self.anonymous_user.user_id):

            log.debug('Auth User lookup by USER ID %s' % self.user_id)

            is_user_loaded = user_model.fill_data(self, user_id=self.user_id)

        # lookup by username

        elif self.username and \

            str2bool(config.get('container_auth_enabled', False)):

            log.debug('Auth User lookup by USER NAME %s' % self.username)

            dbuser = login_container_auth(self.username)

            if dbuser is not None:

                log.debug('filling all attributes to object')

                for k, v in dbuser.get_dict().items():

                    setattr(self, k, v)

                self.set_authenticated()

                is_user_loaded = True

        else:

            log.debug('No data in %s that could been used to log in' % self)

        if not is_user_loaded:

            # if we cannot authenticate user try anonymous

            if self.anonymous_user.active is True:

                user_model.fill_data(self, user_id=self.anonymous_user.user_id)

                # then we set this user is logged in

                self.is_authenticated = True

            else:

                self.user_id = None

                self.username = None

                self.is_authenticated = False

        if not self.username:

            self.username = 'None'

        log.debug('Auth User is now %s' % self)

        user_model.fill_perms(self)

    @property

    def is_admin(self):

        return self.admin

    @property

    def ip_allowed(self):

        """

        Checks if ip_addr used in constructor is allowed from defined list of

        allowed ip_addresses for user

        :returns: boolean, True if ip is in allowed ip range

        """

        #check IP

        allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True)

        if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips))

            return True

        else:

            log.info('Access for IP:%s forbidden, '

                     'not in %s' % (self.ip_addr, allowed_ips))

            return False

    def __repr__(self):

        return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,

                                              self.is_authenticated)

    def set_authenticated(self, authenticated=True):

        if self.user_id != self.anonymous_user.user_id:

            self.is_authenticated = authenticated

    def get_cookie_store(self):

        return {'username': self.username,

                'user_id': self.user_id,

                'is_authenticated': self.is_authenticated}

    @classmethod

    def from_cookie_store(cls, cookie_store):

        """

        Creates AuthUser from a cookie store

        :param cls:

        :param cookie_store:

        """

        user_id = cookie_store.get('user_id')

        username = cookie_store.get('username')

        api_key = cookie_store.get('api_key')

        return AuthUser(user_id, api_key, username)

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False):

        _set = set()

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

    except Exception:

        pass

    finally:

        meta.Session.remove()

    config['available_permissions'] = [x.permission_name for x in all_perms]

#==============================================================================

# CHECK DECORATORS

#==============================================================================

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = cls.rhodecode_user

        loc = "%s:%s" % (cls.__class__.__name__, func.__name__)

        #check IP

        ip_access_ok = True

        if not user.ip_allowed:

            from rhodecode.lib import helpers as h

            h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),

                    category='warning')

            ip_access_ok = False

        api_access_ok = False

        if self.api_access:

            log.debug('Checking API KEY access for %s' % cls)

            if user.api_key == request.GET.get('api_key'):

                api_access_ok = True

            else:

                log.debug("API KEY token not valid")

        log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))

        if (user.is_authenticated or api_access_ok) and ip_access_ok:

            reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'

            log.info('user %s is authenticated and granted access to %s '

                     'using %s' % (user.username, loc, reason)

            )

            return func(*fargs, **fkwargs)

        else:

            log.warn('user %s NOT authenticated on func: %s' % (

                user, loc)

            )

            p = url.current()

            log.debug('redirecting to login page with %s' % p)

            return redirect(url('login_home', came_from=p))

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

    redirect to login page"""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        self.user = cls.rhodecode_user

        log.debug('Checking if user is not anonymous @%s' % cls)

        anonymous = self.user.username == 'default'

            user = AuthUser(user.user_id)

        if self.check_permissions(user.permissions, repo_name):

            log.debug('Permission to %s granted for user: %s @ %s', repo_name,

                      user, check_location)

            return True

        else:

            log.debug('Permission to %s denied for user: %s @ %s', repo_name,

                      user, check_location)

            return False

    def check_permissions(self, perm_defs, repo_name):

        """

        implement in child class should return True if permissions are ok,

        False otherwise

        :param perm_defs: dict with permission definitions

        :param repo_name: repo name

        """

        raise NotImplementedError()

class HasPermissionAllApi(_BaseApiPerm):

    def __call__(self, user, check_location=''):

        return super(HasPermissionAllApi, self)\

            .__call__(check_location=check_location, user=user)

    def check_permissions(self, perm_defs, repo):

        if self.required_perms.issubset(perm_defs.get('global')):

            return True

        return False

class HasPermissionAnyApi(_BaseApiPerm):

    def __call__(self, user, check_location=''):

        return super(HasPermissionAnyApi, self)\

            .__call__(check_location=check_location, user=user)

    def check_permissions(self, perm_defs, repo):

        if self.required_perms.intersection(perm_defs.get('global')):

            return True

        return False

class HasRepoPermissionAllApi(_BaseApiPerm):

    def __call__(self, user, repo_name, check_location=''):

        return super(HasRepoPermissionAllApi, self)\

            .__call__(check_location=check_location, user=user,

                      repo_name=repo_name)

    def check_permissions(self, perm_defs, repo_name):

        try:

            self._user_perms = set(

                [perm_defs['repositories'][repo_name]]

            )

        except KeyError:

            log.warning(traceback.format_exc())

            return False

        if self.required_perms.issubset(self._user_perms):

            return True

        return False

class HasRepoPermissionAnyApi(_BaseApiPerm):

    def __call__(self, user, repo_name, check_location=''):

        return super(HasRepoPermissionAnyApi, self)\

            .__call__(check_location=check_location, user=user,

                      repo_name=repo_name)

    def check_permissions(self, perm_defs, repo_name):

        try:

            _user_perms = set(

                [perm_defs['repositories'][repo_name]]

            )

        except KeyError:

            log.warning(traceback.format_exc())

            return False

        if self.required_perms.intersection(_user_perms):

            return True

        return False

def check_ip_access(source_ip, allowed_ips=None):

    """

    Checks if source_ip is a subnet of any of allowed_ips.

    :param source_ip:

    :param allowed_ips: list of allowed ips together with mask

    """

    from rhodecode.lib import ipaddr

    log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))

    if isinstance(allowed_ips, (tuple, list, set)):

        for ip in allowed_ips:

    return False

            if user:

                return user

        # Maybe we can match by username?

        _author = author_name(author)

        user = cls.get_by_username(_author, case_insensitive=True)

        if user:

            return user

    def update_lastlogin(self):

        """Update user lastlogin"""

        self.last_login = datetime.datetime.now()

        Session().add(self)

        log.debug('updated user %s lastlogin' % self.username)

    def get_api_data(self):

        """

        Common function for generating user related data for API

        """

        user = self

        data = dict(

            user_id=user.user_id,

            username=user.username,

            firstname=user.name,

            lastname=user.lastname,

            email=user.email,

            emails=user.emails,

            api_key=user.api_key,

            active=user.active,

            admin=user.admin,

            ldap_dn=user.ldap_dn,

            last_login=user.last_login,

            ip_addresses=user.ip_addresses

        )

        return data

    def __json__(self):

        data = dict(

            full_name=self.full_name,

            full_name_or_username=self.full_name_or_username,

            short_contact=self.short_contact,

            full_contact=self.full_contact

        )

        data.update(self.get_api_data())

        return data

class UserEmailMap(Base, BaseModel):

    __tablename__ = 'user_email_map'

    __table_args__ = (

        Index('uem_email_idx', 'email'),

        UniqueConstraint('email'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    __mapper_args__ = {}

    email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)

    _email = Column("email", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)

    user = relationship('User', lazy='joined')

    @validates('_email')

    def validate_email(self, key, email):

        # check if this email is not main one

        main_email = Session().query(User).filter(User.email == email).scalar()

        if main_email is not None:

            raise AttributeError('email %s is present is user table' % email)

        return email

    @hybrid_property

    def email(self):

        return self._email

    @email.setter

    def email(self, val):

        self._email = val.lower() if val else None

class UserIpMap(Base, BaseModel):

    __tablename__ = 'user_ip_map'

    __table_args__ = (

        UniqueConstraint('user_id', 'ip_addr'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    __mapper_args__ = {}

    ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)

    ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)

    active = Column("active", Boolean(), nullable=True, unique=None, default=True)

    user = relationship('User', lazy='joined')

    @classmethod

    def _get_ip_range(cls, ip_addr):

        from rhodecode.lib import ipaddr

        return [str(net.network), str(net.broadcast)]

    def __json__(self):

        return dict(

          ip_addr=self.ip_addr,

          ip_range=self._get_ip_range(self.ip_addr)

        )

class UserLog(Base, BaseModel):

    __tablename__ = 'user_logs'

    __table_args__ = (

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)

    username = Column("username", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True)

    repository_name = Column("repository_name", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    user_ip = Column("user_ip", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    action = Column("action", UnicodeText(1200000, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)

    @property

    def action_as_day(self):

        return datetime.date(*self.action_date.timetuple()[:3])

    user = relationship('User')

    repository = relationship('Repository', cascade='')

class UsersGroup(Base, BaseModel):

    __tablename__ = 'users_groups'

    __table_args__ = (

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_name = Column("users_group_name", String(255, convert_unicode=False, assert_unicode=None), nullable=False, unique=True, default=None)

    users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)

    inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)

    members = relationship('UsersGroupMember', cascade="all, delete, delete-orphan", lazy="joined")

    users_group_to_perm = relationship('UsersGroupToPerm', cascade='all')

    users_group_repo_to_perm = relationship('UsersGroupRepoToPerm', cascade='all')

    def __unicode__(self):

        return u'<userGroup(%s)>' % (self.users_group_name)

    @classmethod

    def get_by_group_name(cls, group_name, cache=False,

                          case_insensitive=False):

        if case_insensitive:

            q = cls.query().filter(cls.users_group_name.ilike(group_name))

        else:

            q = cls.query().filter(cls.users_group_name == group_name)

        if cache:

            q = q.options(FromCache(

                            "sql_cache_short",

                            "get_user_%s" % _hash_key(group_name)

                          )

            )

        return q.scalar()

    @classmethod

    def get(cls, users_group_id, cache=False):

        users_group = cls.query()

        if cache:

            users_group = users_group.options(FromCache("sql_cache_short",

                                    "get_users_group_%s" % users_group_id))

        return users_group.get(users_group_id)

    def get_api_data(self):

        users_group = self

        data = dict(

            users_group_id=users_group.users_group_id,

            group_name=users_group.users_group_name,

            active=users_group.users_group_active,

        )

        return data

class UsersGroupMember(Base, BaseModel):

    __tablename__ = 'users_groups_members'

    __table_args__ = (

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)

"""

Set of generic validators

"""

import os

import re

import formencode

import logging

from collections import defaultdict

from pylons.i18n.translation import _

from webhelpers.pylonslib.secure_form import authentication_token

from formencode.validators import (

    UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set,

    NotEmpty, IPAddress, CIDR

)

from rhodecode.lib.compat import OrderedSet

from rhodecode.lib.utils import repo_name_slug

from rhodecode.model.db import RepoGroup, Repository, UsersGroup, User,\

    ChangesetStatus

from rhodecode.lib.exceptions import LdapImportError

from rhodecode.config.routing import ADMIN_PREFIX

from rhodecode.lib.auth import HasReposGroupPermissionAny

# silence warnings and pylint

UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \

    NotEmpty, IPAddress, CIDR

log = logging.getLogger(__name__)

class UniqueList(formencode.FancyValidator):

    """

    Unique List !

    """

    messages = dict(

        empty=_('Value cannot be an empty list'),

        missing_value=_('Value cannot be an empty list'),

    )

    def _to_python(self, value, state):

        if isinstance(value, list):

            return value

        elif isinstance(value, set):

            return list(value)

        elif isinstance(value, tuple):

            return list(value)

        elif value is None:

            return []

        else:

            return [value]

    def empty_value(self, value):

        return []

class StateObj(object):

    """

    this is needed to translate the messages using _() in validators

    """

    _ = staticmethod(_)

def M(self, key, state=None, **kwargs):

    """

    returns string from self.message based on given key,

    passed kw params are used to substitute %(named)s params inside

    translated strings

    :param msg:

    :param state:

    """

    if state is None:

        state = StateObj()

    else:

        state._ = staticmethod(_)

    #inject validator into state object

    return self.message(key, state, **kwargs)

def ValidUsername(edit=False, old_data={}):

    class _validator(formencode.validators.FancyValidator):

        messages = {

            'username_exists': _(u'Username "%(username)s" already exists'),

            'system_invalid_username':

                _(u'Username "%(username)s" is forbidden'),

            'invalid_username':

                _(u'Username may only contain alphanumeric characters '

                  'underscores, periods or dashes and must begin with '

                  'alphanumeric character')

        }

        def validate_python(self, value, state):

            if value in ['default', 'new_user']:

                msg = M(self, 'system_invalid_username', state, username=value)

                raise formencode.Invalid(msg, value, state)

            #check if user is unique

            old_un = None

            if edit:

                old_un = User.get(old_data.get('user_id')).username

            if old_un != value or not edit:

                if User.get_by_username(value, case_insensitive=True):

                    msg = M(self, 'username_exists', state, username=value)

                    raise formencode.Invalid(msg, value, state)

            if re.match(r'^[a-zA-Z0-9]{1}[a-zA-Z0-9\-\_\.]*$', value) is None:

                msg = M(self, 'invalid_username', state)

                raise formencode.Invalid(msg, value, state)

    return _validator

def ValidRepoUser():

                        error_dict=dict(email=msg)

                    )

    return _validator

def ValidSystemEmail():

    class _validator(formencode.validators.FancyValidator):

        messages = {

            'non_existing_email': _(u'e-mail "%(email)s" does not exist.')

        }

        def _to_python(self, value, state):

            return value.lower()

        def validate_python(self, value, state):

            user = User.get_by_email(value, case_insensitive=True)

            if user is None:

                msg = M(self, 'non_existing_email', state, email=value)

                raise formencode.Invalid(msg, value, state,

                    error_dict=dict(email=msg)

                )

    return _validator

def LdapLibValidator():

    class _validator(formencode.validators.FancyValidator):

        messages = {

        }

        def validate_python(self, value, state):

            try:

                import ldap

                ldap  # pyflakes silence !

            except ImportError:

                raise LdapImportError()

    return _validator

def AttrLoginValidator():

    class _validator(formencode.validators.FancyValidator):

        messages = {

            'invalid_cn':

                  _(u'The LDAP Login attribute of the CN must be specified - '

                    'this is the name of the attribute that is equivalent '

                    'to "username"')

        }

        def validate_python(self, value, state):

            if not value or not isinstance(value, (str, unicode)):

                msg = M(self, 'invalid_cn', state)

                raise formencode.Invalid(msg, value, state,

                    error_dict=dict(ldap_attr_login=msg)

                )

    return _validator

def NotReviewedRevisions(repo_id):

    class _validator(formencode.validators.FancyValidator):

        messages = {

            'rev_already_reviewed':

                  _(u'Revisions %(revs)s are already part of pull request '

                    'or have set status')

        }

        def validate_python(self, value, state):

            # check revisions if they are not reviewed, or a part of another

            # pull request

            statuses = ChangesetStatus.query()\

                .filter(ChangesetStatus.revision.in_(value))\

                .filter(ChangesetStatus.repo_id == repo_id)\

                .all()

            errors = []

            for cs in statuses:

                if cs.pull_request_id:

                    errors.append(['pull_req', cs.revision[:12]])

                elif cs.status:

                    errors.append(['status', cs.revision[:12]])

            if errors:

                revs = ','.join([x[1] for x in errors])

                msg = M(self, 'rev_already_reviewed', state, revs=revs)

                raise formencode.Invalid(msg, value, state,

                    error_dict=dict(revisions=revs)

                )

    return _validator

def ValidIp():

    class _validator(CIDR):

        messages = dict(

            illegalBits=_('The network size (bits) must be within the range'

                ' of 0-32 (not %(bits)r)'))

        def validate_python(self, value, state):