# need to group here by groups since user can be in more than

    # one group

    _grouped = [[x, list(y)] for x, y in

                itertools.groupby(user_perms_from_users_groups,

                                  lambda x:x.users_group)]

    for gr, perms in _grouped:

        for perm in perms:

            permissions[GLOBAL].add(perm.permission.permission_name)

    # user specific global permissions

    user_perms = Session().query(UserToPerm) \

            .options(joinedload(UserToPerm.permission)) \

            .filter(UserToPerm.user_id == user_id).all()

    for perm in user_perms:

        permissions[GLOBAL].add(perm.permission.permission_name)

    # for each kind of global permissions, only keep the one with heighest weight

    kind_max_perm = {}

    for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS[n]):

        kind = perm.rsplit('.', 1)[0]

        kind_max_perm[kind] = perm

    permissions[GLOBAL] = set(kind_max_perm.values())

    ## END GLOBAL PERMISSIONS

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORIES !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository and

    # fill in his permission from it.

    #======================================================================

    # user group for repositories permissions

    user_repo_perms_from_users_groups = \

     Session().query(UserGroupRepoToPerm, Permission, Repository,) \

        .join((Repository, UserGroupRepoToPerm.repository_id ==

               Repository.repo_id)) \

        .join((Permission, UserGroupRepoToPerm.permission_id ==

               Permission.permission_id)) \

        .join((UserGroup, UserGroupRepoToPerm.users_group_id ==

               UserGroup.users_group_id)) \

        .filter(UserGroup.users_group_active == True) \

        .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==

               UserGroupMember.users_group_id)) \

        .filter(UserGroupMember.user_id == user_id) \

        .all()

    for perm in user_repo_perms_from_users_groups:

        r_k = perm.UserGroupRepoToPerm.repository.repo_name

        p = perm.Permission.permission_name

        permissions[RK][r_k] = p

    # user permissions for repositories

    user_repo_perms = Permission.get_default_perms(user_id)

    for perm in user_repo_perms:

        r_k = perm.UserRepoToPerm.repository.repo_name

        cur_perm = permissions[RK][r_k]

        p = perm.Permission.permission_name

        p = _choose_perm(p, cur_perm)

        permissions[RK][r_k] = p

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORY GROUPS !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository groups and

    # fill in his permission from it.

    #======================================================================

    # user group for repo groups permissions

    user_repo_group_perms_from_users_groups = \

     Session().query(UserGroupRepoGroupToPerm, Permission, RepoGroup) \

     .join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)) \

     .join((Permission, UserGroupRepoGroupToPerm.permission_id

            == Permission.permission_id)) \

     .join((UserGroup, UserGroupRepoGroupToPerm.users_group_id ==

            UserGroup.users_group_id)) \

     .filter(UserGroup.users_group_active == True) \

     .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

     .all()

    for perm in user_repo_group_perms_from_users_groups:

        g_k = perm.UserGroupRepoGroupToPerm.group.group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[GK][g_k]

        permissions[GK][g_k] = p

    # user explicit permissions for repository groups

    user_repo_groups_perms = Permission.get_default_group_perms(user_id)

    for perm in user_repo_groups_perms:

        rg_k = perm.UserRepoGroupToPerm.group.group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[GK][rg_k]

        p = _choose_perm(p, cur_perm)

        permissions[GK][rg_k] = p

    #======================================================================

    # !! PERMISSIONS FOR USER GROUPS !!

    #======================================================================

    # user group for user group permissions

    user_group_user_groups_perms = \

     Session().query(UserGroupUserGroupToPerm, Permission, UserGroup) \

     .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id

            == UserGroup.users_group_id)) \

     .join((Permission, UserGroupUserGroupToPerm.permission_id

            == Permission.permission_id)) \

     .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

     .join((UserGroup, UserGroupMember.users_group_id ==

            UserGroup.users_group_id), aliased=True, from_joinpoint=True) \

     .filter(UserGroup.users_group_active == True) \

     .all()

    for perm in user_group_user_groups_perms:

        g_k = perm.UserGroupUserGroupToPerm.target_user_group.users_group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[UK][g_k]

        permissions[UK][g_k] = p

    # user explicit permission for user groups

    user_user_groups_perms = Permission.get_default_user_group_perms(user_id)

    for perm in user_user_groups_perms:

        u_k = perm.UserUserGroupToPerm.user_group.users_group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[UK][u_k]

        p = _choose_perm(p, cur_perm)

        permissions[UK][u_k] = p

    return permissions

def allowed_api_access(controller_name, whitelist=None, api_key=None):

    """

    Check if given controller_name is in whitelist API access

    """

    if not whitelist:

        from kallithea import CONFIG

        whitelist = aslist(CONFIG.get('api_access_controllers_whitelist'),

                           sep=',')

        log.debug('whitelist of API access is: %s', whitelist)

    api_access_valid = controller_name in whitelist

    if api_access_valid:

        log.debug('controller:%s is in API whitelist', controller_name)

    else:

        msg = 'controller: %s is *NOT* in API whitelist' % (controller_name)

        if api_key:

            # if we use API key and don't have access it's a warning

            log.warning(msg)

        else:

            log.debug(msg)

    return api_access_valid

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from a database `User` object, a user ID or cookie dict,

    it looks up the user (if needed) and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

    access to Kallithea is enabled, the default user is loaded instead.

        # enable only write access for default user on user group

        UserGroupModel().grant_user_permission(self.ug2,

                                               user='default',

                                               perm='usergroup.write')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['user_groups'][u'G1'] == u'usergroup.read'

        assert u1_auth.permissions['user_groups'][u'G2'] == u'usergroup.write'

    def test_inactive_user_group_does_not_affect_user_group_permissions_inverse(self):

        self.ug1 = fixture.create_user_group(u'G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})

        self.ug2 = fixture.create_user_group(u'G2')

        # enable only write access for user group on user group

        UserGroupModel().grant_user_group_permission(self.ug2,

                                                     user_group=self.ug1,

                                                     perm='usergroup.write')

        # enable admin access for default user on user group

        UserGroupModel().grant_user_permission(self.ug2,

                                               user='default',

                                               perm='usergroup.admin')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['user_groups'][u'G1'] == u'usergroup.read'

        assert u1_auth.permissions['user_groups'][u'G2'] == u'usergroup.admin'

    def test_owner_permissions_doesnot_get_overwritten_by_group(self):

        # create repo as USER,

        self.test_repo = fixture.create_repo(name=u'myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u1)

        # he has permissions of admin as owner

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['repositories']['myownrepo'] == 'repository.admin'

        # set his permission as user group, he should still be admin

        self.ug1 = fixture.create_user_group(u'G1')

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        RepoModel().grant_user_group_permission(self.test_repo,

                                                 group_name=self.ug1,

                                                 perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

    def test_owner_permissions_doesnot_get_overwritten_by_others(self):

        # create repo as USER,

        self.test_repo = fixture.create_repo(name=u'myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u1)

        # he has permissions of admin as owner

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['repositories']['myownrepo'] == 'repository.admin'

        # set his permission as user, he should still be admin

        RepoModel().grant_user_permission(self.test_repo, user=self.u1,

                                          perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['repositories']['myownrepo'] == 'repository.admin'

    def _test_def_perm_equal(self, user, change_factor=0):

        perms = UserToPerm.query() \

                .filter(UserToPerm.user == user) \

                .all()

        assert len(perms) == len(Permission.DEFAULT_USER_PERMISSIONS,)+change_factor, perms

    def test_set_default_permissions(self):

        PermissionModel().create_default_permissions(user=self.u1)

        self._test_def_perm_equal(user=self.u1)

    def test_set_default_permissions_after_one_is_missing(self):

        PermissionModel().create_default_permissions(user=self.u1)

        self._test_def_perm_equal(user=self.u1)

        # now we delete one, it should be re-created after another call

        perms = UserToPerm.query() \

                .filter(UserToPerm.user == self.u1) \

                .all()

        Session().delete(perms[0])

        Session().commit()

        self._test_def_perm_equal(user=self.u1, change_factor=-1)

        # create missing one !

        PermissionModel().create_default_permissions(user=self.u1)

        self._test_def_perm_equal(user=self.u1)

    @parametrize('perm,modify_to', [

        ('repository.read', 'repository.none'),

        ('group.read', 'group.none'),

        ('usergroup.read', 'usergroup.none'),

        ('hg.create.repository', 'hg.create.none'),

    # set permission to g0 non-recursive mode

    recursive = 'none'

    group = u'g0/g0_1'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    items = [x for x in _get_repo_perms(group, recursive)]

    expected = 0

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        check_tree_perms(name, perm, group, 'repository.read')

    items = [x for x in _get_group_perms(group, recursive)]

    expected = 1

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        check_tree_perms(name, perm, group, 'group.write')

def test_user_permissions_on_group_with_recursive_mode():

    # set permission to g0 recursive mode, all children including

    # other repos and groups should have this permission now set !

    recursive = 'all'

    group = u'g0'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        check_tree_perms(name, perm, group, 'repository.write')

    for name, perm in items:

        check_tree_perms(name, perm, group, 'group.write')

def test_user_permissions_on_group_with_recursive_mode_inner_group():

    ## set permission to g0_3 group to none

    recursive = 'all'

    group = u'g0/g0_3'

    permissions_setup_func(group, 'group.none', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

    for name, perm in items:

def test_user_permissions_on_group_with_recursive_mode_deepest():

    recursive = 'all'

    group = u'g0/g0_1/g0_1_1'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        check_tree_perms(name, perm, group, 'repository.write')

    for name, perm in items:

        check_tree_perms(name, perm, group, 'group.write')

def test_user_permissions_on_group_with_recursive_mode_only_with_repos():

    recursive = 'all'

    group = u'g0/g0_2'

    permissions_setup_func(group, 'group.admin', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        check_tree_perms(name, perm, group, 'repository.admin')

    for name, perm in items:

        check_tree_perms(name, perm, group, 'group.admin')

def test_user_permissions_on_group_with_recursive_mode_on_repos():

    # set permission to g0/g0_1 with recursive mode on just repositories

    recursive = 'repos'

    group = u'g0/g0_1'

    perm = 'group.write'

    permissions_setup_func(group, perm, recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        check_tree_perms(name, perm, group, 'repository.write')

    for name, perm in items:

        # permission is set with repos only mode, but we also change the permission

        # on the group we trigger the apply to children from, thus we need

        # to change its permission check

        old_perm = 'group.read'

        if name == group:

            old_perm = perm

        check_tree_perms(name, perm, group, old_perm)

def test_user_permissions_on_group_with_recursive_mode_on_repo_groups():

    # set permission to g0/g0_1 with recursive mode on just repository groups

    recursive = 'groups'

    group = u'g0/g0_1'

    perm = 'group.none'

    permissions_setup_func(group, perm, recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        check_tree_perms(name, perm, group, 'repository.read')

    for name, perm in items: