# Create an Alembic configuration and generate the version table,

        # "stamping" it with the most recent Alembic migration revision, to

        # tell Alembic that all the schema upgrades are already in effect.

        alembic_cfg = alembic.config.Config()

        alembic_cfg.set_main_option('script_location', 'kallithea:alembic')

        alembic_cfg.set_main_option('sqlalchemy.url', self.dburi)

        # This command will give an error in an Alembic multi-head scenario,

        # but in practice, such a scenario should not come up during database

        # creation, even during development.

        alembic.command.stamp(alembic_cfg, 'head')

        log.info('Created tables for %s', self.dbname)

    def fix_repo_paths(self):

        """

        Fixes a old kallithea version path into new one without a '*'

        """

        paths = self.sa.query(Ui) \

                .filter(Ui.ui_key == '/') \

                .scalar()

        paths.ui_value = paths.ui_value.replace('*', '')

        self.sa.commit()

    def fix_default_user(self):

        """

        Fixes a old default user with some 'nicer' default values,

        used mostly for anonymous access

        """

        def_user = self.sa.query(User).filter_by(is_default_user=True).one()

        def_user.name = 'Anonymous'

        def_user.lastname = 'User'

        def_user.email = 'anonymous@kallithea-scm.org'

        self.sa.commit()

    def fix_settings(self):

        """

        Fixes kallithea settings adds ga_code key for google analytics

        """

        hgsettings3 = Setting('ga_code', '')

        self.sa.add(hgsettings3)

        self.sa.commit()

    def admin_prompt(self, second=False):

        if not self.tests:

            import getpass

            username = self.cli_args.get('username')

            password = self.cli_args.get('password')

            email = self.cli_args.get('email')

            def get_password():

                password = getpass.getpass('Specify admin password '

                                           '(min 6 chars):')

                confirm = getpass.getpass('Confirm password:')

                continue

            setting = Setting(k, v, t)

            self.sa.add(setting)

    def create_default_options(self, skip_existing=False):

        """Creates default settings"""

        for k, v, t in [

            ('default_repo_enable_locking',  False, 'bool'),

            ('default_repo_enable_downloads', False, 'bool'),

            ('default_repo_enable_statistics', False, 'bool'),

            ('default_repo_private', False, 'bool'),

            ('default_repo_type', 'hg', 'unicode')]:

            if skip_existing and Setting.get_by_name(k) is not None:

                log.debug('Skipping option %s', k)

                continue

            setting = Setting(k, v, t)

            self.sa.add(setting)

    def fixup_groups(self):

        def_usr = User.get_default_user()

        for g in RepoGroup.query().all():

            g.group_name = g.get_new_name(g.name)

            # get default perm

            default = UserRepoGroupToPerm.query() \

                .filter(UserRepoGroupToPerm.group == g) \

                .filter(UserRepoGroupToPerm.user == def_usr) \

                .scalar()

            if default is None:

                log.debug('missing default permission for group %s adding', g)

                RepoGroupModel()._create_default_perms(g)

    def reset_permissions(self, username):

        """

        Resets permissions to default state, useful when old systems had

        bad permissions, we must clean them up

        :param username:

        """

        default_user = User.get_by_username(username)

        if not default_user:

            return

        u2p = UserToPerm.query() \

            .filter(UserToPerm.user == default_user).all()

        fixed = False

            q = q.filter(ChangesetStatus.repo == repo)

            q = q.filter(ChangesetStatus.revision == revision)

            revisions = [revision]

        else:

            assert pull_request is not None

            pull_request = PullRequest.guess_instance(pull_request)

            repo = pull_request.org_repo

            q = q.filter(ChangesetStatus.repo == repo)

            q = q.filter(ChangesetStatus.revision.in_(pull_request.revisions))

            revisions = pull_request.revisions

        cur_statuses = q.all()

        #if statuses exists and last is associated with a closed pull request

        # we need to check if we can allow this status change

        if (dont_allow_on_closed_pull_request and cur_statuses

            and getattr(cur_statuses[0].pull_request, 'status', '')

                == PullRequest.STATUS_CLOSED):

            raise StatusChangeOnClosedPullRequestError(

                'Changing status on closed pull request is not allowed'

            )

        #update all current statuses with older version

        for st in cur_statuses:

            st.version += 1

        new_statuses = []

        for rev in revisions:

            new_status = ChangesetStatus()

            new_status.version = 0 # default

            new_status.author = User.guess_instance(user)

            new_status.repo = Repository.guess_instance(repo)

            new_status.status = status

            new_status.comment = comment

            new_status.revision = rev

            new_status.pull_request = pull_request

            new_statuses.append(new_status)

            self.sa.add(new_status)

        return new_statuses

        :param gist_mapping: mapping {filename:{'content':content},...}

        :param gist_type: type of gist private/public

        :param lifetime: in minutes, -1 == forever

        """

        owner = User.guess_instance(owner)

        gist_id = make_gist_id()

        lifetime = safe_int(lifetime, -1)

        gist_expires = time.time() + (lifetime * 60) if lifetime != -1 else -1

        log.debug('set GIST expiration date to: %s',

                  time_to_datetime(gist_expires)

                   if gist_expires != -1 else 'forever')

        #create the Database version

        gist = Gist()

        gist.gist_description = description

        gist.gist_access_id = gist_id

        gist.owner_id = owner.user_id

        gist.gist_expires = gist_expires

        gist.gist_type = safe_unicode(gist_type)

        self.sa.add(gist)

        self.sa.flush() # make database assign gist.gist_id

        if gist_type == Gist.GIST_PUBLIC:

            # use DB ID for easy to use GIST ID

            gist_id = safe_unicode(gist.gist_id)

            gist.gist_access_id = gist_id

        gist_repo_path = os.path.join(GIST_STORE_LOC, gist_id)

        log.debug('Creating new %s GIST repo in %s', gist_type, gist_repo_path)

        repo = RepoModel()._create_filesystem_repo(

            repo_name=gist_id, repo_type='hg', repo_group=GIST_STORE_LOC)

        processed_mapping = {}

        for filename in gist_mapping:

            if filename != os.path.basename(filename):

                raise Exception('Filename cannot be inside a directory')

            content = gist_mapping[filename]['content']

            #TODO: expand support for setting explicit lexers

#             if lexer is None:

#                 try:

#                     guess_lexer = pygments.lexers.guess_lexer_for_filename

#                     lexer = guess_lexer(filename,content)

#                 except pygments.util.ClassNotFound:

#                     lexer = 'text'

            processed_mapping[filename] = {'content': content}

        # now create single multifile commit

        message = 'added file'

        message += 's: ' if len(processed_mapping) > 1 else ': '

        DEFAULT_PERMS = Permission.DEFAULT_USER_PERMISSIONS

        if force:

            for perm in perms:

                self.sa.delete(perm)

            self.sa.commit()

            defined_perms_groups = []

        # For every default permission that needs to be created, we check if

        # its group is already defined. If it's not, we create default permission.

        for perm_name in DEFAULT_PERMS:

            gr = _get_group(perm_name)

            if gr not in defined_perms_groups:

                log.debug('GR:%s not found, creating permission %s',

                          gr, perm_name)

                new_perm = _make_perm(perm_name)

                self.sa.add(new_perm)

    def update(self, form_result):

        perm_user = User.get_by_username(username=form_result['perm_user_name'])

        try:

            # stage 1 set anonymous access

            if perm_user.is_default_user:

                perm_user.active = str2bool(form_result['anonymous'])

            # stage 2 reset defaults and set them from form data

            def _make_new(usr, perm_name):

                log.debug('Creating new permission:%s', perm_name)

                new = UserToPerm()

                new.user = usr

                new.permission = Permission.get_by_key(perm_name)

                return new

            # clear current entries, to make this function idempotent

            # it will fix even if we define more permissions or permissions

            # are somehow missing

            u2p = self.sa.query(UserToPerm) \

                .filter(UserToPerm.user == perm_user) \

                .all()

            for p in u2p:

                self.sa.delete(p)

            #create fresh set of permissions

            for def_perm_key in ['default_repo_perm',

                                 'default_group_perm',

                                 'default_user_group_perm',

                                 'default_repo_create',

                                 'create_on_write', # special case for create repos on write access to group

                                 #'default_repo_group_create', #not implemented yet

                                 'default_user_group_create',

                                 'default_fork',

                                 'default_register',

                                 'default_extern_activate']:

                p = _make_new(perm_user, form_result[def_perm_key])

                self.sa.add(p)

            #stage 3 update all default permissions for repos if checked

            if form_result['overwrite_default_repo']:

                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

                _def = Permission.get_by_key('repository.' + _def_name)

                # repos

                for r2p in self.sa.query(UserRepoToPerm) \

                               .filter(UserRepoToPerm.user == perm_user) \

                               .all():

                    #don't reset PRIVATE repositories

                    if not r2p.repository.private:

                        r2p.permission = _def

            if form_result['overwrite_default_group']:

                _def_name = form_result['default_group_perm'].split('group.')[-1]

                # groups

                _def = Permission.get_by_key('group.' + _def_name)

                for g2p in self.sa.query(UserRepoGroupToPerm) \

                               .filter(UserRepoGroupToPerm.user == perm_user) \

                               .all():

                    g2p.permission = _def

            if form_result['overwrite_default_user_group']:

                _def_name = form_result['default_user_group_perm'].split('usergroup.')[-1]

                # groups

                _def = Permission.get_by_key('usergroup.' + _def_name)

                for g2p in self.sa.query(UserUserGroupToPerm) \

                               .filter(UserUserGroupToPerm.user == perm_user) \

                               .all():

                    g2p.permission = _def

            self.sa.commit()

        except (DatabaseError,):

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

                      'repo_enable_statistics',

                      ]:

                if k in kwargs:

                    setattr(cur_repo, remove_prefix(k, 'repo_'), kwargs[k])

            clone_uri = kwargs.get('clone_uri')

            if clone_uri is not None and clone_uri != cur_repo.clone_uri_hidden:

                cur_repo.clone_uri = clone_uri

            if 'repo_name' in kwargs:

                cur_repo.repo_name = cur_repo.get_new_name(kwargs['repo_name'])

            #if private flag is set, reset default permission to NONE

            if kwargs.get('repo_private'):

                EMPTY_PERM = 'repository.none'

                RepoModel().grant_user_permission(

                    repo=cur_repo, user='default', perm=EMPTY_PERM

                )

                #handle extra fields

            for field in filter(lambda k: k.startswith(RepositoryField.PREFIX),

                                kwargs):

                k = RepositoryField.un_prefix_key(field)

                ex_field = RepositoryField.get_by_key_name(key=k, repo=cur_repo)

                if ex_field:

                    ex_field.field_value = kwargs[field]

            if org_repo_name != cur_repo.repo_name:

                # rename repository

                self._rename_filesystem_repo(old=org_repo_name, new=cur_repo.repo_name)

            return cur_repo

        except Exception:

            log.error(traceback.format_exc())

            raise

    def _create_repo(self, repo_name, repo_type, description, owner,

                     private=False, clone_uri=None, repo_group=None,

                     landing_rev='rev:tip', fork_of=None,

                     copy_fork_permissions=False, enable_statistics=False,

                     enable_locking=False, enable_downloads=False,

                     copy_group_permissions=False, state=Repository.STATE_PENDING):

        """

        Create repository inside database with PENDING state. This should only be

        executed by create() repo, with exception of importing existing repos.

        """

        from kallithea.model.scm import ScmModel

        owner = User.guess_instance(owner)

        :param form_data:

        :param cur_user:

        """

        from kallithea.lib.celerylib import tasks

        return tasks.create_repo_fork(form_data, cur_user)

    def delete(self, repo, forks=None, fs_remove=True, cur_user=None):

        """

        Delete given repository, forks parameter defines what do do with

        attached forks. Throws AttachedForksError if deleted repo has attached

        forks

        :param repo:

        :param forks: str 'delete' or 'detach'

        :param fs_remove: remove(archive) repo from filesystem

        """

        if not cur_user:

            cur_user = getattr(get_current_authuser(), 'username', None)

        repo = Repository.guess_instance(repo)

        if repo is not None:

            if forks == 'detach':

                for r in repo.forks:

                    r.fork = None

            elif forks == 'delete':

                for r in repo.forks:

                    self.delete(r, forks='delete')

            elif [f for f in repo.forks]:

                raise AttachedForksError()

            old_repo_dict = repo.get_dict()

            try:

                self.sa.delete(repo)

                if fs_remove:

                    self._delete_filesystem_repo(repo)

                else:

                    log.debug('skipping removal from filesystem')

                log_delete_repository(old_repo_dict,

                                      deleted_by=cur_user)

            except Exception:

                log.error(traceback.format_exc())

                raise

    def grant_user_permission(self, repo, user, perm):

        """

        Grant permission for user on given repository, or update existing one

        if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        user = User.guess_instance(user)

        repo = Repository.guess_instance(repo)

        permission = Permission.guess_instance(perm)

        # check if we have that permission already

        obj = self.sa.query(UserRepoToPerm) \

            .filter(UserRepoToPerm.user == user) \

            .filter(UserRepoToPerm.repository == repo) \

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoToPerm()

        obj.repository = repo

        obj.user = user

        obj.permission = permission

        log.debug('Granted perm %s to %s on %s', perm, user, repo)

        return obj

    def revoke_user_permission(self, repo, user):

        """

        Revoke permission for user on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        """

        user = User.guess_instance(user)

        repo = Repository.guess_instance(repo)

        obj = self.sa.query(UserRepoToPerm) \

            .filter(UserRepoToPerm.repository == repo) \

            .filter(UserRepoToPerm.user == user) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s', repo, user)

    def grant_user_group_permission(self, repo, group_name, perm):

        """

        Grant permission for user group on given repository, or update

        existing one if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo = Repository.guess_instance(repo)

        group_name = UserGroup.guess_instance(group_name)

        permission = Permission.guess_instance(perm)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoToPerm) \

            .filter(UserGroupRepoToPerm.users_group == group_name) \

            .filter(UserGroupRepoToPerm.repository == repo) \

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoToPerm()

        obj.repository = repo

        obj.users_group = group_name

        obj.permission = permission

        log.debug('Granted perm %s to %s on %s', perm, group_name, repo)

        return obj

    def revoke_user_group_permission(self, repo, group_name):

        """

        Revoke permission for user group on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        """

        repo = Repository.guess_instance(repo)

        group_name = UserGroup.guess_instance(group_name)

        obj = self.sa.query(UserGroupRepoToPerm) \

            .filter(UserGroupRepoToPerm.repository == repo) \

            .filter(UserGroupRepoToPerm.users_group == group_name) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm to %s on %s', repo, group_name)

    def delete_stats(self, repo_name):

        """

            new_path = repo_group.full_path

            self.sa.add(repo_group)

            # iterate over all members of this groups and do fixes

            # set locking if given

            # if obj is a repoGroup also fix the name of the group according

            # to the parent

            # if obj is a Repo fix it's name

            # this can be potentially heavy operation

            for obj in repo_group.recursive_groups_and_repos():

                #set the value from it's parent

                obj.enable_locking = repo_group.enable_locking

                if isinstance(obj, RepoGroup):

                    new_name = obj.get_new_name(obj.name)

                    log.debug('Fixing group %s to new name %s' \

                                % (obj.group_name, new_name))

                    obj.group_name = new_name

                elif isinstance(obj, Repository):

                    # we need to get all repositories from this new group and

                    # rename them accordingly to new group path

                    new_name = obj.get_new_name(obj.just_name)

                    log.debug('Fixing repo %s to new name %s' \

                                % (obj.repo_name, new_name))

                    obj.repo_name = new_name

            self._rename_group(old_path, new_path)

            return repo_group

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, repo_group, force_delete=False):

        repo_group = RepoGroup.guess_instance(repo_group)

        try:

            self.sa.delete(repo_group)

            self._delete_group(repo_group, force_delete)

        except Exception:

            log.error('Error removing repo_group %s', repo_group)

            raise

    def add_permission(self, repo_group, obj, obj_type, perm, recursive):

        from kallithea.model.repo import RepoModel

        repo_group = RepoGroup.guess_instance(repo_group)

        perm = Permission.guess_instance(perm)

        for el in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

    def grant_user_permission(self, repo_group, user, perm):

        """

        Grant permission for user on given repository group, or update

        existing one if found

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        repo_group = RepoGroup.guess_instance(repo_group)

        user = User.guess_instance(user)

        permission = Permission.guess_instance(perm)

        # check if we have that permission already

        obj = self.sa.query(UserRepoGroupToPerm) \

            .filter(UserRepoGroupToPerm.user == user) \

            .filter(UserRepoGroupToPerm.group == repo_group) \

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoGroupToPerm()

        obj.group = repo_group

        obj.user = user

        obj.permission = permission

        log.debug('Granted perm %s to %s on %s', perm, user, repo_group)

        return obj

    def revoke_user_permission(self, repo_group, user):

        """

        Revoke permission for user on given repository group

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

        repo_group = RepoGroup.guess_instance(repo_group)

        user = User.guess_instance(user)

        obj = self.sa.query(UserRepoGroupToPerm) \

            .filter(UserRepoGroupToPerm.user == user) \

            .filter(UserRepoGroupToPerm.group == repo_group) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s', repo_group, user)

    def grant_user_group_permission(self, repo_group, group_name, perm):

        """

        Grant permission for user group on given repository group, or update

        existing one if found

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo_group = RepoGroup.guess_instance(repo_group)

        group_name = UserGroup.guess_instance(group_name)

        permission = Permission.guess_instance(perm)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoGroupToPerm) \

            .filter(UserGroupRepoGroupToPerm.group == repo_group) \

            .filter(UserGroupRepoGroupToPerm.users_group == group_name) \

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoGroupToPerm()

        obj.group = repo_group

        obj.users_group = group_name

        obj.permission = permission

        log.debug('Granted perm %s to %s on %s', perm, group_name, repo_group)

        return obj

    def revoke_user_group_permission(self, repo_group, group_name):

        """

        Revoke permission for user group on given repository group

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        """

        repo_group = RepoGroup.guess_instance(repo_group)

        group_name = UserGroup.guess_instance(group_name)

        obj = self.sa.query(UserGroupRepoGroupToPerm) \

            .filter(UserGroupRepoGroupToPerm.group == repo_group) \

            .filter(UserGroupRepoGroupToPerm.users_group == group_name) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm to %s on %s', repo_group, group_name)

        return self.sa.query(UserFollowing) \

                .filter(UserFollowing.follows_repository == repo).count()

    def get_forks(self, repo):

        repo = Repository.guess_instance(repo)

        return self.sa.query(Repository) \

                .filter(Repository.fork == repo).count()

    def get_pull_requests(self, repo):

        repo = Repository.guess_instance(repo)

        return self.sa.query(PullRequest) \

                .filter(PullRequest.other_repo == repo) \

                .filter(PullRequest.status != PullRequest.STATUS_CLOSED).count()

    def mark_as_fork(self, repo, fork, user):

        repo = self.__get_repo(repo)

        fork = self.__get_repo(fork)

        if fork and repo.repo_id == fork.repo_id:

            raise Exception("Cannot set repository as fork of itself")

        if fork and repo.repo_type != fork.repo_type:

            raise RepositoryError("Cannot set repository as fork of repository with other type")

        repo.fork = fork

        return repo

    def _handle_rc_scm_extras(self, username, repo_name, repo_alias,

                              action=None):

        from kallithea import CONFIG

        from kallithea.lib.base import _get_ip_addr

        try:

            from pylons import request

            environ = request.environ

        except TypeError:

            # we might use this outside of request context, let's fake the

            # environ data

            from webob import Request

            environ = Request.blank('').environ

        extras = {

            'ip': _get_ip_addr(environ),

            'username': username,

            'action': action or 'push_local',

            'repository': repo_name,

            'scm': repo_alias,

            'config': CONFIG['__file__'],

            'server_url': get_server_url(environ),

            'make_lock': None,

            'locked_by': [None, None]

                                   body=body, recipients=None,

                                   type_=Notification.TYPE_REGISTRATION,

                                   email_kwargs=email_kwargs)

    def update(self, user_id, form_data, skip_attrs=None):

        from kallithea.lib.auth import get_crypt_password

        skip_attrs = skip_attrs or []

        user = self.get(user_id, cache=False)

        if user.is_default_user:

            raise DefaultUserException(

                            _("You can't edit this user since it's "

                              "crucial for entire application"))

        for k, v in form_data.items():

            if k in skip_attrs:

                continue

            if k == 'new_password' and v:

                user.password = get_crypt_password(v)

            else:

                # old legacy thing orm models store firstname as name,

                # need proper refactor to username

                if k == 'firstname':

                    k = 'name'

                setattr(user, k, v)

    def update_user(self, user, **kwargs):

        from kallithea.lib.auth import get_crypt_password

        user = User.guess_instance(user)

        if user.is_default_user:

            raise DefaultUserException(

                _("You can't edit this user since it's"

                  " crucial for entire application")

            )

        for k, v in kwargs.items():

            if k == 'password' and v:

                v = get_crypt_password(v)

            setattr(user, k, v)

        return user

    def delete(self, user, cur_user=None):

        if cur_user is None:

            cur_user = getattr(get_current_authuser(), 'username', None)

        user = User.guess_instance(user)

        if user.is_default_user:

            raise DefaultUserException(

                _("You can't remove this user since it is"

                  " crucial for the entire application"))

        if user.repositories:

            repos = [x.repo_name for x in user.repositories]

            raise UserOwnsReposException(

                _('User "%s" still owns %s repositories and cannot be '

                  'removed. Switch owners or remove those repositories: %s')

                % (user.username, len(repos), ', '.join(repos)))

        if user.repo_groups:

            repogroups = [x.group_name for x in user.repo_groups]

            raise UserOwnsReposException(_(

                'User "%s" still owns %s repository groups and cannot be '

                'removed. Switch owners or remove those repository groups: %s')

                % (user.username, len(repogroups), ', '.join(repogroups)))

        if user.user_groups:

    def grant_user_permission(self, user_group, user, perm):

        """

        Grant permission for user on given user group, or update

        existing one if found

        :param user_group: Instance of UserGroup, users_group_id,

            or users_group_name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        user_group = UserGroup.guess_instance(user_group)

        user = User.guess_instance(user)

        permission = Permission.guess_instance(perm)

        # check if we have that permission already

        obj = self.sa.query(UserUserGroupToPerm) \

            .filter(UserUserGroupToPerm.user == user) \

            .filter(UserUserGroupToPerm.user_group == user_group) \

            .scalar()

        if obj is None:

            # create new !

            obj = UserUserGroupToPerm()

        obj.user_group = user_group

        obj.user = user

        obj.permission = permission

        log.debug('Granted perm %s to %s on %s', perm, user, user_group)

        return obj

    def revoke_user_permission(self, user_group, user):

        """

        Revoke permission for user on given repository group

        :param user_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

        user_group = UserGroup.guess_instance(user_group)

        user = User.guess_instance(user)

        obj = self.sa.query(UserUserGroupToPerm) \

            .filter(UserUserGroupToPerm.user == user) \

            .filter(UserUserGroupToPerm.user_group == user_group) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s', user_group, user)

    def grant_user_group_permission(self, target_user_group, user_group, perm):

        """

        Grant user group permission for given target_user_group

        :param target_user_group:

        :param user_group:

        :param perm:

        """

        target_user_group = UserGroup.guess_instance(target_user_group)

        user_group = UserGroup.guess_instance(user_group)

        permission = Permission.guess_instance(perm)

        # forbid assigning same user group to itself

        if target_user_group == user_group:

            raise RepoGroupAssignmentError('target repo:%s cannot be '

                                           'assigned to itself' % target_user_group)

        # check if we have that permission already

        obj = self.sa.query(UserGroupUserGroupToPerm) \

            .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group) \

            .filter(UserGroupUserGroupToPerm.user_group == user_group) \

            .scalar()

        if obj is None:

            # create new !

            obj = UserGroupUserGroupToPerm()

        obj.user_group = user_group

        obj.target_user_group = target_user_group

        obj.permission = permission