# we need to flush here, in order to check if database won't

                # throw any exceptions, create filesystem dirs at the very end

                self.sa.flush()

                self.__create_group(new_repos_group.group_name)

            return new_repos_group

        except:

            log.error(traceback.format_exc())

            raise

    def _update_permissions(self, repos_group, perms_new=None,

                            perms_updates=None, recursive=False):

        from rhodecode.model.repo import RepoModel

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        def _set_perm_user(obj, user, perm):

            if isinstance(obj, RepoGroup):

                ReposGroupModel().grant_user_permission(

                    repos_group=obj, user=user, perm=perm

                )

            elif isinstance(obj, Repository):

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                RepoModel().grant_user_permission(

                    repo=obj, user=user, perm=perm

                )

        def _set_perm_group(obj, users_group, perm):

            if isinstance(obj, RepoGroup):

                ReposGroupModel().grant_users_group_permission(

                    repos_group=obj, group_name=users_group, perm=perm

                )

            elif isinstance(obj, Repository):

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                RepoModel().grant_users_group_permission(

                    repo=obj, group_name=users_group, perm=perm

                )

        updates = []

        log.debug('Now updating permissions for %s in recursive mode:%s'

                  % (repos_group, recursive))

        for obj in repos_group.recursive_groups_and_repos():

            if not recursive:

                obj = repos_group

            # update permissions

            for member, perm, member_type in perms_updates:

                ## set for user

                if member_type == 'user':

                    # this updates also current one if found

                    _set_perm_user(obj, user=member, perm=perm)

                ## set for users group

                else:

                    _set_perm_group(obj, users_group=member, perm=perm)

            # set new permissions

            for member, perm, member_type in perms_new:

                if member_type == 'user':

                    _set_perm_user(obj, user=member, perm=perm)

                else:

                    _set_perm_group(obj, users_group=member, perm=perm)

            updates.append(obj)

            #if it's not recursive call

            # break the loop and don't proceed with other changes

            if not recursive:

                break

        return updates

        <td><input type="radio" value="group.read" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td class="ac"> \

            <div class="perm_ac" id="perm_ac_{0}"> \

                <input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text"> \

                <input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">  \

                <div id="perm_container_{0}"></div> \

            </div> \

        </td> \

        <td></td>'""")

    %>

    ## ADD HERE DYNAMICALLY NEW INPUTS FROM THE '_tmpl'

    <tr class="new_members last_new_member" id="add_perm_input"></tr>

    <tr>

        <td colspan="6">

            <span id="add_perm" class="add_icon" style="cursor: pointer;">

            ${_('Add another member')}

            </span>

        </td>

    </tr>

    <tr>

        <td colspan="6">

           ${h.checkbox('recursive',value="True", label=_('apply to children'))}

        </td>

    </tr>

</table>

<script type="text/javascript">

function ajaxActionUser(user_id, field_id) {

    var sUrl = "${h.url('delete_repos_group_user_perm',group_name=c.repos_group.group_name)}";

    var callback = {

        success: function (o) {

            var tr = YUD.get(String(field_id));

            tr.parentNode.removeChild(tr);

        },

        failure: function (o) {

            alert("${_('Failed to remove user')}");

        },

    };

    var recursive = YUD.get('recursive').checked;

    var postData = '_method=delete&recursive={0}&user_id={1}'.format(recursive,user_id);

    var request = YAHOO.util.Connect.asyncRequest('POST', sUrl, callback, postData);

};

function ajaxActionUsersGroup(users_group_id,field_id){

    var sUrl = "${h.url('delete_repos_group_users_group_perm',group_name=c.repos_group.group_name)}";

    var callback = {

        success:function(o){

from rhodecode.tests import *

from rhodecode.model.repos_group import ReposGroupModel

from rhodecode.model.repo import RepoModel

from rhodecode.model.db import RepoGroup, Repository, User

from rhodecode.model.user import UserModel

from rhodecode.lib.auth import AuthUser

from rhodecode.model.meta import Session

def _make_group(path, desc='desc', parent_id=None,

                 skip_if_exists=False):

    gr = RepoGroup.get_by_group_name(path)

    if gr and skip_if_exists:

        return gr

    if isinstance(parent_id, RepoGroup):

        parent_id = parent_id.group_id

    gr = ReposGroupModel().create(path, desc, parent_id)

    return gr

    return RepoModel().create_repo(name, repo_type, 'desc',

                                   TEST_USER_ADMIN_LOGIN,

def _destroy_project_tree(test_u1_id):

    Session.remove()

    repos_group = RepoGroup.get_by_group_name(group_name='g0')

    for el in reversed(repos_group.recursive_groups_and_repos()):

        if isinstance(el, Repository):

            RepoModel().delete(el)

        elif isinstance(el, RepoGroup):

            ReposGroupModel().delete(el, force_delete=True)

    u = User.get(test_u1_id)

    Session().delete(u)

    Session().commit()

def _create_project_tree():

    """

    Creates a tree of groups and repositories to test permissions

    structure

     [g0] - group `g0` with 3 subgroups

     |

     |__[g0_1] group g0_1 with 2 groups 0 repos

     |  |

     |  |__[g0_1_1] group g0_1_1 with 1 group 2 repos

     |  |   |__<g0/g0_1/g0_1_1/g0_1_1_r1>

     |  |   |__<g0/g0_1/g0_1_1/g0_1_1_r2>

     |  |__<g0/g0_1/g0_1_r1>

     |

     |__[g0_2] 2 repos

     |  |

     |  |__<g0/g0_2/g0_2_r1>

     |  |__<g0/g0_2/g0_2_r2>

     |

     |__[g0_3] 1 repo

        |

        |_<g0/g0_3/g0_3_r1>

    """

    test_u1 = UserModel().create_or_update(

        username=u'test_u1', password=u'qweqwe',

        email=u'test_u1@rhodecode.org', firstname=u'test_u1', lastname=u'test_u1'

    )

    g0 = _make_group('g0')

    g0_1 = _make_group('g0_1', parent_id=g0)

    g0_1_1 = _make_group('g0_1_1', parent_id=g0_1)

    g0_1_1_r1 = _make_repo('g0/g0_1/g0_1_1/g0_1_1_r1', repos_group=g0_1_1)

    g0_1_1_r2 = _make_repo('g0/g0_1/g0_1_1/g0_1_1_r2', repos_group=g0_1_1)

    g0_1_r1 = _make_repo('g0/g0_1/g0_1_r1', repos_group=g0_1)

    g0_2 = _make_group('g0_2', parent_id=g0)

    g0_2_r1 = _make_repo('g0/g0_2/g0_2_r1', repos_group=g0_2)

    g0_2_r2 = _make_repo('g0/g0_2/g0_2_r2', repos_group=g0_2)

    g0_3 = _make_group('g0_3', parent_id=g0)

    g0_3_r1 = _make_repo('g0/g0_3/g0_3_r1', repos_group=g0_3)

    return test_u1

def expected_count(group_name, objects=False):

    repos_group = RepoGroup.get_by_group_name(group_name=group_name)

    objs = repos_group.recursive_groups_and_repos()

    if objects:

        return objs

    return len(objs)

def _check_expected_count(items, repo_items, expected):

    should_be = len(items + repo_items)

    there_are = len(expected)

    assert  should_be == there_are, ('%s != %s' % ((items + repo_items), expected))

def check_tree_perms(obj_name, repo_perm, prefix, expected_perm):

    assert repo_perm == expected_perm, ('obj:`%s` got perm:`%s` should:`%s`'

                                    % (obj_name, repo_perm, expected_perm))

def _get_perms(filter_='', recursive=True, key=None, test_u1_id=None):

    test_u1 = AuthUser(user_id=test_u1_id)

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'repository.read'

    items = [x for x in _get_group_perms(group, recursive)]

    expected = 1

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.write'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_with_recursive_mode():

    # set permission to g0 recursive mode, all children including

    # other repos and groups should have this permission now set !

    recursive = True

    group = 'g0'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        yield check_tree_perms, name, perm, group, 'repository.write'

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.write'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_with_recursive_mode_inner_group():

    ## set permission to g0_3 group to none

    recursive = True

    group = 'g0/g0_3'

    permissions_setup_func(group, 'group.none', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        yield check_tree_perms, name, perm, group, 'repository.none'

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.none'