log.info("Removing group %s" % (rm_path))

        # delete only if that path really exists

        if os.path.isdir(rm_path):

            if force_delete:

                shutil.rmtree(rm_path)

            else:

                #archive that group`

                _now = datetime.datetime.now()

                _ms = str(_now.microsecond).rjust(6, '0')

                _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),

                                          group.name)

                shutil.move(rm_path, os.path.join(self.repos_path, _d))

    def create(self, group_name, group_description, parent=None, just_db=False):

        try:

            new_repos_group = RepoGroup()

            new_repos_group.group_description = group_description

            new_repos_group.parent_group = self._get_repos_group(parent)

            new_repos_group.group_name = new_repos_group.get_new_name(group_name)

            self.sa.add(new_repos_group)

            self._create_default_perms(new_repos_group)

            if not just_db:

                # we need to flush here, in order to check if database won't

                # throw any exceptions, create filesystem dirs at the very end

                self.sa.flush()

                self.__create_group(new_repos_group.group_name)

            return new_repos_group

        except:

            log.error(traceback.format_exc())

            raise

    def _update_permissions(self, repos_group, perms_new=None,

                            perms_updates=None, recursive=False):

        from rhodecode.model.repo import RepoModel

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        def _set_perm_user(obj, user, perm):

            if isinstance(obj, RepoGroup):

                ReposGroupModel().grant_user_permission(

                    repos_group=obj, user=user, perm=perm

                )

            elif isinstance(obj, Repository):

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                RepoModel().grant_user_permission(

                    repo=obj, user=user, perm=perm

                )

        def _set_perm_group(obj, users_group, perm):

            if isinstance(obj, RepoGroup):

                ReposGroupModel().grant_users_group_permission(

                    repos_group=obj, group_name=users_group, perm=perm

                )

            elif isinstance(obj, Repository):

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                RepoModel().grant_users_group_permission(

                    repo=obj, group_name=users_group, perm=perm

                )

        updates = []

        log.debug('Now updating permissions for %s in recursive mode:%s'

                  % (repos_group, recursive))

        for obj in repos_group.recursive_groups_and_repos():

            if not recursive:

                obj = repos_group

            # update permissions

            for member, perm, member_type in perms_updates:

                ## set for user

                if member_type == 'user':

                    # this updates also current one if found

                    _set_perm_user(obj, user=member, perm=perm)

                ## set for users group

                else:

                    _set_perm_group(obj, users_group=member, perm=perm)

            # set new permissions

            for member, perm, member_type in perms_new:

                if member_type == 'user':

                    _set_perm_user(obj, user=member, perm=perm)

                else:

                    _set_perm_group(obj, users_group=member, perm=perm)

            updates.append(obj)

            #if it's not recursive call

            # break the loop and don't proceed with other changes

            if not recursive:

                break

        return updates

    def update(self, repos_group_id, form_data):

        try:

            repos_group = RepoGroup.get(repos_group_id)

            recursive = form_data['recursive']

            # iterate over all members(if in recursive mode) of this groups and

            # set the permissions !

            # this can be potentially heavy operation

            self._update_permissions(repos_group, form_data['perms_new'],

                                     form_data['perms_updates'], recursive)

            old_path = repos_group.full_path

            # change properties

            repos_group.group_description = form_data['group_description']

            repos_group.parent_group = RepoGroup.get(form_data['group_parent_id'])

            repos_group.group_parent_id = form_data['group_parent_id']

            repos_group.enable_locking = form_data['enable_locking']

            repos_group.group_name = repos_group.get_new_name(form_data['group_name'])

            new_path = repos_group.full_path

            self.sa.add(repos_group)

            </td>

        </tr>

    %endfor

    ## USERS GROUPS

    %for g2p in c.repos_group.users_group_to_perm:

        <tr id="id${id(g2p.users_group.users_group_name)}">

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.none')}</td>

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.read')}</td>

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.write')}</td>

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.admin')}</td>

            <td style="white-space: nowrap;">

                <img class="perm-gravatar" src="${h.url('/images/icons/group.png')}"/>${g2p.users_group.users_group_name}

            </td>

            <td>

                <span class="delete_icon action_button" onclick="ajaxActionUsersGroup(${g2p.users_group.users_group_id},'${'id%s'%id(g2p.users_group.users_group_name)}')">

                ${_('revoke')}

                </span>

            </td>

        </tr>

    %endfor

<%

    _tmpl = h.literal("""' \

        <td><input type="radio" value="group.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.read" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td class="ac"> \

            <div class="perm_ac" id="perm_ac_{0}"> \

                <input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text"> \

                <input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">  \

                <div id="perm_container_{0}"></div> \

            </div> \

        </td> \

        <td></td>'""")

    %>

    ## ADD HERE DYNAMICALLY NEW INPUTS FROM THE '_tmpl'

    <tr class="new_members last_new_member" id="add_perm_input"></tr>

    <tr>

        <td colspan="6">

            <span id="add_perm" class="add_icon" style="cursor: pointer;">

            ${_('Add another member')}

            </span>

        </td>

    </tr>

    <tr>

        <td colspan="6">

           ${h.checkbox('recursive',value="True", label=_('apply to children'))}

        </td>

    </tr>

</table>

<script type="text/javascript">

function ajaxActionUser(user_id, field_id) {

    var sUrl = "${h.url('delete_repos_group_user_perm',group_name=c.repos_group.group_name)}";

    var callback = {

        success: function (o) {

            var tr = YUD.get(String(field_id));

            tr.parentNode.removeChild(tr);

        },

        failure: function (o) {

            alert("${_('Failed to remove user')}");

        },

    };

    var recursive = YUD.get('recursive').checked;

    var postData = '_method=delete&recursive={0}&user_id={1}'.format(recursive,user_id);

    var request = YAHOO.util.Connect.asyncRequest('POST', sUrl, callback, postData);

};

function ajaxActionUsersGroup(users_group_id,field_id){

    var sUrl = "${h.url('delete_repos_group_users_group_perm',group_name=c.repos_group.group_name)}";

    var callback = {

        success:function(o){

            var tr = YUD.get(String(field_id));

            tr.parentNode.removeChild(tr);

        },

        failure:function(o){

            alert("${_('Failed to remove users group')}");

        },

    };

    var recursive = YUD.get('recursive').checked;

    var postData = '_method=delete&recursive={0}&users_group_id={1}'.format(recursive,users_group_id);

    var request = YAHOO.util.Connect.asyncRequest('POST', sUrl, callback, postData);

};

YUE.onDOMReady(function () {

    if (!YUD.hasClass('perm_new_member_name', 'error')) {

        YUD.setStyle('add_perm_input', 'display', 'none');

    }

    YAHOO.util.Event.addListener('add_perm', 'click', function () {

    	addPermAction(${_tmpl}, ${c.users_array|n}, ${c.users_groups_array|n});

    });

});

</script>

import os

import unittest

import functools

from rhodecode.tests import *

from rhodecode.model.repos_group import ReposGroupModel

from rhodecode.model.repo import RepoModel

from rhodecode.model.db import RepoGroup, Repository, User

from rhodecode.model.user import UserModel

from rhodecode.lib.auth import AuthUser

from rhodecode.model.meta import Session

def _make_group(path, desc='desc', parent_id=None,

                 skip_if_exists=False):

    gr = RepoGroup.get_by_group_name(path)

    if gr and skip_if_exists:

        return gr

    if isinstance(parent_id, RepoGroup):

        parent_id = parent_id.group_id

    gr = ReposGroupModel().create(path, desc, parent_id)

    return gr

    return RepoModel().create_repo(name, repo_type, 'desc',

                                   TEST_USER_ADMIN_LOGIN,

def _destroy_project_tree(test_u1_id):

    Session.remove()

    repos_group = RepoGroup.get_by_group_name(group_name='g0')

    for el in reversed(repos_group.recursive_groups_and_repos()):

        if isinstance(el, Repository):

            RepoModel().delete(el)

        elif isinstance(el, RepoGroup):

            ReposGroupModel().delete(el, force_delete=True)

    u = User.get(test_u1_id)

    Session().delete(u)

    Session().commit()

def _create_project_tree():

    """

    Creates a tree of groups and repositories to test permissions

    structure

     [g0] - group `g0` with 3 subgroups

     |

     |__[g0_1] group g0_1 with 2 groups 0 repos

     |  |

     |  |__[g0_1_1] group g0_1_1 with 1 group 2 repos

     |  |   |__<g0/g0_1/g0_1_1/g0_1_1_r1>

     |  |   |__<g0/g0_1/g0_1_1/g0_1_1_r2>

     |  |__<g0/g0_1/g0_1_r1>

     |

     |__[g0_2] 2 repos

     |  |

     |  |__<g0/g0_2/g0_2_r1>

     |  |__<g0/g0_2/g0_2_r2>

     |

     |__[g0_3] 1 repo

        |

        |_<g0/g0_3/g0_3_r1>

    """

    test_u1 = UserModel().create_or_update(

        username=u'test_u1', password=u'qweqwe',

        email=u'test_u1@rhodecode.org', firstname=u'test_u1', lastname=u'test_u1'

    )

    g0 = _make_group('g0')

    g0_1 = _make_group('g0_1', parent_id=g0)

    g0_1_1 = _make_group('g0_1_1', parent_id=g0_1)

    g0_1_1_r1 = _make_repo('g0/g0_1/g0_1_1/g0_1_1_r1', repos_group=g0_1_1)

    g0_1_1_r2 = _make_repo('g0/g0_1/g0_1_1/g0_1_1_r2', repos_group=g0_1_1)

    g0_1_r1 = _make_repo('g0/g0_1/g0_1_r1', repos_group=g0_1)

    g0_2 = _make_group('g0_2', parent_id=g0)

    g0_2_r1 = _make_repo('g0/g0_2/g0_2_r1', repos_group=g0_2)

    g0_2_r2 = _make_repo('g0/g0_2/g0_2_r2', repos_group=g0_2)

    g0_3 = _make_group('g0_3', parent_id=g0)

    g0_3_r1 = _make_repo('g0/g0_3/g0_3_r1', repos_group=g0_3)

    return test_u1

def expected_count(group_name, objects=False):

    repos_group = RepoGroup.get_by_group_name(group_name=group_name)

    objs = repos_group.recursive_groups_and_repos()

    if objects:

        return objs

    return len(objs)

def _check_expected_count(items, repo_items, expected):

    should_be = len(items + repo_items)

    there_are = len(expected)

    assert  should_be == there_are, ('%s != %s' % ((items + repo_items), expected))

def check_tree_perms(obj_name, repo_perm, prefix, expected_perm):

    assert repo_perm == expected_perm, ('obj:`%s` got perm:`%s` should:`%s`'

                                    % (obj_name, repo_perm, expected_perm))

def _get_perms(filter_='', recursive=True, key=None, test_u1_id=None):

    test_u1 = AuthUser(user_id=test_u1_id)

    for k, v in test_u1.permissions[key].items():

        if recursive and k.startswith(filter_):

            yield k, v

        elif not recursive:

            if k == filter_:

                yield k, v

    items = [x for x in _get_repo_perms(group, recursive)]

    expected = 0

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'repository.read'

    items = [x for x in _get_group_perms(group, recursive)]

    expected = 1

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.write'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_without_recursive_mode_subgroup():

    # set permission to g0 non-recursive mode

    recursive = False

    group = 'g0/g0_1'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    items = [x for x in _get_repo_perms(group, recursive)]

    expected = 0

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'repository.read'

    items = [x for x in _get_group_perms(group, recursive)]

    expected = 1

    assert len(items) == expected, ' %s != %s' % (len(items), expected)

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.write'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_with_recursive_mode():

    # set permission to g0 recursive mode, all children including

    # other repos and groups should have this permission now set !

    recursive = True

    group = 'g0'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.write'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_with_recursive_mode_inner_group():

    ## set permission to g0_3 group to none

    recursive = True

    group = 'g0/g0_3'

    permissions_setup_func(group, 'group.none', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        yield check_tree_perms, name, perm, group, 'repository.none'

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.none'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_with_recursive_mode_deepest():

    ## set permission to g0_3 group to none

    recursive = True

    group = 'g0/g0_1/g0_1_1'

    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = [x for x in _get_repo_perms(group, recursive)]

    items = [x for x in _get_group_perms(group, recursive)]

    _check_expected_count(items, repo_items, expected_count(group, True))

    for name, perm in repo_items:

        yield check_tree_perms, name, perm, group, 'repository.write'

    for name, perm in items:

        yield check_tree_perms, name, perm, group, 'group.write'

@with_setup(permissions_setup_func)

def test_user_permissions_on_group_with_recursive_mode_only_with_repos():

    ## set permission to g0_3 group to none

    recursive = True

    group = 'g0/g0_2'

    permissions_setup_func(group, 'group.admin', recursive=recursive)