# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.admin.permissions

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

permissions controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 27, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

import formencode

from formencode import htmlfill

from tg import request, tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPFound

from kallithea.config.routing import url

from kallithea.lib import helpers as h

from kallithea.lib.auth import LoginRequired, HasPermissionAnyDecorator, AuthUser

from kallithea.lib.base import BaseController, render

from kallithea.model.forms import DefaultPermissionsForm

from kallithea.model.permission import PermissionModel

from kallithea.model.db import User, UserIpMap

from kallithea.model.meta import Session

log = logging.getLogger(__name__)

class PermissionsController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    # To properly map this controller, ensure your config/routing.py

    # file has a resource setup:

    #     map.resource('permission', 'permissions')

    @LoginRequired()

    @HasPermissionAnyDecorator('hg.admin')

    def _before(self, *args, **kwargs):

        super(PermissionsController, self)._before(*args, **kwargs)

    def __load_data(self):

        c.repo_perms_choices = [('repository.none', _('None'),),

                                   ('repository.read', _('Read'),),

                                   ('repository.write', _('Write'),),

                                   ('repository.admin', _('Admin'),)]

        c.group_perms_choices = [('group.none', _('None'),),

                                 ('group.read', _('Read'),),

                                 ('group.write', _('Write'),),

                                 ('group.admin', _('Admin'),)]

        c.user_group_perms_choices = [('usergroup.none', _('None'),),

                                      ('usergroup.read', _('Read'),),

                                      ('usergroup.write', _('Write'),),

                                      ('usergroup.admin', _('Admin'),)]

        c.register_choices = [

            ('hg.register.none',

                _('Disabled')),

            ('hg.register.manual_activate',

                _('Allowed with manual account activation')),

            ('hg.register.auto_activate',

                _('Allowed with automatic account activation')), ]

        c.extern_activate_choices = [

            ('hg.extern_activate.manual', _('Manual activation of external account')),

            ('hg.extern_activate.auto', _('Automatic activation of external account')),

        ]

        c.repo_create_choices = [('hg.create.none', _('Disabled')),

                                 ('hg.create.repository', _('Enabled'))]

        c.repo_create_on_write_choices = [

            ('hg.create.write_on_repogroup.true', _('Enabled')),

            ('hg.create.write_on_repogroup.false', _('Disabled')),

        ]

        c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')),

                                       ('hg.usergroup.create.true', _('Enabled'))]

        c.repo_group_create_choices = [('hg.repogroup.create.false', _('Disabled')),

                                       ('hg.repogroup.create.true', _('Enabled'))]

        c.fork_choices = [('hg.fork.none', _('Disabled')),

                          ('hg.fork.repository', _('Enabled'))]

    def permission_globals(self):

        c.active = 'globals'

        self.__load_data()

        if request.POST:

            _form = DefaultPermissionsForm(

                [x[0] for x in c.repo_perms_choices],

                [x[0] for x in c.group_perms_choices],

                [x[0] for x in c.user_group_perms_choices],

                [x[0] for x in c.repo_create_choices],

                [x[0] for x in c.repo_create_on_write_choices],

                [x[0] for x in c.repo_group_create_choices],

                [x[0] for x in c.user_group_create_choices],

                [x[0] for x in c.fork_choices],

                [x[0] for x in c.register_choices],

                [x[0] for x in c.extern_activate_choices])()

            try:

                form_result = _form.to_python(dict(request.POST))

                form_result.update({'perm_user_name': 'default'})

                PermissionModel().update(form_result)

                Session().commit()

                h.flash(_('Global permissions updated successfully'),

                        category='success')

            except formencode.Invalid as errors:

                defaults = errors.value

                return htmlfill.render(

                    render('admin/permissions/permissions.html'),

                    defaults=defaults,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8",

                    force_defaults=False)

            except Exception:

                log.error(traceback.format_exc())

                h.flash(_('Error occurred during update of permissions'),

                        category='error')

            raise HTTPFound(location=url('admin_permissions'))

        c.user = User.get_default_user()

        defaults = {'anonymous': c.user.active}

        for p in c.user.user_perms:

            if p.permission.permission_name.startswith('repository.'):

                defaults['default_repo_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('group.'):

                defaults['default_group_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('usergroup.'):

                defaults['default_user_group_perm'] = p.permission.permission_name

                defaults['create_on_write'] = p.permission.permission_name

            elif p.permission.permission_name.startswith('hg.create.'):

                defaults['default_repo_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.repogroup.'):

                defaults['default_repo_group_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.usergroup.'):

                defaults['default_user_group_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.register.'):

                defaults['default_register'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.extern_activate.'):

                defaults['default_extern_activate'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.fork.'):

                defaults['default_fork'] = p.permission.permission_name

        return htmlfill.render(

            render('admin/permissions/permissions.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False)

    def permission_ips(self):

        c.active = 'ips'

        c.user = User.get_default_user()

        c.user_ip_map = UserIpMap.query() \

                        .filter(UserIpMap.user == c.user).all()

        return render('admin/permissions/permissions.html')

    def permission_perms(self):

        c.active = 'perms'

        c.user = User.get_default_user()

        c.perm_user = AuthUser(dbuser=c.user)

        return render('admin/permissions/permissions.html')

        if 'with_id' in override:

            uri_tmpl = self.DEFAULT_CLONE_URI_ID

            del override['with_id']

        if 'uri_tmpl' in override:

            uri_tmpl = override['uri_tmpl']

            del override['uri_tmpl']

        # we didn't override our tmpl from **overrides

        if not uri_tmpl:

            uri_tmpl = self.DEFAULT_CLONE_URI

            try:

                from tg import tmpl_context as c

                uri_tmpl = c.clone_uri_tmpl

            except AttributeError:

                # in any case if we call this outside of request context,

                # ie, not having tmpl_context set up

                pass

        return get_clone_url(uri_tmpl=uri_tmpl,

                             qualified_home_url=qualified_home_url,

                             repo_name=self.repo_name,

                             repo_id=self.repo_id, **override)

    def set_state(self, state):

        self.repo_state = state

    #==========================================================================

    # SCM PROPERTIES

    #==========================================================================

    def get_changeset(self, rev=None):

        return get_changeset_safe(self.scm_instance, rev)

    def get_landing_changeset(self):

        """

        Returns landing changeset, or if that doesn't exist returns the tip

        """

        _rev_type, _rev = self.landing_rev

        cs = self.get_changeset(_rev)

        if isinstance(cs, EmptyChangeset):

            return self.get_changeset()

        return cs

    def update_changeset_cache(self, cs_cache=None):

        """

        Update cache of last changeset for repository, keys should be::

            short_id

            raw_id

            revision

            message

            date

            author

        :param cs_cache:

        """

        from kallithea.lib.vcs.backends.base import BaseChangeset

        if cs_cache is None:

            cs_cache = EmptyChangeset()

            # use no-cache version here

            scm_repo = self.scm_instance_no_cache()

            if scm_repo:

                cs_cache = scm_repo.get_changeset()

        if isinstance(cs_cache, BaseChangeset):

            cs_cache = cs_cache.__json__()

        if (not self.changeset_cache or cs_cache['raw_id'] != self.changeset_cache['raw_id']):

            _default = datetime.datetime.fromtimestamp(0)

            last_change = cs_cache.get('date') or _default

            log.debug('updated repo %s with new cs cache %s',

                      self.repo_name, cs_cache)

            self.updated_on = last_change

            self.changeset_cache = cs_cache

            Session().commit()

        else:

            log.debug('changeset_cache for %s already up to date with %s',

                      self.repo_name, cs_cache['raw_id'])

    @property

    def tip(self):

        return self.get_changeset('tip')

    @property

    def author(self):

        return self.tip.author

    @property

    def last_change(self):

        return self.scm_instance.last_change

    def get_comments(self, revisions=None):

        """

        Returns comments for this repository grouped by revisions

        :param revisions: filter query by revisions only

        """

        cmts = ChangesetComment.query() \

            .filter(ChangesetComment.repo == self)

        if revisions is not None:

            if not revisions:

                return {} # don't use sql 'in' on empty set

            cmts = cmts.filter(ChangesetComment.revision.in_(revisions))

        grouped = collections.defaultdict(list)

        for cmt in cmts.all():

            grouped[cmt.revision].append(cmt)

        return grouped

    def statuses(self, revisions):

        """

        Returns statuses for this repository.

        PRs without any votes do _not_ show up as unreviewed.

        :param revisions: list of revisions to get statuses for

        """

        if not revisions:

            return {}

        statuses = ChangesetStatus.query() \

            .filter(ChangesetStatus.repo == self) \

            .filter(ChangesetStatus.version == 0) \

            .filter(ChangesetStatus.revision.in_(revisions))

        grouped = {}

        for stat in statuses.all():

            pr_id = pr_nice_id = pr_repo = None

            if stat.pull_request:

                pr_id = stat.pull_request.pull_request_id

                pr_nice_id = PullRequest.make_nice_id(pr_id)

                pr_repo = stat.pull_request.other_repo.repo_name

            grouped[stat.revision] = [str(stat.status), stat.status_lbl,

                                      pr_id, pr_repo, pr_nice_id,

                                      stat.author]

        return grouped

    def _repo_size(self):

        from kallithea.lib import helpers as h

        log.debug('calculating repository size...')

        return h.format_byte_size(self.scm_instance.size)

    #==========================================================================

    # SCM CACHE INSTANCE

    #==========================================================================

    def set_invalidate(self):

        """

        Mark caches of this repo as invalid.

        """

        CacheInvalidation.set_invalidate(self.repo_name)

    _scm_instance = None

    @property

    def scm_instance(self):

        if self._scm_instance is None:

            self._scm_instance = self.scm_instance_cached()

        return self._scm_instance

    def scm_instance_cached(self, valid_cache_keys=None):

        @cache_region('long_term', 'scm_instance_cached')

        def _c(repo_name): # repo_name is just for the cache key

            log.debug('Creating new %s scm_instance and populating cache', repo_name)

            return self.scm_instance_no_cache()

        rn = self.repo_name

        valid = CacheInvalidation.test_and_set_valid(rn, None, valid_cache_keys=valid_cache_keys)

        if not valid:

            log.debug('Cache for %s invalidated, getting new object', rn)

            region_invalidate(_c, None, 'scm_instance_cached', rn)

        else:

            log.debug('Trying to get scm_instance of %s from cache', rn)

        return _c(rn)

    def scm_instance_no_cache(self):

        repo_full_path = safe_str(self.repo_full_path)

        alias = get_scm(repo_full_path)[0]

        log.debug('Creating instance of %s repository from %s',

                  alias, self.repo_full_path)

        backend = get_backend(alias)

        if alias == 'hg':

            repo = backend(repo_full_path, create=False,

                           baseui=self._ui)

        else:

            repo = backend(repo_full_path, create=False)

        return repo

    def __json__(self):

        return dict(

            repo_id=self.repo_id,

            repo_name=self.repo_name,

            landing_rev=self.landing_rev,

        )

class RepoGroup(Base, BaseDbModel):

    __tablename__ = 'groups'

    __table_args__ = (

        _table_args_default_dict,

    )

    __mapper_args__ = {'order_by': 'group_name'} # TODO: Deprecated as of SQLAlchemy 1.1.

    SEP = ' » '

    group_id = Column(Integer(), primary_key=True)

    group_name = Column(Unicode(255), nullable=False, unique=True) # full path

    parent_group_id = Column('group_parent_id', Integer(), ForeignKey('groups.group_id'), nullable=True)

    group_description = Column(Unicode(10000), nullable=False)

    owner_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)

    created_on = Column(DateTime(timezone=False), nullable=False, default=datetime.datetime.now)

    repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')

    users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')

    parent_group = relationship('RepoGroup', remote_side=group_id)

    owner = relationship('User')

    @classmethod

    def query(cls, sorted=False):

        """Add RepoGroup-specific helpers for common query constructs.

        sorted: if True, apply the default ordering (name, case insensitive).

        """

        q = super(RepoGroup, cls).query()

        if sorted:

            q = q.order_by(func.lower(RepoGroup.group_name))

        return q

    def __init__(self, group_name='', parent_group=None):

        self.group_name = group_name

        self.parent_group = parent_group

    def __unicode__(self):

        return u"<%s('id:%s:%s')>" % (self.__class__.__name__, self.group_id,

                                      self.group_name)

    @classmethod

    def _generate_choice(cls, repo_group):

        """Return tuple with group_id and name as html literal"""

        from webhelpers.html import literal

        if repo_group is None:

            return (-1, u'-- %s --' % _('top level'))

        return repo_group.group_id, literal(cls.SEP.join(repo_group.full_path_splitted))

    @classmethod

    def groups_choices(cls, groups):

        """Return tuples with group_id and name as html literal."""

        return sorted((cls._generate_choice(g) for g in groups),

                      key=lambda c: c[1].split(cls.SEP))

    @classmethod

    def url_sep(cls):

        return URL_SEP

    @classmethod

    def guess_instance(cls, value):

        return super(RepoGroup, cls).guess_instance(value, RepoGroup.get_by_group_name)

    @classmethod

    def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):

        group_name = group_name.rstrip('/')

        if case_insensitive:

            gr = cls.query() \

                .filter(func.lower(cls.group_name) == func.lower(group_name))

        else:

            gr = cls.query() \

                .filter(cls.group_name == group_name)

        if cache:

            gr = gr.options(FromCache(

                            "sql_cache_short",

                            "get_group_%s" % _hash_key(group_name)

                            )

            )

        return gr.scalar()

    @property

    def parents(self):

        groups = []

        group = self.parent_group

        while group is not None:

            groups.append(group)

            group = group.parent_group

            assert group not in groups, group # avoid recursion on bad db content

        groups.reverse()

        return groups

    @property

    def children(self):

        return RepoGroup.query().filter(RepoGroup.parent_group == self)

    @property

    def name(self):

        return self.group_name.split(RepoGroup.url_sep())[-1]

    @property

    def full_path(self):

        return self.group_name

    @property

    def full_path_splitted(self):

        return self.group_name.split(RepoGroup.url_sep())

    @property

    def repositories(self):

        return Repository.query(sorted=True).filter_by(group=self)

    @property

    def repositories_recursive_count(self):

        cnt = self.repositories.count()

        def children_count(group):

            cnt = 0

            for child in group.children:

                cnt += child.repositories.count()

                cnt += children_count(child)

            return cnt

        return cnt + children_count(self)

    def _recursive_objects(self, include_repos=True):

        all_ = []

        def _get_members(root_gr):

            if include_repos:

                for r in root_gr.repositories:

                    all_.append(r)

            childs = root_gr.children.all()

            if childs:

                for gr in childs:

                    all_.append(gr)

                    _get_members(gr)

        _get_members(self)

        return [self] + all_

    def recursive_groups_and_repos(self):

        """

        Recursive return all groups, with repositories in those groups

        """

        return self._recursive_objects()

    def recursive_groups(self):

        """

        Returns all children groups for this group including children of children

        """

        return self._recursive_objects(include_repos=False)

    def get_new_name(self, group_name):

        """

        returns new full group name based on parent and new name

        :param group_name:

        """

        path_prefix = (self.parent_group.full_path_splitted if

                       self.parent_group else [])

        return RepoGroup.url_sep().join(path_prefix + [group_name])

    def get_api_data(self):

        """

        Common function for generating api data

        """

        group = self

        data = dict(

            group_id=group.group_id,

            group_name=group.group_name,

            group_description=group.group_description,

            parent_group=group.parent_group.group_name if group.parent_group else None,

            repositories=[x.repo_name for x in group.repositories],

            owner=group.owner.username

        )

        return data

class Permission(Base, BaseDbModel):

    __tablename__ = 'permissions'

    __table_args__ = (

        Index('p_perm_name_idx', 'permission_name'),

        _table_args_default_dict,

    )

        ('hg.admin', _('Kallithea Administrator')),

        ('repository.none', _('Default user has no access to new repositories')),

        ('repository.read', _('Default user has read access to new repositories')),

        ('repository.write', _('Default user has write access to new repositories')),

        ('repository.admin', _('Default user has admin access to new repositories')),

        ('group.none', _('Default user has no access to new repository groups')),

        ('group.read', _('Default user has read access to new repository groups')),

        ('group.write', _('Default user has write access to new repository groups')),

        ('group.admin', _('Default user has admin access to new repository groups')),

        ('usergroup.none', _('Default user has no access to new user groups')),

        ('usergroup.read', _('Default user has read access to new user groups')),

        ('usergroup.write', _('Default user has write access to new user groups')),

        ('usergroup.admin', _('Default user has admin access to new user groups')),

        ('hg.repogroup.create.false', _('Only admins can create repository groups')),

        ('hg.repogroup.create.true', _('Non-admins can create repository groups')),

        ('hg.usergroup.create.false', _('Only admins can create user groups')),

        ('hg.usergroup.create.true', _('Non-admins can create user groups')),

        ('hg.create.none', _('Only admins can create top level repositories')),

        ('hg.create.repository', _('Non-admins can create top level repositories')),

        ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),

        ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),

        ('hg.fork.none', _('Only admins can fork repositories')),

        ('hg.fork.repository', _('Non-admins can fork repositories')),

        ('hg.register.none', _('Registration disabled')),

        ('hg.register.manual_activate', _('User registration with manual account activation')),

        ('hg.register.auto_activate', _('User registration with automatic account activation')),

        ('hg.extern_activate.manual', _('Manual activation of external account')),

        ('hg.extern_activate.auto', _('Automatic activation of external account')),

    # definition of system default permissions for DEFAULT user

        'repository.read',

        'group.read',

        'usergroup.read',

        'hg.create.repository',

        'hg.create.write_on_repogroup.true',

        'hg.fork.repository',

        'hg.register.manual_activate',

        'hg.extern_activate.auto',

    # defines which permissions are more important higher the more important

    # Weight defines which permissions are more important.

    # The higher number the more important.

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'repository.admin': 4,

        'group.none': 0,

        'group.read': 1,

        'group.write': 3,

        'group.admin': 4,

        'usergroup.none': 0,

        'usergroup.read': 1,

        'usergroup.write': 3,

        'usergroup.admin': 4,

        'hg.repogroup.create.false': 0,

        'hg.repogroup.create.true': 1,

        'hg.usergroup.create.false': 0,

        'hg.usergroup.create.true': 1,

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

    }

    permission_id = Column(Integer(), primary_key=True)

    permission_name = Column(String(255), nullable=False)

    def __unicode__(self):

        return u"<%s('%s:%s')>" % (

            self.__class__.__name__, self.permission_id, self.permission_name

        )

    @classmethod

    def guess_instance(cls, value):

        return super(Permission, cls).guess_instance(value, Permission.get_by_key)

    @classmethod

    def get_by_key(cls, key):

        return cls.query().filter(cls.permission_name == key).scalar()

    @classmethod

    def get_default_perms(cls, default_user_id):

        q = Session().query(UserRepoToPerm, Repository, cls) \

         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id)) \

         .join((cls, UserRepoToPerm.permission_id == cls.permission_id)) \

         .filter(UserRepoToPerm.user_id == default_user_id)

        return q.all()

    @classmethod

    def get_default_group_perms(cls, default_user_id):

        q = Session().query(UserRepoGroupToPerm, RepoGroup, cls) \

         .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id)) \

         .join((cls, UserRepoGroupToPerm.permission_id == cls.permission_id)) \

         .filter(UserRepoGroupToPerm.user_id == default_user_id)

        return q.all()

    @classmethod

    def get_default_user_group_perms(cls, default_user_id):

        q = Session().query(UserUserGroupToPerm, UserGroup, cls) \

         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id)) \

         .join((cls, UserUserGroupToPerm.permission_id == cls.permission_id)) \

         .filter(UserUserGroupToPerm.user_id == default_user_id)

        return q.all()

class UserRepoToPerm(Base, BaseDbModel):

    __tablename__ = 'repo_to_perm'

    __table_args__ = (

        UniqueConstraint('user_id', 'repository_id', 'permission_id'),

        _table_args_default_dict,

    )

    repo_to_perm_id = Column(Integer(), primary_key=True)

    user_id = Column(Integer(), ForeignKey('users.user_id'), nullable=False)

    permission_id = Column(Integer(), ForeignKey('permissions.permission_id'), nullable=False)

    repository_id = Column(Integer(), ForeignKey('repositories.repo_id'), nullable=False)

    user = relationship('User')

    repository = relationship('Repository')

    permission = relationship('Permission')

    @classmethod

    def create(cls, user, repository, permission):

        n = cls()

        n.user = user

        n.repository = repository

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

        return u'<%s => %s >' % (self.user, self.repository)

class UserUserGroupToPerm(Base, BaseDbModel):

    __tablename__ = 'user_user_group_to_perm'

    __table_args__ = (

        UniqueConstraint('user_id', 'user_group_id', 'permission_id'),

        _table_args_default_dict,

    )

    user_user_group_to_perm_id = Column(Integer(), primary_key=True)

    user_id = Column(Integer(), ForeignKey('users.user_id'), nullable=False)

    permission_id = Column(Integer(), ForeignKey('permissions.permission_id'), nullable=False)

    user_group_id = Column(Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)

    user = relationship('User')

    user_group = relationship('UserGroup')

    permission = relationship('Permission')

    @classmethod

    def create(cls, user, user_group, permission):

        n = cls()

        n.user = user

        n.user_group = user_group

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

        return u'<%s => %s >' % (self.user, self.user_group)

class UserToPerm(Base, BaseDbModel):

    __tablename__ = 'user_to_perm'

    __table_args__ = (

        UniqueConstraint('user_id', 'permission_id'),

        _table_args_default_dict,

    )

    user_to_perm_id = Column(Integer(), primary_key=True)

    user_id = Column(Integer(), ForeignKey('users.user_id'), nullable=False)

    permission_id = Column(Integer(), ForeignKey('permissions.permission_id'), nullable=False)

    user = relationship('User')

    permission = relationship('Permission')

    def __unicode__(self):

        return u'<%s => %s >' % (self.user, self.permission)

class UserGroupRepoToPerm(Base, BaseDbModel):

    __tablename__ = 'users_group_repo_to_perm'

    __table_args__ = (

        UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),

        _table_args_default_dict,

    )

    users_group_to_perm_id = Column(Integer(), primary_key=True)

    users_group_id = Column(Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)

    permission_id = Column(Integer(), ForeignKey('permissions.permission_id'), nullable=False)

    repository_id = Column(Integer(), ForeignKey('repositories.repo_id'), nullable=False)

    users_group = relationship('UserGroup')

    permission = relationship('Permission')

    repository = relationship('Repository')

    @classmethod

    def create(cls, users_group, repository, permission):

        n = cls()

        n.users_group = users_group

        n.repository = repository

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

        return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)

class UserGroupUserGroupToPerm(Base, BaseDbModel):

    __tablename__ = 'user_group_user_group_to_perm'

    __table_args__ = (

        UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),

        _table_args_default_dict,

    )

    user_group_user_group_to_perm_id = Column(Integer(), primary_key=True)

    target_user_group_id = Column(Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)

    permission_id = Column(Integer(), ForeignKey('permissions.permission_id'), nullable=False)

    user_group_id = Column(Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)

    target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')

    user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')

    permission = relationship('Permission')

    @classmethod

    def create(cls, target_user_group, user_group, permission):

        n = cls()

        n.target_user_group = target_user_group

        n.user_group = user_group

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

        return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)

class UserGroupToPerm(Base, BaseDbModel):

    __tablename__ = 'users_group_to_perm'

    __table_args__ = (

        UniqueConstraint('users_group_id', 'permission_id',),

        _table_args_default_dict,

    )

    users_group_to_perm_id = Column(Integer(), primary_key=True)

    users_group_id = Column(Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)

    permission_id = Column(Integer(), ForeignKey('permissions.permission_id'), nullable=False)

    users_group = relationship('UserGroup')