RepoModel().grant_user_permission(

                    repo=cur_repo, user='default', perm=EMPTY_PERM

                )

            #handle extra fields

            for field in filter(lambda k: k.startswith(RepositoryField.PREFIX), kwargs):

                k = RepositoryField.un_prefix_key(field)

                ex_field = RepositoryField.get_by_key_name(key=k, repo=cur_repo)

                if ex_field:

                    ex_field.field_value = kwargs[field]

                    self.sa.add(ex_field)

            self.sa.add(cur_repo)

            if org_repo_name != new_name:

                # rename repository

                self.__rename_repo(old=org_repo_name, new=new_name)

            return cur_repo

        except Exception:

            log.error(traceback.format_exc())

            raise

    def create_repo(self, repo_name, repo_type, description, owner,

                    private=False, clone_uri=None, repos_group=None,

                    landing_rev='tip', just_db=False, fork_of=None,

                    copy_fork_permissions=False, enable_statistics=False,

                    enable_locking=False, enable_downloads=False):

        """

        Create repository

        """

        from rhodecode.model.scm import ScmModel

        owner = self._get_user(owner)

        fork_of = self._get_repo(fork_of)

        repos_group = self._get_repo_group(repos_group)

        try:

            # repo name is just a name of repository

            # while repo_name_full is a full qualified name that is combined

            # with name and path of group

            repo_name_full = repo_name

            repo_name = repo_name.split(self.URL_SEPARATOR)[-1]

            new_repo = Repository()

            new_repo.enable_statistics = False

            new_repo.repo_name = repo_name_full

            new_repo.repo_type = repo_type

            new_repo.user = owner

            new_repo.group = repos_group

            new_repo.description = description or repo_name

            new_repo.private = private

            new_repo.clone_uri = clone_uri

            new_repo.landing_rev = landing_rev

            new_repo.enable_statistics = enable_statistics

            new_repo.enable_locking = enable_locking

            new_repo.enable_downloads = enable_downloads

            if repos_group:

                new_repo.enable_locking = repos_group.enable_locking

            if fork_of:

                parent_repo = fork_of

                new_repo.fork = parent_repo

            self.sa.add(new_repo)

            if fork_of:

                if copy_fork_permissions:

                    repo = fork_of

                    user_perms = UserRepoToPerm.query()\

                        .filter(UserRepoToPerm.repository == repo).all()

                    group_perms = UserGroupRepoToPerm.query()\

                        .filter(UserGroupRepoToPerm.repository == repo).all()

                    for perm in user_perms:

                        UserRepoToPerm.create(perm.user, new_repo,

                                              perm.permission)

                    for perm in group_perms:

                        UserGroupRepoToPerm.create(perm.users_group, new_repo,

                                                    perm.permission)

                else:

                    perm_obj = self._create_default_perms(new_repo, private)

                    self.sa.add(perm_obj)

            else:

                perm_obj = self._create_default_perms(new_repo, private)

                self.sa.add(perm_obj)

            if not just_db:

                self.__create_repo(repo_name, repo_type,

                                   repos_group,

                                   clone_uri)

                log_create_repository(new_repo.get_dict(),

                                      created_by=owner.username)

            # now automatically start following this repository as owner

            ScmModel(self.sa).toggle_following_repo(new_repo.repo_id,

                                                    owner.user_id)

            return new_repo

        except Exception:

            log.error(traceback.format_exc())

            raise

    def create(self, form_data, cur_user, just_db=False, fork=None):

        """

        Backward compatibility function, just a wrapper on top of create_repo

        :param form_data:

        :param cur_user:

        :param just_db:

        :param fork:

        """

        owner = cur_user

        repo_name = form_data['repo_name_full']

        repo_type = form_data['repo_type']

        description = form_data['repo_description']

        private = form_data['repo_private']

        clone_uri = form_data.get('clone_uri')

        repos_group = form_data['repo_group']

        landing_rev = form_data['repo_landing_rev']

        copy_fork_permissions = form_data.get('copy_permissions')

        fork_of = form_data.get('fork_parent_id')

        ## repo creation defaults, private and repo_type are filled in form

        defs = RhodeCodeSetting.get_default_repo_settings(strip_prefix=True)

        enable_statistics = defs.get('repo_enable_statistics')

        enable_locking = defs.get('repo_enable_locking')

        enable_downloads = defs.get('repo_enable_downloads')

        return self.create_repo(

            repo_name, repo_type, description, owner, private, clone_uri,

            repos_group, landing_rev, just_db, fork_of, copy_fork_permissions,

            enable_statistics, enable_locking, enable_downloads

        )

    def _update_permissions(self, repo, perms_new=None, perms_updates=None,

                            check_perms=True):

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        # update permissions

        for member, perm, member_type in perms_updates:

            if member_type == 'user':

                # this updates existing one

                self.grant_user_permission(

                    repo=repo, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                    self.grant_users_group_permission(

                        repo=repo, group_name=member, perm=perm

                    )

        # set new permissions

        for member, perm, member_type in perms_new:

            if member_type == 'user':

                self.grant_user_permission(

                    repo=repo, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                    self.grant_users_group_permission(

                        repo=repo, group_name=member, perm=perm

                    )

    def create_fork(self, form_data, cur_user):

        """

        Simple wrapper into executing celery task for fork creation

        :param form_data:

        :param cur_user:

        """

        from rhodecode.lib.celerylib import tasks, run_task

        run_task(tasks.create_repo_fork, form_data, cur_user)

    def delete(self, repo, forks=None, fs_remove=True, cur_user=None):

        """

        Delete given repository, forks parameter defines what do do with

        attached forks. Throws AttachedForksError if deleted repo has attached

        forks

        :param repo:

        :param forks: str 'delete' or 'detach'

        :param fs_remove: remove(archive) repo from filesystem

        """

        if not cur_user:

        repo = self._get_repo(repo)

        if repo:

            if forks == 'detach':

                for r in repo.forks:

                    r.fork = None

                    self.sa.add(r)

            elif forks == 'delete':

                for r in repo.forks:

                    self.delete(r, forks='delete')

            elif [f for f in repo.forks]:

                raise AttachedForksError()

            old_repo_dict = repo.get_dict()

            owner = repo.user

            try:

                self.sa.delete(repo)

                if fs_remove:

                    self.__delete_repo(repo)

                else:

                    log.debug('skipping removal from filesystem')

                log_delete_repository(old_repo_dict,

                                      deleted_by=cur_user)

            except Exception:

                log.error(traceback.format_exc())

                raise

    def grant_user_permission(self, repo, user, perm):

        """

        Grant permission for user on given repository, or update existing one

        if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        user = self._get_user(user)

        repo = self._get_repo(repo)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserRepoToPerm)\

            .filter(UserRepoToPerm.user == user)\

            .filter(UserRepoToPerm.repository == repo)\

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoToPerm()

        obj.repository = repo

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, user, repo))

    def revoke_user_permission(self, repo, user):

        """

        Revoke permission for user on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        """

        user = self._get_user(user)

        repo = self._get_repo(repo)

        obj = self.sa.query(UserRepoToPerm)\

            .filter(UserRepoToPerm.repository == repo)\

            .filter(UserRepoToPerm.user == user)\

            .scalar()

        if obj:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s' % (repo, user))

    def grant_users_group_permission(self, repo, group_name, perm):

        """

        Grant permission for user group on given repository, or update

        existing one if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo = self._get_repo(repo)

        group_name = self._get_user_group(group_name)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoToPerm)\

            .filter(UserGroupRepoToPerm.users_group == group_name)\

            .filter(UserGroupRepoToPerm.repository == repo)\

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoToPerm()

        obj.repository = repo

        obj.users_group = group_name

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, group_name, repo))

    def revoke_users_group_permission(self, repo, group_name):

        """

        Revoke permission for user group on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        """

        repo = self._get_repo(repo)

        group_name = self._get_user_group(group_name)

        obj = self.sa.query(UserGroupRepoToPerm)\

            .filter(UserGroupRepoToPerm.repository == repo)\

            .filter(UserGroupRepoToPerm.users_group == group_name)\

            .scalar()

        if obj:

            self.sa.delete(obj)

            log.debug('Revoked perm to %s on %s' % (repo, group_name))

    def delete_stats(self, repo_name):

        """

        removes stats for given repo

        :param repo_name:

        """

        repo = self._get_repo(repo_name)

        try:

            obj = self.sa.query(Statistics)\

                    .filter(Statistics.repository == repo).scalar()

            if obj:

                self.sa.delete(obj)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def _create_repo(self, repo_name, alias, parent, clone_uri=False,

                     repo_store_location=None):

        return self.__create_repo(repo_name, alias, parent, clone_uri,

                                  repo_store_location)

    def __create_repo(self, repo_name, alias, parent, clone_uri=False,

                      repo_store_location=None):

        """

        makes repository on filesystem. It's group aware means it'll create

        a repository within a group, and alter the paths accordingly of

        group location

        :param repo_name:

        :param alias:

        :param parent_id:

        :param clone_uri:

        :param repo_path:

        """

        from rhodecode.lib.utils import is_valid_repo, is_valid_repos_group

        from rhodecode.model.scm import ScmModel

        if parent:

            new_parent_path = os.sep.join(parent.full_path_splitted)

        else:

            new_parent_path = ''

        if repo_store_location:

            _paths = [repo_store_location]

        else:

            _paths = [self.repos_path, new_parent_path, repo_name]

        # we need to make it str for mercurial

        repo_path = os.path.join(*map(lambda x: safe_str(x), _paths))

        # check if this path is not a repository

        if is_valid_repo(repo_path, self.repos_path):

            raise Exception('This path %s is a valid repository' % repo_path)

        # check if this path is a group

        if is_valid_repos_group(repo_path, self.repos_path):

            raise Exception('This path %s is a valid group' % repo_path)

        log.info('creating repo %s in %s @ %s' % (

                     repo_name, safe_unicode(repo_path),

                     obfuscate_url_pw(clone_uri)

                )

        )

        backend = get_backend(alias)

        if alias == 'hg':

            repo = backend(repo_path, create=True, src_url=clone_uri)

        elif alias == 'git':

            repo = backend(repo_path, create=True, src_url=clone_uri, bare=True)

            # add rhodecode hook into this repo

            ScmModel().install_git_hook(repo=repo)

        else:

            raise Exception('Undefined alias %s' % alias)

        return repo

# -*- coding: utf-8 -*-

"""

    rhodecode.model.user

    ~~~~~~~~~~~~~~~~~~~~

    users model for RhodeCode

    :created_on: Apr 9, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import itertools

import collections

from pylons import url

from pylons.i18n.translation import _

from sqlalchemy.exc import DatabaseError

from sqlalchemy.orm import joinedload

from rhodecode.lib.utils2 import safe_unicode, generate_api_key, get_current_rhodecode_user

from rhodecode.lib.caching_query import FromCache

from rhodecode.model import BaseModel

from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \

    UserEmailMap, UserIpMap, UserGroupUserGroupToPerm, UserGroup

from rhodecode.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

from rhodecode.model.meta import Session

log = logging.getLogger(__name__)

PERM_WEIGHTS = Permission.PERM_WEIGHTS

class UserModel(BaseModel):

    cls = User

    def get(self, user_id, cache=False):

        user = self.sa.query(User)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % user_id))

        return user.get(user_id)

    def get_user(self, user):

        return self._get_user(user)

    def get_by_username(self, username, cache=False, case_insensitive=False):

        if case_insensitive:

            user = self.sa.query(User).filter(User.username.ilike(username))

        else:

            user = self.sa.query(User)\

                .filter(User.username == username)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % username))

        return user.scalar()

    def get_by_email(self, email, cache=False, case_insensitive=False):

        return User.get_by_email(email, case_insensitive, cache)

    def get_by_api_key(self, api_key, cache=False):

        return User.get_by_api_key(api_key, cache)

    def create(self, form_data, cur_user=None):

        if not cur_user:

        from rhodecode.lib.auth import get_crypt_password

        try:

            new_user = User()

            for k, v in form_data.items():

                if k == 'password':

                    v = get_crypt_password(v)

                if k == 'firstname':

                    k = 'name'

                setattr(new_user, k, v)

            new_user.api_key = generate_api_key(form_data['username'])

            self.sa.add(new_user)

            from rhodecode.lib.hooks import log_create_user

            log_create_user(new_user.get_dict(), cur_user)

            return new_user

        except Exception:

            log.error(traceback.format_exc())

            raise

    def create_or_update(self, username, password, email, firstname='',

                         lastname='', active=True, admin=False, ldap_dn=None, cur_user=None):

        """

        Creates a new instance if not found, or updates current one

        :param username:

        :param password:

        :param email:

        :param active:

        :param firstname:

        :param lastname:

        :param active:

        :param admin:

        :param ldap_dn:

        """

        if not cur_user:

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for %s account in RhodeCode database' % username)

        user = User.get_by_username(username, case_insensitive=True)

        if user is None:

            log.debug('creating new user %s' % username)

            new_user = User()

            edit = False

        else:

            log.debug('updating user %s' % username)

            new_user = user

            edit = True

        try:

            new_user.username = username

            new_user.admin = admin

            # set password only if creating an user or password is changed

            if not edit or user.password != password:

                new_user.password = get_crypt_password(password) if password else None

                new_user.api_key = generate_api_key(username)

            new_user.email = email

            new_user.active = active

            new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None

            new_user.name = firstname

            new_user.lastname = lastname

            self.sa.add(new_user)

            if not edit:

                from rhodecode.lib.hooks import log_create_user

                log_create_user(new_user.get_dict(), cur_user)

            return new_user

        except (DatabaseError,):

            log.error(traceback.format_exc())

            raise

    def create_for_container_auth(self, username, attrs, cur_user=None):

        """

        Creates the given user if it's not already in the database

        :param username:

        :param attrs:

        """

        if not cur_user:

        if self.get_by_username(username, case_insensitive=True) is None:

            # autogenerate email for container account without one

            generate_email = lambda usr: '%s@container_auth.account' % usr

            try:

                new_user = User()

                new_user.username = username

                new_user.password = None

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email']

                new_user.active = attrs.get('active', True)

                new_user.name = attrs['name'] or generate_email(username)

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                from rhodecode.lib.hooks import log_create_user

                log_create_user(new_user.get_dict(), cur_user)

                return new_user

            except (DatabaseError,):

                log.error(traceback.format_exc())

                self.sa.rollback()

                raise

        log.debug('User %s already exists. Skipping creation of account'

                  ' for container auth.', username)

        return None

    def create_ldap(self, username, password, user_dn, attrs, cur_user=None):

        """

        Checks if user is in database, if not creates this user marked

        as ldap user

        :param username:

        :param password:

        :param user_dn:

        :param attrs:

        """

        if not cur_user:

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for such ldap account in RhodeCode database')

        if self.get_by_username(username, case_insensitive=True) is None:

            # autogenerate email for ldap account without one

            generate_email = lambda usr: '%s@ldap.account' % usr

            try:

                new_user = User()

                username = username.lower()

                # add ldap account always lowercase

                new_user.username = username

                new_user.password = get_crypt_password(password)

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email'] or generate_email(username)

                new_user.active = attrs.get('active', True)

                new_user.ldap_dn = safe_unicode(user_dn)

                new_user.name = attrs['name']

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                from rhodecode.lib.hooks import log_create_user

                log_create_user(new_user.get_dict(), cur_user)

                return new_user

            except (DatabaseError,):

                log.error(traceback.format_exc())

                self.sa.rollback()

                raise

        log.debug('this %s user exists skipping creation of ldap account',

                  username)

        return None

    def create_registration(self, form_data):

        from rhodecode.model.notification import NotificationModel

        try:

            form_data['admin'] = False

            new_user = self.create(form_data)

            self.sa.add(new_user)

            self.sa.flush()

            # notification to admins

            subject = _('New user registration')

            body = ('New user registration\n'

                    '---------------------\n'

                    '- Username: %s\n'

                    '- Full Name: %s\n'

                    '- Email: %s\n')

            body = body % (new_user.username, new_user.full_name,

                           new_user.email)

            edit_url = url('edit_user', id=new_user.user_id, qualified=True)

            kw = {'registered_user_url': edit_url}

            NotificationModel().create(created_by=new_user, subject=subject,

                                       body=body, recipients=None,

                                       type_=Notification.TYPE_REGISTRATION,

                                       email_kwargs=kw)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def update(self, user_id, form_data, skip_attrs=[]):

        from rhodecode.lib.auth import get_crypt_password

        try:

            user = self.get(user_id, cache=False)

            if user.username == 'default':

                raise DefaultUserException(

                                _("You can't Edit this user since it's"

                                  " crucial for entire application"))

            for k, v in form_data.items():

                if k in skip_attrs:

                    continue

                if k == 'new_password' and v:

                    user.password = get_crypt_password(v)

                    user.api_key = generate_api_key(user.username)

                else:

                    if k == 'firstname':

                        k = 'name'

                    setattr(user, k, v)

            self.sa.add(user)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def update_user(self, user, **kwargs):

        from rhodecode.lib.auth import get_crypt_password

        try:

            user = self._get_user(user)

            if user.username == 'default':

                raise DefaultUserException(

                    _("You can't Edit this user since it's"

                      " crucial for entire application")

                )

            for k, v in kwargs.items():

                if k == 'password' and v:

                    v = get_crypt_password(v)

                    user.api_key = generate_api_key(user.username)

                setattr(user, k, v)

            self.sa.add(user)

            return user

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, user, cur_user=None):

        if not cur_user:

        user = self._get_user(user)

        try:

            if user.username == 'default':

                raise DefaultUserException(

                    _(u"You can't remove this user since it's"

                      " crucial for entire application")

                )

            if user.repositories:

                repos = [x.repo_name for x in user.repositories]

                raise UserOwnsReposException(

                    _(u'user "%s" still owns %s repositories and cannot be '

                      'removed. Switch owners or remove those repositories. %s')

                    % (user.username, len(repos), ', '.join(repos))

                )

            self.sa.delete(user)

            from rhodecode.lib.hooks import log_delete_user

            log_delete_user(user.get_dict(), cur_user)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def reset_password_link(self, data):

        from rhodecode.lib.celerylib import tasks, run_task

        from rhodecode.model.notification import EmailNotificationModel

        user_email = data['email']

        try:

            user = User.get_by_email(user_email)

            if user:

                log.debug('password reset user found %s' % user)

                link = url('reset_password_confirmation', key=user.api_key,

                           qualified=True)

                reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET

                body = EmailNotificationModel().get_email_tmpl(reg_type,

                                                    **{'user': user.short_contact,

                                                       'reset_url': link})

                log.debug('sending email')

                run_task(tasks.send_email, user_email,

                         _("Password reset link"), body, body)

                log.info('send new password mail to %s' % user_email)

            else:

                log.debug("password reset email %s not found" % user_email)

        except Exception:

            log.error(traceback.format_exc())

            return False

        return True

    def reset_password(self, data):

        from rhodecode.lib.celerylib import tasks, run_task

        from rhodecode.lib import auth

        user_email = data['email']

        try:

            try:

                user = User.get_by_email(user_email)

                new_passwd = auth.PasswordGenerator().gen_password(8,

                                 auth.PasswordGenerator.ALPHABETS_BIG_SMALL)

                if user:

                    user.password = auth.get_crypt_password(new_passwd)

                    user.api_key = auth.generate_api_key(user.username)

                    Session().add(user)

                    Session().commit()

                    log.info('change password for %s' % user_email)

                if new_passwd is None:

                    raise Exception('unable to generate new password')

            except Exception:

                log.error(traceback.format_exc())

                Session().rollback()

            run_task(tasks.send_email, user_email,

                     _('Your new password'),

                     _('Your new RhodeCode password:%s') % (new_passwd))

            log.info('send new password mail to %s' % user_email)

        except Exception:

            log.error('Failed to update user password')

            log.error(traceback.format_exc())

        return True

    def fill_data(self, auth_user, user_id=None, api_key=None):

        """

        Fetches auth_user by user_id,or api_key if present.

        Fills auth_user attributes with those taken from database.

        Additionally set's is_authenitated if lookup fails

        present in database

        :param auth_user: instance of user to set attributes

        :param user_id: user id to fetch by

        :param api_key: api key to fetch by

        """

        if user_id is None and api_key is None:

            raise Exception('You need to pass user_id or api_key')

        try:

            if api_key:

                dbuser = self.get_by_api_key(api_key)

            else:

                dbuser = self.get(user_id)

            if dbuser is not None and dbuser.active:

                log.debug('filling %s data' % dbuser)

                for k, v in dbuser.get_dict().items():

                    setattr(auth_user, k, v)

            else:

                return False

        except Exception:

            log.error(traceback.format_exc())

            auth_user.is_authenticated = False

            return False

        return True

    def fill_perms(self, user, explicit=True, algo='higherwin'):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: user instance to fill his perms

        :param explicit: In case there are permissions both for user and a group

            that user is part of, explicit flag will defiine if user will

            explicitly override permissions from group, if it's False it will

            make decision based on the algo

        :param algo: algorithm to decide what permission should be choose if

            it's multiple defined, eg user in two different groups. It also

            decides if explicit flag is turned off how to specify the permission

            for case when user is in a group + have defined separate permission

        """

        RK = 'repositories'

        GK = 'repositories_groups'

        UK = 'user_groups'

        GLOBAL = 'global'

        user.permissions[RK] = {}

        user.permissions[GK] = {}

        user.permissions[UK] = {}

        user.permissions[GLOBAL] = set()

        def _choose_perm(new_perm, cur_perm):

            new_perm_val = PERM_WEIGHTS[new_perm]

            cur_perm_val = PERM_WEIGHTS[cur_perm]

            if algo == 'higherwin':

                if new_perm_val > cur_perm_val:

                    return new_perm

                return cur_perm

            elif algo == 'lowerwin':

                if new_perm_val < cur_perm_val:

                    return new_perm

                return cur_perm

        #======================================================================

        # fetch default permissions

        #======================================================================

        default_user = User.get_by_username('default', cache=True)

        default_user_id = default_user.user_id

        default_repo_perms = Permission.get_default_perms(default_user_id)

        default_repo_groups_perms = Permission.get_default_group_perms(default_user_id)

        default_user_group_perms = Permission.get_default_user_group_perms(default_user_id)