# now automatically start following this repository as owner

            ScmModel(self.sa).toggle_following_repo(new_repo.repo_id,

                                                    owner.user_id)

            return new_repo

        except Exception:

            log.error(traceback.format_exc())

            raise

    def create(self, form_data, cur_user, just_db=False, fork=None):

        """

        Backward compatibility function, just a wrapper on top of create_repo

        :param form_data:

        :param cur_user:

        :param just_db:

        :param fork:

        """

        owner = cur_user

        repo_name = form_data['repo_name_full']

        repo_type = form_data['repo_type']

        description = form_data['repo_description']

        private = form_data['repo_private']

        clone_uri = form_data.get('clone_uri')

        repos_group = form_data['repo_group']

        landing_rev = form_data['repo_landing_rev']

        copy_fork_permissions = form_data.get('copy_permissions')

        fork_of = form_data.get('fork_parent_id')

        ## repo creation defaults, private and repo_type are filled in form

        defs = RhodeCodeSetting.get_default_repo_settings(strip_prefix=True)

        enable_statistics = defs.get('repo_enable_statistics')

        enable_locking = defs.get('repo_enable_locking')

        enable_downloads = defs.get('repo_enable_downloads')

        return self.create_repo(

            repo_name, repo_type, description, owner, private, clone_uri,

            repos_group, landing_rev, just_db, fork_of, copy_fork_permissions,

            enable_statistics, enable_locking, enable_downloads

        )

    def _update_permissions(self, repo, perms_new=None, perms_updates=None,

                            check_perms=True):

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        # update permissions

        for member, perm, member_type in perms_updates:

            if member_type == 'user':

                # this updates existing one

                self.grant_user_permission(

                    repo=repo, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                    self.grant_users_group_permission(

                        repo=repo, group_name=member, perm=perm

                    )

        # set new permissions

        for member, perm, member_type in perms_new:

            if member_type == 'user':

                self.grant_user_permission(

                    repo=repo, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                    self.grant_users_group_permission(

                        repo=repo, group_name=member, perm=perm

                    )

    def create_fork(self, form_data, cur_user):

        """

        Simple wrapper into executing celery task for fork creation

        :param form_data:

        :param cur_user:

        """

        from rhodecode.lib.celerylib import tasks, run_task

        run_task(tasks.create_repo_fork, form_data, cur_user)

    def delete(self, repo, forks=None, fs_remove=True, cur_user=None):

        """

        Delete given repository, forks parameter defines what do do with

        attached forks. Throws AttachedForksError if deleted repo has attached

        forks

        :param repo:

        :param forks: str 'delete' or 'detach'

        :param fs_remove: remove(archive) repo from filesystem

        """

        if not cur_user:

        repo = self._get_repo(repo)

        if repo:

            if forks == 'detach':

                for r in repo.forks:

                    r.fork = None

                    self.sa.add(r)

            elif forks == 'delete':

                for r in repo.forks:

                    self.delete(r, forks='delete')

            elif [f for f in repo.forks]:

                raise AttachedForksError()

            old_repo_dict = repo.get_dict()

            owner = repo.user

            try:

                self.sa.delete(repo)

                if fs_remove:

                    self.__delete_repo(repo)

                else:

                    log.debug('skipping removal from filesystem')

                log_delete_repository(old_repo_dict,

                                      deleted_by=cur_user)

            except Exception:

                log.error(traceback.format_exc())

                raise

    def grant_user_permission(self, repo, user, perm):

        """

        Grant permission for user on given repository, or update existing one

        if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        user = self._get_user(user)

        repo = self._get_repo(repo)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserRepoToPerm)\

            .filter(UserRepoToPerm.user == user)\

            .filter(UserRepoToPerm.repository == repo)\

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoToPerm()

        obj.repository = repo

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, user, repo))

    def revoke_user_permission(self, repo, user):

        """

        Revoke permission for user on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        """

        user = self._get_user(user)

        repo = self._get_repo(repo)

        obj = self.sa.query(UserRepoToPerm)\

            .filter(UserRepoToPerm.repository == repo)\

            .filter(UserRepoToPerm.user == user)\

            .scalar()

        if obj:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s' % (repo, user))

    def grant_users_group_permission(self, repo, group_name, perm):

        """

        Grant permission for user group on given repository, or update

        existing one if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo = self._get_repo(repo)

        group_name = self._get_user_group(group_name)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoToPerm)\

            .filter(UserGroupRepoToPerm.users_group == group_name)\

            .filter(UserGroupRepoToPerm.repository == repo)\

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoToPerm()

# -*- coding: utf-8 -*-

"""

    rhodecode.model.user

    ~~~~~~~~~~~~~~~~~~~~

    users model for RhodeCode

    :created_on: Apr 9, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import itertools

import collections

from pylons import url

from pylons.i18n.translation import _

from sqlalchemy.exc import DatabaseError

from sqlalchemy.orm import joinedload

from rhodecode.lib.utils2 import safe_unicode, generate_api_key, get_current_rhodecode_user

from rhodecode.lib.caching_query import FromCache

from rhodecode.model import BaseModel

from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \

    UserEmailMap, UserIpMap, UserGroupUserGroupToPerm, UserGroup

from rhodecode.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

from rhodecode.model.meta import Session

log = logging.getLogger(__name__)

PERM_WEIGHTS = Permission.PERM_WEIGHTS

class UserModel(BaseModel):

    cls = User

    def get(self, user_id, cache=False):

        user = self.sa.query(User)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % user_id))

        return user.get(user_id)

    def get_user(self, user):

        return self._get_user(user)

    def get_by_username(self, username, cache=False, case_insensitive=False):

        if case_insensitive:

            user = self.sa.query(User).filter(User.username.ilike(username))

        else:

            user = self.sa.query(User)\

                .filter(User.username == username)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % username))

        return user.scalar()

    def get_by_email(self, email, cache=False, case_insensitive=False):

        return User.get_by_email(email, case_insensitive, cache)

    def get_by_api_key(self, api_key, cache=False):

        return User.get_by_api_key(api_key, cache)

    def create(self, form_data, cur_user=None):

        if not cur_user:

        from rhodecode.lib.auth import get_crypt_password

        try:

            new_user = User()

            for k, v in form_data.items():

                if k == 'password':

                    v = get_crypt_password(v)

                if k == 'firstname':

                    k = 'name'

                setattr(new_user, k, v)

            new_user.api_key = generate_api_key(form_data['username'])

            self.sa.add(new_user)

            from rhodecode.lib.hooks import log_create_user

            log_create_user(new_user.get_dict(), cur_user)

            return new_user

        except Exception:

            log.error(traceback.format_exc())

            raise

    def create_or_update(self, username, password, email, firstname='',

                         lastname='', active=True, admin=False, ldap_dn=None, cur_user=None):

        """

        Creates a new instance if not found, or updates current one

        :param username:

        :param password:

        :param email:

        :param active:

        :param firstname:

        :param lastname:

        :param active:

        :param admin:

        :param ldap_dn:

        """

        if not cur_user:

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for %s account in RhodeCode database' % username)

        user = User.get_by_username(username, case_insensitive=True)

        if user is None:

            log.debug('creating new user %s' % username)

            new_user = User()

            edit = False

        else:

            log.debug('updating user %s' % username)

            new_user = user

            edit = True

        try:

            new_user.username = username

            new_user.admin = admin

            # set password only if creating an user or password is changed

            if not edit or user.password != password:

                new_user.password = get_crypt_password(password) if password else None

                new_user.api_key = generate_api_key(username)

            new_user.email = email

            new_user.active = active

            new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None

            new_user.name = firstname

            new_user.lastname = lastname

            self.sa.add(new_user)

            if not edit:

                from rhodecode.lib.hooks import log_create_user

                log_create_user(new_user.get_dict(), cur_user)

            return new_user

        except (DatabaseError,):

            log.error(traceback.format_exc())

            raise

    def create_for_container_auth(self, username, attrs, cur_user=None):

        """

        Creates the given user if it's not already in the database

        :param username:

        :param attrs:

        """

        if not cur_user:

        if self.get_by_username(username, case_insensitive=True) is None:

            # autogenerate email for container account without one

            generate_email = lambda usr: '%s@container_auth.account' % usr

            try:

                new_user = User()

                new_user.username = username

                new_user.password = None

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email']

                new_user.active = attrs.get('active', True)

                new_user.name = attrs['name'] or generate_email(username)

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                from rhodecode.lib.hooks import log_create_user

                log_create_user(new_user.get_dict(), cur_user)

                return new_user

            except (DatabaseError,):

                log.error(traceback.format_exc())

                self.sa.rollback()

                raise

        log.debug('User %s already exists. Skipping creation of account'

                  ' for container auth.', username)

        return None

    def create_ldap(self, username, password, user_dn, attrs, cur_user=None):

        """

        Checks if user is in database, if not creates this user marked

        as ldap user

        :param username:

        :param password:

        :param user_dn:

        :param attrs:

        """

        if not cur_user:

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for such ldap account in RhodeCode database')

        if self.get_by_username(username, case_insensitive=True) is None:

            # autogenerate email for ldap account without one

            generate_email = lambda usr: '%s@ldap.account' % usr

            try:

                new_user = User()

                username = username.lower()

                # add ldap account always lowercase

                new_user.username = username

                new_user.password = get_crypt_password(password)

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email'] or generate_email(username)

                new_user.active = attrs.get('active', True)

                new_user.ldap_dn = safe_unicode(user_dn)

                new_user.name = attrs['name']

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                from rhodecode.lib.hooks import log_create_user

                log_create_user(new_user.get_dict(), cur_user)

                return new_user

            except (DatabaseError,):

                log.error(traceback.format_exc())

                self.sa.rollback()

                raise

        log.debug('this %s user exists skipping creation of ldap account',

                  username)

        return None

    def create_registration(self, form_data):

        from rhodecode.model.notification import NotificationModel

        try:

            form_data['admin'] = False

            new_user = self.create(form_data)

            self.sa.add(new_user)

            self.sa.flush()

            # notification to admins

            subject = _('New user registration')

            body = ('New user registration\n'

                    '---------------------\n'

                    '- Username: %s\n'

                    '- Full Name: %s\n'

                    '- Email: %s\n')

            body = body % (new_user.username, new_user.full_name,

                           new_user.email)

            edit_url = url('edit_user', id=new_user.user_id, qualified=True)

            kw = {'registered_user_url': edit_url}

            NotificationModel().create(created_by=new_user, subject=subject,

                                       body=body, recipients=None,

                                       type_=Notification.TYPE_REGISTRATION,

                                       email_kwargs=kw)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def update(self, user_id, form_data, skip_attrs=[]):

        from rhodecode.lib.auth import get_crypt_password

        try:

            user = self.get(user_id, cache=False)

            if user.username == 'default':

                raise DefaultUserException(

                                _("You can't Edit this user since it's"

                                  " crucial for entire application"))

            for k, v in form_data.items():

                if k in skip_attrs:

                    continue

                if k == 'new_password' and v:

                    user.password = get_crypt_password(v)

                    user.api_key = generate_api_key(user.username)

                else:

                    if k == 'firstname':

                        k = 'name'

                    setattr(user, k, v)

            self.sa.add(user)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def update_user(self, user, **kwargs):

        from rhodecode.lib.auth import get_crypt_password

        try:

            user = self._get_user(user)

            if user.username == 'default':

                raise DefaultUserException(

                    _("You can't Edit this user since it's"

                      " crucial for entire application")

                )

            for k, v in kwargs.items():

                if k == 'password' and v:

                    v = get_crypt_password(v)

                    user.api_key = generate_api_key(user.username)

                setattr(user, k, v)

            self.sa.add(user)

            return user

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, user, cur_user=None):

        if not cur_user:

        user = self._get_user(user)

        try:

            if user.username == 'default':

                raise DefaultUserException(

                    _(u"You can't remove this user since it's"

                      " crucial for entire application")

                )

            if user.repositories:

                repos = [x.repo_name for x in user.repositories]

                raise UserOwnsReposException(

                    _(u'user "%s" still owns %s repositories and cannot be '

                      'removed. Switch owners or remove those repositories. %s')

                    % (user.username, len(repos), ', '.join(repos))

                )

            self.sa.delete(user)

            from rhodecode.lib.hooks import log_delete_user

            log_delete_user(user.get_dict(), cur_user)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def reset_password_link(self, data):

        from rhodecode.lib.celerylib import tasks, run_task

        from rhodecode.model.notification import EmailNotificationModel

        user_email = data['email']

        try:

            user = User.get_by_email(user_email)

            if user:

                log.debug('password reset user found %s' % user)

                link = url('reset_password_confirmation', key=user.api_key,

                           qualified=True)

                reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET

                body = EmailNotificationModel().get_email_tmpl(reg_type,

                                                    **{'user': user.short_contact,

                                                       'reset_url': link})

                log.debug('sending email')

                run_task(tasks.send_email, user_email,

                         _("Password reset link"), body, body)

                log.info('send new password mail to %s' % user_email)

            else:

                log.debug("password reset email %s not found" % user_email)

        except Exception:

            log.error(traceback.format_exc())

            return False

        return True

    def reset_password(self, data):

        from rhodecode.lib.celerylib import tasks, run_task

        from rhodecode.lib import auth

        user_email = data['email']

        try:

            try:

                user = User.get_by_email(user_email)

                new_passwd = auth.PasswordGenerator().gen_password(8,

                                 auth.PasswordGenerator.ALPHABETS_BIG_SMALL)

                if user:

                    user.password = auth.get_crypt_password(new_passwd)

                    user.api_key = auth.generate_api_key(user.username)

                    Session().add(user)

                    Session().commit()

                    log.info('change password for %s' % user_email)

                if new_passwd is None:

                    raise Exception('unable to generate new password')

            except Exception:

                log.error(traceback.format_exc())

                Session().rollback()

            run_task(tasks.send_email, user_email,

                     _('Your new password'),

                     _('Your new RhodeCode password:%s') % (new_passwd))

            log.info('send new password mail to %s' % user_email)

        except Exception:

            log.error('Failed to update user password')

            log.error(traceback.format_exc())

        return True

    def fill_data(self, auth_user, user_id=None, api_key=None):

        """

        Fetches auth_user by user_id,or api_key if present.

        Fills auth_user attributes with those taken from database.

        Additionally set's is_authenitated if lookup fails

        present in database

        :param auth_user: instance of user to set attributes

        :param user_id: user id to fetch by

        :param api_key: api key to fetch by

        """

        if user_id is None and api_key is None:

            raise Exception('You need to pass user_id or api_key')

        try: