:param short_contact:

      :param admin:

      :param lastname:

      :param ip_addresses:

      :param ldap_dn:

      :param email:

      :param api_key:

      :param last_login:

      :param full_name:

      :param active:

      :param password:

      :param emails:

      :param created_by:

    """

    return 0

CREATE_USER_HOOK = _cruserhook

#==============================================================================

# POST DELETE REPOSITORY HOOK

#==============================================================================

# this function will be executed after each repository deletion

      :param short_contact:

      :param admin:

      :param lastname:

      :param ip_addresses:

      :param ldap_dn:

      :param email:

      :param api_key:

      :param last_login:

      :param full_name:

      :param active:

      :param password:

      :param emails:

      :param deleted_by:

    """

    return 0

DELETE_USER_HOOK = _dluserhook

#==============================================================================

# POST PUSH HOOK

#==============================================================================

            encoding="UTF-8",

            force_defaults=False

        )

    @HasUserGroupPermissionLevelDecorator('admin')

    def update_default_perms(self, id):

        user_group = UserGroup.get_or_404(id)

        try:

            form = CustomDefaultPermissionsForm()()

            form_result = form.to_python(request.POST)

            usergroup_model = UserGroupModel()

            defs = UserGroupToPerm.query() \

                .filter(UserGroupToPerm.users_group == user_group) \

                .all()

            for ug in defs:

                Session().delete(ug)

            if form_result['create_repo_perm']:

                usergroup_model.grant_perm(id, 'hg.create.repository')

            else:

                usergroup_model.grant_perm(id, 'hg.create.none')

            render('admin/users/user_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False)

    def update_perms(self, id):

        user = self._get_user_or_raise_if_default(id)

        try:

            form = CustomDefaultPermissionsForm()()

            form_result = form.to_python(request.POST)

            user_model = UserModel()

            defs = UserToPerm.query() \

                .filter(UserToPerm.user == user) \

                .all()

            for ug in defs:

                Session().delete(ug)

            if form_result['create_repo_perm']:

                user_model.grant_perm(id, 'hg.create.repository')

            else:

                user_model.grant_perm(id, 'hg.create.none')

        user_model = UserModel()

        user_model.delete_extra_email(id, email_id)

        Session().commit()

        h.flash(_("Removed email from user"), category='success')

        raise HTTPFound(location=url('edit_user_emails', id=id))

    def edit_ips(self, id):

        c.user = self._get_user_or_raise_if_default(id)

        c.active = 'ips'

        c.user_ip_map = UserIpMap.query() \

            .filter(UserIpMap.user == c.user).all()

        c.default_user_ip_map = UserIpMap.query() \

            .filter(UserIpMap.user == User.get_default_user()).all()

        defaults = c.user.get_dict()

        return htmlfill.render(

            render('admin/users/user_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False)

    def add_ip(self, id):

        ip = request.POST.get('new_ip')

        import bcrypt

        try:

            return bcrypt.checkpw(safe_str(password), safe_str(hashed))

        except ValueError as e:

            # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors

            log.error('error from bcrypt checking password: %s', e)

            return False

    else:

        raise Exception('Unknown or unsupported platform %s'

                        % __platform__)

                       explicit):

    RK = 'repositories'

    GK = 'repositories_groups'

    UK = 'user_groups'

    GLOBAL = 'global'

    PERM_WEIGHTS = Permission.PERM_WEIGHTS

    permissions = {RK: {}, GK: {}, UK: {}, GLOBAL: set()}

    def _choose_perm(new_perm, cur_perm):

        new_perm_val = PERM_WEIGHTS[new_perm]

        cur_perm_val = PERM_WEIGHTS[cur_perm]

        if new_perm_val > cur_perm_val:

        rg_k = perm.UserRepoGroupToPerm.group.group_name

        p = perm.Permission.permission_name

        permissions[GK][rg_k] = p

    # defaults for user groups taken from default user permission

    # on given user group

    for perm in default_user_group_perms:

        u_k = perm.UserUserGroupToPerm.user_group.users_group_name

        p = perm.Permission.permission_name

        permissions[UK][u_k] = p

    #======================================================================

    #======================================================================

    # USER GROUPS comes first

    # user group global permissions

    user_perms_from_users_groups = Session().query(UserGroupToPerm) \

        .options(joinedload(UserGroupToPerm.permission)) \

        .join((UserGroupMember, UserGroupToPerm.users_group_id ==

               UserGroupMember.users_group_id)) \

        .filter(UserGroupMember.user_id == user_id) \

        .join((UserGroup, UserGroupMember.users_group_id ==

               UserGroup.users_group_id)) \

        .filter(UserGroup.users_group_active == True) \

        .order_by(UserGroupToPerm.users_group_id) \

        .all()

    # need to group here by groups since user can be in more than

    # one group

    _grouped = [[x, list(y)] for x, y in

                itertools.groupby(user_perms_from_users_groups,

                                  lambda x:x.users_group)]

    for gr, perms in _grouped:

        for perm in perms:

            permissions[GLOBAL].add(perm.permission.permission_name)

    # user specific global permissions

    user_perms = Session().query(UserToPerm) \

            .options(joinedload(UserToPerm.permission)) \

            .filter(UserToPerm.user_id == user_id).all()

    ## END GLOBAL PERMISSIONS

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORIES !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository and

    # fill in his permission from it.

    #======================================================================

    # user group for repositories permissions

    user_repo_perms_from_users_groups = \

        self.authenticating_api_key = authenticating_api_key

        # These attributes will be overridden by fill_data, below, unless the

        # requested user cannot be found and the default anonymous user is

        # not enabled.

        self.user_id = None

        self.username = None

        self.api_key = None

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.admin = False

        # Look up database user, if necessary.

        if user_id is not None:

            log.debug('Auth User lookup by USER ID %s', user_id)

            dbuser = UserModel().get(user_id)

        else:

            # Note: dbuser is allowed to be None.

            log.debug('Auth User lookup by database user %s', dbuser)

        is_user_loaded = self._fill_data(dbuser)

        # If user cannot be found, try falling back to anonymous.

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        :param explicit: In case there are permissions both for user and a group

            that user is part of, explicit flag will define if user will

            explicitly override permissions from group, if it's False it will

            compute the decision

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

                .filter_by(user_id=self.user_id, is_expired=False):

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    @staticmethod

    def check_ip_allowed(user, ip_addr):

        """

        Check if the given IP address (a `str`) is allowed for the given

        user (an `AuthUser` or `db.User`).

        """

        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s', ip_addr, allowed_ips)

            return True

        else:

            log.info('Access for IP:%s forbidden, '

                     'not in %s' % (ip_addr, allowed_ips))

            return False

    def __repr__(self):

        return "<AuthUser('id:%s[%s] auth:%s')>" \

            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))

        """

        Deserializes an `AuthUser` from a cookie `dict`.

        """

        au = AuthUser(

            user_id=cookie.get('user_id'),

            is_external_auth=cookie.get('is_external_auth', False),

        )

        au.is_authenticated = True

        return au

    @classmethod

        _set = set()

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

     'short_contact',

     'admin',

     'lastname',

     'ip_addresses',

     'ldap_dn',

     'email',

     'api_key',

     'last_login',

     'full_name',

     'active',

     'password',

     'emails',

    """

    from kallithea import EXTENSIONS

    callback = getattr(EXTENSIONS, 'CREATE_USER_HOOK', None)

    if callable(callback):

        return callback(created_by=created_by, **user_dict)

    return 0

def log_delete_repository(repository_dict, deleted_by, **kwargs):

    """

     'short_contact',

     'admin',

     'lastname',

     'ip_addresses',

     'ldap_dn',

     'email',

     'api_key',

     'last_login',

     'full_name',

     'active',

     'password',

     'emails',

    """

    from kallithea import EXTENSIONS

    callback = getattr(EXTENSIONS, 'DELETE_USER_HOOK', None)

    if callable(callback):

        return callback(deleted_by=deleted_by, **user_dict)

    return 0

def _hook_environment(repo_path):

    """

    user_id = Column(Integer(), primary_key=True)

    username = Column(String(255), nullable=False, unique=True)

    password = Column(String(255), nullable=False)

    active = Column(Boolean(), nullable=False, default=True)

    admin = Column(Boolean(), nullable=False, default=False)

    name = Column("firstname", Unicode(255), nullable=False)

    lastname = Column(Unicode(255), nullable=False)

    _email = Column("email", String(255), nullable=True, unique=True) # FIXME: not nullable?

    last_login = Column(DateTime(timezone=False), nullable=True)

    extern_type = Column(String(255), nullable=True) # FIXME: not nullable?

    extern_name = Column(String(255), nullable=True) # FIXME: not nullable?

    api_key = Column(String(255), nullable=False)

    created_on = Column(DateTime(timezone=False), nullable=False, default=datetime.datetime.now)

    _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data # FIXME: not nullable?

    user_log = relationship('UserLog')

    user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')

    repositories = relationship('Repository')

    repo_groups = relationship('RepoGroup')

    user_groups = relationship('UserGroup')

    user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')

    followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')

class UserGroup(Base, BaseDbModel):

    __tablename__ = 'users_groups'

    __table_args__ = (

        _table_args_default_dict,

    )

    users_group_id = Column(Integer(), primary_key=True)

    users_group_name = Column(Unicode(255), nullable=False, unique=True)

    user_group_description = Column(Unicode(10000), nullable=True) # FIXME: not nullable?

    users_group_active = Column(Boolean(), nullable=False)

    owner_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)

    created_on = Column(DateTime(timezone=False), nullable=False, default=datetime.datetime.now)

    _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data # FIXME: not nullable?

    members = relationship('UserGroupMember', cascade="all, delete-orphan")

    users_group_to_perm = relationship('UserGroupToPerm', cascade='all')

    users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')

    users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')

    user_user_group_to_perm = relationship('UserUserGroupToPerm ', cascade='all')

    user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')

    owner = relationship('User')

        #default_repo_group_create = v.OneOf(repo_group_create_choices) #not impl. yet

        default_fork = v.OneOf(fork_choices)

        default_register = v.OneOf(register_choices)

        default_extern_activate = v.OneOf(extern_activate_choices)

    return _DefaultPermissionsForm

def CustomDefaultPermissionsForm():

    class _CustomDefaultPermissionsForm(formencode.Schema):

        filter_extra_fields = True

        allow_extra_fields = True

        create_repo_perm = v.StringBoolean(if_missing=False)

        create_user_group_perm = v.StringBoolean(if_missing=False)

        #create_repo_group_perm Impl. later

        fork_repo_perm = v.StringBoolean(if_missing=False)

    return _CustomDefaultPermissionsForm

def DefaultsForm(edit=False, old_data=None, supported_backends=BACKENDS.keys()):

    class _DefaultsForm(formencode.Schema):

<table class="table">

        %for ip in c.default_user_ip_map:

          <tr>

            <td><div class="ip">${ip.ip_addr}</div></td>

            <td><div class="ip">${h.ip_range(ip.ip_addr)}</div></td>

            <td>${h.HTML(_('Inherited from %s')) % h.link_to('*default*',h.url('admin_permissions_ips'))}</td>

          </tr>

        %endfor

    %endif

    %if c.user_ip_map:

        %for ip in c.user_ip_map:

          <tr>

## snippet for displaying default permission box

## usage:

##    <%namespace name="dpb" file="/base/default_perms_box.html"/>

##    ${dpb.default_perms_box(<url_to_form>)}

<%def name="default_perms_box(form_url)">

${h.form(form_url)}

    <div class="form">

            <div class="form-group">

                <label class="control-label" for="create_repo_perm">${_('Create repositories')}:</label>

                <div>

                    ${h.checkbox('create_repo_perm',value=True)}

                    <span class="help-block">

                        ${_('Select this option to allow repository creation for this user')}

                    </span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="create_user_group_perm">${_('Create user groups')}:</label>

                <div>

            </div>

            <div class="form-group">

                <label class="control-label" for="fork_repo_perm">${_('Fork repositories')}:</label>

                <div>

                    ${h.checkbox('fork_repo_perm',value=True)}

                    <span class="help-block">

                        ${_('Select this option to allow repository forking for this user')}

                    </span>

                </div>

            </div>

            <div class="form-group">

                <div class="buttons">

                    ${h.submit('save',_('Save'),class_="btn btn-default")}

                    ${h.reset('reset',_('Reset'),class_="btn btn-default")}

                </div>

            </div>

    </div>

${h.end_form()}

</%def>

# -*- coding: utf-8 -*-

import urllib

import unittest

from kallithea.tests.base import *

from kallithea.tests.fixture import Fixture

from kallithea.lib.utils2 import safe_str, safe_unicode

from kallithea.model.repo import RepoModel

from kallithea.model.user import UserModel

from kallithea.model.meta import Session

fixture = Fixture()

class _BaseTestCase(TestController):

    """

    Write all tests here

    """

    REPO = None

        fixture.destroy_user(self.u1_id)

        Session().commit()

    def test_index(self):

        self.log_user()

        repo_name = self.REPO

        response = self.app.get(url(controller='forks', action='forks',

                                    repo_name=repo_name))

        response.mustcontain("""There are no forks yet""")

    def test_no_permissions_to_fork(self):

        try:

            user_model = UserModel()

            user_model.revoke_perm(usr, 'hg.fork.repository')

            user_model.grant_perm(usr, 'hg.fork.none')

            Session().commit()

            # try create a fork

            repo_name = self.REPO

            self.app.post(url(controller='forks', action='fork_create',

                              repo_name=repo_name), {'_authentication_token': self.authentication_token()}, status=403)

        finally:

            user_model.revoke_perm(usr, 'hg.fork.none')

            user_model.grant_perm(usr, 'hg.fork.repository')

            Session().commit()

    def test_index_with_fork(self):

        self.log_user()

        # create a fork

        fork_name = self.REPO_FORK

        description = 'fork of vcs test'

        repo_name = self.REPO

        org_repo = Repository.get_by_repo_name(repo_name)

            .filter(UserGroupRepoGroupToPerm.group == self.g1) \

            .filter(UserGroupRepoGroupToPerm.users_group == self.ug1) \

            .scalar()

        assert obj.permission.permission_name == 'group.read'

        a1_auth = AuthUser(user_id=self.anon.user_id)

        assert a1_auth.permissions['repositories_groups'] == {u'group1': u'group.none'}

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['repositories_groups'] == {u'group1': u'group.read'}

        user_model = UserModel()

        # enable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        assert u1_auth.permissions['global'] == set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read', 'hg.create.write_on_repogroup.true'])

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        assert u1_auth.permissions['global'] == set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read', 'hg.create.write_on_repogroup.true'])

        user_model = UserModel()

        # enable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        # disable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.repository')

        user_model.grant_perm(self.u1, 'hg.create.none')

        user_model.revoke_perm(self.u1, 'hg.fork.repository')

        user_model.grant_perm(self.u1, 'hg.fork.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read', 'hg.create.write_on_repogroup.true'])

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        # enable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.none')

        user_model.grant_perm(self.u1, 'hg.create.repository')

        user_model.revoke_perm(self.u1, 'hg.fork.none')

        user_model.grant_perm(self.u1, 'hg.fork.repository')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read', 'hg.create.write_on_repogroup.true'])

    def test_inactive_user_group_does_not_affect_global_permissions(self):

        # Add user to inactive user group, set specific permissions on user

        self.ug1 = fixture.create_user_group(u'G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})

        # enable fork and create on user group

        user_group_model.revoke_perm(self.ug1, perm='hg.create.none')

        user_group_model.grant_perm(self.ug1, perm='hg.create.repository')

        user_group_model.revoke_perm(self.ug1, perm='hg.fork.none')

        user_group_model.grant_perm(self.ug1, perm='hg.fork.repository')

        user_model = UserModel()

        # disable fork and create on default user

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['global'] == set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read',

                              'hg.create.write_on_repogroup.true'])

    def test_inactive_user_group_does_not_affect_global_permissions_inverse(self):

        # Add user to inactive user group, set specific permissions on user

        self.ug1 = fixture.create_user_group(u'G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})

        # disable fork and create on user group