setattr(self, k, v)

            return True

        return False

    @LazyProperty

    def permissions(self):

        return self.__get_perms(user=self, cache=False)

    @property

    def api_keys(self):

        return self._get_api_keys()

    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        :param explicit: In case there are permissions both for user and a group

            that user is part of, explicit flag will define if user will

            explicitly override permissions from group, if it's False it will

            make decision based on the algo

        :param algo: algorithm to decide what permission should be choose if

            it's multiple defined, eg user in two different groups. It also

            decides if explicit flag is turned off how to specify the permission

            for case when user is in a group + have defined separate permission

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        user_inherit_default_permissions = user.inherit_default_permissions

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin,

                       user_inherit_default_permissions, explicit, algo)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query()\

                .filter(UserApiKeys.user_id == self.user_id)\

                .filter(or_(UserApiKeys.expires == -1,

                            UserApiKeys.expires >= time.time())).all():

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    @staticmethod

    def check_ip_allowed(user, ip_addr):

        """

        Check if the given IP address (a `str`) is allowed for the given

        user (an `AuthUser` or `db.User`).

        """

        allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,

            inherit_from_default=user.inherit_default_permissions)

        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s', ip_addr, allowed_ips)

            return True

        else:

            log.info('Access for IP:%s forbidden, '

                     'not in %s' % (ip_addr, allowed_ips))

            return False

    def __repr__(self):

        return "<AuthUser('id:%s[%s] auth:%s')>"\

            % (self.user_id, self.username, self.is_authenticated)

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_authenticated': self.is_authenticated,

            'is_external_auth': self.is_external_auth,

        }

    @staticmethod

    def from_cookie(cookie):

        """

        Deserializes an `AuthUser` from a cookie `dict`.

        """

        au = AuthUser(

            user_id=cookie.get('user_id'),

            is_external_auth=cookie.get('is_external_auth', False),

        )

        if not au.is_authenticated and au.user_id is not None:

            # user is not authenticated and not empty

        return au

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):

        _set = set()

        if inherit_from_default:

            default_ips = UserIpMap.query().filter(UserIpMap.user ==

                                            User.get_default_user(cache=True))

            if cache:

                default_ips = default_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_default"))

            # populate from default user

            for ip in default_ips:

                try:

                    _set.add(ip.ip_addr)

                except ObjectDeletedError:

                    # since we use heavy caching sometimes it happens that we get

                    # deleted objects here, we just skip them

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        meta.Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def redirect_to_login(message=None):

    from kallithea.lib import helpers as h

    p = request.path_qs

    if message:

        h.flash(h.literal(message), category='warning')

    log.debug('Redirecting to login page, origin: %s', p)

    raise HTTPFound(location=url('login_home', came_from=p))

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = controller.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        if not AuthUser.check_ip_allowed(user, controller.ip_addr):

            return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

        # check if we used an API key and it's a valid one

        api_key = request.GET.get('api_key')

        if api_key is not None:

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Oct 06, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import datetime

import logging

import time

import traceback

import webob.exc

import paste.httpexceptions

import paste.auth.basic

import paste.httpheaders

from pylons import config, tmpl_context as c, request, session, url

from pylons.controllers import WSGIController

from pylons.templating import render_mako as render  # don't remove this import

from pylons.i18n.translation import _

from kallithea import __version__, BACKENDS

from kallithea.lib.utils2 import str2bool, safe_unicode, AttributeDict,\

    safe_str, safe_int

from kallithea.lib import auth_modules

from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware

from kallithea.lib.utils import get_repo_slug

from kallithea.lib.exceptions import UserCreationError

from kallithea.lib.vcs.exceptions import RepositoryError, EmptyRepositoryError, ChangesetDoesNotExistError

from kallithea.model import meta

from kallithea.model.db import Repository, Ui, User, Setting

from kallithea.model.notification import NotificationModel

from kallithea.model.scm import ScmModel

from kallithea.model.pull_request import PullRequestModel

log = logging.getLogger(__name__)

def _filter_proxy(ip):

    """

    HEADERS can have multiple ips inside the left-most being the original

    client, and each successive proxy that passed the request adding the IP

    address where it received the request from.

    :param ip:

    """

    if ',' in ip:

        _ips = ip.split(',')

        _first_ip = _ips[0].strip()

        log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)

        return _first_ip

    return ip

def _get_ip_addr(environ):

    proxy_key = 'HTTP_X_REAL_IP'

    proxy_key2 = 'HTTP_X_FORWARDED_FOR'

    def_key = 'REMOTE_ADDR'

    ip = environ.get(proxy_key)

    if ip:

        return _filter_proxy(ip)

    ip = environ.get(proxy_key2)

    if ip:

        return _filter_proxy(ip)

    ip = environ.get(def_key, '0.0.0.0')

    return _filter_proxy(ip)

def _get_access_path(environ):

    path = environ.get('PATH_INFO')

    org_req = environ.get('pylons.original_request')

    if org_req:

        path = org_req.environ.get('PATH_INFO')

    return path

def log_in_user(user, remember, is_external_auth):

    """

    Log a `User` in and update session and cookies. If `remember` is True,

    the session cookie is set to expire in a year; otherwise, it expires at

    the end of the browser session.

    Returns populated `AuthUser` object.

    """

    user.update_lastlogin()

    meta.Session().commit()

    auth_user = AuthUser(dbuser=user,

                         is_external_auth=is_external_auth)

    # Start new session to prevent session fixation attacks.

    session.invalidate()

    session['authuser'] = cookie = auth_user.to_cookie()

    # If they want to be remembered, update the cookie.

    # NOTE: Assumes that beaker defaults to browser session cookie.

    if remember:

        t = datetime.datetime.now() + datetime.timedelta(days=365)

        session._set_cookie_expires(t)

    session.save()

    log.info('user %s is now authenticated and stored in '

             'session, session attrs %s', user.username, cookie)

    # dumps session attrs back to cookie

    session._update_cookie_out()

    return auth_user

class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):

    def __init__(self, realm, authfunc, auth_http_code=None):

        self.realm = realm

        self.authfunc = authfunc

        self._rc_auth_http_code = auth_http_code

    def build_authentication(self):

        head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)

        if self._rc_auth_http_code and self._rc_auth_http_code == '403':

            # return 403 if alternative http return code is specified in

            # Kallithea config

            return paste.httpexceptions.HTTPForbidden(headers=head)

        return paste.httpexceptions.HTTPUnauthorized(headers=head)

    def authenticate(self, environ):

        authorization = paste.httpheaders.AUTHORIZATION(environ)

        if not authorization:

            return self.build_authentication()

        (authmeth, auth) = authorization.split(' ', 1)

        if 'basic' != authmeth.lower():

            return self.build_authentication()

        auth = auth.strip().decode('base64')

        _parts = auth.split(':', 1)

        if len(_parts) == 2:

            username, password = _parts

            if self.authfunc(username, password, environ) is not None:

                return username

        return self.build_authentication()

    __call__ = authenticate

class BaseVCSController(object):

    def __init__(self, application, config):

        self.application = application

        self.config = config

        # base path of repo locations

        self.basepath = self.config['base_path']

        # authenticate this VCS request using the authentication modules

        self.authenticate = BasicAuth('', auth_modules.authenticate,

                                      config.get('auth_ret_code'))

        self.ip_addr = '0.0.0.0'

    def _handle_request(self, environ, start_response):

        raise NotImplementedError()

    def _get_by_id(self, repo_name):

        """

        Gets a special pattern _<ID> from clone url and tries to replace it

        with a repository_name for support of _<ID> permanent URLs

        :param repo_name:

        """

        data = repo_name.split('/')

        if len(data) >= 2:

            from kallithea.lib.utils import get_repo_by_id

            by_id_match = get_repo_by_id(repo_name)

            if by_id_match:

                data[1] = by_id_match

        return '/'.join(data)

    def _invalidate_cache(self, repo_name):

        """

        Sets cache for this repository for invalidation on next access

        :param repo_name: full repo name, also a cache key

        """

        ScmModel().mark_for_invalidation(repo_name)

    def _check_permission(self, action, user, repo_name, ip_addr=None):