for perm in default_global_perms:

        permissions[GLOBAL].add(perm.permission.permission_name)

    # defaults for repositories, taken from default user

    for perm in default_repo_perms:

        r_k = perm.UserRepoToPerm.repository.repo_name

        if perm.Repository.private and not (perm.Repository.user_id == uid):

            # disable defaults for private repos,

            p = 'repository.none'

        elif perm.Repository.user_id == uid:

            # set admin if owner

            p = 'repository.admin'

        else:

            p = perm.Permission.permission_name

        permissions[RK][r_k] = p

    # defaults for repository groups taken from default user permission

    # on given group

    for perm in default_repo_groups_perms:

        rg_k = perm.UserRepoGroupToPerm.group.group_name

        p = perm.Permission.permission_name

        permissions[GK][rg_k] = p

    # defaults for user groups taken from default user permission

    # on given user group

    for perm in default_user_group_perms:

        u_k = perm.UserUserGroupToPerm.user_group.users_group_name

        p = perm.Permission.permission_name

        permissions[UK][u_k] = p

    #======================================================================

    # !! OVERRIDE GLOBALS !! with user permissions if any found

    #======================================================================

    # those can be configured from groups or users explicitly

    _configurable = set([

        'hg.fork.none', 'hg.fork.repository',

        'hg.create.none', 'hg.create.repository',

        'hg.usergroup.create.false', 'hg.usergroup.create.true'

    ])

    # USER GROUPS comes first

    # user group global permissions

    user_perms_from_users_groups = Session().query(UserGroupToPerm)\

        .options(joinedload(UserGroupToPerm.permission))\

        .join((UserGroupMember, UserGroupToPerm.users_group_id ==

               UserGroupMember.users_group_id))\

        .filter(UserGroupMember.user_id == uid)\

        .order_by(UserGroupToPerm.users_group_id)\

        .all()

    # need to group here by groups since user can be in more than

    # one group

    _grouped = [[x, list(y)] for x, y in

                itertools.groupby(user_perms_from_users_groups,

                                  lambda x:x.users_group)]

    for gr, perms in _grouped:

        # since user can be in multiple groups iterate over them and

        # select the lowest permissions first (more explicit)

        ##TODO: do this^^

        if not gr.inherit_default_permissions:

            # NEED TO IGNORE all configurable permissions and

            # replace them with explicitly set

            permissions[GLOBAL] = permissions[GLOBAL]\

                                            .difference(_configurable)

        for perm in perms:

            permissions[GLOBAL].add(perm.permission.permission_name)

    # user specific global permissions

    user_perms = Session().query(UserToPerm)\

            .options(joinedload(UserToPerm.permission))\

            .filter(UserToPerm.user_id == uid).all()

    if not user_inherit_default_permissions:

        # NEED TO IGNORE all configurable permissions and

        # replace them with explicitly set

        permissions[GLOBAL] = permissions[GLOBAL]\

                                        .difference(_configurable)

        for perm in user_perms:

            permissions[GLOBAL].add(perm.permission.permission_name)

    ## END GLOBAL PERMISSIONS

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORIES !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository and

    # fill in his permission from it. _choose_perm decides of which

    # permission should be selected based on selected method

    #======================================================================

    # user group for repositories permissions

    user_repo_perms_from_users_groups = \

     Session().query(UserGroupRepoToPerm, Permission, Repository,)\

        .join((Repository, UserGroupRepoToPerm.repository_id ==

               Repository.repo_id))\

        .join((Permission, UserGroupRepoToPerm.permission_id ==

               Permission.permission_id))\

        .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==

               UserGroupMember.users_group_id))\

        .filter(UserGroupMember.user_id == uid)\

        .all()

    multiple_counter = collections.defaultdict(int)

    for perm in user_repo_perms_from_users_groups:

        r_k = perm.UserGroupRepoToPerm.repository.repo_name

        multiple_counter[r_k] += 1

        p = perm.Permission.permission_name

        cur_perm = permissions[RK][r_k]

        if perm.Repository.user_id == uid:

            # set admin if owner

            p = 'repository.admin'

        else:

            if multiple_counter[r_k] > 1:

                p = _choose_perm(p, cur_perm)

        permissions[RK][r_k] = p

    # user explicit permissions for repositories, overrides any specified

    # by the group permission

    user_repo_perms = Permission.get_default_perms(uid)

    for perm in user_repo_perms:

        r_k = perm.UserRepoToPerm.repository.repo_name

        cur_perm = permissions[RK][r_k]

        # set admin if owner

        if perm.Repository.user_id == uid:

            p = 'repository.admin'

        else:

            p = perm.Permission.permission_name

            if not explicit:

                p = _choose_perm(p, cur_perm)

        permissions[RK][r_k] = p

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORY GROUPS !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository groups and

    # fill in his permission from it. _choose_perm decides of which

    # permission should be selected based on selected method

    #======================================================================

    # user group for repo groups permissions

    user_repo_group_perms_from_users_groups = \

     Session().query(UserGroupRepoGroupToPerm, Permission, RepoGroup)\

     .join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\

     .join((Permission, UserGroupRepoGroupToPerm.permission_id

            == Permission.permission_id))\

     .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id

            == UserGroupMember.users_group_id))\

     .filter(UserGroupMember.user_id == uid)\

     .all()

    multiple_counter = collections.defaultdict(int)

    for perm in user_repo_group_perms_from_users_groups:

        g_k = perm.UserGroupRepoGroupToPerm.group.group_name

        multiple_counter[g_k] += 1

        p = perm.Permission.permission_name

        cur_perm = permissions[GK][g_k]

        if multiple_counter[g_k] > 1:

            p = _choose_perm(p, cur_perm)

        permissions[GK][g_k] = p

    # user explicit permissions for repository groups

    user_repo_groups_perms = Permission.get_default_group_perms(uid)

    for perm in user_repo_groups_perms:

        rg_k = perm.UserRepoGroupToPerm.group.group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[GK][rg_k]

        if not explicit:

            p = _choose_perm(p, cur_perm)

        permissions[GK][rg_k] = p

    #======================================================================

    # !! PERMISSIONS FOR USER GROUPS !!

    #======================================================================

    # user group for user group permissions

    user_group_user_groups_perms = \

     Session().query(UserGroupUserGroupToPerm, Permission, UserGroup)\

     .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id

            == UserGroup.users_group_id))\

     .join((Permission, UserGroupUserGroupToPerm.permission_id

            == Permission.permission_id))\

     .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id

            == UserGroupMember.users_group_id))\

     .filter(UserGroupMember.user_id == uid)\

     .all()

    multiple_counter = collections.defaultdict(int)

    for perm in user_group_user_groups_perms:

        g_k = perm.UserGroupUserGroupToPerm.target_user_group.users_group_name

        multiple_counter[g_k] += 1

        p = perm.Permission.permission_name

        cur_perm = permissions[UK][g_k]

        if multiple_counter[g_k] > 1:

            p = _choose_perm(p, cur_perm)

        permissions[UK][g_k] = p

    #user explicit permission for user groups

    user_user_groups_perms = Permission.get_default_user_group_perms(uid)

    for perm in user_user_groups_perms:

        u_k = perm.UserUserGroupToPerm.user_group.users_group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[UK][u_k]

        if not explicit:

            p = _choose_perm(p, cur_perm)

        permissions[UK][u_k] = p

    return permissions

def allowed_api_access(controller_name, whitelist=None, api_key=None):

    """

    Check if given controller_name is in whitelist API access

    """

    if not whitelist:

        from kallithea import CONFIG

        whitelist = aslist(CONFIG.get('api_access_controllers_whitelist'),

                           sep=',')

        log.debug('whitelist of API access is: %s' % (whitelist))

    api_access_valid = controller_name in whitelist

    if api_access_valid:

        log.debug('controller:%s is in API whitelist' % (controller_name))

    else:

        msg = 'controller: %s is *NOT* in API whitelist' % (controller_name)

        if api_key:

            #if we use API key and don't have access it's a warning

            log.warning(msg)

        else:

            log.debug(msg)

    return api_access_valid

class AuthUser(object):

    def remove_user_from_group(self, user_group, user):

        user_group = self._get_user_group(user_group)

        user = self._get_user(user)

        user_group_member = None

        for m in user_group.members:

            if m.user.user_id == user.user_id:

                # Found this user's membership row

                user_group_member = m

                break

        if user_group_member:

            try:

                self.sa.delete(user_group_member)

                return True

            except Exception:

                log.error(traceback.format_exc())

                raise

        else:

            # User isn't in that group

            return False

    def has_perm(self, user_group, perm):

        user_group = self._get_user_group(user_group)

        perm = self._get_perm(perm)

        return UserGroupToPerm.query()\

            .filter(UserGroupToPerm.users_group == user_group)\

            .filter(UserGroupToPerm.permission == perm).scalar() is not None

    def grant_perm(self, user_group, perm):

        user_group = self._get_user_group(user_group)

        perm = self._get_perm(perm)

        # if this permission is already granted skip it

        _perm = UserGroupToPerm.query()\

            .filter(UserGroupToPerm.users_group == user_group)\

            .filter(UserGroupToPerm.permission == perm)\

            .scalar()

        if _perm:

            return

        new = UserGroupToPerm()

        new.users_group = user_group

        new.permission = perm

        self.sa.add(new)

        return new

        user_group = self._get_user_group(user_group)

        perm = self._get_perm(perm)

        obj = UserGroupToPerm.query()\

            .filter(UserGroupToPerm.users_group == user_group)\

            .filter(UserGroupToPerm.permission == perm).scalar()

        if obj:

            self.sa.delete(obj)

    def grant_user_permission(self, user_group, user, perm):

        """

        Grant permission for user on given user group, or update

        existing one if found

        :param user_group: Instance of UserGroup, users_group_id,

            or users_group_name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        user_group = self._get_user_group(user_group)

        user = self._get_user(user)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserUserGroupToPerm)\

            .filter(UserUserGroupToPerm.user == user)\

            .filter(UserUserGroupToPerm.user_group == user_group)\

            .scalar()

        if obj is None:

            # create new !

            obj = UserUserGroupToPerm()

        obj.user_group = user_group

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, user, user_group))

        return obj

    def revoke_user_permission(self, user_group, user):

        """

        Revoke permission for user on given repository group

        :param user_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

class TestPermissions(BaseTestCase):

    def __init__(self, methodName='runTest'):

        super(TestPermissions, self).__init__(methodName=methodName)

    @classmethod

    def setUpClass(cls):

        #recreate default user to get a clean start

        PermissionModel().create_default_permissions(user=User.DEFAULT_USER,

                                                     force=True)

        Session().commit()

    def setUp(self):

        self.u1 = UserModel().create_or_update(

            username=u'u1', password=u'qweqwe',

            email=u'u1@example.com', firstname=u'u1', lastname=u'u1'

        )

        self.u2 = UserModel().create_or_update(

            username=u'u2', password=u'qweqwe',

            email=u'u2@example.com', firstname=u'u2', lastname=u'u2'

        )

        self.u3 = UserModel().create_or_update(

            username=u'u3', password=u'qweqwe',

            email=u'u3@example.com', firstname=u'u3', lastname=u'u3'

        )

        self.anon = User.get_default_user()

        self.a1 = UserModel().create_or_update(

            username=u'a1', password=u'qweqwe',

            email=u'a1@example.com', firstname=u'a1', lastname=u'a1', admin=True

        )

        Session().commit()

    def tearDown(self):

        if hasattr(self, 'test_repo'):

            RepoModel().delete(repo=self.test_repo)

        UserModel().delete(self.u1)

        UserModel().delete(self.u2)

        UserModel().delete(self.u3)

        UserModel().delete(self.a1)

        if hasattr(self, 'g1'):

            RepoGroupModel().delete(self.g1.group_id)

        if hasattr(self, 'g2'):

            RepoGroupModel().delete(self.g2.group_id)

        if hasattr(self, 'ug1'):

            UserGroupModel().delete(self.ug1, force=True)

        Session().commit()

    def test_default_perms_set(self):

        u1_auth = AuthUser(user_id=self.u1.user_id)

        perms = {

            'repositories_groups': {},

            'global': set([u'hg.create.repository', u'repository.read',

                           u'hg.register.manual_activate']),

            'repositories': {u'vcs_test_hg': u'repository.read'}

        }

        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1,

                                          perm=new_perm)

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

                         new_perm)

    def test_default_admin_perms_set(self):

        a1_auth = AuthUser(user_id=self.a1.user_id)

        perms = {

            'repositories_groups': {},

            'global': set([u'hg.admin', 'hg.create.write_on_repogroup.true']),

            'repositories': {u'vcs_test_hg': u'repository.admin'}

        }

        self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=HG_REPO, user=self.a1,

                                          perm=new_perm)

        Session().commit()

        # cannot really downgrade admins permissions !? they still gets set as

        # admin !

        u1_auth = AuthUser(user_id=self.a1.user_id)

        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

    def test_default_group_perms(self):

        self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)

        self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)

        u1_auth = AuthUser(user_id=self.u1.user_id)

        perms = {

            'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},

            'global': set(Permission.DEFAULT_USER_PERMISSIONS),

        #disable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.repository')

        user_model.grant_perm(self.u1, 'hg.create.none')

        user_model.revoke_perm(self.u1, 'hg.fork.repository')

        user_model.grant_perm(self.u1, 'hg.fork.none')

        # make sure inherit flag is turned off

        self.u1.inherit_default_permissions = False

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have non inherited permissions from he's

        # explicitly set permissions

        self.assertEqual(u1_auth.permissions['global'],

                         set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read', 'hg.create.write_on_repogroup.true']))

    def test_non_inherited_permissions_from_default_on_user_disabled(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        #enable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.none')

        user_model.grant_perm(self.u1, 'hg.create.repository')

        user_model.revoke_perm(self.u1, 'hg.fork.none')

        user_model.grant_perm(self.u1, 'hg.fork.repository')

        # make sure inherit flag is turned off

        self.u1.inherit_default_permissions = False

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have non inherited permissions from he's

        # explicitly set permissions

        self.assertEqual(u1_auth.permissions['global'],

                         set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read', 'hg.create.write_on_repogroup.true']))

    def test_owner_permissions_doesnot_get_overwritten_by_group(self):

        #create repo as USER,

        self.test_repo = fixture.create_repo(name='myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u1)

        #he has permissions of admin as owner

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

        #set his permission as user group, he should still be admin

        self.ug1 = fixture.create_user_group('G1')

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        RepoModel().grant_user_group_permission(self.test_repo,

                                                 group_name=self.ug1,

                                                 perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

    def test_owner_permissions_doesnot_get_overwritten_by_others(self):

        #create repo as USER,

        self.test_repo = fixture.create_repo(name='myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u1)

        #he has permissions of admin as owner

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

        #set his permission as user, he should still be admin

        RepoModel().grant_user_permission(self.test_repo, user=self.u1,

                                          perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

    def _test_def_perm_equal(self, user, change_factor=0):

        perms = UserToPerm.query()\

                .filter(UserToPerm.user == user)\

                .all()

        self.assertEqual(len(perms),

                         len(Permission.DEFAULT_USER_PERMISSIONS,)+change_factor,

                         msg=perms)