try:

                    _set.add(ip.ip_addr)

                except ObjectDeletedError:

                    # since we use heavy caching sometimes it happens that we get

                    # deleted objects here, we just skip them

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        meta.Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def redirect_to_login(message=None):

    from kallithea.lib import helpers as h

    p = url.current()

    log.debug('Redirecting to login page, origin: %s' % p)

    return redirect(url('login_home', came_from=p))

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = cls.authuser

        loc = "%s:%s" % (cls.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s' % (user, loc))

        # check if our IP is allowed

        if not user.ip_allowed:

            return redirect_to_login(_('IP %s not allowed' % (user.ip_addr)))

        # check if we used an API key and it's a valid one

        api_key = request.GET.get('api_key')

        if api_key is not None:

            # explicit controller is enabled or API is in our whitelist

            if self.api_access or allowed_api_access(loc, api_key=api_key):

                if api_key in user.api_keys:

                    log.info('user %s authenticated with API key ****%s @ %s'

                             % (user, api_key[-4:], loc))

                    return func(*fargs, **fkwargs)

                else:

                    log.warning('API key ****%s is NOT valid' % api_key[-4:])

                    return redirect_to_login(_('Invalid API key'))

            else:

                # controller does not allow API access

                log.warning('API access to %s is not allowed' % loc)

                return abort(403)

        # CSRF protection - POSTs with session auth must contain correct token

        if request.POST and user.is_authenticated:

            token = request.POST.get(secure_form.token_key)