def check_group_skip_path(environ, match_dict):

        """

        check for valid repository group for proper 404 handling, but skips

        verification of existing path

        :param environ:

        :param match_dict:

        """

        repos_group_name = match_dict.get('group_name')

        return is_valid_repos_group(repos_group_name, config['base_path'],

                                    skip_path_check=True)

    def check_int(environ, match_dict):

        return match_dict.get('id').isdigit()

    # The ErrorController route (handles 404/500 error pages); it should

    # likely stay at the top, ensuring it can always be resolved

    rmap.connect('/error/{action}', controller='error')

    rmap.connect('/error/{action}/{id}', controller='error')

    #==========================================================================

    # CUSTOM ROUTES HERE

    #==========================================================================

                  action="index", conditions=dict(method=["GET"]))

        m.connect("formatted_users_groups", "/users_groups.{format}",

                  action="index", conditions=dict(method=["GET"]))

        m.connect("new_users_group", "/users_groups/new",

                  action="new", conditions=dict(method=["GET"]))

        m.connect("formatted_new_users_group", "/users_groups/new.{format}",

                  action="new", conditions=dict(method=["GET"]))

        m.connect("update_users_group", "/users_groups/{id}",

                  action="update", conditions=dict(method=["PUT"]))

        m.connect("delete_users_group", "/users_groups/{id}",

                  action="delete", conditions=dict(method=["DELETE"]))

        m.connect("edit_users_group", "/users_groups/{id}/edit",

        m.connect("formatted_edit_users_group",

                  "/users_groups/{id}.{format}/edit",

                  action="edit", conditions=dict(method=["GET"]))

        m.connect("users_group", "/users_groups/{id}",

                  action="show", conditions=dict(method=["GET"]))

        m.connect("formatted_users_group", "/users_groups/{id}.{format}",

                  action="show", conditions=dict(method=["GET"]))

        #EXTRAS USER ROUTES

        # update

        m.connect("users_group_perm", "/users_groups/{id}/update_global_perm",

                  action="update_perm", conditions=dict(method=["PUT"]))

class PermissionsController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    # To properly map this controller, ensure your config/routing.py

    # file has a resource setup:

    #     map.resource('permission', 'permissions')

    @LoginRequired()

    @HasPermissionAllDecorator('hg.admin')

    def __before__(self):

        super(PermissionsController, self).__before__()

                                   ('repository.read', _('Read'),),

                                   ('repository.write', _('Write'),),

                                   ('repository.admin', _('Admin'),)]

            ('hg.register.none',

                _('Disabled')),

            ('hg.register.manual_activate',

                _('Allowed with manual account activation')),

            ('hg.register.auto_activate',

                _('Allowed with automatic account activation')), ]

    def index(self, format='html'):

        """GET /permissions: All items in the collection"""

        # url('permissions')

    def create(self):

        """POST /permissions: Create a new item"""

        # url('permissions')

    def new(self, format='html'):

        """GET /permissions/new: Form to create a new item"""

        # url('new_permission')

    def update(self, id):

        """PUT /permissions/id: Update an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="PUT" />

        # Or using helpers:

        #    h.form(url('permission', id=ID),

        #           method='put')

        # url('permission', id=ID)

        if id == 'default':

            c.perm_user = AuthUser(user_id=default_user.user_id)

            c.user_ip_map = UserIpMap.query()\

                            .filter(UserIpMap.user == default_user).all()

            _form = DefaultPermissionsForm(

            try:

                form_result = _form.to_python(dict(request.POST))

                form_result.update({'perm_user_name': id})

                Session().commit()

                h.flash(_('Default permissions updated successfully'),

                        category='success')

            except formencode.Invalid, errors:

                defaults = errors.value

                return htmlfill.render(

                    render('admin/permissions/permissions.html'),

                    defaults=defaults,

                    errors=errors.error_dict or {},

                    prefix_error=False,

    def show(self, id, format='html'):

        """GET /permissions/id: Show a specific item"""

        # url('permission', id=ID)

        Permission.get_or_404(-1)

    def edit(self, id, format='html'):

        """GET /permissions/id/edit: Form to edit an existing item"""

        #url('edit_permission', id=ID)

        #this form can only edit default user permissions

        if id == 'default':

            c.user_ip_map = UserIpMap.query()\

                if p.permission.permission_name.startswith('repository.'):

                    defaults['default_repo_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('group.'):

                    defaults['default_group_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.register.'):

                    defaults['default_register'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.fork.'):

                    defaults['default_fork'] = p.permission.permission_name

            return htmlfill.render(

                render('admin/permissions/permissions.html'),

                defaults=defaults,

                encoding="UTF-8",

                force_defaults=False

            )

        else:

            return redirect(url('admin_home'))

        c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)

        repo = db_repo.scm_instance

        if c.repo_info is None:

            h.not_mapped_error(repo_name)

            return redirect(url('repos'))

        ##override defaults for exact repo info here git/hg etc

        choices, c.landing_revs = ScmModel().get_repo_landing_revs(c.repo_info)

        c.landing_revs_choices = choices

        c.in_public_journal = UserFollowing.query()\

            .filter(UserFollowing.user_id == c.default_user_id)\

            .filter(UserFollowing.follows_repository == c.repo_info).scalar()

        if c.repo_info.stats:

            # this is on what revision we ended up so we add +1 for count

            last_rev = c.repo_info.stats.stat_on_revision + 1

        else:

            last_rev = 0

        c.stats_revision = last_rev

        c.repo_last_rev = repo.count() if repo.revisions else 0

        """

        Set's this repository to be visible in public journal,

        in other words assing default user to follow this repo

        :param repo_name:

        """

        cur_token = request.POST.get('auth_token')

        token = get_token()

        if cur_token == token:

            try:

                repo_id = Repository.get_by_repo_name(repo_name).repo_id

                self.scm_model.toggle_following_repo(repo_id, user_id)

                h.flash(_('Updated repository visibility in public journal'),

                        category='success')

                Session().commit()

            except Exception:

                h.flash(_('An error occurred during setting this'

                          ' repository in public journal'),

                        category='error')

        else:

            h.flash(_('Token mismatch'), category='error')

        return redirect(url('edit_repo', repo_name=repo_name))

        :param repo_name:

        """

        self.__load_defaults()

        c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)

        repo = db_repo.scm_instance

        if c.repo_info is None:

            h.not_mapped_error(repo_name)

            return redirect(url('repos'))

        c.in_public_journal = UserFollowing.query()\

            .filter(UserFollowing.user_id == c.default_user_id)\

            .filter(UserFollowing.follows_repository == c.repo_info).scalar()

        if c.repo_info.stats:

            last_rev = c.repo_info.stats.stat_on_revision+1

        else:

            last_rev = 0

        c.stats_revision = last_rev

        c.repo_last_rev = repo.count() if repo.revisions else 0

                return htmlfill.render(

                    render('/login.html'),

                    defaults=errors.value,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8")

        return render('/login.html')

    @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',

                               'hg.register.manual_activate')

    def register(self):

            .AuthUser.permissions['global']

        if request.POST:

            register_form = RegisterForm()()

            try:

                form_result = register_form.to_python(dict(request.POST))

                form_result['active'] = c.auto_active

                UserModel().create_registration(form_result)

                h.flash(_('You have successfully registered into RhodeCode'),

                            category='success')

                Session().commit()

                return redirect(url('login_home'))

                (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,

                                                                password)

                log.debug('Got ldap DN response %s' % user_dn)

                get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\

                                                           .get(k), [''])[0]

                user_attrs = {

                 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')),

                 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')),

                 'email': get_ldap_attr('ldap_attr_email'),

                 'active': 'hg.register.auto_activate' in User\

                }

                # don't store LDAP password since we don't need it. Override

                # with some random generated password

                _password = PasswordGenerator().gen_password(length=8)

                # create this user on the fly if it doesn't exist in rhodecode

                # database

                if user_model.create_ldap(username, _password, user_dn,

                                          user_attrs):

                    log.info('created new ldap user %s' % username)

                Session().commit()

                pass

    return False

def login_container_auth(username):

    user = User.get_by_username(username)

    if user is None:

        user_attrs = {

            'name': username,

            'lastname': None,

            'email': None,

            'active': 'hg.register.auto_activate' in User\

        }

        user = UserModel().create_for_container_auth(username, user_attrs)

        if not user:

            return None

        log.info('User %s was created by container authentication' % username)

    if not user.active:

        return None

    user.update_lastlogin()

    Session().commit()

            ('default_repo_enable_downloads', False),

            ('default_repo_enable_statistics', False),

            ('default_repo_private', False),

            ('default_repo_type', 'hg')]:

            if skip_existing and RhodeCodeSetting.get_by_name(k) != None:

                log.debug('Skipping option %s' % k)

                continue

            setting = RhodeCodeSetting(k, v)

            self.sa.add(setting)

    def fixup_groups(self):

        for g in RepoGroup.query().all():

            g.group_name = g.get_new_name(g.name)

            self.sa.add(g)

            # get default perm

            default = UserRepoGroupToPerm.query()\

                .filter(UserRepoGroupToPerm.group == g)\

                .filter(UserRepoGroupToPerm.user == def_usr)\

                .scalar()

            if default is None:

                log.debug('missing default permission for group %s adding' % g)

                perm_obj = ReposGroupModel()._create_default_perms(g)

        # create default user for handling default permissions.

        UserModel().create_or_update(username='default',

                              password=str(uuid.uuid1())[:8],

                              email='anonymous@rhodecode.org',

                              firstname='Anonymous', lastname='User')

    def create_permissions(self):

        """

        Creates all permissions defined in the system

        """

        # module.(access|create|change|delete)_[name]

        # module.(none|read|write|admin)

    def populate_default_permissions(self):

        """

        Populate default permissions. It will create only the default

        permissions that are missing, and not alter already defined ones

        """

        log.info('creating default user permissions')

        PermissionModel(self.sa).create_default_permissions(user=User.DEFAULT_USER)

    @staticmethod

    def check_waitress():

        """

from rhodecode.lib.vcs.utils.helpers import get_scm

from rhodecode.lib.vcs.exceptions import VCSError

from rhodecode.lib.caching_query import FromCache

from rhodecode.model import meta

from rhodecode.model.db import Repository, User, RhodeCodeUi, \

    UserLog, RepoGroup, RhodeCodeSetting, CacheInvalidation, UserGroup

from rhodecode.model.meta import Session

from rhodecode.model.repos_group import ReposGroupModel

from rhodecode.lib.utils2 import safe_str, safe_unicode

from rhodecode.lib.vcs.utils.fakemod import create_module

log = logging.getLogger(__name__)

REMOVED_REPO_PAT = re.compile(r'rm__\d{8}_\d{6}_\d{6}__.*')

def recursive_replace(str_, replace=' '):

    """

    Recursive replace of given sign to just one instance

    :param str_: given string

    :param replace: char to find and replace multiple instances

    """

    slug = remove_formatting(value)

    slug = strip_tags(slug)

    for c in """`?=[]\;'"<>,/~!@#$%^&*()+{}|: """:

        slug = slug.replace(c, '-')

    slug = recursive_replace(slug, '-')

    slug = collapse(slug, '-')

    return slug

def get_repo_slug(request):

    _repo = request.environ['pylons.routes_dict'].get('repo_name')

    if _repo:

        _repo = _repo.rstrip('/')

    return _repo

def get_repos_group_slug(request):

    _group = request.environ['pylons.routes_dict'].get('group_name')

    if _group:

        _group = _group.rstrip('/')

    return _group

def get_user_group_slug(request):

    _group = request.environ['pylons.routes_dict'].get('id')

    return _group

def action_logger(user, action, repo, ipaddr='', sa=None, commit=False):

    """

    Action logger for various actions made by users

    :param user: user that made this action, can be a unique username string or

        object containing user_id attribute

    :param action: action to log, should be on of predefined unique actions for

        easy translations

    :param repo: string name of repository or object containing repo_id,

         'mysql_charset': 'utf8'},

    )

    users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_name = Column("users_group_name", String(255, convert_unicode=False, assert_unicode=None), nullable=False, unique=True, default=None)

    users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)

    inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)

    members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")

    users_group_to_perm = relationship('UserGroupToPerm', cascade='all')

    users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')

    user_user_group_to_perm = relationship('UserUserGroupToPerm ', cascade='all')

    user = relationship('User')

    def __unicode__(self):

        return u"<%s('id:%s:%s')>" % (self.__class__.__name__,

                                      self.users_group_id,

                                      self.users_group_name)

    @classmethod

    def get_by_group_name(cls, group_name, cache=False,

                          case_insensitive=False):

        if case_insensitive:

        ('repository.admin', _('Repository admin access')),

        ('group.none', _('Repository group no access')),

        ('group.read', _('Repository group read access')),

        ('group.write', _('Repository group write access')),

        ('group.admin', _('Repository group admin access')),

        ('usergroup.none', _('User group no access')),

        ('usergroup.read', _('User group read access')),

        ('usergroup.write', _('User group write access')),

        ('usergroup.admin', _('User group admin access')),

        ('hg.create.none', _('Repository creation disabled')),

        ('hg.create.repository', _('Repository creation enabled')),

        ('hg.fork.none', _('Repository forking disabled')),

        ('hg.fork.repository', _('Repository forking enabled')),

        ('hg.register.none', _('Register disabled')),

        ('hg.register.manual_activate', _('Register new user with RhodeCode '

                                          'with manual activation')),

        ('hg.register.auto_activate', _('Register new user with RhodeCode '

                                        'with auto activation')),

    #definition of system default permissions for DEFAULT user

    DEFAULT_USER_PERMISSIONS = [

        'repository.read',

        'group.read',

        'usergroup.read',

        'hg.create.repository',

        'hg.fork.repository',

        'hg.register.manual_activate',

    ]

    # defines which permissions are more important higher the more important

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'repository.admin': 4,

        'group.none': 0,

        'group.read': 1,

        'group.write': 3,

        'group.admin': 4,

        'usergroup.none': 0,

        'usergroup.read': 1,

        'usergroup.write': 3,

        'usergroup.admin': 4,

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

        'hg.create.repository': 1

    }

    permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    permission_name = Column("permission_name", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    permission_longname = Column("permission_longname", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    def __unicode__(self):

        hooks_changegroup_repo_size = v.StringBoolean(if_missing=False)

        hooks_changegroup_push_logger = v.StringBoolean(if_missing=False)

        hooks_outgoing_pull_logger = v.StringBoolean(if_missing=False)

        extensions_largefiles = v.StringBoolean(if_missing=False)

        extensions_hgsubversion = v.StringBoolean(if_missing=False)

        extensions_hggit = v.StringBoolean(if_missing=False)

    return _ApplicationUiSettingsForm

def DefaultPermissionsForm(repo_perms_choices, group_perms_choices,

    class _DefaultPermissionsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        overwrite_default_repo = v.StringBoolean(if_missing=False)

        overwrite_default_group = v.StringBoolean(if_missing=False)

        anonymous = v.StringBoolean(if_missing=False)

        default_repo_perm = v.OneOf(repo_perms_choices)

        default_group_perm = v.OneOf(group_perms_choices)

        default_fork = v.OneOf(fork_choices)

    return _DefaultPermissionsForm

def DefaultsForm(edit=False, old_data={}, supported_backends=BACKENDS.keys()):

    class _DefaultsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        default_repo_type = v.OneOf(supported_backends)

        default_repo_private = v.StringBoolean(if_missing=False)

        default_repo_enable_statistics = v.StringBoolean(if_missing=False)

        default_repo_enable_downloads = v.StringBoolean(if_missing=False)

        default_repo_enable_locking = v.StringBoolean(if_missing=False)

from rhodecode.lib.utils2 import str2bool

log = logging.getLogger(__name__)

class PermissionModel(BaseModel):

    """

    Permissions model for RhodeCode

    """

    cls = Permission

    def create_default_permissions(self, user):

        """

        Creates only missing default permissions for user

        :param user:

        """

        user = self._get_user(user)

        def _make_perm(perm):

            new_perm = UserToPerm()

            new_perm.user = user

            new_perm.permission = Permission.get_by_key(perm)

    def update(self, form_result):

        perm_user = User.get_by_username(username=form_result['perm_user_name'])

        try:

            # stage 1 set anonymous access

            if perm_user.username == 'default':

                perm_user.active = str2bool(form_result['anonymous'])

                self.sa.add(perm_user)

            # stage 2 reset defaults and set them from form data

            def _make_new(usr, perm_name):

                new = UserToPerm()

                new.user = usr

                new.permission = Permission.get_by_key(perm_name)

                return new

            # clear current entries, to make this function idempotent

            # it will fix even if we define more permissions or permissions

            # are somehow missing

            u2p = self.sa.query(UserToPerm)\

                .filter(UserToPerm.user == perm_user)\

                .all()

            for p in u2p:

                self.sa.delete(p)

            #create fresh set of permissions

            for def_perm_key in ['default_repo_perm', 'default_group_perm',

                p = _make_new(perm_user, form_result[def_perm_key])

                self.sa.add(p)

            #stage 3 update all default permissions for repos if checked

            if form_result['overwrite_default_repo'] == True:

                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

                _def = Permission.get_by_key('repository.' + _def_name)

                # repos

                for r2p in self.sa.query(UserRepoToPerm)\

                               .filter(UserRepoToPerm.user == perm_user)\

                               .all():

    def _get_user_group(self, users_group):

        return self._get_instance(UserGroup, users_group,

                                  callback=UserGroup.get_by_group_name)

    def _get_repo_group(self, repos_group):

        return self._get_instance(RepoGroup, repos_group,

                                  callback=RepoGroup.get_by_group_name)

    def _create_default_perms(self, repository, private):

        # create default permission

        default = 'repository.read'

        for p in def_user.user_perms:

            if p.permission.permission_name.startswith('repository.'):

                default = p.permission.permission_name

                break

        default_perm = 'repository.none' if private else default

        repo_to_perm = UserRepoToPerm()

        repo_to_perm.permission = Permission.get_by_key(default_perm)

        repo_to_perm.repository = repository

        repo_to_perm.user_id = def_user.user_id

    @LazyProperty

    def repos_path(self):

        """

        Get's the repositories root path from database

        """

        q = RhodeCodeUi.get_by_key('/')

        return q.ui_value

    def _create_default_perms(self, new_group):

        # create default permission

        default_perm = 'group.read'

        for p in def_user.user_perms:

            if p.permission.permission_name.startswith('group.'):

                default_perm = p.permission.permission_name

                break