perm = perm.replace('group.', 'repository.')

                RepoModel().grant_user_permission(

                    repo=obj, user=user, perm=perm

                )

        def _set_perm_group(obj, users_group, perm):

            if isinstance(obj, RepoGroup):

                ReposGroupModel().grant_users_group_permission(

                    repos_group=obj, group_name=users_group, perm=perm

                )

            elif isinstance(obj, Repository):

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                RepoModel().grant_users_group_permission(

                    repo=obj, group_name=users_group, perm=perm

                )

        updates = []

        log.debug('Now updating permissions for %s in recursive mode:%s'

                  % (repos_group, recursive))

        for obj in repos_group.recursive_groups_and_repos():

            if not recursive:

                obj = repos_group

            # update permissions

            for member, perm, member_type in perms_updates:

                ## set for user

                if member_type == 'user':

                    # this updates also current one if found

                    _set_perm_user(obj, user=member, perm=perm)

                ## set for users group

                else:

                    _set_perm_group(obj, users_group=member, perm=perm)

            # set new permissions

            for member, perm, member_type in perms_new:

                if member_type == 'user':

                    _set_perm_user(obj, user=member, perm=perm)

                else:

                    _set_perm_group(obj, users_group=member, perm=perm)

            updates.append(obj)

            #if it's not recursive call

            # break the loop and don't proceed with other changes

            if not recursive:

                break

        return updates

    def update(self, repos_group_id, form_data):

        try:

            repos_group = RepoGroup.get(repos_group_id)

            recursive = form_data['recursive']

            # iterate over all members(if in recursive mode) of this groups and

            # set the permissions !

            # this can be potentially heavy operation

            self._update_permissions(repos_group, form_data['perms_new'],

                                     form_data['perms_updates'], recursive)

            old_path = repos_group.full_path

            # change properties

            repos_group.group_description = form_data['group_description']

            repos_group.parent_group = RepoGroup.get(form_data['group_parent_id'])

            repos_group.group_parent_id = form_data['group_parent_id']

            repos_group.enable_locking = form_data['enable_locking']

            repos_group.group_name = repos_group.get_new_name(form_data['group_name'])

            new_path = repos_group.full_path

            self.sa.add(repos_group)

            # iterate over all members of this groups and set the locking !

            # this can be potentially heavy operation

            for obj in repos_group.recursive_groups_and_repos():

                #set the value from it's parent

                obj.enable_locking = repos_group.enable_locking

                self.sa.add(obj)

            # we need to get all repositories from this new group and

            # rename them accordingly to new group path

            for r in repos_group.repositories:

                r.repo_name = r.get_new_name(r.just_name)

                self.sa.add(r)

            self.__rename_group(old_path, new_path)

            return repos_group

        except:

            log.error(traceback.format_exc())

            raise

    def delete(self, repos_group, force_delete=False):

        repos_group = self._get_repos_group(repos_group)

        try:

            self.sa.delete(repos_group)

            self.__delete_group(repos_group, force_delete)

        except:

            raise

    def delete_permission(self, repos_group, obj, obj_type, recursive):

        """

        Revokes permission for repos_group for given obj(user or users_group),

        obj_type can be user or users group

        :param repos_group:

        :param obj: user or users group id

        :param obj_type: user or users group type

        :param recursive: recurse to all children of group

        """

        from rhodecode.model.repo import RepoModel

        repos_group = self._get_repos_group(repos_group)

        for el in repos_group.recursive_groups_and_repos():

            if not recursive:

                # if we don't recurse set the permission on only the top level

                # object

                el = repos_group

            if isinstance(el, RepoGroup):

                if obj_type == 'user':

                    ReposGroupModel().revoke_user_permission(el, user=obj)

                elif obj_type == 'users_group':

                    ReposGroupModel().revoke_users_group_permission(el, group_name=obj)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            elif isinstance(el, Repository):

                if obj_type == 'user':

                    RepoModel().revoke_user_permission(el, user=obj)

                elif obj_type == 'users_group':

                    RepoModel().revoke_users_group_permission(el, group_name=obj)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            #if it's not recursive call

            # break the loop and don't proceed with other changes

            if not recursive:

                break

    def grant_user_permission(self, repos_group, user, perm):

        """

        Grant permission for user on given repositories group, or update

        existing one if found

        :param repos_group: Instance of ReposGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        repos_group = self._get_repos_group(repos_group)

        user = self._get_user(user)

        permission = self._get_perm(perm)

        # check if we have that permission already

        obj = self.sa.query(UserRepoGroupToPerm)\

            .filter(UserRepoGroupToPerm.user == user)\

            .filter(UserRepoGroupToPerm.group == repos_group)\

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoGroupToPerm()

        obj.group = repos_group

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, user, repos_group))

    def revoke_user_permission(self, repos_group, user):

        """

        Revoke permission for user on given repositories group

        :param repos_group: Instance of ReposGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

        repos_group = self._get_repos_group(repos_group)

        user = self._get_user(user)

        obj = self.sa.query(UserRepoGroupToPerm)\

            .filter(UserRepoGroupToPerm.user == user)\

            .filter(UserRepoGroupToPerm.group == repos_group)\

            .scalar()

        if obj:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s' % (repos_group, user))

    def grant_users_group_permission(self, repos_group, group_name, perm):

        """

        Grant permission for users group on given repositories group, or update

        existing one if found

        :param repos_group: Instance of ReposGroup, repositories_group_id,