Changeset - af049a957506
Parent rev.
Child rev.
[Not reviewed]
beta
0 4 0
Marcin Kuzminski - 13 years ago 2013-04-10 02:55:21
marcin@python-works.com
fixed default permissions population during upgrades
- it often happen that introducing new permission
caused default permission to reset it's state to installation
default.
new version makes sure that only missing permissions are
created while leaving old defaults
4 files changed with 146 insertions and 39 deletions:
rhodecode/lib/db_manage.py
10
21
rhodecode/model/db.py
22
5
rhodecode/model/permission.py
43
7
rhodecode/tests/models/test_permissions.py
71
6
0 comments (0 inline, 0 general)
rhodecode/lib/db_manage.py
Show inline comments
 
@@ -35,24 +35,25 @@ from rhodecode import __dbversion__, __p
 
from rhodecode.model.user import UserModel
 
from rhodecode.lib.utils import ask_ok
 
from rhodecode.model import init_model
 
from rhodecode.model.db import User, Permission, RhodeCodeUi, \
 
    RhodeCodeSetting, UserToPerm, DbMigrateVersion, RepoGroup, \
 
    UserRepoGroupToPerm
 

			




	
	
	
		
 
from sqlalchemy.engine import create_engine

			




	
	
	
		
 
from rhodecode.model.repos_group import ReposGroupModel

			




	
	
	
		
 
#from rhodecode.model import meta

			




	
	
	
		
 
from rhodecode.model.meta import Session, Base

			




	
	
	
		
 
from rhodecode.model.repo import RepoModel

			




	
	
	
		
 
from rhodecode.model.permission import PermissionModel

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def notify(msg):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Notification for migrations messages

			




	
	
	
		
 
    """

			




	
	
	
		
 
    ml = len(msg) + (4 * 2)

			




	
	
	
		
 
    print >> sys.stdout, ('*** %s ***\n%s' % (msg, '*' * ml)).upper()

			




	
	
	
		
 

			




	
	
		
 
@@ -541,25 +542,25 @@ class DbManage(object):

			




	
	
	
		
 
        bad permissions, we must clean them up

			




	
	
	
		
 

			




	
	
	
		
 
        :param username:

			




	
	
	
		
 
        :type username:

			




	
	
	
		
 
        """

			




	
	
	
		
 
        default_user = User.get_by_username(username)

			




	
	
	
		
 
        if not default_user:

			




	
	
	
		
 
            return

			




	
	
	
		
 

			




	
	
	
		
 
        u2p = UserToPerm.query()\

			




	
	
	
		
 
            .filter(UserToPerm.user == default_user).all()

			




	
	
	
		
 
        fixed = False

			




	
	
	
		
 
        if len(u2p) != len(User.DEFAULT_PERMISSIONS):

			




	
	
	
		
 
        if len(u2p) != len(Permission.DEFAULT_USER_PERMISSIONS):

			




	
	
	
		
 
            for p in u2p:

			




	
	
	
		
 
                Session().delete(p)

			




	
	
	
		
 
            fixed = True

			




	
	
	
		
 
            self.populate_default_permissions()

			




	
	
	
		
 
        return fixed

			




	
	
	
		
 

			




	
	
	
		
 
    def update_repo_info(self):

			




	
	
	
		
 
        RepoModel.update_repoinfo()

			




	
	
	
		
 

			




	
	
	
		
 
    def config_prompt(self, test_repo_path='', retries=3):

			




	
	
	
		
 
        defaults = self.cli_args

			




	
	
	
		
 
        _path = defaults.get('repos_location')

			




	
	
		
 
@@ -673,54 +674,42 @@ class DbManage(object):

			




	
	
	
		
 
                                     firstname='RhodeCode', lastname='Admin',

			




	
	
	
		
 
                                     active=True, admin=admin)

			




	
	
	
		
 

			




	
	
	
		
 
    def create_default_user(self):

			




	
	
	
		
 
        log.info('creating default user')

			




	
	
	
		
 
        # create default user for handling default permissions.

			




	
	
	
		
 
        UserModel().create_or_update(username='default',

			




	
	
	
		
 
                              password=str(uuid.uuid1())[:8],

			




	
	
	
		
 
                              email='anonymous@rhodecode.org',

			




	
	
	
		
 
                              firstname='Anonymous', lastname='User')

			




	
	
	
		
 

			




	
	
	
		
 
    def create_permissions(self):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Creates all permissions defined in the system

			




	
	
	
		
 
        """

			




	
	
	
		
 
        # module.(access|create|change|delete)_[name]

			




	
	
	
		
 
        # module.(none|read|write|admin)

			




	
	
	
		
 

			




	
	
	
		
 
        for p in Permission.PERMS:

			




	
	
	
		
 
            if not Permission.get_by_key(p[0]):

			




	
	
	
		
 
                new_perm = Permission()

			




	
	
	
		
 
                new_perm.permission_name = p[0]

			




	
	
	
		
 
                new_perm.permission_longname = p[0]

			




	
	
	
		
 
                self.sa.add(new_perm)

			




	
	
	
		
 

			




	
	
	
		
 
    def populate_default_permissions(self):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Populate default permissions. It will create only the default

			




	
	
	
		
 
        permissions that are missing, and not alter already defined ones

			




	
	
	
		
 
        """

			




	
	
	
		
 
        log.info('creating default user permissions')

			




	
	
	
		
 

			




	
	
	
		
 
        default_user = User.get_by_username('default')

			




	
	
	
		
 

			




	
	
	
		
 
        for def_perm in User.DEFAULT_PERMISSIONS:

			




	
	
	
		
 

			




	
	
	
		
 
            perm = self.sa.query(Permission)\

			




	
	
	
		
 
             .filter(Permission.permission_name == def_perm)\

			




	
	
	
		
 
             .scalar()

			




	
	
	
		
 
            if not perm:

			




	
	
	
		
 
                raise Exception(

			




	
	
	
		
 
                  'CRITICAL: permission %s not found inside database !!'

			




	
	
	
		
 
                  % def_perm

			




	
	
	
		
 
                )

			




	
	
	
		
 
            if not UserToPerm.query()\

			




	
	
	
		
 
                .filter(UserToPerm.permission == perm)\

			




	
	
	
		
 
                .filter(UserToPerm.user == default_user).scalar():

			




	
	
	
		
 
                reg_perm = UserToPerm()

			




	
	
	
		
 
                reg_perm.user = default_user

			




	
	
	
		
 
                reg_perm.permission = perm

			




	
	
	
		
 
                self.sa.add(reg_perm)

			




	
	
	
		
 
        PermissionModel(self.sa).create_default_permissions(user=User.DEFAULT_USER)

			




	
	
	
		
 

			




	
	
	
		
 
    @staticmethod

			




	
	
	
		
 
    def check_waitress():

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Function executed at the end of setup

			




	
	
	
		
 
        """

			




	
	
	
		
 
        if not __py_version__ >= (2, 6):

			




	
	
	
		
 
            notify('Python2.5 detected, please switch '

			




	
	
	
		
 
                   'egg:waitress#main -> egg:Paste#http '

			




	
	
	
		
 
                   'in your .ini file')

			




        

    


    
    

    

        

                

                    rhodecode/model/db.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -311,28 +311,25 @@ class RhodeCodeUi(Base, BaseModel):

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class User(Base, BaseModel):

			




	
	
	
		
 
    __tablename__ = 'users'

			




	
	
	
		
 
    __table_args__ = (

			




	
	
	
		
 
        UniqueConstraint('username'), UniqueConstraint('email'),

			




	
	
	
		
 
        Index('u_username_idx', 'username'),

			




	
	
	
		
 
        Index('u_email_idx', 'email'),

			




	
	
	
		
 
        {'extend_existing': True, 'mysql_engine': 'InnoDB',

			




	
	
	
		
 
         'mysql_charset': 'utf8'}

			




	
	
	
		
 
    )

			




	
	
	
		
 
    DEFAULT_USER = 'default'

			




	
	
	
		
 
    DEFAULT_PERMISSIONS = [

			




	
	
	
		
 
        'hg.register.manual_activate', 'hg.create.repository',

			




	
	
	
		
 
        'hg.fork.repository', 'repository.read', 'group.read'

			




	
	
	
		
 
    ]

			




	
	
	
		
 

			




	
	
	
		
 
    user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

			




	
	
	
		
 
    username = Column("username", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    password = Column("password", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    active = Column("active", Boolean(), nullable=True, unique=None, default=True)

			




	
	
	
		
 
    admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)

			




	
	
	
		
 
    name = Column("firstname", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    lastname = Column("lastname", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    _email = Column("email", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    ldap_dn = Column("ldap_dn", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    api_key = Column("api_key", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

			




	
	
	
		
 
    inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)

			




	
	
		
 
@@ -493,24 +490,31 @@ class User(Base, BaseModel):

			




	
	
	
		
 
        """Update user lastlogin"""

			




	
	
	
		
 
        self.last_login = datetime.datetime.now()

			




	
	
	
		
 
        Session().add(self)

			




	
	
	
		
 
        log.debug('updated user %s lastlogin' % self.username)

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def get_first_admin(cls):

			




	
	
	
		
 
        user = User.query().filter(User.admin == True).first()

			




	
	
	
		
 
        if user is None:

			




	
	
	
		
 
            raise Exception('Missing administrative account!')

			




	
	
	
		
 
        return user

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def get_default_user(cls, cache=False):

			




	
	
	
		
 
        user = User.get_by_username(User.DEFAULT_USER, cache=cache)

			




	
	
	
		
 
        if user is None:

			




	
	
	
		
 
            raise Exception('Missing default account!')

			




	
	
	
		
 
        return user

			




	
	
	
		
 

			




	
	
	
		
 
    def get_api_data(self):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Common function for generating user related data for API

			




	
	
	
		
 
        """

			




	
	
	
		
 
        user = self

			




	
	
	
		
 
        data = dict(

			




	
	
	
		
 
            user_id=user.user_id,

			




	
	
	
		
 
            username=user.username,

			




	
	
	
		
 
            firstname=user.name,

			




	
	
	
		
 
            lastname=user.lastname,

			




	
	
	
		
 
            email=user.email,

			




	
	
	
		
 
            emails=user.emails,

			




	
	
		
 
@@ -1396,52 +1400,65 @@ class RepoGroup(Base, BaseModel):

			




	
	
	
		
 
                       self.parent_group else [])

			




	
	
	
		
 
        return RepoGroup.url_sep().join(path_prefix + [group_name])

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class Permission(Base, BaseModel):

			




	
	
	
		
 
    __tablename__ = 'permissions'

			




	
	
	
		
 
    __table_args__ = (

			




	
	
	
		
 
        Index('p_perm_name_idx', 'permission_name'),

			




	
	
	
		
 
        {'extend_existing': True, 'mysql_engine': 'InnoDB',

			




	
	
	
		
 
         'mysql_charset': 'utf8'},

			




	
	
	
		
 
    )

			




	
	
	
		
 
    PERMS = [

			




	
	
	
		
 
        ('hg.admin', _('RhodeCode Administrator')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('repository.none', _('Repository no access')),

			




	
	
	
		
 
        ('repository.read', _('Repository read access')),

			




	
	
	
		
 
        ('repository.write', _('Repository write access')),

			




	
	
	
		
 
        ('repository.admin', _('Repository admin access')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('group.none', _('Repository group no access')),

			




	
	
	
		
 
        ('group.read', _('Repository group read access')),

			




	
	
	
		
 
        ('group.write', _('Repository group write access')),

			




	
	
	
		
 
        ('group.admin', _('Repository group admin access')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('usergroup.none', _('User group no access')),

			




	
	
	
		
 
        ('usergroup.read', _('User group read access')),

			




	
	
	
		
 
        ('usergroup.write', _('User group write access')),

			




	
	
	
		
 
        ('usergroup.admin', _('User group admin access')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('hg.admin', _('RhodeCode Administrator')),

			




	
	
	
		
 
        ('hg.create.none', _('Repository creation disabled')),

			




	
	
	
		
 
        ('hg.create.repository', _('Repository creation enabled')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('hg.fork.none', _('Repository forking disabled')),

			




	
	
	
		
 
        ('hg.fork.repository', _('Repository forking enabled')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('hg.register.none', _('Register disabled')),

			




	
	
	
		
 
        ('hg.register.manual_activate', _('Register new user with RhodeCode '

			




	
	
	
		
 
                                          'with manual activation')),

			




	
	
	
		
 

			




	
	
	
		
 
        ('hg.register.auto_activate', _('Register new user with RhodeCode '

			




	
	
	
		
 
                                        'with auto activation')),

			




	
	
	
		
 
    ]

			




	
	
	
		
 

			




	
	
	
		
 
    #definition of system default permissions for DEFAULT user

			




	
	
	
		
 
    DEFAULT_USER_PERMISSIONS = [

			




	
	
	
		
 
        'repository.read',

			




	
	
	
		
 
        'group.read',

			




	
	
	
		
 
        'usergroup.read',

			




	
	
	
		
 
        'hg.create.repository',

			




	
	
	
		
 
        'hg.fork.repository',

			




	
	
	
		
 
        'hg.register.manual_activate',

			




	
	
	
		
 
    ]

			




	
	
	
		
 

			




	
	
	
		
 
    # defines which permissions are more important higher the more important

			




	
	
	
		
 
    PERM_WEIGHTS = {

			




	
	
	
		
 
        'repository.none': 0,

			




	
	
	
		
 
        'repository.read': 1,

			




	
	
	
		
 
        'repository.write': 3,

			




	
	
	
		
 
        'repository.admin': 4,

			




	
	
	
		
 

			




	
	
	
		
 
        'group.none': 0,

			




	
	
	
		
 
        'group.read': 1,

			




	
	
	
		
 
        'group.write': 3,

			




	
	
	
		
 
        'group.admin': 4,

			




	
	
	
		
 

			




        

    


    
    

    

        

                

                    rhodecode/model/permission.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -34,68 +34,104 @@ from rhodecode.model.db import User, Per

			




	
	
	
		
 
from rhodecode.lib.utils2 import str2bool

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class PermissionModel(BaseModel):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Permissions model for RhodeCode

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    cls = Permission

			




	
	
	
		
 

			




	
	
	
		
 
    def create_default_permissions(self, user):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Creates only missing default permissions for user

			




	
	
	
		
 

			




	
	
	
		
 
        :param user:

			




	
	
	
		
 
        """

			




	
	
	
		
 
        user = self._get_user(user)

			




	
	
	
		
 

			




	
	
	
		
 
        def _make_perm(perm):

			




	
	
	
		
 
            new_perm = UserToPerm()

			




	
	
	
		
 
            new_perm.user = user

			




	
	
	
		
 
            new_perm.permission = Permission.get_by_key(perm)

			




	
	
	
		
 
            return new_perm

			




	
	
	
		
 

			




	
	
	
		
 
        def _get_group(perm_name):

			




	
	
	
		
 
            return '.'.join(perm_name.split('.')[:1])

			




	
	
	
		
 

			




	
	
	
		
 
        perms = UserToPerm.query().filter(UserToPerm.user == user).all()

			




	
	
	
		
 
        defined_perms_groups = map(_get_group,

			




	
	
	
		
 
                                (x.permission.permission_name for x in perms))

			




	
	
	
		
 
        log.debug('GOT ALREADY DEFINED:%s' % perms)

			




	
	
	
		
 
        DEFAULT_PERMS = Permission.DEFAULT_USER_PERMISSIONS

			




	
	
	
		
 

			




	
	
	
		
 
        # for every default permission that needs to be created, we check if

			




	
	
	
		
 
        # it's group is already defined, if it's not we create default perm

			




	
	
	
		
 
        for perm_name in DEFAULT_PERMS:

			




	
	
	
		
 
            gr = _get_group(perm_name)

			




	
	
	
		
 
            if gr not in defined_perms_groups:

			




	
	
	
		
 
                log.debug('GR:%s not found, creating permission %s'

			




	
	
	
		
 
                          % (gr, perm_name))

			




	
	
	
		
 
                new_perm = _make_perm(perm_name)

			




	
	
	
		
 
                self.sa.add(new_perm)

			




	
	
	
		
 

			




	
	
	
		
 
    def update(self, form_result):

			




	
	
	
		
 
        perm_user = User.get_by_username(username=form_result['perm_user_name'])

			




	
	
	
		
 
        u2p = self.sa.query(UserToPerm).filter(UserToPerm.user == perm_user).all()

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            # stage 1 set anonymous access

			




	
	
	
		
 
            if perm_user.username == 'default':

			




	
	
	
		
 
                perm_user.active = str2bool(form_result['anonymous'])

			




	
	
	
		
 
                self.sa.add(perm_user)

			




	
	
	
		
 

			




	
	
	
		
 
            # stage 2 reset defaults and set them from form data

			




	
	
	
		
 
            def _make_new(usr, perm_name):

			




	
	
	
		
 
                new = UserToPerm()

			




	
	
	
		
 
                new.user = usr

			




	
	
	
		
 
                new.permission = Permission.get_by_key(perm_name)

			




	
	
	
		
 
                return new

			




	
	
	
		
 
            # clear current entries, to make this function idempotent

			




	
	
	
		
 
            # it will fix even if we define more permissions or permissions

			




	
	
	
		
 
            # are somehow missing

			




	
	
	
		
 
            u2p = self.sa.query(UserToPerm)\

			




	
	
	
		
 
                .filter(UserToPerm.user == perm_user)\

			




	
	
	
		
 
                .all()

			




	
	
	
		
 
            for p in u2p:

			




	
	
	
		
 
                self.sa.delete(p)

			




	
	
	
		
 
            #create fresh set of permissions

			




	
	
	
		
 
            for def_perm_key in ['default_repo_perm', 'default_group_perm',

			




	
	
	
		
 
                                 'default_register', 'default_create',

			




	
	
	
		
 
                                 'default_fork']:

			




	
	
	
		
 
                p = _make_new(perm_user, form_result[def_perm_key])

			




	
	
	
		
 
                self.sa.add(p)

			




	
	
	
		
 

			




	
	
	
		
 
            #stage 2 update all default permissions for repos if checked

			




	
	
	
		
 
            #stage 3 update all default permissions for repos if checked

			




	
	
	
		
 
            if form_result['overwrite_default_repo'] == True:

			




	
	
	
		
 
                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

			




	
	
	
		
 
                _def = Permission.get_by_key('repository.' + _def_name)

			




	
	
	
		
 
                # repos

			




	
	
	
		
 
                for r2p in self.sa.query(UserRepoToPerm)\

			




	
	
	
		
 
                               .filter(UserRepoToPerm.user == perm_user)\

			




	
	
	
		
 
                               .all():

			




	
	
	
		
 

			




	
	
	
		
 
                    #don't reset PRIVATE repositories

			




	
	
	
		
 
                    if not r2p.repository.private:

			




	
	
	
		
 
                        r2p.permission = _def

			




	
	
	
		
 
                        self.sa.add(r2p)

			




	
	
	
		
 

			




	
	
	
		
 
            if form_result['overwrite_default_group'] == True:

			




	
	
	
		
 
                _def_name = form_result['default_group_perm'].split('group.')[-1]

			




	
	
	
		
 
                # groups

			




	
	
	
		
 
                _def = Permission.get_by_key('group.' + _def_name)

			




	
	
	
		
 
                for g2p in self.sa.query(UserRepoGroupToPerm)\

			




	
	
	
		
 
                               .filter(UserRepoGroupToPerm.user == perm_user)\

			




	
	
	
		
 
                               .all():

			




	
	
	
		
 
                    g2p.permission = _def

			




	
	
	
		
 
                    self.sa.add(g2p)

			




	
	
	
		
 

			




	
	
	
		
 
            # stage 3 set anonymous access

			




	
	
	
		
 
            if perm_user.username == 'default':

			




	
	
	
		
 
                perm_user.active = str2bool(form_result['anonymous'])

			




	
	
	
		
 
                self.sa.add(perm_user)

			




	
	
	
		
 

			




	
	
	
		
 
            self.sa.commit()

			




	
	
	
		
 
        except (DatabaseError,):

			




	
	
	
		
 
            log.error(traceback.format_exc())

			




	
	
	
		
 
            self.sa.rollback()

			




	
	
	
		
 
            raise

			




        

    


    
    

    

        

                

                    rhodecode/tests/models/test_permissions.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
	
		
 
import os

			




	
	
	
		
 
import unittest

			




	
	
	
		
 
from rhodecode.tests import *

			




	
	
	
		
 
from rhodecode.tests.fixture import Fixture

			




	
	
	
		
 
from rhodecode.model.repos_group import ReposGroupModel

			




	
	
	
		
 
from rhodecode.model.repo import RepoModel

			




	
	
	
		
 
from rhodecode.model.db import RepoGroup, User, UserGroupRepoGroupToPerm

			




	
	
	
		
 
from rhodecode.model.db import RepoGroup, User, UserGroupRepoGroupToPerm,\

			




	
	
	
		
 
    Permission, UserToPerm

			




	
	
	
		
 
from rhodecode.model.user import UserModel

			




	
	
	
		
 

			




	
	
	
		
 
from rhodecode.model.meta import Session

			




	
	
	
		
 
from rhodecode.model.users_group import UserGroupModel

			




	
	
	
		
 
from rhodecode.lib.auth import AuthUser

			




	
	
	
		
 
from rhodecode.model.permission import PermissionModel

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
fixture = Fixture()

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class TestPermissions(unittest.TestCase):

			




	
	
	
		
 
    def __init__(self, methodName='runTest'):

			




	
	
	
		
 
        super(TestPermissions, self).__init__(methodName=methodName)

			




	
	
	
		
 

			




	
	
	
		
 
    def setUp(self):

			




	
	
	
		
 
        self.u1 = UserModel().create_or_update(

			




	
	
	
		
 
            username=u'u1', password=u'qweqwe',

			




	
	
		
 
@@ -92,31 +94,33 @@ class TestPermissions(unittest.TestCase)

			




	
	
	
		
 
        # cannot really downgrade admins permissions !? they still get's set as

			




	
	
	
		
 
        # admin !

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.a1.user_id)

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

			




	
	
	
		
 
                         perms['repositories'][HG_REPO])

			




	
	
	
		
 

			




	
	
	
		
 
    def test_default_group_perms(self):

			




	
	
	
		
 
        self.g1 = fixture.create_group('test1', skip_if_exists=True)

			




	
	
	
		
 
        self.g2 = fixture.create_group('test2', skip_if_exists=True)

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},

			




	
	
	
		
 
            'global': set([u'hg.create.repository', u'repository.read', u'hg.register.manual_activate']),

			




	
	
	
		
 
            'global': set(Permission.DEFAULT_USER_PERMISSIONS),

			




	
	
	
		
 
            'repositories': {u'vcs_test_hg': u'repository.read'}

			




	
	
	
		
 
        }

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

			




	
	
	
		
 
                         perms['repositories'][HG_REPO])

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['repositories_groups'],

			




	
	
	
		
 
                         perms['repositories_groups'])

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['global'],

			




	
	
	
		
 
                         perms['global'])

			




	
	
	
		
 

			




	
	
	
		
 
    def test_default_admin_group_perms(self):

			




	
	
	
		
 
        self.g1 = fixture.create_group('test1', skip_if_exists=True)

			




	
	
	
		
 
        self.g2 = fixture.create_group('test2', skip_if_exists=True)

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.a1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {u'test1': 'group.admin', u'test2': 'group.admin'},

			




	
	
	
		
 
            'global': set(['hg.admin']),

			




	
	
	
		
 
            'repositories': {u'vcs_test_hg': 'repository.admin'}

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
        self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],

			




	
	
		
 
@@ -338,43 +342,45 @@ class TestPermissions(unittest.TestCase)

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.create.none')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.create.repository')

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.fork.none')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.fork.repository')

			




	
	
	
		
 
        # make sure inherit flag is turned on

			




	
	
	
		
 
        self.u1.inherit_default_permissions = True

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        # this user will have inherited permissions from default user

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['global'],

			




	
	
	
		
 
                         set(['hg.create.repository', 'hg.fork.repository',

			




	
	
	
		
 
                              'hg.register.manual_activate',

			




	
	
	
		
 
                              'repository.read', 'group.read']))

			




	
	
	
		
 
                              'repository.read', 'group.read',

			




	
	
	
		
 
                              'usergroup.read']))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_inherited_permissions_from_default_on_user_disabled(self):

			




	
	
	
		
 
        user_model = UserModel()

			




	
	
	
		
 
        # disable fork and create on default user

			




	
	
	
		
 
        usr = 'default'

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.create.repository')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.create.none')

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.fork.repository')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.fork.none')

			




	
	
	
		
 
        # make sure inherit flag is turned on

			




	
	
	
		
 
        self.u1.inherit_default_permissions = True

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        # this user will have inherited permissions from default user

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['global'],

			




	
	
	
		
 
                         set(['hg.create.none', 'hg.fork.none',

			




	
	
	
		
 
                              'hg.register.manual_activate',

			




	
	
	
		
 
                              'repository.read', 'group.read']))

			




	
	
	
		
 
                              'repository.read', 'group.read',

			




	
	
	
		
 
                              'usergroup.read']))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_non_inherited_permissions_from_default_on_user_enabled(self):

			




	
	
	
		
 
        user_model = UserModel()

			




	
	
	
		
 
        # enable fork and create on default user

			




	
	
	
		
 
        usr = 'default'

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.create.none')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.create.repository')

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.fork.none')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.fork.repository')

			




	
	
	
		
 

			




	
	
	
		
 
        #disable global perms on specific user

			




	
	
	
		
 
        user_model.revoke_perm(self.u1, 'hg.create.repository')

			




	
	
		
 
@@ -382,25 +388,26 @@ class TestPermissions(unittest.TestCase)

			




	
	
	
		
 
        user_model.revoke_perm(self.u1, 'hg.fork.repository')

			




	
	
	
		
 
        user_model.grant_perm(self.u1, 'hg.fork.none')

			




	
	
	
		
 

			




	
	
	
		
 
        # make sure inherit flag is turned off

			




	
	
	
		
 
        self.u1.inherit_default_permissions = False

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        # this user will have non inherited permissions from he's

			




	
	
	
		
 
        # explicitly set permissions

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['global'],

			




	
	
	
		
 
                         set(['hg.create.none', 'hg.fork.none',

			




	
	
	
		
 
                              'hg.register.manual_activate',

			




	
	
	
		
 
                              'repository.read', 'group.read']))

			




	
	
	
		
 
                              'repository.read', 'group.read',

			




	
	
	
		
 
                              'usergroup.read']))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_non_inherited_permissions_from_default_on_user_disabled(self):

			




	
	
	
		
 
        user_model = UserModel()

			




	
	
	
		
 
        # disable fork and create on default user

			




	
	
	
		
 
        usr = 'default'

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.create.repository')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.create.none')

			




	
	
	
		
 
        user_model.revoke_perm(usr, 'hg.fork.repository')

			




	
	
	
		
 
        user_model.grant_perm(usr, 'hg.fork.none')

			




	
	
	
		
 

			




	
	
	
		
 
        #enable global perms on specific user

			




	
	
	
		
 
        user_model.revoke_perm(self.u1, 'hg.create.none')

			




	
	
		
 
@@ -408,25 +415,26 @@ class TestPermissions(unittest.TestCase)

			




	
	
	
		
 
        user_model.revoke_perm(self.u1, 'hg.fork.none')

			




	
	
	
		
 
        user_model.grant_perm(self.u1, 'hg.fork.repository')

			




	
	
	
		
 

			




	
	
	
		
 
        # make sure inherit flag is turned off

			




	
	
	
		
 
        self.u1.inherit_default_permissions = False

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        # this user will have non inherited permissions from he's

			




	
	
	
		
 
        # explicitly set permissions

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['global'],

			




	
	
	
		
 
                         set(['hg.create.repository', 'hg.fork.repository',

			




	
	
	
		
 
                              'hg.register.manual_activate',

			




	
	
	
		
 
                              'repository.read', 'group.read']))

			




	
	
	
		
 
                              'repository.read', 'group.read',

			




	
	
	
		
 
                              'usergroup.read']))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_owner_permissions_doesnot_get_overwritten_by_group(self):

			




	
	
	
		
 
        #create repo as USER,

			




	
	
	
		
 
        self.test_repo = fixture.create_repo(name='myownrepo',

			




	
	
	
		
 
                                             repo_type='hg',

			




	
	
	
		
 
                                             cur_user=self.u1)

			




	
	
	
		
 

			




	
	
	
		
 
        #he has permissions of admin as owner

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

			




	
	
	
		
 
                         'repository.admin')

			




	
	
	
		
 
        #set his permission as user group, he should still be admin

			




	
	
		
 
@@ -449,12 +457,69 @@ class TestPermissions(unittest.TestCase)

			




	
	
	
		
 

			




	
	
	
		
 
        #he has permissions of admin as owner

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

			




	
	
	
		
 
                         'repository.admin')

			




	
	
	
		
 
        #set his permission as user, he should still be admin

			




	
	
	
		
 
        RepoModel().grant_user_permission(self.test_repo, user=self.u1,

			




	
	
	
		
 
                                          perm='repository.none')

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

			




	
	
	
		
 
                         'repository.admin')

			




	
	
	
		
 

			




	
	
	
		
 
    def _test_def_perm_equal(self, user, change_factor=0):

			




	
	
	
		
 
        perms = UserToPerm.query()\

			




	
	
	
		
 
                .filter(UserToPerm.user == user)\

			




	
	
	
		
 
                .all()

			




	
	
	
		
 
        self.assertEqual(len(perms),

			




	
	
	
		
 
                         len(Permission.DEFAULT_USER_PERMISSIONS,)+change_factor,

			




	
	
	
		
 
                         msg=perms)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_set_default_permissions(self):

			




	
	
	
		
 
        PermissionModel().create_default_permissions(user=self.u1)

			




	
	
	
		
 
        self._test_def_perm_equal(user=self.u1)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_set_default_permissions_after_one_is_missing(self):

			




	
	
	
		
 
        PermissionModel().create_default_permissions(user=self.u1)

			




	
	
	
		
 
        self._test_def_perm_equal(user=self.u1)

			




	
	
	
		
 
        #now we delete one, it should be re-created after another call

			




	
	
	
		
 
        perms = UserToPerm.query()\

			




	
	
	
		
 
                .filter(UserToPerm.user == self.u1)\

			




	
	
	
		
 
                .all()

			




	
	
	
		
 
        Session().delete(perms[0])

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
        self._test_def_perm_equal(user=self.u1, change_factor=-1)

			




	
	
	
		
 

			




	
	
	
		
 
        #create missing one !

			




	
	
	
		
 
        PermissionModel().create_default_permissions(user=self.u1)

			




	
	
	
		
 
        self._test_def_perm_equal(user=self.u1)

			




	
	
	
		
 

			




	
	
	
		
 
    @parameterized.expand([

			




	
	
	
		
 
        ('repository.read', 'repository.none'),

			




	
	
	
		
 
        ('group.read', 'group.none'),

			




	
	
	
		
 
        ('usergroup.read', 'usergroup.none'),

			




	
	
	
		
 
        ('hg.create.repository', 'hg.create.none'),

			




	
	
	
		
 
        ('hg.fork.repository', 'hg.fork.none'),

			




	
	
	
		
 
        ('hg.register.manual_activate', 'hg.register.auto_activate',)

			




	
	
	
		
 
    ])

			




	
	
	
		
 
    def test_set_default_permissions_after_modification(self, perm, modify_to):

			




	
	
	
		
 
        PermissionModel().create_default_permissions(user=self.u1)

			




	
	
	
		
 
        self._test_def_perm_equal(user=self.u1)

			




	
	
	
		
 

			




	
	
	
		
 
        old = Permission.get_by_key(perm)

			




	
	
	
		
 
        new = Permission.get_by_key(modify_to)

			




	
	
	
		
 
        self.assertNotEqual(old, None)

			




	
	
	
		
 
        self.assertNotEqual(new, None)

			




	
	
	
		
 

			




	
	
	
		
 
        #now modify permissions

			




	
	
	
		
 
        p = UserToPerm.query()\

			




	
	
	
		
 
                .filter(UserToPerm.user == self.u1)\

			




	
	
	
		
 
                .filter(UserToPerm.permission == old)\

			




	
	
	
		
 
                .one()

			




	
	
	
		
 
        p.permission = new

			




	
	
	
		
 
        Session().add(p)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
        PermissionModel().create_default_permissions(user=self.u1)

			




	
	
	
		
 
        self._test_def_perm_equal(user=self.u1)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.