# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.model.base

~~~~~~~~~~~~~~~~~~~~

The application's model objects

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Nov 25, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

from kallithea.model import meta

from kallithea.lib.utils2 import obfuscate_url_pw

log = logging.getLogger(__name__)

def init_model(engine):

    """

    Initializes db session, bind the engine with the metadata,

    Call this before using any of the tables or classes in the model,

    preferably once in application start

    :param engine: engine to bind to

    """

    engine_str = obfuscate_url_pw(str(engine.url))

    log.info("initializing db for %s", engine_str)

    meta.Base.metadata.bind = engine

class BaseModel(object):

    """

    Base Model for all Kallithea models, it adds sql alchemy session

    into instance of model

    :param sa: If passed it reuses this session instead of creating a new one

    """

    def __init__(self, sa=None):

        if sa is not None:

            self.sa = sa

        else:

            self.sa = meta.Session()

                            check_perms=True):

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        # update permissions

        for member, perm, member_type in perms_updates:

            if member_type == 'user':

                # this updates existing one

                self.grant_user_permission(

                    repo=repo, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                req_perms = (

                    'usergroup.read', 'usergroup.write', 'usergroup.admin')

                if not check_perms or HasUserGroupPermissionAny(*req_perms)(

                        member):

                    self.grant_user_group_permission(

                        repo=repo, group_name=member, perm=perm

                    )

            # set new permissions

        for member, perm, member_type in perms_new:

            if member_type == 'user':

                self.grant_user_permission(

                    repo=repo, user=member, perm=perm

                )

            else:

                #check if we have permissions to alter this usergroup

                req_perms = (

                    'usergroup.read', 'usergroup.write', 'usergroup.admin')

                if not check_perms or HasUserGroupPermissionAny(*req_perms)(

                        member):

                    self.grant_user_group_permission(

                        repo=repo, group_name=member, perm=perm

                    )

    def create_fork(self, form_data, cur_user):

        """

        Simple wrapper into executing celery task for fork creation

        :param form_data:

        :param cur_user:

        """

        from kallithea.lib.celerylib import tasks

        return tasks.create_repo_fork(form_data, cur_user)

    def delete(self, repo, forks=None, fs_remove=True, cur_user=None):

        """

        Delete given repository, forks parameter defines what do do with

        attached forks. Throws AttachedForksError if deleted repo has attached

        forks

        :param repo:

        :param forks: str 'delete' or 'detach'

        :param fs_remove: remove(archive) repo from filesystem

        """

        if not cur_user:

            cur_user = getattr(get_current_authuser(), 'username', None)

        repo = Repository.guess_instance(repo)

        if repo is not None:

            if forks == 'detach':

                for r in repo.forks:

                    r.fork = None

                    self.sa.add(r)

            elif forks == 'delete':

                for r in repo.forks:

                    self.delete(r, forks='delete')

            elif [f for f in repo.forks]:

                raise AttachedForksError()

            old_repo_dict = repo.get_dict()

            try:

                self.sa.delete(repo)

                if fs_remove:

                    self._delete_filesystem_repo(repo)

                else:

                    log.debug('skipping removal from filesystem')

                log_delete_repository(old_repo_dict,

                                      deleted_by=cur_user)

            except Exception:

                log.error(traceback.format_exc())

                raise

    def grant_user_permission(self, repo, user, perm):

        """

        Grant permission for user on given repository, or update existing one

        if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        user = User.guess_instance(user)

        repo = Repository.guess_instance(repo)

        # check if we have that permission already

        obj = self.sa.query(UserRepoToPerm) \

            .filter(UserRepoToPerm.user == user) \

            .filter(UserRepoToPerm.repository == repo) \

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoToPerm()

        obj.repository = repo

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s', perm, user, repo)

        return obj

    def revoke_user_permission(self, repo, user):

        """

        Revoke permission for user on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param user: Instance of User, user_id or username

        """

        user = User.guess_instance(user)

        repo = Repository.guess_instance(repo)

        obj = self.sa.query(UserRepoToPerm) \

            .filter(UserRepoToPerm.repository == repo) \

            .filter(UserRepoToPerm.user == user) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s', repo, user)

    def grant_user_group_permission(self, repo, group_name, perm):

        """

        Grant permission for user group on given repository, or update

        existing one if found

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo = Repository.guess_instance(repo)

        group_name = self._get_user_group(group_name)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoToPerm) \

            .filter(UserGroupRepoToPerm.users_group == group_name) \

            .filter(UserGroupRepoToPerm.repository == repo) \

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoToPerm()

        obj.repository = repo

        obj.users_group = group_name

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s', perm, group_name, repo)

        return obj

    def revoke_user_group_permission(self, repo, group_name):

        """

        Revoke permission for user group on given repository

        :param repo: Instance of Repository, repository_id, or repository name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        """

        repo = Repository.guess_instance(repo)

        group_name = self._get_user_group(group_name)

        obj = self.sa.query(UserGroupRepoToPerm) \

            .filter(UserGroupRepoToPerm.repository == repo) \

            .filter(UserGroupRepoToPerm.users_group == group_name) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm to %s on %s', repo, group_name)

    def delete_stats(self, repo_name):

        """

        removes stats for given repo

        :param repo_name:

        """

        repo = Repository.guess_instance(repo_name)

        try:

            obj = self.sa.query(Statistics) \

                .filter(Statistics.repository == repo).scalar()

            if obj is not None:

                self.sa.delete(obj)

        except Exception:

            log.error(traceback.format_exc())

            raise

    def _create_filesystem_repo(self, repo_name, repo_type, repo_group,

                                clone_uri=None, repo_store_location=None):

        """

        Makes repository on filesystem. Operation is group aware, meaning that it will create

        a repository within a group, and alter the paths accordingly to the group location.

        :param repo_name:

        :param alias:

        :param parent:

        :param clone_uri:

        :param repo_store_location:

        """

        from kallithea.lib.utils import is_valid_repo, is_valid_repo_group

        from kallithea.model.scm import ScmModel

        if '/' in repo_name:

            raise ValueError('repo_name must not contain groups got `%s`' % repo_name)

        if isinstance(repo_group, RepoGroup):

            new_parent_path = os.sep.join(repo_group.full_path_splitted)

        else:

            new_parent_path = repo_group or ''

        if repo_store_location:

            _paths = [repo_store_location]

        else:

            _paths = [self.repos_path, new_parent_path, repo_name]

            # we need to make it str for mercurial

        repo_path = os.path.join(*map(lambda x: safe_str(x), _paths))

        # check if this path is not a repository

        if is_valid_repo(repo_path, self.repos_path):

            raise Exception('This path %s is a valid repository' % repo_path)

        # check if this path is a group

        if is_valid_repo_group(repo_path, self.repos_path):

            raise Exception('This path %s is a valid group' % repo_path)

        log.info('creating repo %s in %s from url: `%s`',

            repo_name, safe_unicode(repo_path),

            obfuscate_url_pw(clone_uri))

        backend = get_backend(repo_type)

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(obj, Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                obj = repo_group

                # also we do a break at the end of this loop.

            # update permissions

            for member, perm, member_type in perms_updates:

                ## set for user

                if member_type == 'user':

                    # this updates also current one if found

                    _set_perm_user(obj, user=member, perm=perm)

                ## set for user group

                else:

                    #check if we have permissions to alter this usergroup

                    req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                    if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                        _set_perm_group(obj, users_group=member, perm=perm)

            # set new permissions

            for member, perm, member_type in perms_new:

                if member_type == 'user':

                    _set_perm_user(obj, user=member, perm=perm)

                else:

                    #check if we have permissions to alter this usergroup

                    req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

                    if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):

                        _set_perm_group(obj, users_group=member, perm=perm)

            updates.append(obj)

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

        return updates

    def update(self, repo_group, form_data):

        try:

            repo_group = self._get_repo_group(repo_group)

            old_path = repo_group.full_path

            # change properties

            repo_group.group_description = form_data['group_description']

            repo_group.parent_group_id = form_data['parent_group_id']

            repo_group.enable_locking = form_data['enable_locking']

            repo_group.parent_group = RepoGroup.get(form_data['parent_group_id'])

            repo_group.group_name = repo_group.get_new_name(form_data['group_name'])

            new_path = repo_group.full_path

            self.sa.add(repo_group)

            # iterate over all members of this groups and do fixes

            # set locking if given

            # if obj is a repoGroup also fix the name of the group according

            # to the parent

            # if obj is a Repo fix it's name

            # this can be potentially heavy operation

            for obj in repo_group.recursive_groups_and_repos():

                #set the value from it's parent

                obj.enable_locking = repo_group.enable_locking

                if isinstance(obj, RepoGroup):

                    new_name = obj.get_new_name(obj.name)

                    log.debug('Fixing group %s to new name %s' \

                                % (obj.group_name, new_name))

                    obj.group_name = new_name

                elif isinstance(obj, Repository):

                    # we need to get all repositories from this new group and

                    # rename them accordingly to new group path

                    new_name = obj.get_new_name(obj.just_name)

                    log.debug('Fixing repo %s to new name %s' \

                                % (obj.repo_name, new_name))

                    obj.repo_name = new_name

                self.sa.add(obj)

            self._rename_group(old_path, new_path)

            return repo_group

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, repo_group, force_delete=False):

        repo_group = self._get_repo_group(repo_group)

        try:

            self.sa.delete(repo_group)

            self._delete_group(repo_group, force_delete)

        except Exception:

            log.error('Error removing repo_group %s', repo_group)

            raise

    def add_permission(self, repo_group, obj, obj_type, perm, recursive):

        from kallithea.model.repo import RepoModel

        repo_group = self._get_repo_group(repo_group)

        for el in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

            # that group, recursive option can be: none, repos, groups, all

            if recursive == 'all':

                pass

            elif recursive == 'repos':

                # skip groups, other than this one

                if isinstance(el, RepoGroup) and not el == repo_group:

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(el, Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                el = repo_group

                # also we do a break at the end of this loop.

            if isinstance(el, RepoGroup):

                if obj_type == 'user':

                    RepoGroupModel().grant_user_permission(el, user=obj, perm=perm)

                elif obj_type == 'user_group':

                    RepoGroupModel().grant_user_group_permission(el, group_name=obj, perm=perm)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            elif isinstance(el, Repository):

                # for repos we need to hotfix the name of permission

                _perm = perm.permission_name.replace('group.', 'repository.')

                if obj_type == 'user':

                    RepoModel().grant_user_permission(el, user=obj, perm=_perm)

                elif obj_type == 'user_group':

                    RepoModel().grant_user_group_permission(el, group_name=obj, perm=_perm)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            else:

                raise Exception('el should be instance of Repository or '

                                'RepositoryGroup got %s instead' % type(el))

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

    def delete_permission(self, repo_group, obj, obj_type, recursive):

        """

        Revokes permission for repo_group for given obj(user or users_group),

        obj_type can be user or user group

        :param repo_group:

        :param obj: user or user group id

        :param obj_type: user or user group type

        :param recursive: recurse to all children of group

        """

        from kallithea.model.repo import RepoModel

        repo_group = self._get_repo_group(repo_group)

        for el in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

            # that group, recursive option can be: none, repos, groups, all

            if recursive == 'all':

                pass

            elif recursive == 'repos':

                # skip groups, other than this one

                if isinstance(el, RepoGroup) and not el == repo_group:

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(el, Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                el = repo_group

                # also we do a break at the end of this loop.

            if isinstance(el, RepoGroup):

                if obj_type == 'user':

                    RepoGroupModel().revoke_user_permission(el, user=obj)

                elif obj_type == 'user_group':

                    RepoGroupModel().revoke_user_group_permission(el, group_name=obj)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            elif isinstance(el, Repository):

                if obj_type == 'user':

                    RepoModel().revoke_user_permission(el, user=obj)

                elif obj_type == 'user_group':

                    RepoModel().revoke_user_group_permission(el, group_name=obj)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            else:

                raise Exception('el should be instance of Repository or '

                                'RepositoryGroup got %s instead' % type(el))

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

    def grant_user_permission(self, repo_group, user, perm):

        """

        Grant permission for user on given repository group, or update

        existing one if found

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        :param perm: Instance of Permission, or permission_name

        """

        repo_group = self._get_repo_group(repo_group)

        user = User.guess_instance(user)

        # check if we have that permission already

        obj = self.sa.query(UserRepoGroupToPerm) \

            .filter(UserRepoGroupToPerm.user == user) \

            .filter(UserRepoGroupToPerm.group == repo_group) \

            .scalar()

        if obj is None:

            # create new !

            obj = UserRepoGroupToPerm()

        obj.group = repo_group

        obj.user = user

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s', perm, user, repo_group)

        return obj

    def revoke_user_permission(self, repo_group, user):

        """

        Revoke permission for user on given repository group

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

        repo_group = self._get_repo_group(repo_group)

        user = User.guess_instance(user)

        obj = self.sa.query(UserRepoGroupToPerm) \

            .filter(UserRepoGroupToPerm.user == user) \

            .filter(UserRepoGroupToPerm.group == repo_group) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s', repo_group, user)

    def grant_user_group_permission(self, repo_group, group_name, perm):

        """

        Grant permission for user group on given repository group, or update

        existing one if found

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        :param perm: Instance of Permission, or permission_name

        """

        repo_group = self._get_repo_group(repo_group)

        group_name = self._get_user_group(group_name)

        # check if we have that permission already

        obj = self.sa.query(UserGroupRepoGroupToPerm) \

            .filter(UserGroupRepoGroupToPerm.group == repo_group) \

            .filter(UserGroupRepoGroupToPerm.users_group == group_name) \

            .scalar()

        if obj is None:

            # create new

            obj = UserGroupRepoGroupToPerm()

        obj.group = repo_group

        obj.users_group = group_name

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s', perm, group_name, repo_group)

        return obj

    def revoke_user_group_permission(self, repo_group, group_name):

        """

        Revoke permission for user group on given repository group

        :param repo_group: Instance of RepoGroup, repositories_group_id,

            or repositories_group name

        :param group_name: Instance of UserGroup, users_group_id,

            or user group name

        """

        repo_group = self._get_repo_group(repo_group)

        group_name = self._get_user_group(group_name)

        obj = self.sa.query(UserGroupRepoGroupToPerm) \

            .filter(UserGroupRepoGroupToPerm.group == repo_group) \

            .filter(UserGroupRepoGroupToPerm.users_group == group_name) \

            .scalar()

        if obj is not None:

            self.sa.delete(obj)

            log.debug('Revoked perm to %s on %s', repo_group, group_name)

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.model.user

~~~~~~~~~~~~~~~~~~~~

users model for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 9, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import hashlib

import hmac

import logging

import time

import traceback

from pylons import config

from pylons.i18n.translation import _

from sqlalchemy.exc import DatabaseError

from kallithea.lib.utils2 import safe_str, generate_api_key, get_current_authuser

from kallithea.lib.caching_query import FromCache

from kallithea.model.base import BaseModel

    UserEmailMap, UserIpMap

from kallithea.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

from kallithea.model.meta import Session

log = logging.getLogger(__name__)

class UserModel(BaseModel):

    password_reset_token_lifetime = 86400 # 24 hours

    def get(self, user_id, cache=False):

        user = self.sa.query(User)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % user_id))

        return user.get(user_id)

    def get_user(self, user):

        return User.guess_instance(user)

    def create(self, form_data, cur_user=None):

        if not cur_user:

            cur_user = getattr(get_current_authuser(), 'username', None)

        from kallithea.lib.hooks import log_create_user, \

            check_allowed_create_user

        _fd = form_data

        user_data = {

            'username': _fd['username'],

            'password': _fd['password'],

            'email': _fd['email'],

            'firstname': _fd['firstname'],

            'lastname': _fd['lastname'],

            'active': _fd['active'],

            'admin': False

        }

        # raises UserCreationError if it's not allowed

        check_allowed_create_user(user_data, cur_user)

        from kallithea.lib.auth import get_crypt_password

        new_user = User()

        for k, v in form_data.items():

            if k == 'password':

                v = get_crypt_password(v)

            if k == 'firstname':

                k = 'name'

            setattr(new_user, k, v)

        new_user.api_key = generate_api_key()

        Session().add(new_user)

        Session().flush() # make database assign new_user.user_id

        log_create_user(new_user.get_dict(), cur_user)

        return new_user

    def create_or_update(self, username, password, email, firstname=u'',

                         lastname=u'', active=True, admin=False,

                         extern_type=None, extern_name=None, cur_user=None):

        """

        Creates a new instance if not found, or updates current one

        :param username:

        :param password:

        :param email:

        :param active:

        :param firstname:

        :param lastname:

        :param active:

        :param admin:

        :param extern_name:

        :param extern_type:

        :param cur_user:

        """

        if not cur_user:

            cur_user = getattr(get_current_authuser(), 'username', None)

        from kallithea.lib.auth import get_crypt_password, check_password

        from kallithea.lib.hooks import log_create_user, \

            check_allowed_create_user

        user_data = {

            'username': username, 'password': password,

            'email': email, 'firstname': firstname, 'lastname': lastname,

            'active': active, 'admin': admin

        }

        # raises UserCreationError if it's not allowed

        check_allowed_create_user(user_data, cur_user)

        log.debug('Checking for %s account in Kallithea database', username)

        user = User.get_by_username(username, case_insensitive=True)

        if user is None:

            log.debug('creating new user %s', username)

            new_user = User()

            edit = False

        else:

        reset confirmation page with all information (including the token)

        pre-filled. Also returns URL of that page, only without the token,

        allowing users to copy-paste or manually enter the token from the

        email.

        """

        from kallithea.lib.celerylib import tasks

        from kallithea.model.notification import EmailNotificationModel

        import kallithea.lib.helpers as h

        user_email = data['email']

        user = User.get_by_email(user_email)

        timestamp = int(time.time())

        if user is not None:

            if self.can_change_password(user):

                log.debug('password reset user %s found', user)

                token = self.get_reset_password_token(user,

                                                      timestamp,

                                                      h.authentication_token())

                # URL must be fully qualified; but since the token is locked to

                # the current browser session, we must provide a URL with the

                # current scheme and hostname, rather than the canonical_url.

                link = h.url('reset_password_confirmation', qualified=True,

                             email=user_email,

                             timestamp=timestamp,

                             token=token)

            else:

                log.debug('password reset user %s found but was managed', user)

                token = link = None

            reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET

            body = EmailNotificationModel().get_email_tmpl(

                reg_type, 'txt',

                user=user.short_contact,

                reset_token=token,

                reset_url=link)

            html_body = EmailNotificationModel().get_email_tmpl(

                reg_type, 'html',

                user=user.short_contact,

                reset_token=token,

                reset_url=link)

            log.debug('sending email')

            tasks.send_email([user_email], _("Password reset link"), body, html_body)

            log.info('send new password mail to %s', user_email)

        else:

            log.debug("password reset email %s not found", user_email)

        return h.url('reset_password_confirmation',

                     email=user_email,

                     timestamp=timestamp)

    def verify_reset_password_token(self, email, timestamp, token):

        from kallithea.lib.celerylib import tasks

        from kallithea.lib import auth

        import kallithea.lib.helpers as h

        user = User.get_by_email(email)

        if user is None:

            log.debug("user with email %s not found", email)

            return False

        token_age = int(time.time()) - int(timestamp)

        if token_age < 0:

            log.debug('timestamp is from the future')

            return False

        if token_age > UserModel.password_reset_token_lifetime:

            log.debug('password reset token expired')

            return False

        expected_token = self.get_reset_password_token(user,

                                                       timestamp,

                                                       h.authentication_token())

        log.debug('computed password reset token: %s', expected_token)

        log.debug('received password reset token: %s', token)

        return expected_token == token

    def reset_password(self, user_email, new_passwd):

        from kallithea.lib.celerylib import tasks

        from kallithea.lib import auth

        user = User.get_by_email(user_email)

        if user is not None:

            if not self.can_change_password(user):

                raise Exception('trying to change password for external user')

            user.password = auth.get_crypt_password(new_passwd)

            Session().commit()

            log.info('change password for %s', user_email)

        if new_passwd is None:

            raise Exception('unable to set new password')

        tasks.send_email([user_email],

                 _('Password reset notification'),

                 _('The password to your account %s has been changed using password reset form.') % (user.username,))

        log.info('send password reset mail to %s', user_email)

        return True

    def has_perm(self, user, perm):

        user = User.guess_instance(user)

        return UserToPerm.query().filter(UserToPerm.user == user) \

            .filter(UserToPerm.permission == perm).scalar() is not None

    def grant_perm(self, user, perm):

        """

        Grant user global permissions

        :param user:

        :param perm:

        """