This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 21, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

from tg import request, session, tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPFound, HTTPNotFound, HTTPBadRequest

import kallithea.lib.helpers as h

from kallithea.config.routing import url

from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator

from kallithea.lib.base import BaseRepoController, render

from kallithea.lib.graphmod import graph_data

from kallithea.lib.page import RepoPage

from kallithea.lib.vcs.exceptions import RepositoryError, ChangesetDoesNotExistError, \

    ChangesetError, NodeDoesNotExistError, EmptyRepositoryError

from kallithea.lib.utils2 import safe_int, safe_str

log = logging.getLogger(__name__)

class ChangelogController(BaseRepoController):

    def _before(self, *args, **kwargs):

        super(ChangelogController, self)._before(*args, **kwargs)

        c.affected_files_cut_off = 60

    @staticmethod

    def __get_cs(rev, repo):

        """

        Safe way to get changeset. If error occur fail with error message.

        :param rev: revision to fetch

        :param repo: repo instance

        """

        try:

            return c.db_repo_scm_instance.get_changeset(rev)

        except EmptyRepositoryError as e:

        except RepositoryError as e:

            log.error(traceback.format_exc())

            h.flash(safe_str(e), category='error')

        raise HTTPBadRequest()

    @LoginRequired(allow_default_user=True)

    @HasRepoPermissionLevelDecorator('read')

    def index(self, repo_name, revision=None, f_path=None):

        limit = 2000

        default = 100

        if request.GET.get('size'):

            c.size = max(min(safe_int(request.GET.get('size')), limit), 1)

            session['changelog_size'] = c.size

            session.save()

        else:

            c.size = int(session.get('changelog_size', default))

        # min size must be 1

        c.size = max(c.size, 1)

        p = safe_int(request.GET.get('page'), 1)

        branch_name = request.GET.get('branch', None)

        if (branch_name and

            branch_name not in c.db_repo_scm_instance.branches and

            branch_name not in c.db_repo_scm_instance.closed_branches and

            not revision):

            raise HTTPFound(location=url('changelog_file_home', repo_name=c.repo_name,

                                    revision=branch_name, f_path=f_path or ''))

        if revision == 'tip':

            revision = None

        c.changelog_for_path = f_path

        try:

            if f_path:

                log.debug('generating changelog for path %s', f_path)

                # get the history for the file !

                tip_cs = c.db_repo_scm_instance.get_changeset()

                try:

                    collection = tip_cs.get_file_history(f_path)

                except (NodeDoesNotExistError, ChangesetError):

                    # this node is not present at tip !

                    try:

                        cs = self.__get_cs(revision, repo_name)

                        collection = cs.get_file_history(f_path)

                    except RepositoryError as e:

                        h.flash(safe_str(e), category='warning')

                        raise HTTPFound(location=h.url('changelog_home', repo_name=repo_name))

                collection = list(reversed(collection))

        c.from_ = request.GET.get('from_') or ''

        c.closed = request.GET.get('closed') or ''

        p = safe_int(request.GET.get('page'), 1)

        q = PullRequest.query(include_closed=c.closed, sorted=True)

        if c.from_:

            q = q.filter_by(org_repo=c.db_repo)

        else:

            q = q.filter_by(other_repo=c.db_repo)

        c.pull_requests = q.all()

        c.pullrequests_pager = Page(c.pull_requests, page=p, items_per_page=100)

        return render('/pullrequests/pullrequest_show_all.html')

    @LoginRequired()

    def show_my(self):

        c.closed = request.GET.get('closed') or ''

        c.my_pull_requests = PullRequest.query(

            include_closed=c.closed,

            sorted=True,

        ).filter_by(owner_id=request.authuser.user_id).all()

        c.participate_in_pull_requests = []

        c.participate_in_pull_requests_todo = []

        done_status = set([ChangesetStatus.STATUS_APPROVED, ChangesetStatus.STATUS_REJECTED])

        for pr in PullRequest.query(

            include_closed=c.closed,

            reviewer_id=request.authuser.user_id,

            sorted=True,

        ):

            status = pr.user_review_status(request.authuser.user_id) # very inefficient!!!

            if status in done_status:

                c.participate_in_pull_requests.append(pr)

            else:

                c.participate_in_pull_requests_todo.append(pr)

        return render('/pullrequests/pullrequest_show_my.html')

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

    def index(self):

        org_repo = c.db_repo

        org_scm_instance = org_repo.scm_instance

        try:

            org_scm_instance.get_changeset()

        except EmptyRepositoryError as e:

                    category='warning')

            raise HTTPFound(location=url('summary_home', repo_name=org_repo.repo_name))

        org_rev = request.GET.get('rev_end')

        # rev_start is not directly useful - its parent could however be used

        # as default for other and thus give a simple compare view

        rev_start = request.GET.get('rev_start')

        other_rev = None

        if rev_start:

            starters = org_repo.get_changeset(rev_start).parents

            if starters:

                other_rev = starters[0].raw_id

            else:

                other_rev = org_repo.scm_instance.EMPTY_CHANGESET

        branch = request.GET.get('branch')

        c.cs_repos = [(org_repo.repo_name, org_repo.repo_name)]

        c.default_cs_repo = org_repo.repo_name

        c.cs_refs, c.default_cs_ref = self._get_repo_refs(org_scm_instance, rev=org_rev, branch=branch)

        default_cs_ref_type, default_cs_branch, default_cs_rev = c.default_cs_ref.split(':')

        if default_cs_ref_type != 'branch':

            default_cs_branch = org_repo.get_changeset(default_cs_rev).branch

        # add org repo to other so we can open pull request against peer branches on itself

        c.a_repos = [(org_repo.repo_name, '%s (self)' % org_repo.repo_name)]

        if org_repo.parent:

            # add parent of this fork also and select it.

            # use the same branch on destination as on source, if available.

            c.a_repos.append((org_repo.parent.repo_name, '%s (parent)' % org_repo.parent.repo_name))

            c.a_repo = org_repo.parent

            c.a_refs, c.default_a_ref = self._get_repo_refs(

                    org_repo.parent.scm_instance, branch=default_cs_branch, rev=other_rev)

        else:

            c.a_repo = org_repo

            c.a_refs, c.default_a_ref = self._get_repo_refs(org_scm_instance, rev=other_rev)

        # gather forks and add to this list ... even though it is rare to

        # request forks to pull from their parent

        for fork in org_repo.forks:

            c.a_repos.append((fork.repo_name, fork.repo_name))

        return render('/pullrequests/pullrequest.html')

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

                except ObjectDeletedError:

                    # since we use heavy caching sometimes it happens that we get

                    # deleted objects here, we just skip them

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current config instance

    """

    log.info('getting information about all available permissions')

    try:

        all_perms = Session().query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def _redirect_to_login(message=None):

    """Return an exception that must be raised. It will redirect to the login

    page which will redirect back to the current URL after authentication.

    The optional message will be shown in a flash message."""

    from kallithea.lib import helpers as h

    if message:

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

# Use as decorator

class LoginRequired(object):

    """Client must be logged in as a valid User, or we'll redirect to the login

    page.

    If the "default" user is enabled and allow_default_user is true, that is

    considered valid too.

    Also checks that IP address is allowed, and if using API key instead

    of regular cookie authentication, checks that API key access is allowed

    (based on `api_access` parameter and the API view whitelist).

    """

    def __init__(self, api_access=False, allow_default_user=False):

        self.api_access = api_access

        self.allow_default_user = allow_default_user

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = request.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        # Check if we used an API key to authenticate.

        api_key = user.authenticating_api_key

        if api_key is not None:

            # Check that controller is enabled for API key usage.

            if not self.api_access and not allowed_api_access(loc, api_key=api_key):

                # controller does not allow API access

                log.warning('API access to %s is not allowed', loc)

                raise HTTPForbidden()

            log.info('user %s authenticated with API key ****%s @ %s',

                     user, api_key[-4:], loc)

            return func(*fargs, **fkwargs)

        # CSRF protection: Whenever a request has ambient authority (whether

        # through a session cookie or its origin IP address), it must include

        # the correct token, unless the HTTP method is GET or HEAD (and thus

        # guaranteed to be side effect free. In practice, the only situation

            log.info('IP: %s User: %s accessed %s',

                request.ip_addr, request.authuser,

                safe_unicode(_get_access_path(environ)),

            )

            return super(BaseController, self).__call__(environ, context)

        except webob.exc.HTTPException as e:

            return e

class BaseRepoController(BaseController):

    """

    Base class for controllers responsible for loading all needed data for

    repository loaded items are

    c.db_repo_scm_instance: instance of scm repository

    c.db_repo: instance of db

    c.repository_followers: number of followers

    c.repository_forks: number of forks

    c.repository_following: weather the current user is following the current repo

    """

    def _before(self, *args, **kwargs):

        super(BaseRepoController, self)._before(*args, **kwargs)

        if c.repo_name:  # extracted from routes

            _dbr = Repository.get_by_repo_name(c.repo_name)

            if not _dbr:

                return

            log.debug('Found repository in database %s with state `%s`',

                      safe_unicode(_dbr), safe_unicode(_dbr.repo_state))

            route = getattr(request.environ.get('routes.route'), 'name', '')

            # allow to delete repos that are somehow damages in filesystem

            if route in ['delete_repo']:

                return

            if _dbr.repo_state in [Repository.STATE_PENDING]:

                if route in ['repo_creating_home']:

                    return

                check_url = url('repo_creating_home', repo_name=c.repo_name)

                raise webob.exc.HTTPFound(location=check_url)

            dbr = c.db_repo = _dbr

            c.db_repo_scm_instance = c.db_repo.scm_instance

            if c.db_repo_scm_instance is None:

                log.error('%s this repository is present in database but it '

                          'cannot be created as an scm instance', c.repo_name)

                from kallithea.lib import helpers as h

                        category='error')

                raise webob.exc.HTTPNotFound()

            # some globals counter for menu

            c.repository_followers = self.scm_model.get_followers(dbr)

            c.repository_forks = self.scm_model.get_forks(dbr)

            c.repository_pull_requests = self.scm_model.get_pull_requests(dbr)

            c.repository_following = self.scm_model.is_following_repo(

                                    c.repo_name, request.authuser.user_id)

    @staticmethod

    def _get_ref_rev(repo, ref_type, ref_name, returnempty=False):

        """

        Safe way to get changeset. If error occurs show error.

        """

        from kallithea.lib import helpers as h

        try:

            return repo.scm_instance.get_ref_revision(ref_type, ref_name)

        except EmptyRepositoryError as e:

            if returnempty:

                return repo.scm_instance.EMPTY_CHANGESET

            raise webob.exc.HTTPNotFound()

        except ChangesetDoesNotExistError as e:

                    category='error')

            raise webob.exc.HTTPNotFound()

        except RepositoryError as e:

            log.error(traceback.format_exc())

            h.flash(safe_str(e), category='error')

            raise webob.exc.HTTPBadRequest()

@decorator.decorator

def jsonify(func, *args, **kwargs):

    """Action decorator that formats output for JSON

    Given a function that will return content, this decorator will turn

    the result into JSON, with a content-type of 'application/json' and

    output it.

    """

    response.headers['Content-Type'] = 'application/json; charset=utf-8'

    data = func(*args, **kwargs)

    if isinstance(data, (list, tuple)):

        # A JSON list response is syntactically valid JavaScript and can be

        # loaded and executed as JavaScript by a malicious third-party site

        # using <script>, which can lead to cross-site data leaks.

        # JSON responses should therefore be scalars or objects (i.e. Python

        # dicts), because a JSON object is a syntax error if intepreted as JS.

        msg = "JSON responses with Array envelopes are susceptible to " \

              "cross-site data leak attacks, see " \

              "https://web.archive.org/web/20120519231904/http://wiki.pylonshq.com/display/pylonsfaq/Warnings"

        warnings.warn(msg, Warning, 2)

        log.warning(msg)

    log.debug("Returning JSON wrapped action output")

    return json.dumps(data, encoding='utf-8')

## -*- coding: utf-8 -*-

## upgrade block rendered afte on-click check

<div class="alert ${'alert-warning' if c.should_upgrade else 'alert-success'}">

<p>

%if c.should_upgrade:

    A <b>new version</b> is available:

    %if c.latest_data.get('title'):

    %else:

        <b>${c.latest_ver}</b>

    %endif

%else:

    You already have the <b>latest</b> stable version.

%endif

</p>

% if c.should_upgrade and c.important_notices:

<div class="alert alert-warning">

    Important notes for this release:

    <ul>

    % for notice in c.important_notices:

        <li>- ${notice}</li>

    % endfor

    </ul>

</div>

% endif

</div>

## snippet for displaying default permission box

## usage:

##    <%namespace name="dpb" file="/base/default_perms_box.html"/>

##    ${dpb.default_perms_box(<url_to_form>)}

<%def name="default_perms_box(form_url)">

${h.form(form_url)}

    <div class="form">

            <div class="form-group">

                <label class="control-label" for="inherit_default_permissions">${_('Inherit defaults')}:</label>

                <div>

                    ${h.checkbox('inherit_default_permissions',value=True)}

                    <span class="help-block">

                        ${h.literal(_('Select to inherit global settings, IP whitelist and permissions from the %s.')

                                    % h.link_to('default permissions', url('admin_permissions')))}

                    </span>

                </div>

            </div>

            <div id="inherit_overlay">

            <div class="form-group">

                <label class="control-label" for="create_repo_perm">${_('Create repositories')}:</label>

                <div>

                    ${h.checkbox('create_repo_perm',value=True)}

                    <span class="help-block">

                    </span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="create_user_group_perm">${_('Create user groups')}:</label>

                <div>

                    ${h.checkbox('create_user_group_perm',value=True)}

                    <span class="help-block">

                    </span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="fork_repo_perm">${_('Fork repositories')}:</label>

                <div>

                    ${h.checkbox('fork_repo_perm',value=True)}

                    <span class="help-block">

                    </span>

                </div>

            </div>

            </div>

            <div class="form-group">

                <div class="buttons">

                    ${h.submit('save',_('Save'),class_="btn btn-default")}

                    ${h.reset('reset',_('Reset'),class_="btn btn-default")}

                </div>

            </div>

    </div>

${h.end_form()}

## JS

<script>

$(document).ready(function(e){

    var show_custom_perms = function(inherit_default){

        if(inherit_default){

            $('#inherit_overlay').hide();

        }else{

            $('#inherit_overlay').show();

        }

    };

    show_custom_perms($('#inherit_default_permissions').prop('checked'));

    $('#inherit_default_permissions').change(function(){

        show_custom_perms($('#inherit_default_permissions').prop('checked'));

    });

});

</script>

</%def>