Changeset - ca77c6da2d34
[Not reviewed]
default
0 7 0
Søren Løvborg - 9 years ago 2017-02-20 18:40:32
sorenl@unity3d.com
auth: simplify user group permission checks

In practice, Kallithea has the 'usergroup.admin' permission imply the
'usergroup.write' permission, which again implies 'usergroup.read'.

This codifies this practice by replacing the HasUserGroupPermissionAny
"perm function" with the new HasUserGroupLevel function, reducing the
risk of errors and saving quite a lot of typing.
7 files changed with 61 insertions and 101 deletions:
kallithea/controllers/admin/user_groups.py
 
@@ -36,25 +36,25 @@ from webob.exc import HTTPFound
 

	
 
from sqlalchemy.orm import joinedload
 
from sqlalchemy.sql.expression import func
 
from webob.exc import HTTPInternalServerError
 

	
 
import kallithea
 
from kallithea.config.routing import url
 
from kallithea.lib import helpers as h
 
from kallithea.lib.exceptions import UserGroupsAssignedException, \
 
    RepoGroupAssignmentError
 
from kallithea.lib.utils2 import safe_unicode, safe_int
 
from kallithea.lib.auth import LoginRequired, \
 
    HasUserGroupPermissionAnyDecorator, HasPermissionAnyDecorator
 
    HasUserGroupPermissionLevelDecorator, HasPermissionAnyDecorator
 
from kallithea.lib.base import BaseController, render
 
from kallithea.model.scm import UserGroupList
 
from kallithea.model.user_group import UserGroupModel
 
from kallithea.model.repo import RepoModel
 
from kallithea.model.db import User, UserGroup, UserGroupToPerm, \
 
    UserGroupRepoToPerm, UserGroupRepoGroupToPerm
 
from kallithea.model.forms import UserGroupForm, UserGroupPermsForm, \
 
    CustomDefaultPermissionsForm
 
from kallithea.model.meta import Session
 
from kallithea.lib.utils import action_logger
 
from kallithea.lib.compat import json
 

	
 
@@ -83,25 +83,25 @@ class UserGroupsController(BaseControlle
 
        Load defaults settings for edit, and update
 

	
 
        :param user_group_id:
 
        """
 
        user_group = UserGroup.get_or_404(user_group_id)
 
        data = user_group.get_dict()
 
        return data
 

	
 
    def index(self, format='html'):
 
        _list = UserGroup.query() \
 
                        .order_by(func.lower(UserGroup.users_group_name)) \
 
                        .all()
 
        group_iter = UserGroupList(_list, perm_set=['usergroup.admin'])
 
        group_iter = UserGroupList(_list, perm_level='admin')
 
        user_groups_data = []
 
        total_records = len(group_iter)
 
        _tmpl_lookup = kallithea.CONFIG['pylons.app_globals'].mako_lookup
 
        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')
 

	
 
        user_group_name = lambda user_group_id, user_group_name: (
 
            template.get_def("user_group_name")
 
            .render(user_group_id, user_group_name, _=_, h=h, c=c)
 
        )
 
        user_group_actions = lambda user_group_id, user_group_name: (
 
            template.get_def("user_group_actions")
 
            .render(user_group_id, user_group_name, _=_, h=h, c=c)
 
@@ -156,25 +156,25 @@ class UserGroupsController(BaseControlle
 
                force_defaults=False)
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            h.flash(_('Error occurred during creation of user group %s') \
 
                    % request.POST.get('users_group_name'), category='error')
 

	
 
        raise HTTPFound(location=url('users_groups'))
 

	
 
    @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
 
    def new(self, format='html'):
 
        return render('admin/user_groups/user_group_add.html')
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def update(self, id):
 
        c.user_group = UserGroup.get_or_404(id)
 
        c.active = 'settings'
 
        self.__load_data(id)
 

	
 
        available_members = [safe_unicode(x[0]) for x in c.available_members]
 

	
 
        users_group_form = UserGroupForm(edit=True,
 
                                         old_data=c.user_group.get_dict(),
 
                                         available_members=available_members)()
 

	
 
        try:
 
@@ -202,55 +202,55 @@ class UserGroupsController(BaseControlle
 
                defaults=defaults,
 
                errors=e,
 
                prefix_error=False,
 
                encoding="UTF-8",
 
                force_defaults=False)
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            h.flash(_('Error occurred during update of user group %s') \
 
                    % request.POST.get('users_group_name'), category='error')
 

	
 
        raise HTTPFound(location=url('edit_users_group', id=id))
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def delete(self, id):
 
        usr_gr = UserGroup.get_or_404(id)
 
        try:
 
            UserGroupModel().delete(usr_gr)
 
            Session().commit()
 
            h.flash(_('Successfully deleted user group'), category='success')
 
        except UserGroupsAssignedException as e:
 
            h.flash(e, category='error')
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            h.flash(_('An error occurred during deletion of user group'),
 
                    category='error')
 
        raise HTTPFound(location=url('users_groups'))
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def edit(self, id, format='html'):
 
        c.user_group = UserGroup.get_or_404(id)
 
        c.active = 'settings'
 
        self.__load_data(id)
 

	
 
        defaults = self.__load_defaults(id)
 

	
 
        return htmlfill.render(
 
            render('admin/user_groups/user_group_edit.html'),
 
            defaults=defaults,
 
            encoding="UTF-8",
 
            force_defaults=False
 
        )
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def edit_perms(self, id):
 
        c.user_group = UserGroup.get_or_404(id)
 
        c.active = 'perms'
 

	
 
        repo_model = RepoModel()
 
        c.users_array = repo_model.get_users_js()
 
        c.user_groups_array = repo_model.get_user_groups_js()
 

	
 
        defaults = {}
 
        # fill user group users
 
        for p in c.user_group.user_user_group_to_perm:
 
            defaults.update({'u_perm_%s' % p.user.username:
 
@@ -258,49 +258,49 @@ class UserGroupsController(BaseControlle
 

	
 
        for p in c.user_group.user_group_user_group_to_perm:
 
            defaults.update({'g_perm_%s' % p.user_group.users_group_name:
 
                             p.permission.permission_name})
 

	
 
        return htmlfill.render(
 
            render('admin/user_groups/user_group_edit.html'),
 
            defaults=defaults,
 
            encoding="UTF-8",
 
            force_defaults=False
 
        )
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def update_perms(self, id):
 
        """
 
        grant permission for given usergroup
 

	
 
        :param id:
 
        """
 
        user_group = UserGroup.get_or_404(id)
 
        form = UserGroupPermsForm()().to_python(request.POST)
 

	
 
        # set the permissions !
 
        try:
 
            UserGroupModel()._update_permissions(user_group, form['perms_new'],
 
                                                 form['perms_updates'])
 
        except RepoGroupAssignmentError:
 
            h.flash(_('Target group cannot be the same'), category='error')
 
            raise HTTPFound(location=url('edit_user_group_perms', id=id))
 
        #TODO: implement this
 
        #action_logger(request.authuser, 'admin_changed_repo_permissions',
 
        #              repo_name, request.ip_addr, self.sa)
 
        Session().commit()
 
        h.flash(_('User group permissions updated'), category='success')
 
        raise HTTPFound(location=url('edit_user_group_perms', id=id))
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def delete_perms(self, id):
 
        try:
 
            obj_type = request.POST.get('obj_type')
 
            obj_id = None
 
            if obj_type == 'user':
 
                obj_id = safe_int(request.POST.get('user_id'))
 
            elif obj_type == 'user_group':
 
                obj_id = safe_int(request.POST.get('user_group_id'))
 

	
 
            if not request.authuser.is_admin:
 
                if obj_type == 'user' and request.authuser.user_id == obj_id:
 
                    msg = _('Cannot revoke permission for yourself as admin')
 
@@ -310,25 +310,25 @@ class UserGroupsController(BaseControlle
 
                UserGroupModel().revoke_user_permission(user_group=id,
 
                                                        user=obj_id)
 
            elif obj_type == 'user_group':
 
                UserGroupModel().revoke_user_group_permission(target_user_group=id,
 
                                                              user_group=obj_id)
 
            Session().commit()
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            h.flash(_('An error occurred during revoking of permission'),
 
                    category='error')
 
            raise HTTPInternalServerError()
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def edit_default_perms(self, id):
 
        c.user_group = UserGroup.get_or_404(id)
 
        c.active = 'default_perms'
 

	
 
        permissions = {
 
            'repositories': {},
 
            'repositories_groups': {}
 
        }
 
        ugroup_repo_perms = UserGroupRepoToPerm.query() \
 
            .options(joinedload(UserGroupRepoToPerm.permission)) \
 
            .options(joinedload(UserGroupRepoToPerm.repository)) \
 
            .filter(UserGroupRepoToPerm.users_group_id == id) \
 
@@ -359,25 +359,25 @@ class UserGroupsController(BaseControlle
 
                                                        'hg.usergroup.create.true'),
 
            'fork_repo_perm': ug_model.has_perm(c.user_group,
 
                                                'hg.fork.repository'),
 
        })
 

	
 
        return htmlfill.render(
 
            render('admin/user_groups/user_group_edit.html'),
 
            defaults=defaults,
 
            encoding="UTF-8",
 
            force_defaults=False
 
        )
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def update_default_perms(self, id):
 
        user_group = UserGroup.get_or_404(id)
 

	
 
        try:
 
            form = CustomDefaultPermissionsForm()()
 
            form_result = form.to_python(request.POST)
 

	
 
            inherit_perms = form_result['inherit_default_permissions']
 
            user_group.inherit_default_permissions = inherit_perms
 
            usergroup_model = UserGroupModel()
 

	
 
            defs = UserGroupToPerm.query() \
 
@@ -399,30 +399,30 @@ class UserGroupsController(BaseControlle
 
            else:
 
                usergroup_model.grant_perm(id, 'hg.fork.none')
 

	
 
            h.flash(_("Updated permissions"), category='success')
 
            Session().commit()
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            h.flash(_('An error occurred during permissions saving'),
 
                    category='error')
 

	
 
        raise HTTPFound(location=url('edit_user_group_default_perms', id=id))
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def edit_advanced(self, id):
 
        c.user_group = UserGroup.get_or_404(id)
 
        c.active = 'advanced'
 
        c.group_members_obj = sorted((x.user for x in c.user_group.members),
 
                                     key=lambda u: u.username.lower())
 
        return render('admin/user_groups/user_group_edit.html')
 

	
 

	
 
    @HasUserGroupPermissionAnyDecorator('usergroup.admin')
 
    @HasUserGroupPermissionLevelDecorator('admin')
 
    def edit_members(self, id):
 
        c.user_group = UserGroup.get_or_404(id)
 
        c.active = 'members'
 
        c.group_members_obj = sorted((x.user for x in c.user_group.members),
 
                                     key=lambda u: u.username.lower())
 

	
 
        c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
 
        return render('admin/user_groups/user_group_edit.html')
kallithea/controllers/api/api.py
 
@@ -27,25 +27,25 @@ Original author and date, and relevant c
 

	
 
import time
 
import traceback
 
import logging
 
from sqlalchemy import or_
 

	
 
from pylons import request
 

	
 
from kallithea.controllers.api import JSONRPCController, JSONRPCError
 
from kallithea.lib.auth import (
 
    PasswordGenerator, AuthUser, HasPermissionAnyDecorator,
 
    HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionLevel,
 
    HasRepoGroupPermissionLevel, HasUserGroupPermissionAny)
 
    HasRepoGroupPermissionLevel, HasUserGroupPermissionLevel)
 
from kallithea.lib.utils import map_groups, repo2db_mapper
 
from kallithea.lib.utils2 import (
 
    str2bool, time_to_datetime, safe_int, Optional, OAttr)
 
from kallithea.model.meta import Session
 
from kallithea.model.repo_group import RepoGroupModel
 
from kallithea.model.scm import ScmModel, UserGroupList
 
from kallithea.model.repo import RepoModel
 
from kallithea.model.user import UserModel
 
from kallithea.model.user_group import UserGroupModel
 
from kallithea.model.gist import GistModel
 
from kallithea.model.db import (
 
    Repository, Setting, UserIpMap, Permission, User, Gist,
 
@@ -811,52 +811,47 @@ class ApiController(JSONRPCController):
 
            result : None if group not exist
 
                     {
 
                       "users_group_id" : "<id>",
 
                       "group_name" :     "<groupname>",
 
                       "active":          "<bool>",
 
                       "members" :  [<user_obj>,...]
 
                     }
 
            error : null
 

	
 
        """
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            # check if we have at least read permission for this user group !
 
            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        data = user_group.get_api_data()
 
        return data
 

	
 
    # permission check inside
 
    def get_user_groups(self):
 
        """
 
        Lists all existing user groups. This command can be executed only using
 
        api_key belonging to user with admin rights or user who has at least
 
        read access to user group.
 

	
 

	
 
        OUTPUT::
 

	
 
            id : <id_given_in_input>
 
            result : [<user_group_obj>,...]
 
            error : null
 
        """
 

	
 
        result = []
 
        _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
 
        for user_group in UserGroupList(UserGroup.query().all(),
 
                                        perm_set=_perms):
 
        for user_group in UserGroupList(UserGroup.query().all(), perm_level='read'):
 
            result.append(user_group.get_api_data())
 
        return result
 

	
 
    @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
 
    def create_user_group(self, group_name, description=Optional(''),
 
                          owner=Optional(OAttr('apiuser')), active=Optional(True)):
 
        """
 
        Creates new user group. This command can be executed only using api_key
 
        belonging to user with admin rights or an user who has create user group
 
        permission
 

	
 
        :param group_name: name of new user group
 
@@ -940,28 +935,25 @@ class ApiController(JSONRPCController):
 

	
 
        ERROR OUTPUT::
 

	
 
          id : <id_given_in_input>
 
          result : null
 
          error :  {
 
            "failed to update user group `<user group name>`"
 
          }
 

	
 
        """
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            # check if we have admin permission for this user group !
 
            _perms = ('usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        if not isinstance(owner, Optional):
 
            owner = get_user_or_error(owner)
 

	
 
        updates = {}
 
        store_update(updates, group_name, 'users_group_name')
 
        store_update(updates, description, 'user_group_description')
 
        store_update(updates, owner, 'owner')
 
        store_update(updates, active, 'users_group_active')
 
        try:
 
            UserGroupModel().update(user_group, updates)
 
@@ -997,28 +989,25 @@ class ApiController(JSONRPCController):
 

	
 
          id : <id_given_in_input>
 
          result : null
 
          error :  {
 
            "failed to delete user group ID:<user_group_id> <user_group_name>"
 
            or
 
            "RepoGroup assigned to <repo_groups_list>"
 
          }
 

	
 
        """
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            # check if we have admin permission for this user group !
 
            _perms = ('usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        try:
 
            UserGroupModel().delete(user_group)
 
            Session().commit()
 
            return dict(
 
                msg='deleted user group ID:%s %s' %
 
                    (user_group.users_group_id, user_group.users_group_name),
 
                user_group=None
 
            )
 
        except UserGroupsAssignedException as e:
 
            log.error(traceback.format_exc())
 
@@ -1056,28 +1045,25 @@ class ApiController(JSONRPCController):
 
        ERROR OUTPUT::
 

	
 
          id : <id_given_in_input>
 
          result : null
 
          error :  {
 
            "failed to add member to user group `<user_group_name>`"
 
          }
 

	
 
        """
 
        user = get_user_or_error(userid)
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            # check if we have admin permission for this user group !
 
            _perms = ('usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        try:
 
            ugm = UserGroupModel().add_user_to_group(user_group, user)
 
            success = True if ugm != True else False
 
            msg = 'added member `%s` to user group `%s`' % (
 
                user.username, user_group.users_group_name
 
            )
 
            msg = msg if success else 'User is already in that group'
 
            Session().commit()
 

	
 
            return dict(
 
@@ -1108,28 +1094,25 @@ class ApiController(JSONRPCController):
 
            id : <id_given_in_input>
 
            result: {
 
                      "success":  True|False,  # depends on if member is in group
 
                      "msg": "removed member <username> from user group <groupname> |
 
                              User wasn't in group"
 
                    }
 
            error:  null
 

	
 
        """
 
        user = get_user_or_error(userid)
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            # check if we have admin permission for this user group !
 
            _perms = ('usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        try:
 
            success = UserGroupModel().remove_user_from_group(user_group, user)
 
            msg = 'removed member `%s` from user group `%s`' % (
 
                user.username, user_group.users_group_name
 
            )
 
            msg = msg if success else "User wasn't in group"
 
            Session().commit()
 
            return dict(success=success, msg=msg)
 
        except Exception:
 
            log.error(traceback.format_exc())
 
@@ -1803,28 +1786,25 @@ class ApiController(JSONRPCController):
 
          error :  {
 
            "failed to edit permission for user group: `<usergroup>` in repo `<repo>`'
 
          }
 

	
 
        """
 
        repo = get_repo_or_error(repoid)
 
        perm = get_perm_or_error(perm)
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            if not HasRepoPermissionLevel('admin')(repo.repo_name):
 
                raise JSONRPCError('repository `%s` does not exist' % (repoid,))
 

	
 
            # check if we have at least read permission for this user group !
 
            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        try:
 
            RepoModel().grant_user_group_permission(
 
                repo=repo, group_name=user_group, perm=perm)
 

	
 
            Session().commit()
 
            return dict(
 
                msg='Granted perm: `%s` for user group: `%s` in '
 
                    'repo: `%s`' % (
 
                        perm.permission_name, user_group.users_group_name,
 
                        repo.repo_name
 
@@ -1856,28 +1836,25 @@ class ApiController(JSONRPCController):
 
            result: {
 
                      "msg" : "Revoked perm for group: `<usersgroupname>` in repo: `<reponame>`",
 
                      "success": true
 
                    }
 
            error:  null
 
        """
 
        repo = get_repo_or_error(repoid)
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            if not HasRepoPermissionLevel('admin')(repo.repo_name):
 
                raise JSONRPCError('repository `%s` does not exist' % (repoid,))
 

	
 
            # check if we have at least read permission for this user group !
 
            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
 
                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
 

	
 
        try:
 
            RepoModel().revoke_user_group_permission(
 
                repo=repo, group_name=user_group)
 

	
 
            Session().commit()
 
            return dict(
 
                msg='Revoked perm for user group: `%s` in repo: `%s`' % (
 
                    user_group.users_group_name, repo.repo_name
 
                ),
 
                success=True
 
@@ -2236,28 +2213,25 @@ class ApiController(JSONRPCController):
 
            "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
 
          }
 

	
 
        """
 
        repo_group = get_repo_group_or_error(repogroupid)
 
        perm = get_perm_or_error(perm, prefix='group.')
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            if not HasRepoGroupPermissionLevel('admin')(repo_group.group_name):
 
                raise JSONRPCError(
 
                    'repository group `%s` does not exist' % (repogroupid,))
 

	
 
            # check if we have at least read permission for this user group !
 
            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
 
                raise JSONRPCError(
 
                    'user group `%s` does not exist' % (usergroupid,))
 

	
 
        apply_to_children = Optional.extract(apply_to_children)
 

	
 
        try:
 
            RepoGroupModel().add_permission(repo_group=repo_group,
 
                                            obj=user_group,
 
                                            obj_type="user_group",
 
                                            perm=perm,
 
                                            recursive=apply_to_children)
 
            Session().commit()
 
@@ -2309,28 +2283,25 @@ class ApiController(JSONRPCController):
 
            "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
 
          }
 

	
 

	
 
        """
 
        repo_group = get_repo_group_or_error(repogroupid)
 
        user_group = get_user_group_or_error(usergroupid)
 
        if not HasPermissionAny('hg.admin')():
 
            if not HasRepoGroupPermissionLevel('admin')(repo_group.group_name):
 
                raise JSONRPCError(
 
                    'repository group `%s` does not exist' % (repogroupid,))
 

	
 
            # check if we have at least read permission for this user group !
 
            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
 
            if not HasUserGroupPermissionAny(*_perms)(
 
                    user_group_name=user_group.users_group_name):
 
            if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
 
                raise JSONRPCError(
 
                    'user group `%s` does not exist' % (usergroupid,))
 

	
 
        apply_to_children = Optional.extract(apply_to_children)
 

	
 
        try:
 
            RepoGroupModel().delete_permission(repo_group=repo_group,
 
                                               obj=user_group,
 
                                               obj_type="user_group",
 
                                               recursive=apply_to_children)
 
            Session().commit()
 
            return dict(
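Review bot: The same two-step check now appears nine times in this file: `HasPermissionAny('hg.admin')()`, then `HasUserGroupPermissionLevel(<level>)(user_group.users_group_name)`, then the 'does not exist' `JSONRPCError`. The copies differ only in the level string ('read' for the get and the four grant/revoke checks, 'admin' for update, delete and member add/remove). Since the commit has reduced each check to one line, it could move into a single module-level helper, leaving the required level as the only thing to verify at each call site and keeping the denial message from drifting between methods. Most of the enclosing methods start and end outside these hunks, so the sketch shows only the helper and one call site; the helper name is a suggestion, and in the grant/revoke methods it would follow the existing repository-level check.

```python
def _require_user_group_level(user_group, usergroupid, level):
    """Raise JSONRPCError unless the caller is hg.admin or holds `level` on user_group."""
    if HasPermissionAny('hg.admin')():
        return
    if not HasUserGroupPermissionLevel(level)(user_group.users_group_name):
        raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))

# … unchanged: docstring of the user group update method …
        user_group = get_user_group_or_error(usergroupid)
        _require_user_group_level(user_group, usergroupid, 'admin')
```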
kallithea/lib/auth.py
 
@@ -552,24 +552,36 @@ class AuthUser(object):
 
    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):
 
        required_perms = {
 
            'read': ['group.read', 'group.write', 'group.admin'],
 
            'write': ['group.write', 'group.admin'],
 
            'admin': ['group.admin'],
 
        }[level]
 
        actual_perm = self.permissions['repositories_groups'].get(repo_group_name)
 
        ok = actual_perm in required_perms
 
        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',
 
            self.username, level, repo_group_name, purpose, ok, actual_perm)
 
        return ok
 

	
 
    def has_user_group_permission_level(self, user_group_name, level, purpose=None):
 
        required_perms = {
 
            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],
 
            'write': ['usergroup.write', 'usergroup.admin'],
 
            'admin': ['usergroup.admin'],
 
        }[level]
 
        actual_perm = self.permissions['user_groups'].get(user_group_name)
 
        ok = actual_perm in required_perms
 
        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',
 
            self.username, level, user_group_name, purpose, ok, actual_perm)
 
        return ok
 

	
 
    @property
 
    def api_keys(self):
 
        return self._get_api_keys()
 

	
 
    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):
 
        """
 
        Fills user permission attribute with permissions taken from database
 
        works for permissions given for repositories, and for permissions that
 
        are granted to groups
 

	
 
        :param user: `AuthUser` instance
 
        :param explicit: In case there are permissions both for user and a group
 
@@ -873,36 +885,34 @@ class HasRepoPermissionLevelDecorator(_P
 

	
 
class HasRepoGroupPermissionLevelDecorator(_PermsDecorator):
 
    """
 
    Checks the user has any of given permissions for the requested repository group.
 
    """
 

	
 
    def check_permissions(self, user):
 
        repo_group_name = get_repo_group_slug(request)
 
        (level,) = self.required_perms
 
        return user.has_repository_group_permission_level(repo_group_name, level)
 

	
 

	
 
class HasUserGroupPermissionAnyDecorator(_PermsDecorator):
 
class HasUserGroupPermissionLevelDecorator(_PermsDecorator):
 
    """
 
    Checks for access permission for any of given predicates for specific
 
    user group. In order to fulfill the request any of predicates must be meet
 
    """
 

	
 
    def check_permissions(self, user):
 
        user_group_name = get_user_group_slug(request)
 
        try:
 
            return user.permissions['user_groups'][user_group_name] in self.required_perms
 
        except KeyError:
 
            return False
 
        (level,) = self.required_perms
 
        return user.has_user_group_permission_level(user_group_name, level)
 

	
 

	
 
#==============================================================================
 
# CHECK FUNCTIONS
 
#==============================================================================
 

	
 
class _PermsFunction(object):
 
    """Base function for other check functions"""
 

	
 
    def __init__(self, *required_perms):
 
        self.required_perms = required_perms # usually very short - a list is thus fine
 

	
 
@@ -933,35 +943,29 @@ class HasRepoPermissionLevel(_PermsFunct
 
    def __call__(self, repo_name, purpose=None):
 
        (level,) = self.required_perms
 
        return request.user.has_repository_permission_level(repo_name, level, purpose)
 

	
 

	
 
class HasRepoGroupPermissionLevel(_PermsFunction):
 

	
 
    def __call__(self, group_name, purpose=None):
 
        (level,) = self.required_perms
 
        return request.user.has_repository_group_permission_level(group_name, level, purpose)
 

	
 

	
 
class HasUserGroupPermissionAny(_PermsFunction):
 
class HasUserGroupPermissionLevel(_PermsFunction):
 

	
 
    def __call__(self, user_group_name, purpose=None):
 
        try:
 
            ok = request.user.permissions['user_groups'][user_group_name] in self.required_perms
 
        except KeyError:
 
            ok = False
 

	
 
        log.debug('Check %s %s for user group %s (%s): %s' %
 
            (request.user.username, self.required_perms, user_group_name, purpose, ok))
 
        return ok
 
        (level,) = self.required_perms
 
        return request.user.has_user_group_permission_level(user_group_name, level, purpose)
 

	
 

	
 
#==============================================================================
 
# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
 
#==============================================================================
 

	
 
class HasPermissionAnyMiddleware(object):
 
    def __init__(self, *perms):
 
        self.required_perms = set(perms)
 

	
 
    def __call__(self, user, repo_name, purpose=None):
 
        # repo_name MUST be unicode, since we handle keys in ok
kallithea/model/repo.py
 
@@ -38,25 +38,25 @@ from kallithea.lib.vcs.backends import g
 
from kallithea.lib.compat import json
 
from kallithea.lib.utils2 import LazyProperty, safe_str, safe_unicode, \
 
    remove_prefix, obfuscate_url_pw, get_current_authuser
 
from kallithea.lib.caching_query import FromCache
 
from kallithea.lib.hooks import log_delete_repository
 

	
 
from kallithea.model.base import BaseModel
 
from kallithea.model.db import Repository, UserRepoToPerm, UserGroupRepoToPerm, \
 
    UserRepoGroupToPerm, UserGroupRepoGroupToPerm, User, Permission, \
 
    Statistics, UserGroup, Ui, RepoGroup, RepositoryField
 

	
 
from kallithea.lib import helpers as h
 
from kallithea.lib.auth import HasRepoPermissionLevel, HasUserGroupPermissionAny
 
from kallithea.lib.auth import HasRepoPermissionLevel, HasUserGroupPermissionLevel
 
from kallithea.lib.exceptions import AttachedForksError
 
from kallithea.model.scm import UserGroupList
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
class RepoModel(BaseModel):
 

	
 
    URL_SEPARATOR = Repository.url_sep()
 

	
 
    def _create_default_perms(self, repository, private):
 
        # create default permission
 
@@ -135,27 +135,25 @@ class RepoModel(BaseModel):
 
                'nname': u.username,
 
                'gravatar_lnk': h.gravatar_url(u.email, size=28, default='default'),
 
                'gravatar_size': 14,
 
            } for u in users]
 
        )
 

	
 
    def get_user_groups_js(self):
 
        user_groups = self.sa.query(UserGroup) \
 
            .filter(UserGroup.users_group_active == True) \
 
            .order_by(UserGroup.users_group_name) \
 
            .options(subqueryload(UserGroup.members)) \
 
            .all()
 
        user_groups = UserGroupList(user_groups, perm_set=['usergroup.read',
 
                                                           'usergroup.write',
 
                                                           'usergroup.admin'])
 
        user_groups = UserGroupList(user_groups, perm_level='read')
 
        return json.dumps([
 
            {
 
                'id': gr.users_group_id,
 
                'grname': gr.users_group_name,
 
                'grmembers': len(gr.members),
 
            } for gr in user_groups]
 
        )
 

	
 
    @classmethod
 
    def _render_datatable(cls, tmpl, *args, **kwargs):
 
        import kallithea
 
        from pylons import tmpl_context as c, request
 
@@ -459,44 +457,38 @@ class RepoModel(BaseModel):
 
            perms_new = []
 
        if not perms_updates:
 
            perms_updates = []
 

	
 
        # update permissions
 
        for member, perm, member_type in perms_updates:
 
            if member_type == 'user':
 
                # this updates existing one
 
                self.grant_user_permission(
 
                    repo=repo, user=member, perm=perm
 
                )
 
            else:
 
                #check if we have permissions to alter this usergroup
 
                req_perms = (
 
                    'usergroup.read', 'usergroup.write', 'usergroup.admin')
 
                if not check_perms or HasUserGroupPermissionAny(*req_perms)(
 
                        member):
 
                #check if we have permissions to alter this usergroup's access
 
                if not check_perms or HasUserGroupPermissionLevel('read')(member):
 
                    self.grant_user_group_permission(
 
                        repo=repo, group_name=member, perm=perm
 
                    )
 
            # set new permissions
 
        for member, perm, member_type in perms_new:
 
            if member_type == 'user':
 
                self.grant_user_permission(
 
                    repo=repo, user=member, perm=perm
 
                )
 
            else:
 
                #check if we have permissions to alter this usergroup
 
                req_perms = (
 
                    'usergroup.read', 'usergroup.write', 'usergroup.admin')
 
                if not check_perms or HasUserGroupPermissionAny(*req_perms)(
 
                        member):
 
                #check if we have permissions to alter this usergroup's access
 
                if not check_perms or HasUserGroupPermissionLevel('read')(member):
 
                    self.grant_user_group_permission(
 
                        repo=repo, group_name=member, perm=perm
 
                    )
 

	
 
    def create_fork(self, form_data, cur_user):
 
        """
 
        Simple wrapper into executing celery task for fork creation
 

	
 
        :param form_data:
 
        :param cur_user:
 
        """
 
        from kallithea.lib.celerylib import tasks
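Review bot: When `HasUserGroupPermissionLevel('read')(member)` is false, both loops in the last hunk skip `grant_user_group_permission` without logging or reporting anything, so a rejected grant looks the same as a successful one to the caller and to anyone auditing permission changes. The checker's `__call__` takes a `purpose` argument that these call sites leave at None; passing one, e.g. `HasUserGroupPermissionLevel('read')(member, 'grant repo access')`, and adding an `else:` branch with `log.warning('skipped permission update for user group %s: no read access', member)` would leave a trail. If read level on the group is meant to be enough to grant that group access to a repository, the comment above the check should say so, since "permissions to alter" reads as if write or admin were required. The same pattern appears in `_update_permissions` in kallithea/model/repo_group.py and kallithea/model/user_group.py; the enclosing method here starts outside the hunk.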
kallithea/model/repo_group.py
 
@@ -178,25 +178,25 @@ class RepoGroupModel(BaseModel):
 
                self.sa.flush()
 
                self._create_group(new_repo_group.group_name)
 

	
 
            return new_repo_group
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            raise
 

	
 
    def _update_permissions(self, repo_group, perms_new=None,
 
                            perms_updates=None, recursive=None,
 
                            check_perms=True):
 
        from kallithea.model.repo import RepoModel
 
        from kallithea.lib.auth import HasUserGroupPermissionAny
 
        from kallithea.lib.auth import HasUserGroupPermissionLevel
 

	
 
        if not perms_new:
 
            perms_new = []
 
        if not perms_updates:
 
            perms_updates = []
 

	
 
        def _set_perm_user(obj, user, perm):
 
            if isinstance(obj, RepoGroup):
 
                self.grant_user_permission(repo_group=obj, user=user, perm=perm)
 
            elif isinstance(obj, Repository):
 
                user = User.guess_instance(user)
 

	
 
@@ -246,36 +246,34 @@ class RepoGroupModel(BaseModel):
 
            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects
 
                obj = repo_group
 
                # also we do a break at the end of this loop.
 

	
 
            # update permissions
 
            for member, perm, member_type in perms_updates:
 
                ## set for user
 
                if member_type == 'user':
 
                    # this updates also current one if found
 
                    _set_perm_user(obj, user=member, perm=perm)
 
                ## set for user group
 
                else:
 
                    #check if we have permissions to alter this usergroup
 
                    req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
 
                    if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
 
                    #check if we have permissions to alter this usergroup's access
 
                    if not check_perms or HasUserGroupPermissionLevel('read')(member):
 
                        _set_perm_group(obj, users_group=member, perm=perm)
 
            # set new permissions
 
            for member, perm, member_type in perms_new:
 
                if member_type == 'user':
 
                    _set_perm_user(obj, user=member, perm=perm)
 
                else:
 
                    #check if we have permissions to alter this usergroup
 
                    req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
 
                    if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
 
                    #check if we have permissions to alter this usergroup's access
 
                    if not check_perms or HasUserGroupPermissionLevel('read')(member):
 
                        _set_perm_group(obj, users_group=member, perm=perm)
 
            updates.append(obj)
 
            # if it's not recursive call for all,repos,groups
 
            # break the loop and don't proceed with other changes
 
            if recursive not in ['all', 'repos', 'groups']:
 
                break
 

	
 
        return updates
 

	
 
    def update(self, repo_group, form_data):
 

	
 
        try:
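Review bot: In the second hunk, `HasUserGroupPermissionLevel('read')(member)` is built and evaluated inside the per-object loop, although its result depends only on `member` and not on `obj`, so in the recursive modes the same check appears to be repeated for every object visited. Creating the checker once before the loop, `can_read_group = HasUserGroupPermissionLevel('read')`, and testing `if not check_perms or can_read_group(member):` in both inner loops would make it clear that the decision is per user group and cannot differ between objects of one update. The loop header is outside the hunk, so the exact iteration is inferred from the trailing `break` comment.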
kallithea/model/scm.py
 
@@ -41,25 +41,25 @@ from pylons.i18n.translation import _
 
import kallithea
 
from kallithea.lib.vcs import get_backend
 
from kallithea.lib.vcs.exceptions import RepositoryError
 
from kallithea.lib.vcs.utils.lazy import LazyProperty
 
from kallithea.lib.vcs.nodes import FileNode
 
from kallithea.lib.vcs.backends.base import EmptyChangeset
 

	
 
from kallithea import BACKENDS
 
from kallithea.lib import helpers as h
 
from kallithea.lib.utils2 import safe_str, safe_unicode, get_server_url, \
 
    _set_extras
 
from kallithea.lib.auth import HasRepoPermissionLevel, HasRepoGroupPermissionLevel, \
 
    HasUserGroupPermissionAny, HasPermissionAny, HasPermissionAny
 
    HasUserGroupPermissionLevel, HasPermissionAny, HasPermissionAny
 
from kallithea.lib.utils import get_filesystem_repos, make_ui, \
 
    action_logger
 
from kallithea.model.base import BaseModel
 
from kallithea.model.db import Repository, Ui, CacheInvalidation, \
 
    UserFollowing, UserLog, User, RepoGroup, PullRequest
 
from kallithea.lib.hooks import log_push_action
 
from kallithea.lib.exceptions import NonRelativePathError, IMCCommitError
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
class UserTemp(object):
 
@@ -123,31 +123,28 @@ class RepoList(_PermCheckIterator):
 

	
 
class RepoGroupList(_PermCheckIterator):
 

	
 
    def __init__(self, db_repo_group_list, perm_level, extra_kwargs=None):
 
        super(RepoGroupList, self).__init__(obj_list=db_repo_group_list,
 
                    obj_attr='group_name', perm_set=[perm_level],
 
                    perm_checker=HasRepoGroupPermissionLevel,
 
                    extra_kwargs=extra_kwargs)
 

	
 

	
 
class UserGroupList(_PermCheckIterator):
 

	
 
    def __init__(self, db_user_group_list, perm_set=None, extra_kwargs=None):
 
        if not perm_set:
 
            perm_set = ['usergroup.read', 'usergroup.write', 'usergroup.admin']
 

	
 
    def __init__(self, db_user_group_list, perm_level, extra_kwargs=None):
 
        super(UserGroupList, self).__init__(obj_list=db_user_group_list,
 
                    obj_attr='users_group_name', perm_set=perm_set,
 
                    perm_checker=HasUserGroupPermissionAny,
 
                    obj_attr='users_group_name', perm_set=[perm_level],
 
                    perm_checker=HasUserGroupPermissionLevel,
 
                    extra_kwargs=extra_kwargs)
 

	
 

	
 
class ScmModel(BaseModel):
 
    """
 
    Generic Scm Model
 
    """
 

	
 
    def __get_repo(self, instance):
 
        cls = Repository
 
        if isinstance(instance, cls):
 
            return instance
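Review bot: `UserGroupList.__init__` in the second hunk turns the optional `perm_set=None` into a required `perm_level`, so any caller outside this page that still calls `UserGroupList(groups)` or passes `perm_set=[...]` now fails with a TypeError, and one that passes a legacy name such as 'usergroup.read' positionally hands it on to `HasUserGroupPermissionLevel` unchecked. Because this list filters which user groups a user gets to see, I would add a short docstring naming the accepted levels ('read' is the only one visible here; presumably also 'write' and 'admin') and confirm that an unrecognised level is rejected rather than treated as a match. Separately, the new import line in the first hunk lists `HasPermissionAny` twice; it could read `HasUserGroupPermissionLevel, HasPermissionAny`.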
kallithea/model/user_group.py
 
@@ -48,54 +48,52 @@ class UserGroupModel(BaseModel):
 
                default_perm = p.permission.permission_name
 
                break
 

	
 
        user_group_to_perm = UserUserGroupToPerm()
 
        user_group_to_perm.permission = Permission.get_by_key(default_perm)
 

	
 
        user_group_to_perm.user_group = user_group
 
        user_group_to_perm.user_id = def_user.user_id
 
        return user_group_to_perm
 

	
 
    def _update_permissions(self, user_group, perms_new=None,
 
                            perms_updates=None):
 
        from kallithea.lib.auth import HasUserGroupPermissionAny
 
        from kallithea.lib.auth import HasUserGroupPermissionLevel
 
        if not perms_new:
 
            perms_new = []
 
        if not perms_updates:
 
            perms_updates = []
 

	
 
        # update permissions
 
        for member, perm, member_type in perms_updates:
 
            if member_type == 'user':
 
                # this updates existing one
 
                self.grant_user_permission(
 
                    user_group=user_group, user=member, perm=perm
 
                )
 
            else:
 
                #check if we have permissions to alter this usergroup
 
                if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write',
 
                                             'usergroup.admin')(member):
 
                #check if we have permissions to alter this usergroup's access
 
                if HasUserGroupPermissionLevel('read')(member):
 
                    self.grant_user_group_permission(
 
                        target_user_group=user_group, user_group=member, perm=perm
 
                    )
 
        # set new permissions
 
        for member, perm, member_type in perms_new:
 
            if member_type == 'user':
 
                self.grant_user_permission(
 
                    user_group=user_group, user=member, perm=perm
 
                )
 
            else:
 
                #check if we have permissions to alter this usergroup
 
                if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write',
 
                                             'usergroup.admin')(member):
 
                #check if we have permissions to alter this usergroup's access
 
                if HasUserGroupPermissionLevel('read')(member):
 
                    self.grant_user_group_permission(
 
                        target_user_group=user_group, user_group=member, perm=perm
 
                    )
 

	
 
    def get(self, user_group_id, cache=False):
 
        return UserGroup.get(user_group_id)
 

	
 
    def get_group(self, user_group):
 
        return UserGroup.guess_instance(user_group)
 

	
 
    def get_by_name(self, name, cache=False, case_insensitive=False):
 
        return UserGroup.get_by_group_name(name, cache, case_insensitive)