:param algo: algorithm to decide what permission should be choose if

            it's multiple defined, eg user in two different groups. It also

            decides if explicit flag is turned off how to specify the permission

            for case when user is in a group + have defined separate permission

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        user_inherit_default_permissions = user.inherit_default_permissions

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin,

                       user_inherit_default_permissions, explicit, algo)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

                .filter_by(user_id=self.user_id, is_expired=False):

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    @staticmethod

    def check_ip_allowed(user, ip_addr):

        """

        Check if the given IP address (a `str`) is allowed for the given

        user (an `AuthUser` or `db.User`).

        """

        allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,

            inherit_from_default=user.inherit_default_permissions)

        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s', ip_addr, allowed_ips)

            return True

        else:

            log.info('Access for IP:%s forbidden, '

                     'not in %s' % (ip_addr, allowed_ips))

            return False

    def __repr__(self):

        return "<AuthUser('id:%s[%s] auth:%s')>" \

            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_external_auth': self.is_external_auth,

        }

    @staticmethod

    def from_cookie(cookie):

        """

        Deserializes an `AuthUser` from a cookie `dict`.

        """

        au = AuthUser(

            user_id=cookie.get('user_id'),

            is_external_auth=cookie.get('is_external_auth', False),

        )

        au.is_authenticated = True

        return au

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):

        _set = set()

        if inherit_from_default:

            if cache:

                default_ips = default_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_default"))

            # populate from default user

            for ip in default_ips:

                try:

                    _set.add(ip.ip_addr)

                except ObjectDeletedError:

                    # since we use heavy caching sometimes it happens that we get

                    # deleted objects here, we just skip them

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current config instance

    """

    log.info('getting information about all available permissions')

    try:

        all_perms = Session().query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def _redirect_to_login(message=None):

    """Return an exception that must be raised. It will redirect to the login

    page which will redirect back to the current URL after authentication.

    The optional message will be shown in a flash message."""

    from kallithea.lib import helpers as h

    if message:

        h.flash(h.literal(message), category='warning')

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

# Use as decorator

class LoginRequired(object):

    """Client must be logged in as a valid User, or we'll redirect to the login

    page.

    If the "default" user is enabled and allow_default_user is true, that is

    considered valid too.

    Also checks that IP address is allowed, and if using API key instead

    of regular cookie authentication, checks that API key access is allowed

    (based on `api_access` parameter and the API view whitelist).

    """

    def __init__(self, api_access=False, allow_default_user=False):

        self.api_access = api_access

        self.allow_default_user = allow_default_user

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = request.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        if not AuthUser.check_ip_allowed(user, request.ip_addr):

            raise _redirect_to_login(_('IP %s not allowed') % request.ip_addr)

        # Check if we used an API key to authenticate.

        api_key = user.authenticating_api_key

        if api_key is not None:

            # Check that controller is enabled for API key usage.

            if not self.api_access and not allowed_api_access(loc, api_key=api_key):