Files @ f734d107296e
Location: kallithea/LICENSE.md

Mads Kiilerich
auth: for default permissions, use existing explicit query result values instead of following dot references in ORM result objects

There have been reports of spurious crashes on resolving references like
.repository from Permissions:

  File ".../kallithea/lib/auth.py", line 678, in __wrapper
    if self.check_permissions(user):
  File ".../kallithea/lib/auth.py", line 718, in check_permissions
    return user.has_repository_permission_level(repo_name, self.required_perm)
  File ".../kallithea/lib/auth.py", line 450, in has_repository_permission_level
    actual_perm = self.permissions['repositories'].get(repo_name)
  File ".../kallithea/lib/vcs/utils/lazy.py", line 41, in __get__
    value = self._func(obj)
  File ".../kallithea/lib/auth.py", line 442, in permissions
    return self.__get_perms(user=self, cache=False)
  File ".../kallithea/lib/auth.py", line 498, in __get_perms
    return compute(user_id, user_is_admin)
  File ".../kallithea/lib/auth.py", line 190, in _cached_perms_data
    r_k = perm.UserRepoToPerm.repository.repo_name
  File ".../sqlalchemy/orm/attributes.py", line 285, in __get__
    return self.impl.get(instance_state(instance), dict_)
  File ".../sqlalchemy/orm/attributes.py", line 721, in get
    value = self.callable_(state, passive)
  File ".../sqlalchemy/orm/strategies.py", line 710, in _load_for_state
    % (orm_util.state_str(state), self.key)

sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <UserRepoToPerm at ...> is not bound to a Session; lazy load operation of attribute 'repository' cannot proceed (Background on this error at: http://sqlalche.me/e/bhk3)

Permissions are cached between requests: SA result records are stored in
beaker.cache.sql_cache_short and reused in following requests after the initial
session has been removed. References in Permission objects would usually give
lazy lookup ... but not outside the original session, where we would get an
error like this.

Permissions are indeed implemented/used incorrectly. That might explain a part
of the problem. Even if not fully explaining or fixing this problem, it is
still worth fixing:

Permissions are fetched from the database using Session().query with multiple
class/table names (joined together in way that happens to match the references
specified in the table definitions) - including Repository. The results are
thus "structs" with selected objects. If repositories always were retrieved
using this selected repository, everything would be fine. In some places, this
was what we did.

But in some places, the code happened to do what was more intuitive: just use
.repository and rely on "lazy" resolving. SA was not aware that this one
already was present in the result struct, and would try to fetch it again. Best
case, that could be inefficient. Worst case, it would fail as we see here.

Fix this by only querying from one table but use the "joinedload" option to
also fetch other referenced tables in the same select. (This might
inefficiently return the main record multiple times ... but that was already
the case with the previous approach.)

This change is thus doing multiple things with circular dependencies that can't
be split up in minor parts without taking detours:

The existing repository join like:
.join((Repository, UserGroupRepoToPerm.repository_id == Repository.repo_id))
is thus replaced by:
.options(joinedload(UserGroupRepoToPerm.repository))

Since we only are doing Session.query() on one table, the results will be of
that type instead of "structs" with multiple objects. If only querying for
UserRepoToPerm this means:
- perm.UserRepoToPerm.repository becomes perm.repository
- perm.Permission.permission_name looked at the explicitly queried Permission
in the result struct - instead it should look in the dereferenced
repository as perm.permission.permission_name
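
The failure and the fix described in the commit message above, as an added example that is not Kallithea's code. It assumes SQLAlchemy 1.4 or later is installed; the three models are simplified stand-ins named after those in the message, and the table names, helper functions and sample row are constructed.

```python
from sqlalchemy import Column, ForeignKey, Integer, String, create_engine
from sqlalchemy.orm import declarative_base, joinedload, relationship, sessionmaker
from sqlalchemy.orm.exc import DetachedInstanceError

Base = declarative_base()

# Simplified stand-ins named after the models in the commit message (assumed schema).
class Repository(Base):
    __tablename__ = "repositories"
    repo_id = Column(Integer, primary_key=True)
    repo_name = Column(String)
class Permission(Base):
    __tablename__ = "permissions"
    permission_id = Column(Integer, primary_key=True)
    permission_name = Column(String)
class UserRepoToPerm(Base):
    __tablename__ = "repo_to_perm"
    repo_to_perm_id = Column(Integer, primary_key=True)
    user_id = Column(Integer)
    repository_id = Column(Integer, ForeignKey("repositories.repo_id"))
    permission_id = Column(Integer, ForeignKey("permissions.permission_id"))
    repository = relationship(Repository)  # lazy="select": loaded on first access
    permission = relationship(Permission)

engine = create_engine("sqlite://")  # in-memory database
Base.metadata.create_all(engine)
Session = sessionmaker(bind=engine)

seed = Session()  # constructed sample row
seed.add(UserRepoToPerm(user_id=1, repository=Repository(repo_name="demo"),
                        permission=Permission(permission_name="repository.read")))
seed.commit()
seed.close()

def fetch_for_cache(eager):
    """Query one table, then close the session as happens at the end of a request."""
    session = Session()
    query = session.query(UserRepoToPerm).filter(UserRepoToPerm.user_id == 1)
    if eager:  # the fix: pull the referenced rows in the same SELECT
        query = query.options(joinedload(UserRepoToPerm.repository),
                              joinedload(UserRepoToPerm.permission))
    rows = query.all()
    session.close()  # rows are detached from here on
    return rows

def perms_from_cache(rows):
    """Resolve repo name -> permission name; None when a lazy load is attempted."""
    try:
        return {p.repository.repo_name: p.permission.permission_name for p in rows}
    except DetachedInstanceError:
        return None
```
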
Kallithea License
=================

Kallithea as a whole is copyrighted by various authors and is licensed under
the terms of the GNU General Public License, version 3 (GPLv3), which is a
license published by the Free Software Foundation,
Inc. [A copy of GPLv3](/COPYING) is included herein.

Some individual files have copyright notices and those who offer changes to
those files should update the copyright notices in those specific files if
they so choose.

However, the definitive list of copyright holders for this project is kept in
[the about page template](kallithea/templates/about.html) so that it is
displayed appropriately when Kallithea is installed.  This is the most
important place to update copyright notices.

Third-Party Code Incorporated in Kallithea
==========================================

Various third-party code under GPLv3-compatible licenses is included as part
of Kallithea.


Alembic
-------

Kallithea incorporates an [Alembic](http://alembic.zzzcomputing.com/en/latest/)
"migration environment" in `kallithea/alembic`, portions of which are:

Copyright &copy; 2009-2016 by Michael Bayer.
Alembic is a trademark of Michael Bayer.

and licensed under the MIT-permissive license, which is
[included in this distribution](MIT-Permissive-License.txt).


Bootstrap
---------

Kallithea uses the web framework called
[Bootstrap](http://getbootstrap.com/), which is:

Copyright &copy; 2011-2016 Twitter, Inc.

and licensed under the MIT-permissive license, which is
[included in this distribution](MIT-Permissive-License.txt).

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



Codemirror
----------

Kallithea uses the Javascript system called
[Codemirror](http://codemirror.net/), version 4.7.0, which is primarily:

Copyright &copy; 2013-2014 by Marijn Haverbeke <marijnh@gmail.com>

and licensed under the MIT-permissive license, which is
[included in this distribution](MIT-Permissive-License.txt).

Additional files from upstream Codemirror are copyrighted by various authors
and licensed under other permissive licenses.

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



jQuery
------

Kallithea uses the Javascript system called
[jQuery](http://jquery.org/).

It is Copyright 2013 jQuery Foundation and other contributors http://jquery.com/ and is under an
[MIT-permissive license](MIT-Permissive-License.txt).

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



At.js
-----

Kallithea uses the Javascript system called
[At.js](http://ichord.github.com/At.js),
which can be found together with its Corresponding Source in
https://github.com/ichord/At.js at tag v1.5.4.

It is Copyright 2013 chord.luo@gmail.com and is under an
[MIT-permissive license](MIT-Permissive-License.txt).

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



Caret.js
--------

Kallithea uses the Javascript system called
[Caret.js](http://ichord.github.com/Caret.js/),
which can be found together with its Corresponding Source in
https://github.com/ichord/Caret.js at tag v0.3.1.

It is Copyright 2013 chord.luo@gmail.com and is under an
[MIT-permissive license](MIT-Permissive-License.txt).

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



DataTables
----------

Kallithea uses the Javascript system called
[DataTables](http://www.datatables.net/).

It is Copyright 2008-2015 SpryMedia Ltd. and is under an
[MIT-permissive license](MIT-Permissive-License.txt).

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



Mergely
-------

Kallithea incorporates some code from the Javascript system called
[Mergely](http://www.mergely.com/), version 3.3.9.
[Mergely's license](http://www.mergely.com/license.php), a
[copy of which is included in this repository](LICENSE-MERGELY.html),
is (GPL|LGPL|MPL).  Kallithea as a GPLv3'd project chooses the GPL arm of that
tri-license.



Select2
-------

Kallithea uses the Javascript system called
[Select2](http://ivaynberg.github.io/select2/), which is:

Copyright 2012 Igor Vaynberg (and probably others)

and is licensed [under the following license](https://github.com/ivaynberg/select2/blob/master/LICENSE):

> This software is licensed under the Apache License, Version 2.0 (the
> "Apache License") or the GNU General Public License version 2 (the "GPL
> License"). You may choose either license to govern your use of this
> software only upon the condition that you accept all of the terms of either
> the Apache License or the GPL License.

A [copy of the Apache License 2.0](Apache-License-2.0.txt) is also included
in this distribution.

Kallithea will take the Apache license fork of the dual license, since
Kallithea is GPLv3'd.

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



Select2-Bootstrap-CSS
---------------------

Kallithea uses some CSS from a system called
[Select2-bootstrap-css](https://github.com/t0m/select2-bootstrap-css), which
is:

Copyright &copy; 2013 Tom Terrace (and likely others)

and licensed under the MIT-permissive license, which is
[included in this distribution](MIT-Permissive-License.txt).

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



Flot
----

Kallithea uses some parts of a Javascript system called
[Flot](http://www.flotcharts.org/), which is:

Copyright (c) 2007-2014 IOLA and Ole Laursen

Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following
conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

It is not distributed with Kallithea, but will be downloaded
using the ''kallithea-cli front-end-build'' command.



Icon fonts
----------

Kallithea incorporates subsets of both
[Font Awesome](http://fontawesome.io) and
[GitHub Octicons](https://octicons.github.com) for icons. Font Awesome is:

Copyright (c) 2016, Dave Gandy

Octicons is:

Copyright (c) 2012-2014 GitHub

These two sets are distributed under [SIL OFL 1.1](http://scripts.sil.org/OFL)
and have been combined into one font called "kallithea."


EOF