kallithea: rhodecode/lib/auth.py annotate

annotate rhodecode/lib/auth.py @ 1056:520d27f40b51 beta

#113 removed anonymous access from forking, added system messages in login box.

author	Marcin Kuzminski <marcin@python-works.com>
date	Tue, 15 Feb 2011 23:19:01 +0100
parents	8e49b6ceffe1
children	716911af91e1

rev	line source
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	1 # -- coding: utf-8 --
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	2 """
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	3 rhodecode.lib.auth
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	4 ~~~~~~~~~~~~~~~~~~
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	5
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	6 authentication and permission libraries
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	7
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	8 :created_on: Apr 4, 2010
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	9 :copyright: (c) 2010 by marcink.
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	10 :license: LICENSE_NAME, see LICENSE_FILE for more details.
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	11 """
252 3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	12 # This program is free software; you can redistribute it and/or
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	13 # modify it under the terms of the GNU General Public License
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	14 # as published by the Free Software Foundation; version 2
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	15 # of the License or (at your opinion) any later version of the license.
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	16 #
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	17 # This program is distributed in the hope that it will be useful,
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	18 # but WITHOUT ANY WARRANTY; without even the implied warranty of
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	19 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	20 # GNU General Public License for more details.
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	21 #
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	22 # You should have received a copy of the GNU General Public License
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	23 # along with this program; if not, write to the Free Software
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	24 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
3782a6d698af licensing updates, code cleanups Marcin Kuzminski <marcin@python-works.com> parents: 239 diff changeset	25 # MA 02110-1301, USA.
381 55377fdc1fc6 cleared global application settings. Marcin Kuzminski <marcin@python-works.com> parents: 380 diff changeset	26
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	27 import bcrypt
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	28 import random
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	29 import logging
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	30 import traceback
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	31
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	32 from decorator import decorator
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	33
343 6484963056cd implemented cache for repeated queries in simplehg mercurial requests Marcin Kuzminski <marcin@python-works.com> parents: 339 diff changeset	34 from pylons import config, session, url, request
52 25e516447a33 implemented autentication marcink parents: 48 diff changeset	35 from pylons.controllers.util import abort, redirect
1056 520d27f40b51 #113 removed anonymous access from forking, added system messages in login box. Marcin Kuzminski <marcin@python-works.com> parents: 1040 diff changeset	36 from pylons.i18n.translation import _
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	37
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	38 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError
547 1e757ac98988 renamed project to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 508 diff changeset	39 from rhodecode.lib.utils import get_repo_slug
713 1bb0fcdec895 fixed #72 show warning on removal when user still is owner of existing repositories Marcin Kuzminski <marcin@python-works.com> parents: 705 diff changeset	40 from rhodecode.lib.auth_ldap import AuthLdap
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	41
547 1e757ac98988 renamed project to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 508 diff changeset	42 from rhodecode.model import meta
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	43 from rhodecode.model.user import UserModel
547 1e757ac98988 renamed project to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 508 diff changeset	44 from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	45 UserToPerm, UsersGroupToPerm, UsersGroupMember
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	46
343 6484963056cd implemented cache for repeated queries in simplehg mercurial requests Marcin Kuzminski <marcin@python-works.com> parents: 339 diff changeset	47
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	48 log = logging.getLogger(__name__)
41 71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	49
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	50
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	51 PERM_WEIGHTS = {'repository.none':0,
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	52 'repository.read':1,
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	53 'repository.write':3,
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	54 'repository.admin':3}
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	55
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	56
474 a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	57 class PasswordGenerator(object):
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	58 """This is a simple class for generating password from
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	59 different sets of characters
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	60 usage:
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	61 passwd_gen = PasswordGenerator()
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	62 #print 8-letter password containing only big and small letters of alphabet
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	63 print passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	64 """
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	65 ALPHABETS_NUM = r'''1234567890'''#[0]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	66 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''#[1]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	67 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''#[2]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	68 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}\|:"<>?''' #[3]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	69 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM + ALPHABETS_SPECIAL#[4]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	70 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM#[5]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	71 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	72 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM#[6]
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	73 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM#[7]
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	74
474 a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	75 def __init__(self, passwd=''):
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	76 self.passwd = passwd
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	77
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	78 def gen_password(self, len, type):
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	79 self.passwd = ''.join([random.choice(type) for _ in xrange(len)])
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	80 return self.passwd
a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	81
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	82
64 08707974eae4 Changed auth lib for sqlalchemy Marcin Kuzminski <marcin@python-blog.com> parents: 52 diff changeset	83 def get_crypt_password(password):
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	84 """Cryptographic function used for password hashing based on pybcrypt
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	85
604 5cc96df705b9 fixed @repo into :repo for docs Marcin Kuzminski <marcin@python-works.com> parents: 564 diff changeset	86 :param password: password to hash
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	87 """
415 04e8b31fb245 Changed password crypting scheme to bcrypt, added dependency for setup Marcin Kuzminski <marcin@python-works.com> parents: 412 diff changeset	88 return bcrypt.hashpw(password, bcrypt.gensalt(10))
04e8b31fb245 Changed password crypting scheme to bcrypt, added dependency for setup Marcin Kuzminski <marcin@python-works.com> parents: 412 diff changeset	89
04e8b31fb245 Changed password crypting scheme to bcrypt, added dependency for setup Marcin Kuzminski <marcin@python-works.com> parents: 412 diff changeset	90 def check_password(password, hashed):
04e8b31fb245 Changed password crypting scheme to bcrypt, added dependency for setup Marcin Kuzminski <marcin@python-works.com> parents: 412 diff changeset	91 return bcrypt.hashpw(password, hashed) == hashed
343 6484963056cd implemented cache for repeated queries in simplehg mercurial requests Marcin Kuzminski <marcin@python-works.com> parents: 339 diff changeset	92
41 71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	93 def authfunc(environ, username, password):
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	94 """Dummy authentication function used in Mercurial/Git/ and access control,
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	95
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	96 :param environ: needed only for using in Basic auth
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	97 """
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	98 return authenticate(username, password)
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	99
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	100
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	101 def authenticate(username, password):
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	102 """Authentication function used for access control,
699 52da7cba88a6 Code refactor for auth func, preparing for ldap support Marcin Kuzminski <marcin@python-works.com> parents: 692 diff changeset	103 firstly checks for db authentication then if ldap is enabled for ldap
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	104 authentication, also creates ldap user if not in database
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	105
699 52da7cba88a6 Code refactor for auth func, preparing for ldap support Marcin Kuzminski <marcin@python-works.com> parents: 692 diff changeset	106 :param username: username
52da7cba88a6 Code refactor for auth func, preparing for ldap support Marcin Kuzminski <marcin@python-works.com> parents: 692 diff changeset	107 :param password: password
52da7cba88a6 Code refactor for auth func, preparing for ldap support Marcin Kuzminski <marcin@python-works.com> parents: 692 diff changeset	108 """
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	109 user_model = UserModel()
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	110 user = user_model.get_by_username(username, cache=False)
699 52da7cba88a6 Code refactor for auth func, preparing for ldap support Marcin Kuzminski <marcin@python-works.com> parents: 692 diff changeset	111
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	112 log.debug('Authenticating user using RhodeCode account')
991 b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	113 if user is not None and not user.ldap_dn:
64 08707974eae4 Changed auth lib for sqlalchemy Marcin Kuzminski <marcin@python-blog.com> parents: 52 diff changeset	114 if user.active:
674 99875a8f2ad1 #49 Enabled anonymous access push and pull commands Marcin Kuzminski <marcin@python-works.com> parents: 673 diff changeset	115
99875a8f2ad1 #49 Enabled anonymous access push and pull commands Marcin Kuzminski <marcin@python-works.com> parents: 673 diff changeset	116 if user.username == 'default' and user.active:
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	117 log.info('user %s authenticated correctly as anonymous user',
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	118 username)
674 99875a8f2ad1 #49 Enabled anonymous access push and pull commands Marcin Kuzminski <marcin@python-works.com> parents: 673 diff changeset	119 return True
99875a8f2ad1 #49 Enabled anonymous access push and pull commands Marcin Kuzminski <marcin@python-works.com> parents: 673 diff changeset	120
99875a8f2ad1 #49 Enabled anonymous access push and pull commands Marcin Kuzminski <marcin@python-works.com> parents: 673 diff changeset	121 elif user.username == username and check_password(password, user.password):
41 71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	122 log.info('user %s authenticated correctly', username)
71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	123 return True
71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	124 else:
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	125 log.warning('user %s is disabled', username)
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	126
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	127 else:
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	128 log.debug('Regular authentication failed')
742 1377a9d4bdb9 #78, fixed more reliable case insensitive searches Marcin Kuzminski <marcin@python-works.com> parents: 741 diff changeset	129 user_obj = user_model.get_by_username(username, cache=False,
1377a9d4bdb9 #78, fixed more reliable case insensitive searches Marcin Kuzminski <marcin@python-works.com> parents: 741 diff changeset	130 case_insensitive=True)
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	131
991 b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	132 if user_obj is not None and not user_obj.ldap_dn:
749 fcd4fb51526e added debug message for ldap auth Marcin Kuzminski <marcin@python-works.com> parents: 748 diff changeset	133 log.debug('this user already exists as non ldap')
748 88338675a0f7 fixed ldap issue and small template fix Marcin Kuzminski <marcin@python-works.com> parents: 742 diff changeset	134 return False
88338675a0f7 fixed ldap issue and small template fix Marcin Kuzminski <marcin@python-works.com> parents: 742 diff changeset	135
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	136 from rhodecode.model.settings import SettingsModel
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	137 ldap_settings = SettingsModel().get_ldap_settings()
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	138
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	139 #======================================================================
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	140 # FALLBACK TO LDAP AUTH IF ENABLE
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	141 #======================================================================
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	142 if ldap_settings.get('ldap_active', False):
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	143 log.debug("Authenticating user using ldap")
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	144 kwargs = {
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	145 'server':ldap_settings.get('ldap_host', ''),
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	146 'base_dn':ldap_settings.get('ldap_base_dn', ''),
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	147 'port':ldap_settings.get('ldap_port'),
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	148 'bind_dn':ldap_settings.get('ldap_dn_user'),
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	149 'bind_pass':ldap_settings.get('ldap_dn_pass'),
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	150 'use_ldaps':ldap_settings.get('ldap_ldaps'),
991 b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	151 'tls_reqcert':ldap_settings.get('ldap_tls_reqcert'),
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	152 'ldap_filter':ldap_settings.get('ldap_filter'),
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	153 'search_scope':ldap_settings.get('ldap_search_scope'),
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	154 'attr_login':ldap_settings.get('ldap_attr_login'),
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	155 'ldap_version':3,
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	156 }
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	157 log.debug('Checking for ldap authentication')
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	158 try:
9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	159 aldap = AuthLdap(**kwargs)
991 b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	160 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	161 log.debug('Got ldap DN response %s', user_dn)
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	162
991 b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	163 user_attrs = {
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	164 'name' : ldap_attrs[ldap_settings.get('ldap_attr_firstname')][0],
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	165 'lastname' : ldap_attrs[ldap_settings.get('ldap_attr_lastname')][0],
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	166 'email' : ldap_attrs[ldap_settings.get('ldap_attr_email')][0],
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	167 }
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	168
b232a36cc51f Improve LDAP authentication Thayne Harbaugh <thayne@fusionio.com> parents: 895 diff changeset	169 if user_model.create_ldap(username, password, user_dn, user_attrs):
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	170 log.info('created new ldap user %s', username)
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	171
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	172 return True
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	173 except (LdapUsernameError, LdapPasswordError,):
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	174 pass
56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	175 except (Exception,):
705 9e9f1b919c0c implements #60, ldap configuration and authentication. Marcin Kuzminski <marcin@python-works.com> parents: 699 diff changeset	176 log.error(traceback.format_exc())
761 56c2850a5b5f ldap auth rewrite, moved split authfunc into two functions, Marcin Kuzminski <marcin@python-works.com> parents: 749 diff changeset	177 pass
41 71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	178 return False
71ffa932799d Added app basic auth. Marcin Kuzminski <marcin@python-blog.com> parents: diff changeset	179
190 d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	180 class AuthUser(object):
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	181 """A simple object that handles a mercurial username for authentication
190 d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	182 """
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	183
190 d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	184 def __init__(self):
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	185 self.username = 'None'
355 5bbcc0cac389 added session remove in forms, and added name and lastname to auth user Marcin Kuzminski <marcin@python-works.com> parents: 350 diff changeset	186 self.name = ''
5bbcc0cac389 added session remove in forms, and added name and lastname to auth user Marcin Kuzminski <marcin@python-works.com> parents: 350 diff changeset	187 self.lastname = ''
404 a10bdd0b05a7 fixed user email for gravatars Marcin Kuzminski <marcin@python-works.com> parents: 399 diff changeset	188 self.email = ''
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	189 self.user_id = None
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	190 self.is_authenticated = False
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	191 self.is_admin = False
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	192 self.permissions = {}
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	193
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	194 def __repr__(self):
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	195 return "<AuthUser('id:%s:%s')>" % (self.user_id, self.username)
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	196
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	197 def set_available_permissions(config):
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	198 """This function will propagate pylons globals with all available defined
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	199 permission given in db. We don't want to check each time from db for new
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	200 permissions since adding a new permission also requires application restart
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	201 ie. to decorate new views with the newly created permission
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	202
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	203 :param config: current pylons config instance
62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	204
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	205 """
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	206 log.info('getting information about all available permissions')
350 664a5b8c551a Added application settings, are now customizable from database Marcin Kuzminski <marcin@python-works.com> parents: 343 diff changeset	207 try:
629 7e536d1af60d Code refactoring,models renames Marcin Kuzminski <marcin@python-works.com> parents: 612 diff changeset	208 sa = meta.Session()
350 664a5b8c551a Added application settings, are now customizable from database Marcin Kuzminski <marcin@python-works.com> parents: 343 diff changeset	209 all_perms = sa.query(Permission).all()
629 7e536d1af60d Code refactoring,models renames Marcin Kuzminski <marcin@python-works.com> parents: 612 diff changeset	210 except:
7e536d1af60d Code refactoring,models renames Marcin Kuzminski <marcin@python-works.com> parents: 612 diff changeset	211 pass
350 664a5b8c551a Added application settings, are now customizable from database Marcin Kuzminski <marcin@python-works.com> parents: 343 diff changeset	212 finally:
664a5b8c551a Added application settings, are now customizable from database Marcin Kuzminski <marcin@python-works.com> parents: 343 diff changeset	213 meta.Session.remove()
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	214
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	215 config['available_permissions'] = [x.permission_name for x in all_perms]
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	216
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	217 def fill_perms(user):
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	218 """Fills user permission attribute with permissions taken from database
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	219 works for permissions given for repositories, and for permissions that
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	220 as part of beeing group member
895 62c04c5cc971 Added some more details into user edit permissions view Marcin Kuzminski <marcin@python-works.com> parents: 779 diff changeset	221
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	222 :param user: user instance to fill his perms
367 a26f48ad7a8a fixes issue #16 reimplementation of database repository, for using generic pk instead of repo naming as pk. Which caused to many problems. Marcin Kuzminski <marcin@python-works.com> parents: 355 diff changeset	223 """
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	224
629 7e536d1af60d Code refactoring,models renames Marcin Kuzminski <marcin@python-works.com> parents: 612 diff changeset	225 sa = meta.Session()
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	226 user.permissions['repositories'] = {}
371 5cd6616b8673 routes python 2.5 compatible Marcin Kuzminski <marcin@python-works.com> parents: 367 diff changeset	227 user.permissions['global'] = set()
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	228
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	229 #===========================================================================
3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	230 # fetch default permissions
3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	231 #===========================================================================
692 cb0d9ce6ac5c #50 on point cache invalidation changes. Marcin Kuzminski <marcin@python-works.com> parents: 686 diff changeset	232 default_user = UserModel().get_by_username('default', cache=True)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	233
423 16253f330094 fixes #30. Rewrite default permissions query + some other small fixes Marcin Kuzminski <marcin@python-works.com> parents: 418 diff changeset	234 default_perms = sa.query(RepoToPerm, Repository, Permission)\
399 f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	235 .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	236 .join((Permission, RepoToPerm.permission_id == Permission.permission_id))\
609 c1c1cf772337 moved out sqlalchemy cache from meta to the config files. Marcin Kuzminski <marcin@python-works.com> parents: 564 diff changeset	237 .filter(RepoToPerm.user == default_user).all()
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	238
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	239 if user.is_admin:
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	240 #=======================================================================
423 16253f330094 fixes #30. Rewrite default permissions query + some other small fixes Marcin Kuzminski <marcin@python-works.com> parents: 418 diff changeset	241 # #admin have all default rights set to admin
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	242 #=======================================================================
371 5cd6616b8673 routes python 2.5 compatible Marcin Kuzminski <marcin@python-works.com> parents: 367 diff changeset	243 user.permissions['global'].add('hg.admin')
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	244
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	245 for perm in default_perms:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	246 p = 'repository.admin'
399 f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	247 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	248
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	249 else:
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	250 #=======================================================================
3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	251 # set default permissions
3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	252 #=======================================================================
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	253
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	254 #default global
423 16253f330094 fixes #30. Rewrite default permissions query + some other small fixes Marcin Kuzminski <marcin@python-works.com> parents: 418 diff changeset	255 default_global_perms = sa.query(UserToPerm)\
741 54684e071457 fixes issue #78, ldap makes user validation caseInsensitive Marcin Kuzminski <marcin@python-works.com> parents: 713 diff changeset	256 .filter(UserToPerm.user == sa.query(User)\
54684e071457 fixes issue #78, ldap makes user validation caseInsensitive Marcin Kuzminski <marcin@python-works.com> parents: 713 diff changeset	257 .filter(User.username == 'default').one())
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	258
423 16253f330094 fixes #30. Rewrite default permissions query + some other small fixes Marcin Kuzminski <marcin@python-works.com> parents: 418 diff changeset	259 for perm in default_global_perms:
16253f330094 fixes #30. Rewrite default permissions query + some other small fixes Marcin Kuzminski <marcin@python-works.com> parents: 418 diff changeset	260 user.permissions['global'].add(perm.permission.permission_name)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	261
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	262 #default for repositories
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	263 for perm in default_perms:
380 ca54622e39a1 Added separate create repository views for non administrative users. Marcin Kuzminski <marcin@python-works.com> parents: 377 diff changeset	264 if perm.Repository.private and not perm.Repository.user_id == user.user_id:
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	265 #disable defaults for private repos,
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	266 p = 'repository.none'
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	267 elif perm.Repository.user_id == user.user_id:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	268 #set admin if owner
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	269 p = 'repository.admin'
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	270 else:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	271 p = perm.Permission.permission_name
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	272
399 f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	273 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	274
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	275 #=======================================================================
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	276 # overwrite default with user permissions if any
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	277 #=======================================================================
423 16253f330094 fixes #30. Rewrite default permissions query + some other small fixes Marcin Kuzminski <marcin@python-works.com> parents: 418 diff changeset	278 user_perms = sa.query(RepoToPerm, Permission, Repository)\
399 f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	279 .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	280 .join((Permission, RepoToPerm.permission_id == Permission.permission_id))\
f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	281 .filter(RepoToPerm.user_id == user.user_id).all()
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	282
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	283 for perm in user_perms:
417 3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	284 if perm.Repository.user_id == user.user_id:#set admin if owner
3ed2d46a2ca7 permission refactoring, Marcin Kuzminski <marcin@python-works.com> parents: 415 diff changeset	285 p = 'repository.admin'
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	286 else:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	287 p = perm.Permission.permission_name
399 f5c1eec9f376 rename repo2perm into repo_to_perm Marcin Kuzminski <marcin@python-works.com> parents: 382 diff changeset	288 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	289
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	290
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	291 #=======================================================================
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	292 # check if user is part of groups for this repository and fill in
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	293 # (or replace with higher) permissions
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	294 #=======================================================================
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	295 user_perms_from_users_groups = sa.query(UsersGroupToPerm, Permission, Repository,)\
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	296 .join((Repository, UsersGroupToPerm.repository_id == Repository.repo_id))\
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	297 .join((Permission, UsersGroupToPerm.permission_id == Permission.permission_id))\
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	298 .join((UsersGroupMember, UsersGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	299 .filter(UsersGroupMember.user_id == user.user_id).all()
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	300
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	301 for perm in user_perms_from_users_groups:
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	302 p = perm.Permission.permission_name
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	303 cur_perm = user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name]
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	304 #overwrite permission only if it's greater than permission given from other sources
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	305 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	306 user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name] = p
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	307
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	308 meta.Session.remove()
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	309 return user
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	310
299 d303aacb3349 repos crud controllers - change id into repo_name for compatability, added ajax repo perm user function variuos html fixes, permissions forms and managment fixes. Marcin Kuzminski <marcin@python-works.com> parents: 265 diff changeset	311 def get_user(session):
1016 3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	312 """Gets user from session, and wraps permissions into user
3790279d2538 #56 added propagation of permission from group Marcin Kuzminski <marcin@python-works.com> parents: 991 diff changeset	313
604 5cc96df705b9 fixed @repo into :repo for docs Marcin Kuzminski <marcin@python-works.com> parents: 564 diff changeset	314 :param session:
299 d303aacb3349 repos crud controllers - change id into repo_name for compatability, added ajax repo perm user function variuos html fixes, permissions forms and managment fixes. Marcin Kuzminski <marcin@python-works.com> parents: 265 diff changeset	315 """
548 b75b77ef649d renamed hg_app to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 547 diff changeset	316 user = session.get('rhodecode_user', AuthUser())
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	317 #if the user is not logged in we check for anonymous access
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	318 #if user is logged and it's a default user check if we still have anonymous
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	319 #access enabled
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	320 if user.user_id is None or user.username == 'default':
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	321 anonymous_user = UserModel().get_by_username('default', cache=True)
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	322 if anonymous_user.active is True:
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	323 #then we set this user is logged in
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	324 user.is_authenticated = True
686 ff6a8196ebfe fixed anonymous access bug. Marcin Kuzminski <marcin@python-works.com> parents: 674 diff changeset	325 user.user_id = anonymous_user.user_id
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	326 else:
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	327 user.is_authenticated = False
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	328
299 d303aacb3349 repos crud controllers - change id into repo_name for compatability, added ajax repo perm user function variuos html fixes, permissions forms and managment fixes. Marcin Kuzminski <marcin@python-works.com> parents: 265 diff changeset	329 if user.is_authenticated:
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	330 user = UserModel().fill_data(user)
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	331
412 b6a25169c005 fixes #25 removed crypt based password hashing and changed it into sha1 based. Marcin Kuzminski <marcin@python-works.com> parents: 404 diff changeset	332 user = fill_perms(user)
548 b75b77ef649d renamed hg_app to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 547 diff changeset	333 session['rhodecode_user'] = user
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	334 session.save()
299 d303aacb3349 repos crud controllers - change id into repo_name for compatability, added ajax repo perm user function variuos html fixes, permissions forms and managment fixes. Marcin Kuzminski <marcin@python-works.com> parents: 265 diff changeset	335 return user
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	336
190 d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	337 #===============================================================================
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	338 # CHECK DECORATORS
190 d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	339 #===============================================================================
d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	340 class LoginRequired(object):
779 389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	341 """Must be logged in to execute this function else
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	342 redirect to login page"""
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	343
190 d8eb7ee27b4c Added LoginRequired decorator, empty User data container, hash functions Marcin Kuzminski <marcin@python-works.com> parents: 96 diff changeset	344 def __call__(self, func):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	345 return decorator(self.__wrapper, func)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	346
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	347 def __wrapper(self, func, fargs, *fkwargs):
548 b75b77ef649d renamed hg_app to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 547 diff changeset	348 user = session.get('rhodecode_user', AuthUser())
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	349 log.debug('Checking login required for user:%s', user.username)
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	350 if user.is_authenticated:
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	351 log.debug('user %s is authenticated', user.username)
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	352 return func(fargs, *fkwargs)
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	353 else:
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	354 log.warn('user %s not authenticated', user.username)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	355
508 fdb78a140ae4 fixes #35 hg-app does not respect SCRIPT_NAME Marcin Kuzminski <marcin@python-works.com> parents: 474 diff changeset	356 p = ''
fdb78a140ae4 fixes #35 hg-app does not respect SCRIPT_NAME Marcin Kuzminski <marcin@python-works.com> parents: 474 diff changeset	357 if request.environ.get('SCRIPT_NAME') != '/':
fdb78a140ae4 fixes #35 hg-app does not respect SCRIPT_NAME Marcin Kuzminski <marcin@python-works.com> parents: 474 diff changeset	358 p += request.environ.get('SCRIPT_NAME')
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	359
508 fdb78a140ae4 fixes #35 hg-app does not respect SCRIPT_NAME Marcin Kuzminski <marcin@python-works.com> parents: 474 diff changeset	360 p += request.environ.get('PATH_INFO')
437 930f8182a884 Added redirection to page that request came from, after login in Marcin Kuzminski <marcin@python-works.com> parents: 424 diff changeset	361 if request.environ.get('QUERY_STRING'):
474 a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	362 p += '?' + request.environ.get('QUERY_STRING')
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	363
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	364 log.debug('redirecting to login page with %s', p)
474 a3d9d24acbec Implemented password reset(forms/models/ tasks) and mailing tasks. Marcin Kuzminski <marcin@python-works.com> parents: 442 diff changeset	365 return redirect(url('login_home', came_from=p))
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	366
779 389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	367 class NotAnonymous(object):
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	368 """Must be logged in to execute this function else
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	369 redirect to login page"""
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	370
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	371 def __call__(self, func):
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	372 return decorator(self.__wrapper, func)
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	373
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	374 def __wrapper(self, func, fargs, *fkwargs):
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	375 user = session.get('rhodecode_user', AuthUser())
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	376 log.debug('Checking if user is not anonymous')
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	377
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	378 anonymous = user.username == 'default'
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	379
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	380 if anonymous:
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	381 p = ''
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	382 if request.environ.get('SCRIPT_NAME') != '/':
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	383 p += request.environ.get('SCRIPT_NAME')
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	384
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	385 p += request.environ.get('PATH_INFO')
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	386 if request.environ.get('QUERY_STRING'):
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	387 p += '?' + request.environ.get('QUERY_STRING')
1056 520d27f40b51 #113 removed anonymous access from forking, added system messages in login box. Marcin Kuzminski <marcin@python-works.com> parents: 1040 diff changeset	388
520d27f40b51 #113 removed anonymous access from forking, added system messages in login box. Marcin Kuzminski <marcin@python-works.com> parents: 1040 diff changeset	389 import rhodecode.lib.helpers as h
520d27f40b51 #113 removed anonymous access from forking, added system messages in login box. Marcin Kuzminski <marcin@python-works.com> parents: 1040 diff changeset	390 h.flash(_('You need to be a registered user to perform this action'),
520d27f40b51 #113 removed anonymous access from forking, added system messages in login box. Marcin Kuzminski <marcin@python-works.com> parents: 1040 diff changeset	391 category='warning')
779 389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	392 return redirect(url('login_home', came_from=p))
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	393 else:
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	394 return func(fargs, *fkwargs)
389d02a5df52 Added isanonymous decorator for checking permissions for anonymous access Marcin Kuzminski <marcin@python-works.com> parents: 761 diff changeset	395
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	396 class PermsDecorator(object):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	397 """Base class for decorators"""
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	398
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	399 def __init__(self, *required_perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	400 available_perms = config['available_permissions']
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	401 for perm in required_perms:
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	402 if perm not in available_perms:
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	403 raise Exception("'%s' permission is not defined" % perm)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	404 self.required_perms = set(required_perms)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	405 self.user_perms = None
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	406
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	407 def __call__(self, func):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	408 return decorator(self.__wrapper, func)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	409
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	410
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	411 def __wrapper(self, func, fargs, *fkwargs):
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	412 # _wrapper.__name__ = func.__name__
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	413 # _wrapper.__dict__.update(func.__dict__)
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	414 # _wrapper.__doc__ = func.__doc__
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	415 self.user = session.get('rhodecode_user', AuthUser())
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	416 self.user_perms = self.user.permissions
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	417 log.debug('checking %s permissions %s for %s %s',
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	418 self.__class__.__name__, self.required_perms, func.__name__,
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	419 self.user)
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	420
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	421 if self.check_permissions():
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	422 log.debug('Permission granted for %s %s', func.__name__, self.user)
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	423
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	424 return func(fargs, *fkwargs)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	425
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	426 else:
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	427 log.warning('Permission denied for %s %s', func.__name__, self.user)
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	428 #redirect with forbidden ret code
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	429 return abort(403)
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	430
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	431
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	432
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	433 def check_permissions(self):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	434 """Dummy function for overriding"""
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	435 raise Exception('You have to write this function in child class')
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	436
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	437 class HasPermissionAllDecorator(PermsDecorator):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	438 """Checks for access permission for all given predicates. All of them
bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	439 have to be meet in order to fulfill the request
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	440 """
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	441
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	442 def check_permissions(self):
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	443 if self.required_perms.issubset(self.user_perms.get('global')):
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	444 return True
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	445 return False
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	446
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	447
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	448 class HasPermissionAnyDecorator(PermsDecorator):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	449 """Checks for access permission for any of given predicates. In order to
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	450 fulfill the request any of predicates must be meet
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	451 """
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	452
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	453 def check_permissions(self):
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	454 if self.required_perms.intersection(self.user_perms.get('global')):
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	455 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	456 return False
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	457
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	458 class HasRepoPermissionAllDecorator(PermsDecorator):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	459 """Checks for access permission for all given predicates for specific
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	460 repository. All of them have to be meet in order to fulfill the request
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	461 """
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	462
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	463 def check_permissions(self):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	464 repo_name = get_repo_slug(request)
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	465 try:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	466 user_perms = set([self.user_perms['repositories'][repo_name]])
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	467 except KeyError:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	468 return False
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	469 if self.required_perms.issubset(user_perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	470 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	471 return False
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	472
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	473
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	474 class HasRepoPermissionAnyDecorator(PermsDecorator):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	475 """Checks for access permission for any of given predicates for specific
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	476 repository. In order to fulfill the request any of predicates must be meet
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	477 """
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	478
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	479 def check_permissions(self):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	480 repo_name = get_repo_slug(request)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	481
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	482 try:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	483 user_perms = set([self.user_perms['repositories'][repo_name]])
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	484 except KeyError:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	485 return False
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	486 if self.required_perms.intersection(user_perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	487 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	488 return False
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	489 #===============================================================================
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	490 # CHECK FUNCTIONS
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	491 #===============================================================================
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	492
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	493 class PermsFunction(object):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	494 """Base function for other check functions"""
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	495
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	496 def __init__(self, *perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	497 available_perms = config['available_permissions']
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	498
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	499 for perm in perms:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	500 if perm not in available_perms:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	501 raise Exception("'%s' permission in not defined" % perm)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	502 self.required_perms = set(perms)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	503 self.user_perms = None
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	504 self.granted_for = ''
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	505 self.repo_name = None
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	506
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	507 def __call__(self, check_Location=''):
548 b75b77ef649d renamed hg_app to rhodecode Marcin Kuzminski <marcin@python-works.com> parents: 547 diff changeset	508 user = session.get('rhodecode_user', False)
333 f5f290d68646 fixed auth bug Marcin Kuzminski <marcin@python-works.com> parents: 316 diff changeset	509 if not user:
f5f290d68646 fixed auth bug Marcin Kuzminski <marcin@python-works.com> parents: 316 diff changeset	510 return False
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	511 self.user_perms = user.permissions
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	512 self.granted_for = user.username
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	513 log.debug('checking %s %s %s', self.__class__.__name__,
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	514 self.required_perms, user)
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	515
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	516 if self.check_permissions():
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	517 log.debug('Permission granted for %s @ %s %s', self.granted_for,
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	518 check_Location, user)
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	519 return True
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	520
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	521 else:
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	522 log.warning('Permission denied for %s @ %s %s', self.granted_for,
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	523 check_Location, user)
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	524 return False
dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	525
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	526 def check_permissions(self):
377 bd8b25ad058d Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible Marcin Kuzminski <marcin@python-works.com> parents: 371 diff changeset	527 """Dummy function for overriding"""
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	528 raise Exception('You have to write this function in child class')
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	529
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	530 class HasPermissionAll(PermsFunction):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	531 def check_permissions(self):
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	532 if self.required_perms.issubset(self.user_perms.get('global')):
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	533 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	534 return False
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	535
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	536 class HasPermissionAny(PermsFunction):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	537 def check_permissions(self):
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	538 if self.required_perms.intersection(self.user_perms.get('global')):
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	539 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	540 return False
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	541
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	542 class HasRepoPermissionAll(PermsFunction):
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	543
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	544 def __call__(self, repo_name=None, check_Location=''):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	545 self.repo_name = repo_name
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	546 return super(HasRepoPermissionAll, self).__call__(check_Location)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	547
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	548 def check_permissions(self):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	549 if not self.repo_name:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	550 self.repo_name = get_repo_slug(request)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	551
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	552 try:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	553 self.user_perms = set([self.user_perms['repositories']\
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	554 [self.repo_name]])
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	555 except KeyError:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	556 return False
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	557 self.granted_for = self.repo_name
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	558 if self.required_perms.issubset(self.user_perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	559 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	560 return False
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	561
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	562 class HasRepoPermissionAny(PermsFunction):
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	563
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	564 def __call__(self, repo_name=None, check_Location=''):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	565 self.repo_name = repo_name
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	566 return super(HasRepoPermissionAny, self).__call__(check_Location)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	567
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	568 def check_permissions(self):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	569 if not self.repo_name:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	570 self.repo_name = get_repo_slug(request)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	571
339 5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	572 try:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	573 self.user_perms = set([self.user_perms['repositories']\
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	574 [self.repo_name]])
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	575 except KeyError:
5d517bbf0a0d some extra checks for auth lib Marcin Kuzminski <marcin@python-works.com> parents: 333 diff changeset	576 return False
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	577 self.granted_for = self.repo_name
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	578 if self.required_perms.intersection(self.user_perms):
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	579 return True
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	580 return False
b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	581
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	582 #===============================================================================
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	583 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	584 #===============================================================================
239 b18f89d6d17f Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system. Marcin Kuzminski <marcin@python-works.com> parents: 234 diff changeset	585
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	586 class HasPermissionAnyMiddleware(object):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	587 def __init__(self, *perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	588 self.required_perms = set(perms)
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	589
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	590 def __call__(self, user, repo_name):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	591 usr = AuthUser()
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	592 usr.user_id = user.user_id
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	593 usr.username = user.username
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	594 usr.is_admin = user.admin
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	595
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	596 try:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	597 self.user_perms = set([fill_perms(usr)\
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	598 .permissions['repositories'][repo_name]])
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	599 except:
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	600 self.user_perms = set()
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	601 self.granted_for = ''
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	602 self.username = user.username
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	603 self.repo_name = repo_name
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	604 return self.check_permissions()
673 dd532af216d9 #49 Enabled anonymous access for web interface controllable from permissions pannel Marcin Kuzminski <marcin@python-works.com> parents: 629 diff changeset	605
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	606 def check_permissions(self):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	607 log.debug('checking mercurial protocol '
1040 8e49b6ceffe1 fixes fixes fixes ! optimized queries on journal Marcin Kuzminski <marcin@python-works.com> parents: 1036 diff changeset	608 'permissions %s for user:%s repository:%s', self.user_perms,
316 d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	609 self.username, self.repo_name)
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	610 if self.required_perms.intersection(self.user_perms):
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	611 log.debug('permission granted')
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	612 return True
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	613 log.debug('permission denied')
d6e2817734d2 Full rewrite of auth module, new functions/decorators. FIxed auth user Marcin Kuzminski <marcin@python-works.com> parents: 299 diff changeset	614 return False

Mercurial > kallithea

annotate rhodecode/lib/auth.py @ 1056:520d27f40b51 beta