Mercurial > kallithea
annotate rhodecode/lib/auth.py @ 3903:ddd05df2aced beta
added more info into __repr__ of auth user for better debugging and logging
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Tue, 28 May 2013 16:21:27 +0200 |
| parents | 100be6988bb0 |
| children | 5293d4bbb1ea |
| rev | line source |
|---|---|
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
1 # -*- coding: utf-8 -*- |
|
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
2 """ |
|
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
3 rhodecode.lib.auth |
|
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~ |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
5 |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
6 authentication and permission libraries |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
7 |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
8 :created_on: Apr 4, 2010 |
|
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1818
diff
changeset
|
9 :author: marcink |
|
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1818
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
|
1532
2afe9320d5e6
updated docstrings
Marcin Kuzminski <marcin@python-works.com>
parents:
1530
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
12 """ |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
17 # |
|
252
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
|
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
21 # GNU General Public License for more details. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
22 # |
|
252
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
381
55377fdc1fc6
cleared global application settings.
Marcin Kuzminski <marcin@python-works.com>
parents:
380
diff
changeset
|
25 |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
26 import random |
|
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
27 import logging |
|
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
28 import traceback |
|
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
29 import hashlib |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
30 |
|
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
31 from tempfile import _RandomNameSequence |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
32 from decorator import decorator |
|
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
33 |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
34 from pylons import config, url, request |
| 52 | 35 from pylons.controllers.util import abort, redirect |
|
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
36 from pylons.i18n.translation import _ |
|
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
37 from sqlalchemy.orm.exc import ObjectDeletedError |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
38 |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
39 from rhodecode import __platform__, is_windows, is_unix |
|
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
40 from rhodecode.model.meta import Session |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
41 |
|
3751
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
42 from rhodecode.lib.utils2 import str2bool, safe_unicode, aslist |
|
3632
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
3625
diff
changeset
|
43 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError,\ |
|
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
3625
diff
changeset
|
44 LdapImportError |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
45 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug,\ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
46 get_user_group_slug |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
47 from rhodecode.lib.auth_ldap import AuthLdap |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
48 |
|
547
1e757ac98988
renamed project to rhodecode
Marcin Kuzminski <marcin@python-works.com>
parents:
508
diff
changeset
|
49 from rhodecode.model import meta |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
50 from rhodecode.model.user import UserModel |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
51 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
52 from rhodecode.lib.caching_query import FromCache |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
53 |
| 1246 | 54 log = logging.getLogger(__name__) |
|
343
6484963056cd
implemented cache for repeated queries in simplehg mercurial requests
Marcin Kuzminski <marcin@python-works.com>
parents:
339
diff
changeset
|
55 |
|
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
56 |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
57 class PasswordGenerator(object): |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
58 """ |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
59 This is a simple class for generating password from different sets of |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
60 characters |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
61 usage:: |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
62 |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
63 passwd_gen = PasswordGenerator() |
| 1246 | 64 #print 8-letter password containing only big and small letters |
| 65 of alphabet | |
|
2278
24095abde696
print statement cleanup
Marcin Kuzminski <marcin@python-works.com>
parents:
2125
diff
changeset
|
66 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL) |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
67 """ |
| 1246 | 68 ALPHABETS_NUM = r'''1234567890''' |
| 69 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm''' | |
| 70 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM''' | |
| 71 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?''' | |
| 72 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \ | |
| 73 + ALPHABETS_NUM + ALPHABETS_SPECIAL | |
| 74 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM | |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
75 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL |
| 1246 | 76 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM |
| 77 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM | |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
78 |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
79 def __init__(self, passwd=''): |
|
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
80 self.passwd = passwd |
|
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
81 |
|
1993
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
82 def gen_password(self, length, type_=None): |
|
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
83 if type_ is None: |
|
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
84 type_ = self.ALPHABETS_FULL |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
85 self.passwd = ''.join([random.choice(type_) for _ in xrange(length)]) |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
86 return self.passwd |
|
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
87 |
| 1246 | 88 |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
89 class RhodeCodeCrypto(object): |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
90 |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
91 @classmethod |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
92 def hash_string(cls, str_): |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
93 """ |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
94 Cryptographic function used for password hashing based on pybcrypt |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
95 or pycrypto in windows |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
96 |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
97 :param password: password to hash |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
98 """ |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
99 if is_windows: |
|
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
100 from hashlib import sha256 |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
101 return sha256(str_).hexdigest() |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
102 elif is_unix: |
|
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
103 import bcrypt |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
104 return bcrypt.hashpw(str_, bcrypt.gensalt(10)) |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
105 else: |
| 1246 | 106 raise Exception('Unknown or unsupported platform %s' \ |
| 107 % __platform__) | |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
108 |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
109 @classmethod |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
110 def hash_check(cls, password, hashed): |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
111 """ |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
112 Checks matching password with it's hashed value, runs different |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
113 implementation based on platform it runs on |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
114 |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
115 :param password: password |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
116 :param hashed: password in hashed form |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
117 """ |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
118 |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
119 if is_windows: |
|
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
120 from hashlib import sha256 |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
121 return sha256(password).hexdigest() == hashed |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
122 elif is_unix: |
|
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
123 import bcrypt |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
124 return bcrypt.hashpw(password, hashed) == hashed |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
125 else: |
| 1246 | 126 raise Exception('Unknown or unsupported platform %s' \ |
| 127 % __platform__) | |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
128 |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
129 |
|
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
130 def get_crypt_password(password): |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
131 return RhodeCodeCrypto.hash_string(password) |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
132 |
| 1246 | 133 |
|
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
134 def check_password(password, hashed): |
|
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
135 return RhodeCodeCrypto.hash_check(password, hashed) |
|
415
04e8b31fb245
Changed password crypting scheme to bcrypt, added dependency for setup
Marcin Kuzminski <marcin@python-works.com>
parents:
412
diff
changeset
|
136 |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
137 |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
138 def generate_api_key(str_, salt=None): |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
139 """ |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
140 Generates API KEY from given string |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
141 |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
142 :param str_: |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
143 :param salt: |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
144 """ |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
145 |
|
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
146 if salt is None: |
|
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
147 salt = _RandomNameSequence().next() |
|
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
148 |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
149 return hashlib.sha1(str_ + salt).hexdigest() |
|
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
150 |
| 1246 | 151 |
|
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
152 def authfunc(environ, username, password): |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
153 """ |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
154 Dummy authentication wrapper function used in Mercurial and Git for |
| 1644 | 155 access control. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
156 |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
157 :param environ: needed only for using in Basic auth |
|
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
158 """ |
|
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
159 return authenticate(username, password) |
|
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
160 |
|
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
161 |
|
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
162 def authenticate(username, password): |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
163 """ |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
164 Authentication function used for access control, |
|
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
165 firstly checks for db authentication then if ldap is enabled for ldap |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
166 authentication, also creates ldap user if not in database |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
167 |
|
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
168 :param username: username |
|
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
169 :param password: password |
|
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
170 """ |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
171 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
172 user_model = UserModel() |
|
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
173 user = User.get_by_username(username) |
|
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
174 |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
175 log.debug('Authenticating user using RhodeCode account') |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
176 if user is not None and not user.ldap_dn: |
|
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
177 if user.active: |
|
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
178 if user.username == 'default' and user.active: |
|
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
179 log.info('user %s authenticated correctly as anonymous user' % |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
180 username) |
|
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
181 return True |
|
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
182 |
| 1246 | 183 elif user.username == username and check_password(password, |
| 184 user.password): | |
| 1976 | 185 log.info('user %s authenticated correctly' % username) |
|
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
186 return True |
|
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
187 else: |
|
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
188 log.warning('user %s tried auth but is disabled' % username) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
189 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
190 else: |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
191 log.debug('Regular authentication failed') |
|
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
192 user_obj = User.get_by_username(username, case_insensitive=True) |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
193 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
194 if user_obj is not None and not user_obj.ldap_dn: |
|
749
fcd4fb51526e
added debug message for ldap auth
Marcin Kuzminski <marcin@python-works.com>
parents:
748
diff
changeset
|
195 log.debug('this user already exists as non ldap') |
|
748
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
196 return False |
|
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
197 |
|
1633
2c0d35e336b5
refactoring of models names for repoGroup permissions
Marcin Kuzminski <marcin@python-works.com>
parents:
1630
diff
changeset
|
198 ldap_settings = RhodeCodeSetting.get_ldap_settings() |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
199 #====================================================================== |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
200 # FALLBACK TO LDAP AUTH IF ENABLE |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
201 #====================================================================== |
|
1135
1aa1655bf019
fixed some config bool converter problems with ldap
Marcin Kuzminski <marcin@python-works.com>
parents:
1122
diff
changeset
|
202 if str2bool(ldap_settings.get('ldap_active')): |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
203 log.debug("Authenticating user using ldap") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
204 kwargs = { |
| 1246 | 205 'server': ldap_settings.get('ldap_host', ''), |
| 206 'base_dn': ldap_settings.get('ldap_base_dn', ''), | |
| 207 'port': ldap_settings.get('ldap_port'), | |
| 208 'bind_dn': ldap_settings.get('ldap_dn_user'), | |
| 209 'bind_pass': ldap_settings.get('ldap_dn_pass'), | |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1288
diff
changeset
|
210 'tls_kind': ldap_settings.get('ldap_tls_kind'), |
| 1246 | 211 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), |
| 212 'ldap_filter': ldap_settings.get('ldap_filter'), | |
| 213 'search_scope': ldap_settings.get('ldap_search_scope'), | |
| 214 'attr_login': ldap_settings.get('ldap_attr_login'), | |
| 215 'ldap_version': 3, | |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
216 } |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
217 log.debug('Checking for ldap authentication') |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
218 try: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
219 aldap = AuthLdap(**kwargs) |
| 1246 | 220 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, |
| 221 password) | |
| 1976 | 222 log.debug('Got ldap DN response %s' % user_dn) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
223 |
| 1307 | 224 get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\ |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
225 .get(k), [''])[0] |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
226 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
227 user_attrs = { |
|
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
228 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')), |
|
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
229 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')), |
|
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
230 'email': get_ldap_attr('ldap_attr_email'), |
|
3786
222e6769e7b5
Added separate default permission for external_auth account
Marcin Kuzminski <marcin@python-works.com>
parents:
3751
diff
changeset
|
231 'active': 'hg.extern_activate.auto' in User.get_default_user()\ |
|
222e6769e7b5
Added separate default permission for external_auth account
Marcin Kuzminski <marcin@python-works.com>
parents:
3751
diff
changeset
|
232 .AuthUser.permissions['global'] |
|
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
233 } |
|
2000
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
234 |
|
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
235 # don't store LDAP password since we don't need it. Override |
|
1992
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
236 # with some random generated password |
|
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
237 _password = PasswordGenerator().gen_password(length=8) |
|
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
238 # create this user on the fly if it doesn't exist in rhodecode |
|
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
239 # database |
|
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
240 if user_model.create_ldap(username, _password, user_dn, |
| 1246 | 241 user_attrs): |
| 1976 | 242 log.info('created new ldap user %s' % username) |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
243 |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
244 Session().commit() |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
245 return True |
|
3632
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
3625
diff
changeset
|
246 except (LdapUsernameError, LdapPasswordError, LdapImportError): |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
247 pass |
|
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
248 except (Exception,): |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
249 log.error(traceback.format_exc()) |
|
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
250 pass |
|
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
251 return False |
|
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
252 |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
253 |
|
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
254 def login_container_auth(username): |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
255 user = User.get_by_username(username) |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
256 if user is None: |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
257 user_attrs = { |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
258 'name': username, |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
259 'lastname': None, |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
260 'email': None, |
|
3786
222e6769e7b5
Added separate default permission for external_auth account
Marcin Kuzminski <marcin@python-works.com>
parents:
3751
diff
changeset
|
261 'active': 'hg.extern_activate.auto' in User.get_default_user()\ |
|
222e6769e7b5
Added separate default permission for external_auth account
Marcin Kuzminski <marcin@python-works.com>
parents:
3751
diff
changeset
|
262 .AuthUser.permissions['global'] |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
263 } |
|
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
264 user = UserModel().create_for_container_auth(username, user_attrs) |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
265 if not user: |
|
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
266 return None |
| 1976 | 267 log.info('User %s was created by container authentication' % username) |
|
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
268 |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
269 if not user.active: |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
270 return None |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
271 |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
272 user.update_lastlogin() |
|
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
273 Session().commit() |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
274 |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
275 log.debug('User %s is now logged in by container authentication', |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
276 user.username) |
|
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
277 return user |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
278 |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
279 |
|
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
280 def get_container_username(environ, config, clean_username=False): |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
281 """ |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
282 Get's the container_auth username (or email). It tries to get username |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
283 from REMOTE_USER if container_auth_enabled is enabled, if that fails |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
284 it tries to get username from HTTP_X_FORWARDED_USER if proxypass_auth_enabled |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
285 is enabled. clean_username extracts the username from this data if it's |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
286 having @ in it. |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
287 |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
288 :param environ: |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
289 :param config: |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
290 :param clean_username: |
|
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
291 """ |
|
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
292 username = None |
|
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
293 |
|
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
294 if str2bool(config.get('container_auth_enabled', False)): |
|
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
295 from paste.httpheaders import REMOTE_USER |
|
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
296 username = REMOTE_USER(environ) |
|
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
297 log.debug('extracted REMOTE_USER:%s' % (username)) |
|
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
298 |
|
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
299 if not username and str2bool(config.get('proxypass_auth_enabled', False)): |
|
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
300 username = environ.get('HTTP_X_FORWARDED_USER') |
|
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
301 log.debug('extracted HTTP_X_FORWARDED_USER:%s' % (username)) |
|
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
302 |
|
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
303 if username and clean_username: |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
304 # Removing realm and domain from username |
|
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
305 username = username.partition('@')[0] |
|
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
306 username = username.rpartition('\\')[2] |
|
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
307 log.debug('Received username %s from container' % username) |
|
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
308 |
|
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
309 return username |
| 1246 | 310 |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
311 |
|
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
312 class CookieStoreWrapper(object): |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
313 |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
314 def __init__(self, cookie_store): |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
315 self.cookie_store = cookie_store |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
316 |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
317 def __repr__(self): |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
318 return 'CookieStore<%s>' % (self.cookie_store) |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
319 |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
320 def get(self, key, other=None): |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
321 if isinstance(self.cookie_store, dict): |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
322 return self.cookie_store.get(key, other) |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
323 elif isinstance(self.cookie_store, AuthUser): |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
324 return self.cookie_store.__dict__.get(key, other) |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
325 |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
326 |
|
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
327 class AuthUser(object): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
328 """ |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
329 A simple object that handles all attributes of user in RhodeCode |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
330 |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
331 It does lookup based on API key,given user, or user present in session |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
332 Then it fills all required information for such user. It also checks if |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
333 anonymous access is enabled and if so, it returns default user as logged |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
334 in |
|
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
335 """ |
|
1016
3790279d2538
#56 added propagation of permission from group
Marcin Kuzminski <marcin@python-works.com>
parents:
991
diff
changeset
|
336 |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
337 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
338 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
339 self.user_id = user_id |
|
1120
a8d759613d8f
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1118
diff
changeset
|
340 self.api_key = None |
|
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
341 self.username = username |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
342 self.ip_addr = ip_addr |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
343 |
|
355
5bbcc0cac389
added session remove in forms, and added name and lastname to auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
350
diff
changeset
|
344 self.name = '' |
|
5bbcc0cac389
added session remove in forms, and added name and lastname to auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
350
diff
changeset
|
345 self.lastname = '' |
|
404
a10bdd0b05a7
fixed user email for gravatars
Marcin Kuzminski <marcin@python-works.com>
parents:
399
diff
changeset
|
346 self.email = '' |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
347 self.is_authenticated = False |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
348 self.admin = False |
|
2714
a2eaa0054430
fixed error when disabled anonymous access lead to error on server
Marcin Kuzminski <marcin@python-works.com>
parents:
2709
diff
changeset
|
349 self.inherit_default_permissions = False |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
350 self.permissions = {} |
|
1120
a8d759613d8f
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1118
diff
changeset
|
351 self._api_key = api_key |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
352 self.propagate_data() |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
353 self._instance = None |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
354 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
355 def propagate_data(self): |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
356 user_model = UserModel() |
|
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
357 self.anonymous_user = User.get_by_username('default', cache=True) |
|
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
358 is_user_loaded = False |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
359 |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
360 # try go get user by api key |
|
1122
31e82d872631
disabled api key for anonymous users, and added api_key to rss/atom links for other users
Marcin Kuzminski <marcin@python-works.com>
parents:
1120
diff
changeset
|
361 if self._api_key and self._api_key != self.anonymous_user.api_key: |
| 1976 | 362 log.debug('Auth User lookup by API KEY %s' % self._api_key) |
|
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
363 is_user_loaded = user_model.fill_data(self, api_key=self._api_key) |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
364 # lookup by userid |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
365 elif (self.user_id is not None and |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
366 self.user_id != self.anonymous_user.user_id): |
| 1976 | 367 log.debug('Auth User lookup by USER ID %s' % self.user_id) |
|
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
368 is_user_loaded = user_model.fill_data(self, user_id=self.user_id) |
|
1808
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
369 # lookup by username |
|
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
370 elif self.username and \ |
|
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
371 str2bool(config.get('container_auth_enabled', False)): |
|
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
372 |
| 1976 | 373 log.debug('Auth User lookup by USER NAME %s' % self.username) |
|
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
374 dbuser = login_container_auth(self.username) |
|
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
375 if dbuser is not None: |
|
2709
d2d35cf2b351
RhodeCode now has a option to explicitly set forking permissions. ref #508
Marcin Kuzminski <marcin@python-works.com>
parents:
2634
diff
changeset
|
376 log.debug('filling all attributes to object') |
|
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
377 for k, v in dbuser.get_dict().items(): |
|
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
378 setattr(self, k, v) |
|
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
379 self.set_authenticated() |
|
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
380 is_user_loaded = True |
|
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
381 else: |
|
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
382 log.debug('No data in %s that could been used to log in' % self) |
|
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
383 |
|
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
384 if not is_user_loaded: |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
385 # if we cannot authenticate user try anonymous |
|
3625
260a7a01b054
follow Python conventions for boolean values
Mads Kiilerich <madski@unity3d.com>
parents:
3415
diff
changeset
|
386 if self.anonymous_user.active: |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
387 user_model.fill_data(self, user_id=self.anonymous_user.user_id) |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
388 # then we set this user is logged in |
|
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
389 self.is_authenticated = True |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
390 else: |
|
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
391 self.user_id = None |
|
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
392 self.username = None |
|
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
393 self.is_authenticated = False |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
394 |
|
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
395 if not self.username: |
|
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
396 self.username = 'None' |
|
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
397 |
| 1976 | 398 log.debug('Auth User is now %s' % self) |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
399 user_model.fill_perms(self) |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
400 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
401 @property |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
402 def is_admin(self): |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
403 return self.admin |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
404 |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
405 @property |
|
3865
100be6988bb0
show admin menu and list for users who are admins of repos.
Marcin Kuzminski <marcin@python-works.com>
parents:
3786
diff
changeset
|
406 def repositories_admin(self): |
|
3371
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
407 """ |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
408 Returns list of repositories you're an admin of |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
409 """ |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
410 return [x[0] for x in self.permissions['repositories'].iteritems() |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
411 if x[1] == 'repository.admin'] |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
412 |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
413 @property |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
414 def repository_groups_admin(self): |
|
3371
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
415 """ |
|
3415
b8f929bff7e3
fixed tests and missing replacements from 5f1850e4712a
Marcin Kuzminski <marcin@python-works.com>
parents:
3371
diff
changeset
|
416 Returns list of repository groups you're an admin of |
|
3371
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
417 """ |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
418 return [x[0] for x in self.permissions['repositories_groups'].iteritems() |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
419 if x[1] == 'group.admin'] |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
420 |
|
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
421 @property |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
422 def user_groups_admin(self): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
423 """ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
424 Returns list of user groups you're an admin of |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
425 """ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
426 return [x[0] for x in self.permissions['user_groups'].iteritems() |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
427 if x[1] == 'usergroup.admin'] |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
428 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
429 @property |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
430 def ip_allowed(self): |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
431 """ |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
432 Checks if ip_addr used in constructor is allowed from defined list of |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
433 allowed ip_addresses for user |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
434 |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
435 :returns: boolean, True if ip is in allowed ip range |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
436 """ |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
437 #check IP |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
438 allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True) |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
439 if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips): |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
440 log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips)) |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
441 return True |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
442 else: |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
443 log.info('Access for IP:%s forbidden, ' |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
444 'not in %s' % (self.ip_addr, allowed_ips)) |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
445 return False |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
446 |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
447 def __repr__(self): |
|
3903
ddd05df2aced
added more info into __repr__ of auth user for better debugging and logging
Marcin Kuzminski <marcin@python-works.com>
parents:
3865
diff
changeset
|
448 return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\ |
|
ddd05df2aced
added more info into __repr__ of auth user for better debugging and logging
Marcin Kuzminski <marcin@python-works.com>
parents:
3865
diff
changeset
|
449 % (self.user_id, self.username, self.ip_addr, self.is_authenticated) |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
450 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
451 def set_authenticated(self, authenticated=True): |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
452 if self.user_id != self.anonymous_user.user_id: |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
453 self.is_authenticated = authenticated |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
454 |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
455 def get_cookie_store(self): |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
456 return {'username': self.username, |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
457 'user_id': self.user_id, |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
458 'is_authenticated': self.is_authenticated} |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
459 |
|
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
460 @classmethod |
|
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
461 def from_cookie_store(cls, cookie_store): |
|
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
462 """ |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
463 Creates AuthUser from a cookie store |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
464 |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
465 :param cls: |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
466 :param cookie_store: |
|
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
467 """ |
|
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
468 user_id = cookie_store.get('user_id') |
|
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
469 username = cookie_store.get('username') |
|
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
470 api_key = cookie_store.get('api_key') |
|
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
471 return AuthUser(user_id, api_key, username) |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
472 |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
473 @classmethod |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
474 def get_allowed_ips(cls, user_id, cache=False): |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
475 _set = set() |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
476 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id) |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
477 if cache: |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
478 user_ips = user_ips.options(FromCache("sql_cache_short", |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
479 "get_user_ips_%s" % user_id)) |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
480 for ip in user_ips: |
|
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
481 try: |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
482 _set.add(ip.ip_addr) |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
483 except ObjectDeletedError: |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
484 # since we use heavy caching sometimes it happens that we get |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
485 # deleted objects here, we just skip them |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
486 pass |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
487 return _set or set(['0.0.0.0/0', '::/0']) |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
488 |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
489 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
490 def set_available_permissions(config): |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
491 """ |
|
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
492 This function will propagate pylons globals with all available defined |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
493 permission given in db. We don't want to check each time from db for new |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
494 permissions since adding a new permission also requires application restart |
|
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
495 ie. to decorate new views with the newly created permission |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
496 |
|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
497 :param config: current pylons config instance |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
498 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
499 """ |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
500 log.info('getting information about all available permissions') |
|
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
501 try: |
|
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
502 sa = meta.Session |
|
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
503 all_perms = sa.query(Permission).all() |
|
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
504 except Exception: |
|
629
7e536d1af60d
Code refactoring,models renames
Marcin Kuzminski <marcin@python-works.com>
parents:
612
diff
changeset
|
505 pass |
|
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
506 finally: |
|
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
507 meta.Session.remove() |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
508 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
509 config['available_permissions'] = [x.permission_name for x in all_perms] |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
510 |
| 1246 | 511 |
| 512 #============================================================================== | |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
513 # CHECK DECORATORS |
| 1246 | 514 #============================================================================== |
|
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
515 class LoginRequired(object): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
516 """ |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
517 Must be logged in to execute this function else |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
518 redirect to login page |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
519 |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
520 :param api_access: if enabled this checks only for valid auth token |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
521 and grants access based on valid token |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
522 """ |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
523 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
524 def __init__(self, api_access=False): |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
525 self.api_access = api_access |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
526 |
|
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
527 def __call__(self, func): |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
528 return decorator(self.__wrapper, func) |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
529 |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
530 def __wrapper(self, func, *fargs, **fkwargs): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
531 cls = fargs[0] |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
532 user = cls.rhodecode_user |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
533 loc = "%s:%s" % (cls.__class__.__name__, func.__name__) |
|
3751
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
534 # defined whitelist of controllers which API access will be enabled |
|
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
535 whitelist = aslist(config.get('api_access_controllers_whitelist'), |
|
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
536 sep=',') |
|
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
537 api_access_whitelist = loc in whitelist |
|
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
538 log.debug('loc:%s is in API whitelist:%s:%s' % (loc, whitelist, |
|
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
539 api_access_whitelist)) |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
540 #check IP |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
541 ip_access_ok = True |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
542 if not user.ip_allowed: |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
543 from rhodecode.lib import helpers as h |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
544 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))), |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
545 category='warning') |
|
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
546 ip_access_ok = False |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
547 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
548 api_access_ok = False |
|
3751
78c7e8efe658
new feature: API access white list definition from .ini files
Marcin Kuzminski <marcin@python-works.com>
parents:
3734
diff
changeset
|
549 if self.api_access or api_access_whitelist: |
| 1976 | 550 log.debug('Checking API KEY access for %s' % cls) |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
551 if user.api_key == request.GET.get('api_key'): |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
552 api_access_ok = True |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
553 else: |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
554 log.debug("API KEY token not valid") |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
555 |
|
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
556 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc)) |
|
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
557 if (user.is_authenticated or api_access_ok) and ip_access_ok: |
|
2458
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
558 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth' |
|
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
559 log.info('user %s is authenticated and granted access to %s ' |
|
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
560 'using %s' % (user.username, loc, reason) |
|
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
561 ) |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
562 return func(*fargs, **fkwargs) |
|
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
563 else: |
|
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
564 log.warn('user %s NOT authenticated on func: %s' % ( |
|
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
565 user, loc) |
|
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
566 ) |
|
1207
e61b7ba293db
changed the way of generating url for came_from
Marcin Kuzminski <marcin@python-works.com>
parents:
1206
diff
changeset
|
567 p = url.current() |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
568 |
| 1976 | 569 log.debug('redirecting to login page with %s' % p) |
|
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
570 return redirect(url('login_home', came_from=p)) |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
571 |
| 1246 | 572 |
|
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
573 class NotAnonymous(object): |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
574 """ |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
575 Must be logged in to execute this function else |
|
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
576 redirect to login page""" |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
577 |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
578 def __call__(self, func): |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
579 return decorator(self.__wrapper, func) |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
580 |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
581 def __wrapper(self, func, *fargs, **fkwargs): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
582 cls = fargs[0] |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
583 self.user = cls.rhodecode_user |
|
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
584 |
| 1976 | 585 log.debug('Checking if user is not anonymous @%s' % cls) |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
586 |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
587 anonymous = self.user.username == 'default' |
|
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
588 |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
589 if anonymous: |
|
1335
40c8d18102a9
fixed redirection link in notAnonymous decorator
Marcin Kuzminski <marcin@python-works.com>
parents:
1307
diff
changeset
|
590 p = url.current() |
|
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
591 |
|
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
592 import rhodecode.lib.helpers as h |
| 1246 | 593 h.flash(_('You need to be a registered user to ' |
| 594 'perform this action'), | |
|
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
595 category='warning') |
|
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
596 return redirect(url('login_home', came_from=p)) |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
597 else: |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
598 return func(*fargs, **fkwargs) |
|
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
599 |
| 1246 | 600 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
601 class PermsDecorator(object): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
602 """Base class for controller decorators""" |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
603 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
604 def __init__(self, *required_perms): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
605 available_perms = config['available_permissions'] |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
606 for perm in required_perms: |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
607 if perm not in available_perms: |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
608 raise Exception("'%s' permission is not defined" % perm) |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
609 self.required_perms = set(required_perms) |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
610 self.user_perms = None |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
611 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
612 def __call__(self, func): |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
613 return decorator(self.__wrapper, func) |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
614 |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
615 def __wrapper(self, func, *fargs, **fkwargs): |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
616 cls = fargs[0] |
|
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
617 self.user = cls.rhodecode_user |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
618 self.user_perms = self.user.permissions |
|
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
619 log.debug('checking %s permissions %s for %s %s', |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
620 self.__class__.__name__, self.required_perms, cls, self.user) |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
621 |
|
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
622 if self.check_permissions(): |
| 1976 | 623 log.debug('Permission granted for %s %s' % (cls, self.user)) |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
624 return func(*fargs, **fkwargs) |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
625 |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
626 else: |
|
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
627 log.debug('Permission denied for %s %s' % (cls, self.user)) |
|
1336
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
628 anonymous = self.user.username == 'default' |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
629 |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
630 if anonymous: |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
631 p = url.current() |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
632 |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
633 import rhodecode.lib.helpers as h |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
634 h.flash(_('You need to be a signed in to ' |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
635 'view this page'), |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
636 category='warning') |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
637 return redirect(url('login_home', came_from=p)) |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
638 |
|
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
639 else: |
|
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
640 # redirect with forbidden ret code |
|
1336
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
641 return abort(403) |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
642 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
643 def check_permissions(self): |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
644 """Dummy function for overriding""" |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
645 raise Exception('You have to write this function in child class') |
|
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
646 |
| 1246 | 647 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
648 class HasPermissionAllDecorator(PermsDecorator): |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
649 """ |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
650 Checks for access permission for all given predicates. All of them |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
651 have to be meet in order to fulfill the request |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
652 """ |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
653 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
654 def check_permissions(self): |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
655 if self.required_perms.issubset(self.user_perms.get('global')): |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
656 return True |
|
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
657 return False |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
658 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
659 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
660 class HasPermissionAnyDecorator(PermsDecorator): |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
661 """ |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
662 Checks for access permission for any of given predicates. In order to |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
663 fulfill the request any of predicates must be meet |
|
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
664 """ |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
665 |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
666 def check_permissions(self): |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
667 if self.required_perms.intersection(self.user_perms.get('global')): |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
668 return True |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
669 return False |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
670 |
| 1246 | 671 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
672 class HasRepoPermissionAllDecorator(PermsDecorator): |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
673 """ |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
674 Checks for access permission for all given predicates for specific |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
675 repository. All of them have to be meet in order to fulfill the request |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
676 """ |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
677 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
678 def check_permissions(self): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
679 repo_name = get_repo_slug(request) |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
680 try: |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
681 user_perms = set([self.user_perms['repositories'][repo_name]]) |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
682 except KeyError: |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
683 return False |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
684 if self.required_perms.issubset(user_perms): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
685 return True |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
686 return False |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
687 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
688 |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
689 class HasRepoPermissionAnyDecorator(PermsDecorator): |
|
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
690 """ |
|
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
691 Checks for access permission for any of given predicates for specific |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
692 repository. In order to fulfill the request any of predicates must be meet |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
693 """ |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
694 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
695 def check_permissions(self): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
696 repo_name = get_repo_slug(request) |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
697 try: |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
698 user_perms = set([self.user_perms['repositories'][repo_name]]) |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
699 except KeyError: |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
700 return False |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
701 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
702 if self.required_perms.intersection(user_perms): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
703 return True |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
704 return False |
| 1246 | 705 |
| 706 | |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
707 class HasReposGroupPermissionAllDecorator(PermsDecorator): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
708 """ |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
709 Checks for access permission for all given predicates for specific |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
710 repository group. All of them have to be meet in order to fulfill the request |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
711 """ |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
712 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
713 def check_permissions(self): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
714 group_name = get_repos_group_slug(request) |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
715 try: |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
716 user_perms = set([self.user_perms['repositories_groups'][group_name]]) |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
717 except KeyError: |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
718 return False |
|
3222
b4daef4cc26d
Group management delegation:
Marcin Kuzminski <marcin@python-works.com>
parents:
3212
diff
changeset
|
719 |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
720 if self.required_perms.issubset(user_perms): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
721 return True |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
722 return False |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
723 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
724 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
725 class HasReposGroupPermissionAnyDecorator(PermsDecorator): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
726 """ |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
727 Checks for access permission for any of given predicates for specific |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
728 repository group. In order to fulfill the request any of predicates must be meet |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
729 """ |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
730 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
731 def check_permissions(self): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
732 group_name = get_repos_group_slug(request) |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
733 try: |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
734 user_perms = set([self.user_perms['repositories_groups'][group_name]]) |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
735 except KeyError: |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
736 return False |
|
3222
b4daef4cc26d
Group management delegation:
Marcin Kuzminski <marcin@python-works.com>
parents:
3212
diff
changeset
|
737 |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
738 if self.required_perms.intersection(user_perms): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
739 return True |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
740 return False |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
741 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
742 |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
743 class HasUserGroupPermissionAllDecorator(PermsDecorator): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
744 """ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
745 Checks for access permission for all given predicates for specific |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
746 user group. All of them have to be meet in order to fulfill the request |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
747 """ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
748 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
749 def check_permissions(self): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
750 group_name = get_user_group_slug(request) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
751 try: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
752 user_perms = set([self.user_perms['user_groups'][group_name]]) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
753 except KeyError: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
754 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
755 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
756 if self.required_perms.issubset(user_perms): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
757 return True |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
758 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
759 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
760 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
761 class HasUserGroupPermissionAnyDecorator(PermsDecorator): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
762 """ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
763 Checks for access permission for any of given predicates for specific |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
764 user group. In order to fulfill the request any of predicates must be meet |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
765 """ |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
766 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
767 def check_permissions(self): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
768 group_name = get_user_group_slug(request) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
769 try: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
770 user_perms = set([self.user_perms['user_groups'][group_name]]) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
771 except KeyError: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
772 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
773 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
774 if self.required_perms.intersection(user_perms): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
775 return True |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
776 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
777 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
778 |
| 1246 | 779 #============================================================================== |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
780 # CHECK FUNCTIONS |
| 1246 | 781 #============================================================================== |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
782 class PermsFunction(object): |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
783 """Base function for other check functions""" |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
784 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
785 def __init__(self, *perms): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
786 available_perms = config['available_permissions'] |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
787 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
788 for perm in perms: |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
789 if perm not in available_perms: |
|
2105
926f55b038bc
added initial rc-extension module
Marcin Kuzminski <marcin@python-works.com>
parents:
2100
diff
changeset
|
790 raise Exception("'%s' permission is not defined" % perm) |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
791 self.required_perms = set(perms) |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
792 self.user_perms = None |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
793 self.repo_name = None |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
794 self.group_name = None |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
795 |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
796 def __call__(self, check_location=''): |
|
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
797 #TODO: put user as attribute here |
|
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
798 user = request.user |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
799 cls_name = self.__class__.__name__ |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
800 check_scope = { |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
801 'HasPermissionAll': '', |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
802 'HasPermissionAny': '', |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
803 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
804 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
805 'HasReposGroupPermissionAll': 'group:%s' % self.group_name, |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
806 'HasReposGroupPermissionAny': 'group:%s' % self.group_name, |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
807 }.get(cls_name, '?') |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
808 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
809 self.required_perms, user, check_scope, |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
810 check_location or 'unspecified location') |
| 333 | 811 if not user: |
|
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
812 log.debug('Empty request user') |
| 333 | 813 return False |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
814 self.user_perms = user.permissions |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
815 if self.check_permissions(): |
|
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
816 log.debug('Permission to %s granted for user: %s @ %s', self.repo_name, user, |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
817 check_location or 'unspecified location') |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
818 return True |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
819 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
820 else: |
|
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
821 log.debug('Permission to %s denied for user: %s @ %s', self.repo_name, user, |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
822 check_location or 'unspecified location') |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
823 return False |
|
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
824 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
825 def check_permissions(self): |
|
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
826 """Dummy function for overriding""" |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
827 raise Exception('You have to write this function in child class') |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
828 |
| 1246 | 829 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
830 class HasPermissionAll(PermsFunction): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
831 def check_permissions(self): |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
832 if self.required_perms.issubset(self.user_perms.get('global')): |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
833 return True |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
834 return False |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
835 |
| 1246 | 836 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
837 class HasPermissionAny(PermsFunction): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
838 def check_permissions(self): |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
839 if self.required_perms.intersection(self.user_perms.get('global')): |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
840 return True |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
841 return False |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
842 |
| 1246 | 843 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
844 class HasRepoPermissionAll(PermsFunction): |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
845 def __call__(self, repo_name=None, check_location=''): |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
846 self.repo_name = repo_name |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
847 return super(HasRepoPermissionAll, self).__call__(check_location) |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
848 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
849 def check_permissions(self): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
850 if not self.repo_name: |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
851 self.repo_name = get_repo_slug(request) |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
852 |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
853 try: |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
854 self._user_perms = set( |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
855 [self.user_perms['repositories'][self.repo_name]] |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
856 ) |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
857 except KeyError: |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
858 return False |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
859 if self.required_perms.issubset(self._user_perms): |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
860 return True |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
861 return False |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
862 |
| 1246 | 863 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
864 class HasRepoPermissionAny(PermsFunction): |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
865 def __call__(self, repo_name=None, check_location=''): |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
866 self.repo_name = repo_name |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
867 return super(HasRepoPermissionAny, self).__call__(check_location) |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
868 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
869 def check_permissions(self): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
870 if not self.repo_name: |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
871 self.repo_name = get_repo_slug(request) |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
872 |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
873 try: |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
874 self._user_perms = set( |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
875 [self.user_perms['repositories'][self.repo_name]] |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
876 ) |
|
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
877 except KeyError: |
|
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
878 return False |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
879 if self.required_perms.intersection(self._user_perms): |
|
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
880 return True |
|
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
881 return False |
|
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
882 |
| 1246 | 883 |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
884 class HasReposGroupPermissionAny(PermsFunction): |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
885 def __call__(self, group_name=None, check_location=''): |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
886 self.group_name = group_name |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
887 return super(HasReposGroupPermissionAny, self).__call__(check_location) |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
888 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
889 def check_permissions(self): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
890 try: |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
891 self._user_perms = set( |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
892 [self.user_perms['repositories_groups'][self.group_name]] |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
893 ) |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
894 except KeyError: |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
895 return False |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
896 if self.required_perms.intersection(self._user_perms): |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
897 return True |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
898 return False |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
899 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
900 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
901 class HasReposGroupPermissionAll(PermsFunction): |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
902 def __call__(self, group_name=None, check_location=''): |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
903 self.group_name = group_name |
|
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
904 return super(HasReposGroupPermissionAll, self).__call__(check_location) |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
905 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
906 def check_permissions(self): |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
907 try: |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
908 self._user_perms = set( |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
909 [self.user_perms['repositories_groups'][self.group_name]] |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
910 ) |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
911 except KeyError: |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
912 return False |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
913 if self.required_perms.issubset(self._user_perms): |
|
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
914 return True |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
915 return False |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
916 |
|
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
917 |
|
3714
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
918 class HasUserGroupPermissionAny(PermsFunction): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
919 def __call__(self, user_group_name=None, check_location=''): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
920 self.user_group_name = user_group_name |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
921 return super(HasUserGroupPermissionAny, self).__call__(check_location) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
922 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
923 def check_permissions(self): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
924 try: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
925 self._user_perms = set( |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
926 [self.user_perms['user_groups'][self.user_group_name]] |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
927 ) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
928 except KeyError: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
929 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
930 if self.required_perms.intersection(self._user_perms): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
931 return True |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
932 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
933 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
934 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
935 class HasUserGroupPermissionAll(PermsFunction): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
936 def __call__(self, user_group_name=None, check_location=''): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
937 self.user_group_name = user_group_name |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
938 return super(HasUserGroupPermissionAll, self).__call__(check_location) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
939 |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
940 def check_permissions(self): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
941 try: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
942 self._user_perms = set( |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
943 [self.user_perms['user_groups'][self.user_group_name]] |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
944 ) |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
945 except KeyError: |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
946 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
947 if self.required_perms.issubset(self._user_perms): |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
948 return True |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
949 return False |
|
7e3d89d9d3a2
- Manage User’s Groups: create, delete, rename, add/remove users inside.
Marcin Kuzminski <marcin@python-works.com>
parents:
3632
diff
changeset
|
950 |
| 1246 | 951 #============================================================================== |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
952 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH |
| 1246 | 953 #============================================================================== |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
954 class HasPermissionAnyMiddleware(object): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
955 def __init__(self, *perms): |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
956 self.required_perms = set(perms) |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
957 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
958 def __call__(self, user, repo_name): |
|
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
959 # repo_name MUST be unicode, since we handle keys in permission |
|
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
960 # dict by unicode |
|
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
961 repo_name = safe_unicode(repo_name) |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
962 usr = AuthUser(user.user_id) |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
963 try: |
|
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
964 self.user_perms = set([usr.permissions['repositories'][repo_name]]) |
|
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
965 except Exception: |
| 2109 | 966 log.error('Exception while accessing permissions %s' % |
|
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
967 traceback.format_exc()) |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
968 self.user_perms = set() |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
969 self.username = user.username |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
970 self.repo_name = repo_name |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
971 return self.check_permissions() |
|
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
972 |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
973 def check_permissions(self): |
|
2726
aa17c7a1b8a5
Implemented basic locking functionality.
Marcin Kuzminski <marcin@python-works.com>
parents:
2714
diff
changeset
|
974 log.debug('checking VCS protocol ' |
|
1040
8e49b6ceffe1
fixes fixes fixes ! optimized queries on journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1036
diff
changeset
|
975 'permissions %s for user:%s repository:%s', self.user_perms, |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
976 self.username, self.repo_name) |
|
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
977 if self.required_perms.intersection(self.user_perms): |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
978 log.debug('permission granted for user:%s on repo:%s' % ( |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
979 self.username, self.repo_name |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
980 ) |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
981 ) |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
982 return True |
|
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
983 log.debug('permission denied for user:%s on repo:%s' % ( |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
984 self.username, self.repo_name |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
985 ) |
|
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
986 ) |
|
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
987 return False |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
988 |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
989 |
|
3161
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
990 #============================================================================== |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
991 # SPECIAL VERSION TO HANDLE API AUTH |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
992 #============================================================================== |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
993 class _BaseApiPerm(object): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
994 def __init__(self, *perms): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
995 self.required_perms = set(perms) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
996 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
997 def __call__(self, check_location='unspecified', user=None, repo_name=None): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
998 cls_name = self.__class__.__name__ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
999 check_scope = 'user:%s, repo:%s' % (user, repo_name) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1000 log.debug('checking cls:%s %s %s @ %s', cls_name, |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1001 self.required_perms, check_scope, check_location) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1002 if not user: |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1003 log.debug('Empty User passed into arguments') |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1004 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1005 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1006 ## process user |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1007 if not isinstance(user, AuthUser): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1008 user = AuthUser(user.user_id) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1009 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1010 if self.check_permissions(user.permissions, repo_name): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1011 log.debug('Permission to %s granted for user: %s @ %s', repo_name, |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1012 user, check_location) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1013 return True |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1014 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1015 else: |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1016 log.debug('Permission to %s denied for user: %s @ %s', repo_name, |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1017 user, check_location) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1018 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1019 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1020 def check_permissions(self, perm_defs, repo_name): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1021 """ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1022 implement in child class should return True if permissions are ok, |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1023 False otherwise |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1024 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1025 :param perm_defs: dict with permission definitions |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1026 :param repo_name: repo name |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1027 """ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1028 raise NotImplementedError() |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1029 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1030 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1031 class HasPermissionAllApi(_BaseApiPerm): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1032 def __call__(self, user, check_location=''): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1033 return super(HasPermissionAllApi, self)\ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1034 .__call__(check_location=check_location, user=user) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1035 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1036 def check_permissions(self, perm_defs, repo): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1037 if self.required_perms.issubset(perm_defs.get('global')): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1038 return True |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1039 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1040 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1041 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1042 class HasPermissionAnyApi(_BaseApiPerm): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1043 def __call__(self, user, check_location=''): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1044 return super(HasPermissionAnyApi, self)\ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1045 .__call__(check_location=check_location, user=user) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1046 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1047 def check_permissions(self, perm_defs, repo): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1048 if self.required_perms.intersection(perm_defs.get('global')): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1049 return True |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1050 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1051 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1052 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1053 class HasRepoPermissionAllApi(_BaseApiPerm): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1054 def __call__(self, user, repo_name, check_location=''): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1055 return super(HasRepoPermissionAllApi, self)\ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1056 .__call__(check_location=check_location, user=user, |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1057 repo_name=repo_name) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1058 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1059 def check_permissions(self, perm_defs, repo_name): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1060 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1061 try: |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1062 self._user_perms = set( |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1063 [perm_defs['repositories'][repo_name]] |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1064 ) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1065 except KeyError: |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1066 log.warning(traceback.format_exc()) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1067 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1068 if self.required_perms.issubset(self._user_perms): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1069 return True |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1070 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1071 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1072 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1073 class HasRepoPermissionAnyApi(_BaseApiPerm): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1074 def __call__(self, user, repo_name, check_location=''): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1075 return super(HasRepoPermissionAnyApi, self)\ |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1076 .__call__(check_location=check_location, user=user, |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1077 repo_name=repo_name) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1078 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1079 def check_permissions(self, perm_defs, repo_name): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1080 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1081 try: |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1082 _user_perms = set( |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1083 [perm_defs['repositories'][repo_name]] |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1084 ) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1085 except KeyError: |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1086 log.warning(traceback.format_exc()) |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1087 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1088 if self.required_perms.intersection(_user_perms): |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1089 return True |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1090 return False |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1091 |
|
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1092 |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1093 def check_ip_access(source_ip, allowed_ips=None): |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1094 """ |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1095 Checks if source_ip is a subnet of any of allowed_ips. |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1096 |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1097 :param source_ip: |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1098 :param allowed_ips: list of allowed ips together with mask |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1099 """ |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1100 from rhodecode.lib import ipaddr |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1101 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips)) |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1102 if isinstance(allowed_ips, (tuple, list, set)): |
|
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1103 for ip in allowed_ips: |
|
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1104 try: |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1105 if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip): |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1106 return True |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1107 # for any case we cannot determine the IP, don't crash just |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1108 # skip it and log as error, we want to say forbidden still when |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1109 # sending bad IP |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1110 except Exception: |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1111 log.error(traceback.format_exc()) |
|
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1112 continue |
|
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1113 return False |