comparison kallithea/controllers/admin/repo_groups.py @ 8991:2e1059de6751 stable
repo groups: make it possible to remove own explicit permissions, now when group owners always have admin permissions
Until recently, group owners were given explicit admin permissions on repo
group, and special care was taken to make sure they didn't remove themselves.
Now we always give admin permissions to owners, and don't care about the
explicit permissions. We no longer add them when creating groups or changing
owner. There is no migration step to remove redundant permissions, but we
should allow group admins to remove them. This change will thus remove the
mechanism for preventing removal of own/owner permissions.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 09 May 2023 17:42:44 +0200 |
parents | abc29122c7f2 |
children |
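--- a/kallithea/controllers/admin/repo_groups.py
+++ b/kallithea/controllers/admin/repo_groups.py
@@ -87,17 +87,10 @@
 for p in repo_group.users_group_to_perm:
 data.update({'g_perm_%s' % p.users_group.users_group_name:
 p.permission.permission_name})
 
 return data
-
-def _revoke_perms_on_yourself(self, form_result):
-_up = [u for u in form_result['perms_updates'] if request.authuser.username == u[0]]
-_new = [u for u in form_result['perms_new'] if request.authuser.username == u[0]]
-if _new and _new[0][1] != 'group.admin' or _up and _up[0][1] != 'group.admin':
-return True
-return False
 
 def index(self, format='html'):
 _list = db.RepoGroup.query(sorted=True).all()
 group_iter = RepoGroupList(_list, perm_level='admin')
 repo_groups_data = []
@@ -347,15 +340,10 @@
 """
 
 c.repo_group = db.RepoGroup.guess_instance(group_name)
 valid_recursive_choices = ['none', 'repos', 'groups', 'all']
 form_result = RepoGroupPermsForm(valid_recursive_choices)().to_python(request.POST)
-if not request.authuser.is_admin:
-if self._revoke_perms_on_yourself(form_result):
-msg = _('Cannot revoke permission for yourself as admin')
-webutils.flash(msg, category='warning')
-raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))
 recursive = form_result['recursive']
 # iterate over all members(if in recursive mode) of this groups and
 # set the permissions !
 # this can be potentially heavy operation
 RepoGroupModel()._update_permissions(c.repo_group,
@@ -377,15 +365,10 @@
 if obj_type == 'user':
 obj_id = safe_int(request.POST.get('user_id'))
 elif obj_type == 'user_group':
 obj_id = safe_int(request.POST.get('user_group_id'))
 
-if not request.authuser.is_admin:
-if obj_type == 'user' and request.authuser.user_id == obj_id:
-msg = _('Cannot revoke permission for yourself as admin')
-webutils.flash(msg, category='warning')
-raise Exception('revoke admin permission on self')
 recursive = request.POST.get('recursive', 'none')
 if obj_type == 'user':
 RepoGroupModel().delete_permission(repo_group=group_name,
 obj=obj_id, obj_type='user',
 recursive=recursive)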