# HG changeset patch # User Mads Kiilerich # Date 1586629109 -7200 # Node ID 2ce710e81e61219bc1fc9a60b9fff4d40c877ee3 # Parent c19e720cbb21f41aef9404012bd74a5b4fafb6d1 permissions: drop hg.create.write_on_repogroup "Repository creation with group write access" setting Simplify permissions system and get rid of some confusing tech debt. Before, the global 'write_on_repogroup' setting controlled what write permission on a repo group meant. With this change, users can create repositories in a repo group if and only if they have write access. Write access to a repo group will now mean the permission to create repositories in it. Write access to repo groups must be granted explicitly. There should not be any other reason to grant write access than to allow users to create repos. There is thus no upgrade concerns for this change. An admin that doesn't want users to create repos in a repogroup should just not give them write access. These global settings might still exist in the database, but is ignored and no longer used and do no harm. diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/controllers/admin/permissions.py --- a/kallithea/controllers/admin/permissions.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/controllers/admin/permissions.py Sat Apr 11 20:18:29 2020 +0200 @@ -89,11 +89,6 @@ c.repo_create_choices = [('hg.create.none', _('Disabled')), ('hg.create.repository', _('Enabled'))] - c.repo_create_on_write_choices = [ - ('hg.create.write_on_repogroup.true', _('Enabled')), - ('hg.create.write_on_repogroup.false', _('Disabled')), - ] - c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')), ('hg.usergroup.create.true', _('Enabled'))] @@ -109,7 +104,6 @@ [x[0] for x in c.group_perms_choices], [x[0] for x in c.user_group_perms_choices], [x[0] for x in c.repo_create_choices], - [x[0] for x in c.repo_create_on_write_choices], [x[0] for x in c.repo_group_create_choices], [x[0] for x in c.user_group_create_choices], [x[0] for x in c.fork_choices], 
@@ -154,9 +148,6 @@ if p.permission.permission_name.startswith('usergroup.'): defaults['default_user_group_perm'] = p.permission.permission_name - if p.permission.permission_name.startswith('hg.create.write_on_repogroup.'): - defaults['create_on_write'] = p.permission.permission_name - elif p.permission.permission_name.startswith('hg.create.'): defaults['default_repo_create'] = p.permission.permission_name diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/controllers/admin/repos.py --- a/kallithea/controllers/admin/repos.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/controllers/admin/repos.py Sat Apr 11 20:18:29 2020 +0200 @@ -39,7 +39,7 @@ import kallithea from kallithea.config.routing import url from kallithea.lib import helpers as h -from kallithea.lib.auth import HasPermissionAny, HasRepoPermissionLevelDecorator, LoginRequired, NotAnonymous +from kallithea.lib.auth import HasRepoPermissionLevelDecorator, LoginRequired, NotAnonymous from kallithea.lib.base import BaseRepoController, jsonify, render from kallithea.lib.exceptions import AttachedForksError from kallithea.lib.utils import action_logger @@ -76,13 +76,9 @@ return repo_obj def __load_defaults(self, repo=None): - if HasPermissionAny('hg.create.write_on_repogroup.true')(): - repo_group_perm_level = 'write' - else: - repo_group_perm_level = 'admin' extras = [] if repo is None else [repo.group] - c.repo_groups = AvailableRepoGroupChoices(repo_group_perm_level, extras) + c.repo_groups = AvailableRepoGroupChoices('write', extras) c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs(repo) diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/controllers/forks.py --- a/kallithea/controllers/forks.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/controllers/forks.py Sat Apr 11 20:18:29 2020 +0200 
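Review bot: With the `hg.create.write_on_repogroup.` branch gone, a leftover permission row of that name now matches the following `startswith('hg.create.')` test and is stored as `defaults['default_repo_create']`. The commit message says these rows can still exist in the database, so the admin form may be pre-filled with a value that is not in `c.repo_create_choices`. Depending on row order, it may also overwrite the real `hg.create.none` / `hg.create.repository` default before the admin saves the form. Matching the known names instead of the prefix avoids this: `elif p.permission.permission_name in ('hg.create.none', 'hg.create.repository'):`. The loop this sits in starts outside the hunk, so how the rows are ordered is not visible here.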
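Review bot: On instances where an admin had selected `hg.create.write_on_repogroup.false`, hard-coding the level in `AvailableRepoGroupChoices('write', extras)` lets every existing holder of repo group write access create repositories in that group as soon as this is deployed. The same applies to `ForksController.__load_defaults` and to `forbidden = not (group_admin or group_write)` in kallithea/model/validators.py. The commit message states there are no upgrade concerns, but the removed help text says write grants "mean nothing" with the setting disabled, so such grants may exist without ever having been intended as creation rights. An upgrade note asking admins to review existing repo group write grants would cover this, together with a comment here such as `# write access to a repo group is what permits creating repos in it; there is no global toggle`. `__load_defaults` continues outside the hunk.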
@@ -38,7 +38,7 @@ import kallithea import kallithea.lib.helpers as h from kallithea.config.routing import url -from kallithea.lib.auth import HasPermissionAny, HasPermissionAnyDecorator, HasRepoPermissionLevel, HasRepoPermissionLevelDecorator, LoginRequired +from kallithea.lib.auth import HasPermissionAnyDecorator, HasRepoPermissionLevel, HasRepoPermissionLevelDecorator, LoginRequired from kallithea.lib.base import BaseRepoController, render from kallithea.lib.page import Page from kallithea.lib.utils2 import safe_int @@ -54,11 +54,7 @@ class ForksController(BaseRepoController): def __load_defaults(self): - if HasPermissionAny('hg.create.write_on_repogroup.true')(): - repo_group_perm_level = 'write' - else: - repo_group_perm_level = 'admin' - c.repo_groups = AvailableRepoGroupChoices(repo_group_perm_level) + c.repo_groups = AvailableRepoGroupChoices('write') c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs() diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/lib/auth.py --- a/kallithea/lib/auth.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/lib/auth.py Sat Apr 11 20:18:29 2020 +0200 @@ -149,7 +149,6 @@ # based on default permissions, just set everything to admin #================================================================== permissions[GLOBAL].add('hg.admin') - permissions[GLOBAL].add('hg.create.write_on_repogroup.true') # repositories for perm in default_repo_perms: @@ -242,7 +241,7 @@ # for each kind of global permissions, only keep the one with heighest weight kind_max_perm = {} - for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS[n]): + for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS.get(n, -1)): kind = perm.rsplit('.', 1)[0] kind_max_perm[kind] = perm permissions[GLOBAL] = set(kind_max_perm.values()) diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/model/db.py --- a/kallithea/model/db.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/db.py Sat Apr 11 20:18:29 2020 +0200 
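Review bot: `PERM_WEIGHTS.get(n, -1)` in the sort key makes the global-permission reduction accept any name without a weight, not only the retired `hg.create.write_on_repogroup.*` rows. Because `kind` is derived from each name, a leftover row forms its own kind and is kept in `permissions[GLOBAL]` rather than dropped, so the effective permission set still carries names the code no longer defines. In an authorization path it is safer to skip unknown names explicitly and keep the lookup strict, e.g. `known = [p for p in permissions[GLOBAL] if p in PERM_WEIGHTS]` followed by `for perm in sorted(known, key=lambda n: PERM_WEIGHTS[n]):`. That way a typo or corrupt row cannot silently enter the result. The enclosing function starts and ends outside the hunk.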
@@ -1562,9 +1562,6 @@ ('hg.create.none', _('Only admins can create top level repositories')), ('hg.create.repository', _('Non-admins can create top level repositories')), - ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')), - ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')), - ('hg.fork.none', _('Only admins can fork repositories')), ('hg.fork.repository', _('Non-admins can fork repositories')), @@ -1582,7 +1579,6 @@ 'group.read', 'usergroup.read', 'hg.create.repository', - 'hg.create.write_on_repogroup.true', 'hg.fork.repository', 'hg.register.manual_activate', 'hg.extern_activate.auto', @@ -1616,9 +1612,6 @@ 'hg.create.none': 0, 'hg.create.repository': 1, - 'hg.create.write_on_repogroup.false': 0, - 'hg.create.write_on_repogroup.true': 1, - 'hg.register.none': 0, 'hg.register.manual_activate': 1, 'hg.register.auto_activate': 2, diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/model/forms.py --- a/kallithea/model/forms.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/forms.py Sat Apr 11 20:18:29 2020 +0200 @@ -396,7 +396,7 @@ def DefaultPermissionsForm(repo_perms_choices, group_perms_choices, user_group_perms_choices, create_choices, - create_on_write_choices, repo_group_create_choices, + repo_group_create_choices, user_group_create_choices, fork_choices, register_choices, extern_activate_choices): class _DefaultPermissionsForm(formencode.Schema): @@ -411,7 +411,6 @@ default_user_group_perm = v.OneOf(user_group_perms_choices) default_repo_create = v.OneOf(create_choices) - create_on_write = v.OneOf(create_on_write_choices) default_user_group_create = v.OneOf(user_group_create_choices) default_fork = v.OneOf(fork_choices) diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/model/permission.py --- a/kallithea/model/permission.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/permission.py Sat Apr 11 20:18:29 2020 +0200 
@@ -119,7 +119,6 @@ 'default_group_perm', 'default_user_group_perm', 'default_repo_create', - 'create_on_write', # special case for create repos on write access to group 'default_user_group_create', 'default_fork', 'default_register', diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/model/validators.py --- a/kallithea/model/validators.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/validators.py Sat Apr 11 20:18:29 2020 +0200 @@ -456,12 +456,11 @@ gr_name = gr.group_name if gr is not None else None # None means ROOT location # create repositories with write permission on group is set to true - create_on_write = HasPermissionAny('hg.create.write_on_repogroup.true')() group_admin = HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group validator') group_write = HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group validator') - forbidden = not (group_admin or (group_write and create_on_write)) + forbidden = not (group_admin or group_write) can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository') gid = (old_data['repo_group'].get('group_id') if (old_data and 'repo_group' in old_data) else None) diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/templates/admin/permissions/permissions_globals.html --- a/kallithea/templates/admin/permissions/permissions_globals.html Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/templates/admin/permissions/permissions_globals.html Sat Apr 11 20:18:29 2020 +0200 @@ -58,13 +58,6 @@
- -
- ${h.select('create_on_write','',c.repo_create_on_write_choices,class_='form-control')} - ${_('With this, write permission to a repository group allows creating repositories inside that group. Without this, group write permissions mean nothing.')} -
-
-
${h.select('default_user_group_create','',c.user_group_create_choices,class_='form-control')} diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/templates/index_base.html --- a/kallithea/templates/index_base.html Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/templates/index_base.html Sat Apr 11 20:18:29 2020 +0200 @@ -16,11 +16,10 @@ <% gr_name = c.group.group_name if c.group else None # create repositories with write permission on group is set to true - create_on_write = h.HasPermissionAny('hg.create.write_on_repogroup.true')() group_admin = h.HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group index page') group_write = h.HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group index page') %> - %if h.HasPermissionAny('hg.admin','hg.create.repository')() or (group_admin or (group_write and create_on_write)): + %if h.HasPermissionAny('hg.admin','hg.create.repository')() or group_admin or group_write: %if c.group: ${_('Add Repository')} %if h.HasPermissionAny('hg.admin')() or h.HasRepoGroupPermissionLevel('admin')(c.group.group_name): diff -r c19e720cbb21 -r 2ce710e81e61 kallithea/tests/models/test_permissions.py --- a/kallithea/tests/models/test_permissions.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/tests/models/test_permissions.py Sat Apr 11 20:18:29 2020 +0200 @@ -290,7 +290,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inherit_sad_permissions_from_default_user(self): user_model = UserModel() @@ -307,7 +307,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inherit_more_permissions_from_default_user(self): user_model = UserModel() 
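Review bot: The kept comment `# create repositories with write permission on group is set to true` in index_base.html describes the setting this commit removes, and the same stale comment stays above `group_admin` in kallithea/model/validators.py. I would replace both with `# write (or admin) access to the repo group allows creating repositories in it`. If `HasRepoGroupPermissionLevel('write')` is also satisfied by admin-level access, which the level-based name suggests but the hunk does not show, the separate `group_admin` lookup is redundant and the condition could end in `or group_write` alone. This template condition only decides whether the link is shown, so it should be kept identical to the validator's `forbidden` expression, which is the check that actually enforces the rule.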
@@ -333,7 +333,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inherit_less_permissions_from_default_user(self): user_model = UserModel() @@ -359,7 +359,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inactive_user_group_does_not_affect_global_permissions(self): # Add user to inactive user group, set specific permissions on user @@ -391,7 +391,7 @@ 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', - 'hg.create.write_on_repogroup.true']) + ]) def test_inactive_user_group_does_not_affect_global_permissions_inverse(self): # Add user to inactive user group, set specific permissions on user @@ -423,7 +423,7 @@ 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', - 'hg.create.write_on_repogroup.true']) + ]) def test_inactive_user_group_does_not_affect_repo_permissions(self): self.ug1 = fixture.create_user_group('G1')