# HG changeset patch
# User Marcin Kuzminski
# Date 1366678550 -7200
# Node ID 32f66c839c54b54335b6769f75d594259a8f555a
# Parent d9b89874edf9dbe94c3f1e6693c78ef84331561c
managing users groups enforce permissions checks. User needs at least a read permissions on usergroup to be able to assign it somewhere.

diff -r d9b89874edf9 -r 32f66c839c54 rhodecode/model/repo.py
--- a/rhodecode/model/repo.py Tue Apr 23 02:18:31 2013 +0200
+++ b/rhodecode/model/repo.py Tue Apr 23 02:55:50 2013 +0200
@@ -41,8 +41,9 @@
 Statistics, UserGroup, UserGroupRepoToPerm, RhodeCodeUi, RepoGroup,\
 RhodeCodeSetting, RepositoryField
 from rhodecode.lib import helpers as h
-from rhodecode.lib.auth import HasRepoPermissionAny
+from rhodecode.lib.auth import HasRepoPermissionAny, HasUserGroupPermissionAny
 from rhodecode.lib.exceptions import AttachedForksError
+from rhodecode.model.scm import UserGroupList
 
 log = logging.getLogger(__name__)
 
@@ -140,7 +141,9 @@
 def get_users_groups_js(self):
 users_groups = self.sa.query(UserGroup)\
 .filter(UserGroup.users_group_active == True).all()
-
+users_groups = UserGroupList(users_groups, perm_set=['usergroup.read', 'usergroup.write', 'usergroup.admin'])
 return json.dumps([
 {
 'id': gr.users_group_id,
@@ -472,9 +475,12 @@
 repo=repo, user=member, perm=perm
 )
 else:
-self.grant_users_group_permission(
-repo=repo, group_name=member, perm=perm
-)
+#check if we have permissions to alter this usergroup
+if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member):
+self.grant_users_group_permission(
+repo=repo, group_name=member, perm=perm
+)
 # set new permissions
 for member, perm, member_type in perms_new:
 if member_type == 'user':
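Review bot: `from rhodecode.model.scm import UserGroupList` is added at module level in rhodecode/model/repo.py, while the same changeset imports `HasUserGroupPermissionAny` lazily inside `_update_permissions` in repos_group.py and users_group.py, and repos_group.py already imports `RepoModel` lazily, which suggests the model modules have import-order constraints. If rhodecode.model.scm imports rhodecode.model.repo (not visible here), this top-level import fails at startup; either move it into `get_users_groups_js` like the other lazy imports or leave a one-line comment stating why module level is safe. The permission set `['usergroup.read', 'usergroup.write', 'usergroup.admin']` is also spelled out here and again in the six `HasUserGroupPermissionAny(...)` guards across the three files; one shared constant in rhodecode.lib.auth, e.g. `USERGROUP_ASSIGN_PERMS = ('usergroup.read', 'usergroup.write', 'usergroup.admin')`, would keep the call sites from drifting when a new permission level is introduced.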
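Review bot: When `HasUserGroupPermissionAny(...)(member)` is false in the new `else:` branch the grant is dropped with no feedback at all: no log line, no error and no return value, so the caller's permission form reports success while the group assignment was silently discarded, and there is no audit record of the rejected authorization decision. At minimum emit `log.warning('user lacks read permission on user group %s, skipping grant', member)` (this module already defines `log = logging.getLogger(__name__)`), or collect the skipped members and raise so the controller can surface them; the same silent skip is in the @@ -482 hunk below and in both hunks of rhodecode/model/repos_group.py and rhodecode/model/users_group.py. `HasUserGroupPermissionAny` takes no user argument, so it appears to resolve the acting user from the request context, which means these model methods now behave differently when called outside a request (background jobs, tests) — worth a comment if that is intended. The enclosing method starts before this hunk.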
@@ -482,9 +488,12 @@
 repo=repo, user=member, perm=perm
 )
 else:
-self.grant_users_group_permission(
-repo=repo, group_name=member, perm=perm
-)
+#check if we have permissions to alter this usergroup
+if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member):
+self.grant_users_group_permission(
+repo=repo, group_name=member, perm=perm
+)
 
 def create_fork(self, form_data, cur_user):
 """
diff -r d9b89874edf9 -r 32f66c839c54 rhodecode/model/repos_group.py
--- a/rhodecode/model/repos_group.py Tue Apr 23 02:18:31 2013 +0200
+++ b/rhodecode/model/repos_group.py Tue Apr 23 02:55:50 2013 +0200
@@ -169,6 +169,7 @@
 def _update_permissions(self, repos_group, perms_new=None, perms_updates=None, recursive=False):
 from rhodecode.model.repo import RepoModel
+from rhodecode.lib.auth import HasUserGroupPermissionAny
 if not perms_new:
 perms_new = []
 if not perms_updates:
@@ -220,13 +221,19 @@
 _set_perm_user(obj, user=member, perm=perm)
 ## set for user group
 else:
-_set_perm_group(obj, users_group=member, perm=perm)
+#check if we have permissions to alter this usergroup
+if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member):
+_set_perm_group(obj, users_group=member, perm=perm)
 # set new permissions
 for member, perm, member_type in perms_new:
 if member_type == 'user':
 _set_perm_user(obj, user=member, perm=perm)
 else:
-_set_perm_group(obj, users_group=member, perm=perm)
+#check if we have permissions to alter this usergroup
+if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member):
+_set_perm_group(obj, users_group=member, perm=perm)
 updates.append(obj)
 #if it's not recursive call
 # break the loop and don't proceed with other changes
diff -r d9b89874edf9 -r 32f66c839c54 rhodecode/model/users_group.py
--- a/rhodecode/model/users_group.py Tue Apr 23 02:18:31 2013 +0200
+++ b/rhodecode/model/users_group.py Tue Apr 23 02:55:50 2013 +0200
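Review bot: In the @@ -220 hunk of rhodecode/model/repos_group.py the new guard sits inside what appears to be the per-`obj` loop (the hunk ends with `updates.append(obj)` and the "if it's not recursive call / break the loop" comment), so with `recursive=True` the same `member` is re-authorized once for every repository and group in the subtree, each call presumably hitting the permission lookup again. Filtering `perms_new` and `perms_updates` once before the loop, e.g. `perms_new = [p for p in perms_new if p[2] == 'user' or HasUserGroupPermissionAny(...)(p[0])]`, would evaluate each group once and give a single place to log which members were dropped. The identical four-line guard now appears six times in three files; a small helper in rhodecode.lib.auth such as `def can_assign_user_group(member): return HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member)` would make a future change to the required permission level a one-line edit. `_update_permissions` starts before this hunk and continues past it.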
@@ -63,6 +63,7 @@
 def _update_permissions(self, user_group, perms_new=None, perms_updates=None):
+from rhodecode.lib.auth import HasUserGroupPermissionAny
 if not perms_new:
 perms_new = []
 if not perms_updates:
@@ -76,9 +77,12 @@
 user_group=user_group, user=member, perm=perm
 )
 else:
-self.grant_users_group_permission(
-target_user_group=user_group, user_group=member, perm=perm
-)
+#check if we have permissions to alter this usergroup
+if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member):
+self.grant_users_group_permission(
+target_user_group=user_group, user_group=member, perm=perm
+)
 # set new permissions
 for member, perm, member_type in perms_new:
 if member_type == 'user':
@@ -86,9 +90,12 @@
 user_group=user_group, user=member, perm=perm
 )
 else:
-self.grant_users_group_permission(
-target_user_group=user_group, user_group=member, perm=perm
-)
+#check if we have permissions to alter this usergroup
+if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write', 'usergroup.admin')(member):
+self.grant_users_group_permission(
+target_user_group=user_group, user_group=member, perm=perm
+)
 
 def get(self, users_group_id, cache=False):
 return UserGroup.get(users_group_id)