changeset 8554:2ce710e81e61
permissions: drop hg.create.write_on_repogroup "Repository creation with group write access" setting
Simplify permissions system and get rid of some confusing tech debt.
Before, the global 'write_on_repogroup' setting controlled what write
permission on a repo group meant.
With this change, users can create repositories in a repo group if and only if
they have write access. Write access to a repo group will now mean the
permission to create repositories in it.
Write access to repo groups must be granted explicitly. There should not be any
other reason to grant write access than to allow users to create repos. There
is thus no upgrade concerns for this change.
An admin that doesn't want users to create repos in a repogroup should just not
give them write access.
These global settings might still exist in the database, but they are ignored,
no longer used, and do no harm.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Sat, 11 Apr 2020 20:18:29 +0200 |
parents | c19e720cbb21 |
children | c5a3fe671b54 |
files | kallithea/controllers/admin/permissions.py kallithea/controllers/admin/repos.py kallithea/controllers/forks.py kallithea/lib/auth.py kallithea/model/db.py kallithea/model/forms.py kallithea/model/permission.py kallithea/model/validators.py kallithea/templates/admin/permissions/permissions_globals.html kallithea/templates/index_base.html kallithea/tests/models/test_permissions.py |
diffstat | 11 files changed, 14 insertions(+), 50 deletions(-) [+] |
--- a/kallithea/controllers/admin/permissions.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/controllers/admin/permissions.py Sat Apr 11 20:18:29 2020 +0200 @@ -89,11 +89,6 @@ c.repo_create_choices = [('hg.create.none', _('Disabled')), ('hg.create.repository', _('Enabled'))] - c.repo_create_on_write_choices = [ - ('hg.create.write_on_repogroup.true', _('Enabled')), - ('hg.create.write_on_repogroup.false', _('Disabled')), - ] - c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')), ('hg.usergroup.create.true', _('Enabled'))] @@ -109,7 +104,6 @@ [x[0] for x in c.group_perms_choices], [x[0] for x in c.user_group_perms_choices], [x[0] for x in c.repo_create_choices], - [x[0] for x in c.repo_create_on_write_choices], [x[0] for x in c.repo_group_create_choices], [x[0] for x in c.user_group_create_choices], [x[0] for x in c.fork_choices], @@ -154,9 +148,6 @@ if p.permission.permission_name.startswith('usergroup.'): defaults['default_user_group_perm'] = p.permission.permission_name - if p.permission.permission_name.startswith('hg.create.write_on_repogroup.'): - defaults['create_on_write'] = p.permission.permission_name - elif p.permission.permission_name.startswith('hg.create.'): defaults['default_repo_create'] = p.permission.permission_name
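Review bot: In the third hunk the surviving `elif p.permission.permission_name.startswith('hg.create.'):` now also matches a leftover `hg.create.write_on_repogroup.*` row, because the removed `if` branch was what used to catch that prefix first. If such a row is still stored for the default user, `defaults['default_repo_create']` can end up holding the retired name, which is not one of the values in `c.repo_create_choices`. Matching the known values exactly avoids that: `elif p.permission.permission_name in ('hg.create.none', 'hg.create.repository'):`. The enclosing method starts outside the hunk, so the source of `p` and the iteration order are not visible here.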
--- a/kallithea/controllers/admin/repos.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/controllers/admin/repos.py Sat Apr 11 20:18:29 2020 +0200 @@ -39,7 +39,7 @@ import kallithea from kallithea.config.routing import url from kallithea.lib import helpers as h -from kallithea.lib.auth import HasPermissionAny, HasRepoPermissionLevelDecorator, LoginRequired, NotAnonymous +from kallithea.lib.auth import HasRepoPermissionLevelDecorator, LoginRequired, NotAnonymous from kallithea.lib.base import BaseRepoController, jsonify, render from kallithea.lib.exceptions import AttachedForksError from kallithea.lib.utils import action_logger @@ -76,13 +76,9 @@ return repo_obj def __load_defaults(self, repo=None): - if HasPermissionAny('hg.create.write_on_repogroup.true')(): - repo_group_perm_level = 'write' - else: - repo_group_perm_level = 'admin' extras = [] if repo is None else [repo.group] - c.repo_groups = AvailableRepoGroupChoices(repo_group_perm_level, extras) + c.repo_groups = AvailableRepoGroupChoices('write', extras) c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs(repo)
--- a/kallithea/controllers/forks.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/controllers/forks.py Sat Apr 11 20:18:29 2020 +0200 @@ -38,7 +38,7 @@ import kallithea import kallithea.lib.helpers as h from kallithea.config.routing import url -from kallithea.lib.auth import HasPermissionAny, HasPermissionAnyDecorator, HasRepoPermissionLevel, HasRepoPermissionLevelDecorator, LoginRequired +from kallithea.lib.auth import HasPermissionAnyDecorator, HasRepoPermissionLevel, HasRepoPermissionLevelDecorator, LoginRequired from kallithea.lib.base import BaseRepoController, render from kallithea.lib.page import Page from kallithea.lib.utils2 import safe_int @@ -54,11 +54,7 @@ class ForksController(BaseRepoController): def __load_defaults(self): - if HasPermissionAny('hg.create.write_on_repogroup.true')(): - repo_group_perm_level = 'write' - else: - repo_group_perm_level = 'admin' - c.repo_groups = AvailableRepoGroupChoices(repo_group_perm_level) + c.repo_groups = AvailableRepoGroupChoices('write') c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs()
--- a/kallithea/lib/auth.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/lib/auth.py Sat Apr 11 20:18:29 2020 +0200 @@ -149,7 +149,6 @@ # based on default permissions, just set everything to admin #================================================================== permissions[GLOBAL].add('hg.admin') - permissions[GLOBAL].add('hg.create.write_on_repogroup.true') # repositories for perm in default_repo_perms: @@ -242,7 +241,7 @@ # for each kind of global permissions, only keep the one with heighest weight kind_max_perm = {} - for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS[n]): + for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS.get(n, -1)): kind = perm.rsplit('.', 1)[0] kind_max_perm[kind] = perm permissions[GLOBAL] = set(kind_max_perm.values())
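Review bot: The `PERM_WEIGHTS.get(n, -1)` fallback in the second hunk applies to every name missing from PERM_WEIGHTS, not only the retired `hg.create.write_on_repogroup.*` values, and such a name still lands in `kind_max_perm` and so stays in `permissions[GLOBAL]`. A misspelled or otherwise unknown global permission is therefore carried into the effective set without any signal. Either document the intent on that line, e.g. `# retired names may still be stored; give them the lowest weight`, or iterate only over known names with `sorted((p for p in permissions[GLOBAL] if p in PERM_WEIGHTS), key=PERM_WEIGHTS.get)`. The enclosing function starts and ends outside the hunk.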
--- a/kallithea/model/db.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/db.py Sat Apr 11 20:18:29 2020 +0200 @@ -1562,9 +1562,6 @@ ('hg.create.none', _('Only admins can create top level repositories')), ('hg.create.repository', _('Non-admins can create top level repositories')), - ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')), - ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')), - ('hg.fork.none', _('Only admins can fork repositories')), ('hg.fork.repository', _('Non-admins can fork repositories')), @@ -1582,7 +1579,6 @@ 'group.read', 'usergroup.read', 'hg.create.repository', - 'hg.create.write_on_repogroup.true', 'hg.fork.repository', 'hg.register.manual_activate', 'hg.extern_activate.auto', @@ -1616,9 +1612,6 @@ 'hg.create.none': 0, 'hg.create.repository': 1, - 'hg.create.write_on_repogroup.false': 0, - 'hg.create.write_on_repogroup.true': 1, - 'hg.register.none': 0, 'hg.register.manual_activate': 1, 'hg.register.auto_activate': 2,
--- a/kallithea/model/forms.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/forms.py Sat Apr 11 20:18:29 2020 +0200 @@ -396,7 +396,7 @@ def DefaultPermissionsForm(repo_perms_choices, group_perms_choices, user_group_perms_choices, create_choices, - create_on_write_choices, repo_group_create_choices, + repo_group_create_choices, user_group_create_choices, fork_choices, register_choices, extern_activate_choices): class _DefaultPermissionsForm(formencode.Schema): @@ -411,7 +411,6 @@ default_user_group_perm = v.OneOf(user_group_perms_choices) default_repo_create = v.OneOf(create_choices) - create_on_write = v.OneOf(create_on_write_choices) default_user_group_create = v.OneOf(user_group_create_choices) default_fork = v.OneOf(fork_choices)
--- a/kallithea/model/permission.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/permission.py Sat Apr 11 20:18:29 2020 +0200 @@ -119,7 +119,6 @@ 'default_group_perm', 'default_user_group_perm', 'default_repo_create', - 'create_on_write', # special case for create repos on write access to group 'default_user_group_create', 'default_fork', 'default_register',
--- a/kallithea/model/validators.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/model/validators.py Sat Apr 11 20:18:29 2020 +0200 @@ -456,12 +456,11 @@ gr_name = gr.group_name if gr is not None else None # None means ROOT location # create repositories with write permission on group is set to true - create_on_write = HasPermissionAny('hg.create.write_on_repogroup.true')() group_admin = HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group validator') group_write = HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group validator') - forbidden = not (group_admin or (group_write and create_on_write)) + forbidden = not (group_admin or group_write) can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository') gid = (old_data['repo_group'].get('group_id') if (old_data and 'repo_group' in old_data) else None)
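Review bot: The context comment `# create repositories with write permission on group is set to true` described the removed `create_on_write` lookup and is now left above `group_admin`, where it no longer describes anything; the same orphaned comment remains in the kallithea/templates/index_base.html hunk. Replace it with one that states the new rule, e.g. `# write access to the repo group is what allows creating repositories in it`. If the 'write' level check already passes for group admins (not visible here), `group_admin` is redundant in `forbidden = not (group_admin or group_write)` and could be dropped in a follow-up. The validator function starts and ends outside the hunk.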
--- a/kallithea/templates/admin/permissions/permissions_globals.html Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/templates/admin/permissions/permissions_globals.html Sat Apr 11 20:18:29 2020 +0200 @@ -58,13 +58,6 @@ </div> </div> <div class="form-group"> - <label class="control-label" for="create_on_write">${_('Repository creation with group write access')}:</label> - <div> - ${h.select('create_on_write','',c.repo_create_on_write_choices,class_='form-control')} - <span class="help-block">${_('With this, write permission to a repository group allows creating repositories inside that group. Without this, group write permissions mean nothing.')}</span> - </div> - </div> - <div class="form-group"> <label class="control-label" for="default_user_group_create">${_('User group creation')}:</label> <div> ${h.select('default_user_group_create','',c.user_group_create_choices,class_='form-control')}
--- a/kallithea/templates/index_base.html Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/templates/index_base.html Sat Apr 11 20:18:29 2020 +0200 @@ -16,11 +16,10 @@ <% gr_name = c.group.group_name if c.group else None # create repositories with write permission on group is set to true - create_on_write = h.HasPermissionAny('hg.create.write_on_repogroup.true')() group_admin = h.HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group index page') group_write = h.HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group index page') %> - %if h.HasPermissionAny('hg.admin','hg.create.repository')() or (group_admin or (group_write and create_on_write)): + %if h.HasPermissionAny('hg.admin','hg.create.repository')() or group_admin or group_write: %if c.group: <a href="${h.url('new_repo',parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository')}</a> %if h.HasPermissionAny('hg.admin')() or h.HasRepoGroupPermissionLevel('admin')(c.group.group_name):
--- a/kallithea/tests/models/test_permissions.py Sun Apr 12 01:07:32 2020 +0200 +++ b/kallithea/tests/models/test_permissions.py Sat Apr 11 20:18:29 2020 +0200 @@ -290,7 +290,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inherit_sad_permissions_from_default_user(self): user_model = UserModel() @@ -307,7 +307,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inherit_more_permissions_from_default_user(self): user_model = UserModel() @@ -333,7 +333,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inherit_less_permissions_from_default_user(self): user_model = UserModel() @@ -359,7 +359,7 @@ 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', - 'usergroup.read', 'hg.create.write_on_repogroup.true']) + 'usergroup.read']) def test_inactive_user_group_does_not_affect_global_permissions(self): # Add user to inactive user group, set specific permissions on user @@ -391,7 +391,7 @@ 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', - 'hg.create.write_on_repogroup.true']) + ]) def test_inactive_user_group_does_not_affect_global_permissions_inverse(self): # Add user to inactive user group, set specific permissions on user @@ -423,7 +423,7 @@ 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', - 'hg.create.write_on_repogroup.true']) + ]) def test_inactive_user_group_does_not_affect_repo_permissions(self): self.ug1 = fixture.create_user_group('G1')
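Review bot: These hunks only drop `hg.create.write_on_repogroup.true` from the expected permission sets; nothing visible here exercises the new rule or the tolerated stale setting. A test that gives a non-admin write access on a repo group and asserts that repository creation in that group is accepted, and one that leaves a `hg.create.write_on_repogroup.true` row in the database and asserts the computed global permissions, would pin both behaviours. The test methods start and end outside the hunks.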