changeset 1016:3790279d2538 beta

#56 added propagation of permission from group
author Marcin Kuzminski <marcin@python-works.com>
date Wed, 09 Feb 2011 18:54:20 +0100
parents 65129c332d37
children ade3414a8b61
files rhodecode/lib/auth.py
diffstat 1 files changed, 43 insertions(+), 17 deletions(-) [+]
--- a/rhodecode/lib/auth.py	Wed Feb 09 17:41:27 2011 +0100
+++ b/rhodecode/lib/auth.py	Wed Feb 09 18:54:20 2011 +0100
@@ -41,11 +41,18 @@
 from rhodecode.model import meta
 from rhodecode.model.user import UserModel
 from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \
-    UserToPerm
+    UserToPerm, UsersGroupToPerm, UsersGroupMember
 
 
 log = logging.getLogger(__name__)
 
+
+PERM_WEIGHTS = {'repository.none':0,
+                'repository.read':1,
+                'repository.write':3,
+                'repository.admin':3}
+
+
 class PasswordGenerator(object):
     """This is a simple class for generating password from
         different sets of characters
@@ -73,7 +80,8 @@
 
 
 def get_crypt_password(password):
-    """Cryptographic function used for password hashing based on sha1
+    """Cryptographic function used for password hashing based on pybcrypt
+    
     :param password: password to hash
     """
     return bcrypt.hashpw(password, bcrypt.gensalt(10))
@@ -82,8 +90,7 @@
     return bcrypt.hashpw(password, hashed) == hashed
 
 def authfunc(environ, username, password):
-    """
-    Dummy authentication function used in Mercurial/Git/ and access control,
+    """Dummy authentication function used in Mercurial/Git/ and access control,
     
     :param environ: needed only for using in Basic auth
     """
@@ -91,8 +98,7 @@
 
 
 def authenticate(username, password):
-    """
-    Authentication function used for access control,
+    """Authentication function used for access control,
     firstly checks for db authentication then if ldap is enabled for ldap
     authentication, also creates ldap user if not in database
     
@@ -130,7 +136,7 @@
         ldap_settings = SettingsModel().get_ldap_settings()
 
         #======================================================================
-        # FALLBACK TO LDAP AUTH IN ENABLE                
+        # FALLBACK TO LDAP AUTH IF ENABLE                
         #======================================================================
         if ldap_settings.get('ldap_active', False):
             log.debug("Authenticating user using ldap")
@@ -160,7 +166,7 @@
                     }
 
                 if user_model.create_ldap(username, password, user_dn, user_attrs):
-                    log.info('created new ldap user')
+                    log.info('created new ldap user %s', username)
 
                 return True
             except (LdapUsernameError, LdapPasswordError,):
@@ -171,9 +177,9 @@
     return False
 
 class  AuthUser(object):
+    """A simple object that handles a mercurial username for authentication
     """
-    A simple object that handles a mercurial username for authentication
-    """
+
     def __init__(self):
         self.username = 'None'
         self.name = ''
@@ -189,7 +195,7 @@
 
 def set_available_permissions(config):
     """This function will propagate pylons globals with all available defined
-    permission given in db. We don't wannt to check each time from db for new 
+    permission given in db. We don't want to check each time from db for new 
     permissions since adding a new permission also requires application restart
     ie. to decorate new views with the newly created permission
     
@@ -213,9 +219,10 @@
 
 def fill_perms(user):
     """Fills user permission attribute with permissions taken from database
+    works for permissions given for repositories, and for permissions that
+    as part of beeing group member
     
-    :param user:
-    
+    :param user: user instance to fill his perms
     """
 
     sa = meta.Session()
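Review bot: The two added docstring lines are hard to read ("permissions that as part of beeing group member"); suggest `works for permissions granted directly on repositories and for permissions inherited through users-group membership`. fill_perms continues outside this hunk.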
@@ -255,7 +262,7 @@
         for perm in default_global_perms:
             user.permissions['global'].add(perm.permission.permission_name)
 
-        #default repositories
+        #default for repositories
         for perm in default_perms:
             if perm.Repository.private and not perm.Repository.user_id == user.user_id:
                 #disable defaults for private repos,
@@ -269,7 +276,7 @@
             user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
 
         #=======================================================================
-        # #overwrite default with user permissions if any
+        # overwrite default with user permissions if any
         #=======================================================================
         user_perms = sa.query(RepoToPerm, Permission, Repository)\
             .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
@@ -282,12 +289,31 @@
             else:
                 p = perm.Permission.permission_name
             user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
+
+
+        #=======================================================================
+        # check if user is part of groups for this repository and fill in 
+        # (or replace with higher) permissions
+        #=======================================================================
+        user_perms_from_users_groups = sa.query(UsersGroupToPerm, Permission, Repository,)\
+            .join((Repository, UsersGroupToPerm.repository_id == Repository.repo_id))\
+            .join((Permission, UsersGroupToPerm.permission_id == Permission.permission_id))\
+            .join((UsersGroupMember, UsersGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
+            .filter(UsersGroupMember.user_id == user.user_id).all()
+
+        for perm in user_perms_from_users_groups:
+            p = perm.Permission.permission_name
+            cur_perm = user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name]
+            #overwrite permission only if it's greater than permission given from other sources
+            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
+                user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name] = p
+
     meta.Session.remove()
     return user
 
 def get_user(session):
-    """
-    Gets user from session, and wraps permissions into user
+    """Gets user from session, and wraps permissions into user
+    
     :param session:
     """
     user = session.get('rhodecode_user', AuthUser())
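Review bot: `cur_perm = user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name]` indexes the dict directly, so a repository that received no entry from the default or direct-permission loops earlier in fill_perms makes the whole permission fill fail with KeyError; presumably every repository has a default entry, but if that is not guaranteed, `cur_perm = user.permissions['repositories'].get(perm.UsersGroupToPerm.repository.repo_name, 'repository.none')` keeps the group loop from aborting the request. Because this loop only ever raises the level, a user who was explicitly given 'repository.none' on a repository (a deliberate deny from the direct-permission loop above) regains access through any users group that grants read or more — confirm that this is the intended precedence and state it in the docstring, since the current comment only says "overwrite permission only if it's greater". The join through UsersGroupMember returns one row per group membership, which the loop handles correctly by taking the maximum, but a short comment saying so would help. The enclosing fill_perms begins before this hunk.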