authorStevan Radaković <stevan.radakovic@linaro.org>2013-03-27 13:05:46 +0100
committerStevan Radaković <stevan.radakovic@linaro.org>2013-03-27 13:05:46 +0100
commite06e946525e259b9aa1a117344438b7f2c92eab5 (patch)
tree5dece603b9171f3127e24f8a7bf91906e8f291e6 /rhodecode/model/repos_group.py
parentf6e9d7be791b269967311ba281b5705361112669 (diff)
Introduce LDAP system based acl.
Diffstat (limited to 'rhodecode/model/repos_group.py')
-rw-r--r--rhodecode/model/repos_group.py47
1 files changed, 47 insertions, 0 deletions
diff --git a/rhodecode/model/repos_group.py b/rhodecode/model/repos_group.py
index d4162b39..50617d30 100644
--- a/rhodecode/model/repos_group.py
+++ b/rhodecode/model/repos_group.py
@@ -30,6 +30,7 @@ import shutil
import datetime
from rhodecode.lib.utils2 import LazyProperty
+from rhodecode.lib.helpers import SystemCommand
from rhodecode.model import BaseModel
from rhodecode.model.db import RepoGroup, RhodeCodeUi, UserRepoGroupToPerm, \
@@ -92,6 +93,7 @@ class ReposGroupModel(BaseModel):
raise Exception('That directory already exists !')
os.makedirs(create_path)
+ os.chmod(create_path, 0775)
def __rename_group(self, old, new):
"""
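Review bot: `os.chmod(create_path, 0775)` leaves the new group directory readable and traversable by every local account, and nothing visible in this diff changes the directory's group to the per-group system group, so the group-write bit applies to whatever group the server process creates it with. If filesystem access is meant to follow the system group, `0770` plus a group-ownership change once the system group exists would match that intent; confirm whether `SystemCommand` handles ownership elsewhere. `os.makedirs` also creates intermediate directories with the umask-derived mode, so only the leaf receives this mode. The enclosing method starts before the hunk.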
@@ -140,6 +142,10 @@ class ReposGroupModel(BaseModel):
group.name)
shutil.move(rm_path, os.path.join(self.repos_path, _d))
+ system_group_name = "%s-%s" % (group.group_name.rsplit("/",1),
+ group.group_id)
+ SystemCommand.delete_group(system_group_name)
+
def create(self, group_name, group_description, parent=None, just_db=False):
try:
new_repos_group = RepoGroup()
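Review bot: `group.group_name.rsplit("/",1)` returns a list, so `"%s-%s" % (...)` formats the list's repr and the system group name comes out as, for example, `['parent', 'child']-<id>` instead of the leaf name. Brackets, quotes, commas and spaces are not usable in a system group name, so the delete call is unlikely to match any group. If the leaf name is intended, take the last element: `group.group_name.rsplit("/", 1)[-1]`. The same expression is repeated in the create, update, grant and revoke hunks below, so one private helper that builds the name would fix all of them consistently. The enclosing method starts outside the hunk.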
@@ -156,6 +162,11 @@ class ReposGroupModel(BaseModel):
self.sa.flush()
self.__create_group(new_repos_group.group_name)
+ # Create corresponding system group.
+ system_group_name = "%s-%s" % (group_name.rsplit("/",1),
+ new_repos_group.group_id)
+ SystemCommand.add_group(system_group_name)
+
return new_repos_group
except:
log.error(traceback.format_exc())
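Review bot: `group_name` reaches `SystemCommand.add_group` without any visible check, and the helper's implementation is not part of this page. If it invokes an external command, the name should be validated against the characters allowed in a system group name and passed as a separate argument rather than interpolated into a shell string. The call's result is not inspected either, so a failure leaves a flushed `RepoGroup` row and a directory without the matching system group; raising on failure inside this `try` would let the existing `except` path deal with it. The create method continues past the hunk.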
@@ -175,6 +186,10 @@ class ReposGroupModel(BaseModel):
repos_group=obj, user=user, perm=perm
)
elif isinstance(obj, Repository):
+ #we do this ONLY IF repository is non-private
+ if obj.private:
+ return
+
# we set group permission but we have to switch to repo
# permission
perm = perm.replace('group.', 'repository.')
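Review bot: The early `return` for `obj.private` skips private repositories for every permission value, not only for grants. If this helper is also used when a group permission is lowered or set to `group.none` recursively, private repositories under the group keep whatever permission the user had before, which is the opposite of what an administrator restricting access would expect. Consider skipping only when the new permission would widen access, and state the rule in the comment, e.g. `# private repos never inherit a wider permission from the group`. The enclosing function starts outside the hunk.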
@@ -199,6 +214,7 @@ class ReposGroupModel(BaseModel):
% (repos_group, recursive))
for obj in repos_group.recursive_groups_and_repos():
+ #obj is an instance of a group or repositories in that group
if not recursive:
obj = repos_group
@@ -262,6 +278,12 @@ class ReposGroupModel(BaseModel):
self.__rename_group(old_path, new_path)
+ old_system_name = "%s-%s" % (old_path.rsplit("/",1),
+ repos_group.group_id)
+ new_system_name = "%s-%s" % (new_path.rsplit("/",1),
+ repos_group.group_id)
+ SystemCommand.rename_group(old_system_name, new_system_name)
+
return repos_group
except:
log.error(traceback.format_exc())
@@ -344,6 +366,16 @@ class ReposGroupModel(BaseModel):
self.sa.add(obj)
log.debug('Granted perm %s to %s on %s' % (perm, user, repos_group))
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ SystemCommand.add_user_to_group(system_group_name, user.username)
+ group_path = os.path.join(self.repos_path, repos_group.group_name)
+ if user.username=="default":
+ if perm.permission_name in ["group.none", "group.read"]:
+ os.chmod(group_path, 0775)
+ else:
+ os.chmod(group_path, 0777)
+
def revoke_user_permission(self, repos_group, user):
"""
Revoke permission for user on given repositories group
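Review bot: `SystemCommand.add_user_to_group` runs for every permission value, so granting `group.none` or `group.read` still puts the user into a system group that has write access to the 0775 directory, and a later downgrade never removes the membership. The `os.chmod(group_path, 0777)` branch additionally makes the directory world-writable whenever the `default` user gets write or admin, which lets any local account create or unlink entries there. At minimum the membership should follow the permission, as sketched below; the 0777 case needs a narrower mechanism than the "other" mode bits. grant_user_permission starts outside the hunk.

```python
# … unchanged: system_group_name computation …
if perm.permission_name == "group.none":
    # "none" must not leave the user in the write-capable system group
    SystemCommand.remove_user_from_group(system_group_name, user.username)
else:
    SystemCommand.add_user_to_group(system_group_name, user.username)
# … unchanged: group_path and the chmod for the "default" user …
```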
@@ -364,6 +396,10 @@ class ReposGroupModel(BaseModel):
self.sa.delete(obj)
log.debug('Revoked perm on %s on %s' % (repos_group, user))
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ SystemCommand.remove_user_from_group(system_group_name, user.username)
+
def grant_users_group_permission(self, repos_group, group_name, perm):
"""
Grant permission for users group on given repositories group, or update
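Review bot: `SystemCommand.remove_user_from_group` is called without checking whether the user still holds access through another route. A user who has a direct grant and is also a member of a users group granted on the same repository group loses system-group membership as soon as either one is revoked; the loop in the last hunk (revoke_users_group_permission) has the same effect in the other direction. Removal should be conditional on no remaining direct or users-group permission for that user on `repos_group`. Whether the call also runs when no permission row was found depends on indentation that is not recoverable from this page.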
@@ -395,6 +431,11 @@ class ReposGroupModel(BaseModel):
self.sa.add(obj)
log.debug('Granted perm %s to %s on %s' % (perm, group_name, repos_group))
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ for user in group_name.members:
+ SystemCommand.add_user_to_group(system_group_name, user.username)
+
def revoke_users_group_permission(self, repos_group, group_name):
"""
Revoke permission for users group on given repositories group
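Review bot: The loop over `group_name.members` copies the users-group membership into the system group only at the moment the permission is granted. Users added to the users group afterwards get no system-group membership, and users removed from it keep theirs, unless the membership code also calls `SystemCommand` (the diffstat here is limited to this file, so that cannot be checked). As in grant_user_permission, the call is made regardless of `perm`, so a `group.none` grant also adds every member. A comment such as `# snapshot of members at grant time; membership changes must be synced separately` would at least record the limitation.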
@@ -414,3 +455,9 @@ class ReposGroupModel(BaseModel):
if obj:
self.sa.delete(obj)
log.debug('Revoked perm to %s on %s' % (repos_group, group_name))
+
+ system_group_name = "%s-%s" % (repos_group.group_name.rsplit("/",1),
+ repos_group.group_id)
+ for user in group_name.members:
+ SystemCommand.remove_user_from_group(system_group_name,
+ user.username)