Permissions on group can be set in recursive mode setting defined permission to all children

- more explicit permissions
- fixes for empty values in permission form

--HG--
branch : beta

5 files changed, 455 insertions, 15 deletions

diff --git a/rhodecode/tests/models/common.py b/rhodecode/tests/models/common.py
new file mode 100644
index 00000000..377a05ee
--- /dev/null
+++ b/rhodecode/tests/models/common.py
@@ -0,0 +1,116 @@
+import os
+import unittest
+import functools
+from rhodecode.tests import *
+
+
+from rhodecode.model.repos_group import ReposGroupModel
+from rhodecode.model.repo import RepoModel
+from rhodecode.model.db import RepoGroup, Repository, User
+from rhodecode.model.user import UserModel
+
+from rhodecode.lib.auth import AuthUser
+from rhodecode.model.meta import Session
+
+
+def _make_group(path, desc='desc', parent_id=None,
+                 skip_if_exists=False):
+
+    gr = RepoGroup.get_by_group_name(path)
+    if gr and skip_if_exists:
+        return gr
+    if isinstance(parent_id, RepoGroup):
+        parent_id = parent_id.group_id
+    gr = ReposGroupModel().create(path, desc, parent_id)
+    return gr
+
+
+def _make_repo(name, repos_group=None, repo_type='hg'):
+    return RepoModel().create_repo(name, repo_type, 'desc',
+                                   TEST_USER_ADMIN_LOGIN,
+                                   repos_group=repos_group)
+
+
+def _destroy_project_tree(test_u1_id):
+    Session.remove()
+    repos_group = RepoGroup.get_by_group_name(group_name='g0')
+    for el in reversed(repos_group.recursive_groups_and_repos()):
+        if isinstance(el, Repository):
+            RepoModel().delete(el)
+        elif isinstance(el, RepoGroup):
+            ReposGroupModel().delete(el, force_delete=True)
+
+    u = User.get(test_u1_id)
+    Session().delete(u)
+    Session().commit()
+
+
+def _create_project_tree():
+    """
+    Creates a tree of groups and repositories to test permissions
+
+    structure
+     [g0] - group `g0` with 3 subgroups
+     |
+     |__[g0_1] group g0_1 with 2 groups 0 repos
+     |  |
+     |  |__[g0_1_1] group g0_1_1 with 1 group 2 repos
+     |  |   |__<g0/g0_1/g0_1_1/g0_1_1_r1>
+     |  |   |__<g0/g0_1/g0_1_1/g0_1_1_r2>
+     |  |__<g0/g0_1/g0_1_r1>
+     |
+     |__[g0_2] 2 repos
+     |  |
+     |  |__<g0/g0_2/g0_2_r1>
+     |  |__<g0/g0_2/g0_2_r2>
+     |
+     |__[g0_3] 1 repo
+        |
+        |_<g0/g0_3/g0_3_r1>
+
+    """
+    test_u1 = UserModel().create_or_update(
+        username=u'test_u1', password=u'qweqwe',
+        email=u'test_u1@rhodecode.org', firstname=u'test_u1', lastname=u'test_u1'
+    )
+    g0 = _make_group('g0')
+    g0_1 = _make_group('g0_1', parent_id=g0)
+    g0_1_1 = _make_group('g0_1_1', parent_id=g0_1)
+    g0_1_1_r1 = _make_repo('g0/g0_1/g0_1_1/g0_1_1_r1', repos_group=g0_1_1)
+    g0_1_1_r2 = _make_repo('g0/g0_1/g0_1_1/g0_1_1_r2', repos_group=g0_1_1)
+    g0_1_r1 = _make_repo('g0/g0_1/g0_1_r1', repos_group=g0_1)
+    g0_2 = _make_group('g0_2', parent_id=g0)
+    g0_2_r1 = _make_repo('g0/g0_2/g0_2_r1', repos_group=g0_2)
+    g0_2_r2 = _make_repo('g0/g0_2/g0_2_r2', repos_group=g0_2)
+    g0_3 = _make_group('g0_3', parent_id=g0)
+    g0_3_r1 = _make_repo('g0/g0_3/g0_3_r1', repos_group=g0_3)
+    return test_u1
+
+
+def expected_count(group_name, objects=False):
+    repos_group = RepoGroup.get_by_group_name(group_name=group_name)
+    objs = repos_group.recursive_groups_and_repos()
+    if objects:
+        return objs
+    return len(objs)
+
+
+def _check_expected_count(items, repo_items, expected):
+    should_be = len(items + repo_items)
+    there_are = len(expected)
+    assert  should_be == there_are, ('%s != %s' % ((items + repo_items), expected))
+
+
+def check_tree_perms(obj_name, repo_perm, prefix, expected_perm):
+    assert repo_perm == expected_perm, ('obj:`%s` got perm:`%s` should:`%s`'
+                                    % (obj_name, repo_perm, expected_perm))
+
+
+def _get_perms(filter_='', recursive=True, key=None, test_u1_id=None):
+    test_u1 = AuthUser(user_id=test_u1_id)
+    for k, v in test_u1.permissions[key].items():
+        if recursive and k.startswith(filter_):
+            yield k, v
+        elif not recursive:
+            if k == filter_:
+                yield k, v
diff --git a/rhodecode/tests/models/test_permissions.py b/rhodecode/tests/models/test_permissions.py
index 9329fe8a..5ed2e9d0 100644
--- a/rhodecode/tests/models/test_permissions.py
+++ b/rhodecode/tests/models/test_permissions.py
@@ -1,7 +1,7 @@
 import os
 import unittest
 from rhodecode.tests import *
-
+from rhodecode.tests.models.common import _make_group
 from rhodecode.model.repos_group import ReposGroupModel
 from rhodecode.model.repo import RepoModel
 from rhodecode.model.db import RepoGroup, User, UsersGroupRepoGroupToPerm
@@ -12,16 +12,6 @@ from rhodecode.model.users_group import UsersGroupModel
 from rhodecode.lib.auth import AuthUser
 
 
-def _make_group(path, desc='desc', parent_id=None,
-                 skip_if_exists=False):
-
-    gr = RepoGroup.get_by_group_name(path)
-    if gr and skip_if_exists:
-        return gr
-
-    gr = ReposGroupModel().create(path, desc, parent_id)
-    return gr
-
 
 class TestPermissions(unittest.TestCase):
     def __init__(self, methodName='runTest'):
diff --git a/rhodecode/tests/models/test_repos_groups.py b/rhodecode/tests/models/test_repos_groups.py
index 500cbd1a..e0f82ee2 100644
--- a/rhodecode/tests/models/test_repos_groups.py
+++ b/rhodecode/tests/models/test_repos_groups.py
@@ -4,7 +4,7 @@ from rhodecode.tests import *
 
 from rhodecode.model.repos_group import ReposGroupModel
 from rhodecode.model.repo import RepoModel
-from rhodecode.model.db import RepoGroup, User
+from rhodecode.model.db import RepoGroup, User, Repository
 from rhodecode.model.meta import Session
 from sqlalchemy.exc import IntegrityError
 
@@ -15,7 +15,8 @@ def _make_group(path, desc='desc', parent_id=None,
     gr = RepoGroup.get_by_group_name(path)
     if gr and skip_if_exists:
         return gr
-
+    if isinstance(parent_id, RepoGroup):
+        parent_id = parent_id.group_id
     gr = ReposGroupModel().create(path, desc, parent_id)
     return gr
 
@@ -54,7 +55,8 @@ class TestReposGroups(unittest.TestCase):
             group_parent_id=parent_id,
             perms_updates=[],
             perms_new=[],
-            enable_locking=False
+            enable_locking=False,
+            recursive=False
         )
         gr = ReposGroupModel().update(id_, form_data)
         return gr
@@ -132,7 +134,8 @@ class TestReposGroups(unittest.TestCase):
                          repo_type='hg',
                          clone_uri=None,
                          landing_rev='tip',
-                         enable_locking=False)
+                         enable_locking=False,
+                         recursive=False)
         cur_user = User.get_by_username(TEST_USER_ADMIN_LOGIN)
         r = RepoModel().create(form_data, cur_user)
 
diff --git a/rhodecode/tests/models/test_user_permissions_on_groups.py b/rhodecode/tests/models/test_user_permissions_on_groups.py
new file mode 100644
index 00000000..6acf50c5
--- /dev/null
+++ b/rhodecode/tests/models/test_user_permissions_on_groups.py
@@ -0,0 +1,161 @@
+import os
+import unittest
+import functools
+from rhodecode.tests import *
+
+from rhodecode.model.repos_group import ReposGroupModel
+from rhodecode.model.db import RepoGroup, Repository, User
+
+from rhodecode.model.meta import Session
+from nose.tools import with_setup
+from rhodecode.tests.models.common import _create_project_tree, check_tree_perms, \
+    _get_perms, _check_expected_count, expected_count, _destroy_project_tree
+from rhodecode.model.repo import RepoModel
+
+
+test_u1_id = None
+_get_repo_perms = None
+_get_group_perms = None
+
+
+def permissions_setup_func(group_name='g0', perm='group.read', recursive=True):
+    """
+    Resets all permissions to perm attribute
+    """
+    repos_group = RepoGroup.get_by_group_name(group_name=group_name)
+    if not repos_group:
+        raise Exception('Cannot get group %s' % group_name)
+    perms_updates = [[test_u1_id, perm, 'user']]
+    ReposGroupModel()._update_permissions(repos_group,
+                                          perms_updates=perms_updates,
+                                          recursive=recursive)
+    Session().commit()
+
+
+def setup_module():
+    global test_u1_id, _get_repo_perms, _get_group_perms
+    test_u1 = _create_project_tree()
+    Session().commit()
+    test_u1_id = test_u1.user_id
+    _get_repo_perms = functools.partial(_get_perms, key='repositories',
+                                        test_u1_id=test_u1_id)
+    _get_group_perms = functools.partial(_get_perms, key='repositories_groups',
+                                         test_u1_id=test_u1_id)
+
+
+def teardown_module():
+    _destroy_project_tree(test_u1_id)
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_without_recursive_mode():
+    # set permission to g0 non-recursive mode
+    recursive = False
+    group = 'g0'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    items = [x for x in _get_repo_perms(group, recursive)]
+    expected = 0
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'repository.read'
+
+    items = [x for x in _get_group_perms(group, recursive)]
+    expected = 1
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_without_recursive_mode_subgroup():
+    # set permission to g0 non-recursive mode
+    recursive = False
+    group = 'g0/g0_1'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    items = [x for x in _get_repo_perms(group, recursive)]
+    expected = 0
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'repository.read'
+
+    items = [x for x in _get_group_perms(group, recursive)]
+    expected = 1
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode():
+
+    # set permission to g0 recursive mode, all children including
+    # other repos and groups should have this permission now set !
+    recursive = True
+    group = 'g0'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.write'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode_inner_group():
+    ## set permission to g0_3 group to none
+    recursive = True
+    group = 'g0/g0_3'
+    permissions_setup_func(group, 'group.none', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.none'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.none'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode_deepest():
+    ## set permission to g0_3 group to none
+    recursive = True
+    group = 'g0/g0_1/g0_1_1'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.write'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode_only_with_repos():
+    ## set permission to g0_3 group to none
+    recursive = True
+    group = 'g0/g0_2'
+    permissions_setup_func(group, 'group.admin', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.admin'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.admin'
diff --git a/rhodecode/tests/models/test_users_group_permissions_on_groups.py b/rhodecode/tests/models/test_users_group_permissions_on_groups.py
new file mode 100644
index 00000000..1e94bb27
--- /dev/null
+++ b/rhodecode/tests/models/test_users_group_permissions_on_groups.py
@@ -0,0 +1,170 @@
+import os
+import unittest
+import functools
+from rhodecode.tests import *
+
+from rhodecode.model.repos_group import ReposGroupModel
+from rhodecode.model.db import RepoGroup, Repository, User
+
+from rhodecode.model.meta import Session
+from nose.tools import with_setup
+from rhodecode.tests.models.common import _create_project_tree, check_tree_perms, \
+    _get_perms, _check_expected_count, expected_count, _destroy_project_tree
+from rhodecode.model.users_group import UsersGroupModel
+from rhodecode.model.repo import RepoModel
+
+
+test_u2_id = None
+test_u2_gr_id = None
+_get_repo_perms = None
+_get_group_perms = None
+
+
+def permissions_setup_func(group_name='g0', perm='group.read', recursive=True):
+    """
+    Resets all permissions to perm attribute
+    """
+    repos_group = RepoGroup.get_by_group_name(group_name=group_name)
+    if not repos_group:
+        raise Exception('Cannot get group %s' % group_name)
+    perms_updates = [[test_u2_gr_id, perm, 'users_group']]
+    ReposGroupModel()._update_permissions(repos_group,
+                                          perms_updates=perms_updates,
+                                          recursive=recursive)
+    Session().commit()
+
+
+def setup_module():
+    global test_u2_id, test_u2_gr_id, _get_repo_perms, _get_group_perms
+    test_u2 = _create_project_tree()
+    Session().commit()
+    test_u2_id = test_u2.user_id
+
+    gr1 = UsersGroupModel().create(name='perms_group_1')
+    Session().commit()
+    test_u2_gr_id = gr1.users_group_id
+    UsersGroupModel().add_user_to_group(gr1, user=test_u2_id)
+    Session().commit()
+
+    _get_repo_perms = functools.partial(_get_perms, key='repositories',
+                                        test_u1_id=test_u2_id)
+    _get_group_perms = functools.partial(_get_perms, key='repositories_groups',
+                                         test_u1_id=test_u2_id)
+
+
+def teardown_module():
+    _destroy_project_tree(test_u2_id)
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_without_recursive_mode():
+    # set permission to g0 non-recursive mode
+    recursive = False
+    group = 'g0'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    items = [x for x in _get_repo_perms(group, recursive)]
+    expected = 0
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'repository.read'
+
+    items = [x for x in _get_group_perms(group, recursive)]
+    expected = 1
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_without_recursive_mode_subgroup():
+    # set permission to g0 non-recursive mode
+    recursive = False
+    group = 'g0/g0_1'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    items = [x for x in _get_repo_perms(group, recursive)]
+    expected = 0
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'repository.read'
+
+    items = [x for x in _get_group_perms(group, recursive)]
+    expected = 1
+    assert len(items) == expected, ' %s != %s' % (len(items), expected)
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode():
+
+    # set permission to g0 recursive mode, all children including
+    # other repos and groups should have this permission now set !
+    recursive = True
+    group = 'g0'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.write'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode_inner_group():
+    ## set permission to g0_3 group to none
+    recursive = True
+    group = 'g0/g0_3'
+    permissions_setup_func(group, 'group.none', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.none'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.none'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode_deepest():
+    ## set permission to g0_3 group to none
+    recursive = True
+    group = 'g0/g0_1/g0_1_1'
+    permissions_setup_func(group, 'group.write', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.write'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.write'
+
+
+@with_setup(permissions_setup_func)
+def test_user_permissions_on_group_with_recursive_mode_only_with_repos():
+    ## set permission to g0_3 group to none
+    recursive = True
+    group = 'g0/g0_2'
+    permissions_setup_func(group, 'group.admin', recursive=recursive)
+
+    repo_items = [x for x in _get_repo_perms(group, recursive)]
+    items = [x for x in _get_group_perms(group, recursive)]
+    _check_expected_count(items, repo_items, expected_count(group, True))
+
+    for name, perm in repo_items:
+        yield check_tree_perms, name, perm, group, 'repository.admin'
+
+    for name, perm in items:
+        yield check_tree_perms, name, perm, group, 'group.admin'