+ """Add the _block_users field

+ 

+ Revision ID: 1a510f2216c0

+ Revises: 003fcd9e8860

+ Create Date: 2019-03-14 12:24:32.139377

+ 

+ """

+ 

+ from alembic import op

+ import sqlalchemy as sa

+ 

+ 

+ # revision identifiers, used by Alembic.

+ revision = '1a510f2216c0'

+ down_revision = '003fcd9e8860'

+ 

+ 

+ def upgrade():

+     ''' Add the column _block_users to the table projects.

+     '''

+     op.add_column(

+         'projects',

+         sa.Column('_block_users', sa.Text, nullable=True)

+     )

+ 

+ 

+ def downgrade():

+     ''' Drop the column _block_users from the table projects.

+     '''

+     op.drop_column('projects', '_block_users')

+     EUBLOCKED = "You have been blocked from this project"

+ 

+             # Block all POST request from blocked users

+             if flask.request.method == "POST":

+                 # Retrieve the variables in the URL

+                 url_args = flask.request.view_args or {}

+                 # Check if there is a `repo` and an `username`

+                 repo = url_args.get("repo")

+                 username = url_args.get("username")

+                 namespace = url_args.get("namespace")

+ 

+                 if repo:

+                     flask.g.repo = pagure.lib.query.get_authorized_project(

+                         flask.g.session,

+                         repo,

+                         user=username,

+                         namespace=namespace,

+                     )

+ 

+                     if (

+                         flask.g.repo

+                         and flask.g.fas_user.username

+                         in flask.g.repo.block_users

+                     ):

+                         output = {

+                             "error": APIERROR.EUBLOCKED.value,

+                             "error_code": APIERROR.EUBLOCKED.name,

+                         }

+                         response = flask.jsonify(output)

+                         response.status_code = 403

+                         return response

+ 

+     api_project_block_user_doc = load_doc(project.api_project_block_user)

+             api_project_block_user_doc,

+  (c) 2015-2019 - Copyright Red Hat Inc

+ from pagure.api.utils import _get_repo, _check_token

+     repo = _get_repo(repo, username, namespace)

+     repo = _get_repo(repo, username, namespace)

+     repo = _get_repo(repo, username, namespace)

+     git_urls = {}

+     repo = _get_repo(repo, username, namespace)

+     repo = _get_repo(repo, username, namespace)

+     project = _get_repo(repo, namespace=namespace)

+     _check_token(project, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+     repo = _get_repo(repo, username, namespace)

+     repo = _get_repo(repo, username, namespace)

+     _check_token(repo, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+     project = _get_repo(repo, username, namespace)

+     _check_token(project, project_token=False)

+ 

+ 

+ @API.route("/<repo>/blockuser", methods=["POST"])

+ @API.route("/<namespace>/<repo>/blockuser", methods=["POST"])

+ @API.route("/fork/<username>/<repo>/blockuser", methods=["POST"])

+ @API.route("/fork/<username>/<namespace>/<repo>/blockuser", methods=["POST"])

+ @api_login_required(acls=["modify_project"])

+ @api_method

+ def api_project_block_user(repo, namespace=None, username=None):

+     """

+     Block an user from a project

+     ----------------------------

+     Block an user from interacting with the project

+ 

+     This is restricted to project admins.

+ 

+     ::

+ 

+         POST /api/0/<repo>/blockuser

+         POST /api/0/<namespace>/<repo>/blockuser

+ 

+     ::

+ 

+         POST /api/0/fork/<username>/<repo>/blockuser

+         POST /api/0/fork/<username>/<namespace>/<repo>/blockuser

+ 

+ 

+     Input

+     ^^^^^

+ 

+     +------------------+---------+---------------+---------------------------+

+     | Key              | Type    | Optionality   | Description               |

+     +==================+=========+===============+===========================+

+     | ``username``     | String  | optional      | The username of the user  |

+     |                  |         |               | to block on this project  |

+     +------------------+---------+---------------+---------------------------+

+ 

+     Beware that this API endpoint updates **all** the users blocked in the

+     project, so if you are updating this list, do not submit just one username,

+     submit the updated list.

+ 

+ 

+     Sample response

+     ^^^^^^^^^^^^^^^

+ 

+     ::

+ 

+         {"message": "User(s) blocked"}

+ 

+     """

+     output = {}

+ 

+     project = _get_repo(repo, username, namespace)

+     _check_token(project)

+ 

+     authorized_users = [project.user.username]

+     authorized_users.extend(

+         [user.user for user in project.access_users["admin"]]

+     )

+     if flask.g.fas_user.username not in authorized_users:

+         raise pagure.exceptions.APIError(

+             401, error_code=APIERROR.ENOTHIGHENOUGH

+         )

+ 

+     usernames = flask.request.form.getlist("username")

+ 

+     try:

+         users = set()

+         for user in usernames:

+             user = user.strip()

+             if user:

+                 pagure.lib.query.get_user(flask.g.session, user)

+                 users.add(user)

+         project.block_users = list(users)

+         flask.g.session.add(project)

+         flask.g.session.commit()

+         output = {"message": "User(s) blocked"}

+     except pagure.exceptions.PagureException as err:

+         raise pagure.exceptions.APIError(

+             400, error_code=APIERROR.ENOCODE, error=str(err)

+         )

+     except SQLAlchemyError as err:  # pragma: no cover

+         flask.g.session.rollback()

+         _log.exception(err)

+         raise pagure.exceptions.APIError(400, error_code=APIERROR.EDBERROR)

+ 

+     jsonout = flask.jsonify(output)

+     return jsonout

+             # Block all POST request from blocked users

+             if flask.g.repo and flask.request.method != "GET":

+                 if flask.g.fas_user.username in flask.g.repo.block_users:

+                     flask.abort(403, "You have been blocked from this project")

+ 

+     _block_users = sa.Column(sa.Text, nullable=True)

+     def block_users(self):

+         """ Return the dict stored as string in the database as an actual

+         dict object.

+         """

+         block_users = []

+ 

+         if self._block_users:

+             block_users = json.loads(self._block_users)

+ 

+         return block_users

+ 

+     @block_users.setter

+     def block_users(self, block_users):

+         """ Ensures the block_users are properly saved. """

+         self._block_users = json.dumps(block_users)

+ 

+     @property

+           {% if repo.user.user == g.fas_user.username or pagure_admin %}

+           <a class="nav-item nav-link" id="blockusers" data-toggle="tab"

+             href="#blockusers-tab" role="tab" aria-controls="blockusers">Block Users</a>

+           {% endif %}

+ 

+           <div class="tab-pane fade" id="blockusers-tab" role="tabpanel" aria-labelledby="blockusers-tab">

+             {% include 'settings_block_users.html' %}

+           </div>

+ 

+ 

+ $('.ajaxed').click(function(e) {

+   _form = $(this).closest('form')

+   $.ajax({

+       url: _form.prop('action') ,

+       type: 'POST',

+       data: _form.serialize(),

+       dataType: 'json',

+       success: function(res) {

+         console.log(res);

+         if ( res.message ) {

+           var _html = '<div class="container pt-2">'

+               + '  <div class="alert alert-info border border-secondary bg-white alert-dismissible" role="alert">'

+               + '      <button type="button" class="close" data-dismiss="alert" aria-label="Close">'

+               + '      <span aria-hidden="true">×</span>'

+               + '      <span class="sr-only">Close</span>'

+               + '    </button>'

+               + '    <div class="text-info font-weight-bold">'

+               + '      <i class="fa fa-fw fa-info-circle"></i>' + res.message

+               + '    </div>'

+               + '  </div>'

+               + '</div>';

+           $('.bodycontent').prepend(_html)

+         }

+       },

+       error: function(res) {

+         console.log(res);

+         alert('Request failed');

+       }

+   });

+   return false;

+ });

+ 

+ 

+ <h3 class="font-weight-bold mb-3">

+     Block users

+ </h3>

+ <p>

+   You can block any users from interacting with your project. They will be able

+   to view but nothing more.

+ </p>

+ <form action="{{ url_for(

+   'api_ns.api_project_block_user',

+   repo=repo.name,

+   username=username,

+   namespace=repo.namespace) }}"

+     method="post" class="icon">

+     <div class="row">

+       <div class="col-sm-12">

+         <strong>Users</strong>

+       </div>

+     </div>

+   <div class="form-group settings-field-rows" id="blockusers-list">

+     <div class="row hidden blank-field">

+       <div class="col-sm-11" >

+         <input type="text" name="username"

+                 value="" class="form-control"/>

+       </div>

+ 

+       <div class="col-sm-1">

+         <a href="javascript:void(0)" class="btn btn-outline-danger remove-settings-field-row"><i class="fa fa-trash"></i></a>

+       </div>

+     </div>

+     {% for user in repo.block_users | sort %}

+       <div class="row {{'hidden blank-field' if status == ''}}">

+         <div class="col-sm-11" >

+           <input type="text" name="username"

+                  value="{{ user }}" class="form-control"/>

+         </div>

+ 

+         <div class="col-sm-1">

+           <a href="javascript:void(0)" class="btn btn-outline-danger remove-settings-field-row"><i class="fa fa-trash"></i></a>

+         </div>

+       </div>

+     {% endfor %}

+   </div>

+   <a href="javascript:void(0)" class="btn btn-secondary pt-2 btn-sm btn-block add-settings-field-row" data-target="#blockusers-list">

+       <i class="fa fa-plus"></i> Add new user

+   </a>

+ 

+   <div class="row p-t-1">

+   </div>

+   <div class="row p-t-1">

+     <div class="col-sm-12">

+       <button class="btn btn-primary float-right mt-3 ajaxed" type="submit"

+           title="Update the blocked user">

+         Update

+       </button>

+     </div>

+   </div>

+ </form>

+         self.assertEqual(len(data), 36)

+             sorted([

+                 'EUBLOCKED',

+             ])

+ # -*- coding: utf-8 -*-

+ 

+ """

+  (c) 2019 - Copyright Red Hat Inc

+ 

+  Authors:

+    Pierre-Yves Chibon <pingou@pingoured.fr>

+ 

+ """

+ 

+ from __future__ import unicode_literals, absolute_import

+ 

+ import arrow

+ import copy

+ import datetime

+ import unittest

+ import shutil

+ import sys

+ import time

+ import os

+ 

+ import flask

+ import json

+ import munch

+ from mock import patch, MagicMock

+ from sqlalchemy.exc import SQLAlchemyError

+ 

+ sys.path.insert(

+     0, os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")

+ )

+ 

+ import pagure.lib.query

+ import tests

+ 

+ 

+ class PagureFlaskApiProjectBlockuserTests(tests.SimplePagureTest):

+     """ Tests for the flask API of pagure for assigning a PR """

+ 

+     maxDiff = None

+ 

+     @patch("pagure.lib.git.update_git", MagicMock(return_value=True))

+     @patch("pagure.lib.notify.send_email", MagicMock(return_value=True))

+     def setUp(self):

+         """ Set up the environnment, ran before every tests. """

+         super(PagureFlaskApiProjectBlockuserTests, self).setUp()

+ 

+         tests.create_projects(self.session)

+         tests.create_projects_git(

+             os.path.join(self.path, 'repos'), bare=True)

+         tests.create_tokens(self.session)

+         tests.create_tokens_acl(self.session)

+ 

+         item = pagure.lib.model.Token(

+             id="aaabbbcccdddeee",

+             user_id=2,

+             project_id=1,

+             expiration=datetime.datetime.utcnow()

+             + datetime.timedelta(days=30),

+         )

+         self.session.add(item)

+         self.session.commit()

+         tests.create_tokens_acl(self.session, token_id="aaabbbcccdddeee")

+ 

+         project = pagure.lib.query.get_authorized_project(self.session, "test")

+         self.assertEqual(project.block_users, [])

+         self.blocked_users = []

+ 

+         project = pagure.lib.query.get_authorized_project(self.session, "test2")

+         project.block_users = ["foo"]

+         self.session.add(project)

+         self.session.commit()

+ 

+     def tearDown(self):

+         """ Tears down the environment at the end of the tests. """

+         project = pagure.lib.query.get_authorized_project(self.session, "test")

+         self.assertEqual(project.block_users, self.blocked_users)

+ 

+         super(PagureFlaskApiProjectBlockuserTests, self).tearDown()

+ 

+     def test_api_blockuser_no_token(self):

+         """ Test api_project_block_user method when no token is provided.

+         """

+ 

+         # No token

+         output = self.app.post("/api/0/test/blockuser")

+         self.assertEqual(output.status_code, 401)

+         data = json.loads(output.get_data(as_text=True))

+         self.assertDictEqual(

+             data,

+             {

+                 "error": "Invalid or expired token. Please visit "

+                 "http://localhost.localdomain/settings#api-keys to "

+                 "get or renew your API token.",

+                 "error_code": "EINVALIDTOK",

+                 "errors": "Invalid token",

+             },

+         )

+ 

+     def test_api_blockuser_invalid_token(self):

+         """ Test api_project_block_user method when the token provided is invalid.

+         """

+ 

+         headers = {"Authorization": "token aaabbbcccd"}

+ 

+         # Invalid token

+         output = self.app.post("/api/0/test/blockuser", headers=headers)

+         self.assertEqual(output.status_code, 401)

+         data = json.loads(output.get_data(as_text=True))

+         self.assertDictEqual(

+             data,

+             {

+                 "error": "Invalid or expired token. Please visit "

+                 "http://localhost.localdomain/settings#api-keys to "

+                 "get or renew your API token.",

+                 "error_code": "EINVALIDTOK",

+                 "errors": "Invalid token",

+             },

+         )

+ 

+     def test_api_blockuser_no_data(self):

+         """ Test api_project_block_user method when no data is provided.

+         """

+ 

+         headers = {"Authorization": "token aaabbbcccddd"}

+ 

+         # No user blocked

+         output = self.app.post("/api/0/test/blockuser", headers=headers)

+         self.assertEqual(output.status_code, 200)

+         data = json.loads(output.get_data(as_text=True))

+         self.assertDictEqual(data, {"message": "User(s) blocked"})

+ 

+     def test_api_blockuser_invalid_user(self):

+         """ Test api_project_block_user method when the data provided includes

+         an invalid username.

+         """

+ 

+         headers = {"Authorization": "token aaabbbcccddd"}

+         data = {"username": ["invalid"]}

+ 

+         # No user blocked

+         output = self.app.post(

+             "/api/0/test/blockuser", headers=headers, data=data

+         )

+         self.assertEqual(output.status_code, 400)

+         data = json.loads(output.get_data(as_text=True))

+         self.assertDictEqual(

+             data, {"error": 'No user "invalid" found', "error_code": "ENOCODE"}

+         )

+ 

+     def test_api_blockuser_insufficient_rights(self):

+         """ Test api_project_block_user method when the user doing the action

+         does not have admin priviledges.

+         """

+ 

+         headers = {"Authorization": "token aaabbbcccdddeee"}

+         data = {"username": ["invalid"]}

+ 

+         # No user blocked

+         output = self.app.post(

+             "/api/0/test/blockuser", headers=headers, data=data

+         )

+         self.assertEqual(output.status_code, 401)

+         data = json.loads(output.get_data(as_text=True))

+         self.assertDictEqual(

+             data,

+             {

+                 "error": "You do not have sufficient permissions to perform "

+                 "this action",

+                 "error_code": "ENOTHIGHENOUGH",

+             },

+         )

+ 

+     def test_api_blockuser_with_data(self):

+         """ Test api_pull_request_assign method when the project doesn't exist.

+         """

+         self.blocked_users = ["foo"]

+ 

+         headers = {"Authorization": "token aaabbbcccddd"}

+         data = {"username": ["foo"]}

+ 

+         # user blocked

+         output = self.app.post(

+             "/api/0/test/blockuser", headers=headers, data=data

+         )

+         self.assertEqual(output.status_code, 200)

+         data = json.loads(output.get_data(as_text=True))

+         self.assertDictEqual(data, {"message": "User(s) blocked"})

+ 

+         # Second request, no changes

+         headers = {"Authorization": "token aaabbbcccddd"}

+         data = {"username": ["foo"]}

+ 

+         output = self.app.post(

+             "/api/0/test/blockuser", headers=headers, data=data