+ """Add branch info to projects_groups

+ 

+ Revision ID: 2b39a728a38f

+ Revises: 318a4793b360

+ Create Date: 2020-03-26 21:50:45.899760

+ 

+ """

+ 

+ from alembic import op

+ import sqlalchemy as sa

+ 

+ 

+ # revision identifiers, used by Alembic.

+ revision = '2b39a728a38f'

+ down_revision = '318a4793b360'

+ 

+ 

+ def upgrade():

+     ''' Add the column branches to the table projects_groups.

+     '''

+     op.add_column(

+         'projects_groups',

+         sa.Column('branches', sa.Text, nullable=True)

+     )

+ 

+ 

+ def downgrade():

+     ''' Drop the column branches from the table projects_groups.

+     '''

+     op.drop_column('projects_groups', 'branches')

+ """Add branch info to user_projects

+ 

+ Revision ID: 318a4793b360

+ Revises: 060b20d6d6e6

+ Create Date: 2020-03-26 21:49:17.632967

+ 

+ """

+ 

+ from alembic import op

+ import sqlalchemy as sa

+ 

+ 

+ # revision identifiers, used by Alembic.

+ revision = '318a4793b360'

+ down_revision = '060b20d6d6e6'

+ 

+ 

+ def upgrade():

+     ''' Add the column branches to the table user_projects.

+     '''

+     op.add_column(

+         'user_projects',

+         sa.Column('branches', sa.Text, nullable=True)

+     )

+ 

+ 

+ def downgrade():

+     ''' Drop the column branches from the table user_projects.

+     '''

+     op.drop_column('user_projects', 'branches')

+         if flask.g.authenticated and not flask.g.repo_committer:

+             flask.g.repo_committer = flask.g.fas_user.username in [

+                 u.user.username for u in flask.g.repo.collaborators

+             ]

+ 

+     branches = wtforms.StringField(

+         'Git branches <span class="error">*</span>',

+         [wtforms.validators.Optional()],

+     )

+     branches = wtforms.StringField(

+         'Git branches <span class="error">*</span>',

+         [wtforms.validators.Optional()],

+     )

+     """ Determines whether a user has read access to the requested repo. """

+     _log.info(

+         "Read access granted to %s on: %s" % (remoteuser, project.fullname)

+     )

+ from pagure.utils import is_repo_collaborator, lookup_deploykey

+         is_committer = is_repo_collaborator(

+             project, refname, username, session

+         )

+     for access in ["ticket", "collaborator", "commit", "admin"]:

+     collaborators = relation(

+         "ProjectUser",

+         primaryjoin="and_(projects.c.id==user_projects.c.project_id,\

+                     user_projects.c.access=='collaborator')",

+         viewonly=True,

+     )

+ 

+     collaborator_groups = relation(

+         "ProjectGroup",

+         primaryjoin="and_(projects.c.id==projects_groups.c.project_id,\

+                     projects_groups.c.access=='collaborator')",

+         viewonly=True,

+     )

+ 

+         if access not in ["admin", "commit", "collaborator", "ticket"]:

+             elif access == "collaborator":

+                 return [u.user for u in self.collaborators]

+             elif access == "collaborator":

+                 admins = set(self.admins)

+                 return list(

+                     set([u.user for u in self.collaborators])

+                     - committers

+                     - admins

+                 )

+             elif access == "ticket":

+                 committers = set(self.committers)

+                 collaborators = set([u.user for u in self.collaborators])

+                 return list(users - collaborators - committers - admins)

+         if access not in ["admin", "commit", "collaborator", "ticket"]:

+             elif access == "collaborator":

+                 return self.collaborator_groups

+             elif access == "collaborator":

+                 committers = set(self.committer_groups)

+                 admins = set(self.admin_groups)

+                 return list(

+                     set(self.collaborator_groups) - committers - admins

+                 )

+                 collaborators = set(self.collaborator_groups)

+                 return list(groups - collaborators - committers - admins)

+             "collaborator": sorted(

+                 self.get_project_users(access="collaborator", combine=False)

+             ),

+             "collaborator": sorted(

+                 self.get_project_groups(access="collaborator", combine=False)

+             ),

+     branches = sa.Column(sa.Text, nullable=True,)

+     branches = sa.Column(sa.Text, nullable=True,)

+     session,

+     project,

+     new_user,

+     user,

+     access="admin",

+     branches=None,

+     required_groups=None,

+     if new_user in users and access != "collaborator":

+     # Reset the branches to None if the user isn't a collaborator

+     if access != "collaborator":

+         branches = None

+ 

+         access_obj.branches = branches

+                 new_branches=branches,

+         project_id=project.id,

+         user_id=new_user_obj.id,

+         access=access,

+         branches=branches,

+             branches=branches,

+     branches=None,

+     if new_group in groups and access != "collaborator":

+     # Reset the branches to None if the group isn't a collaborator

+     if access != "collaborator":

+         branches = None

+ 

+         access_obj.branches = branches

+                 new_branches=branches,

+         project_id=project.id,

+         group_id=group_obj.id,

+         access=access,

+         branches=branches,

+             branches=branches,

+                     model.ProjectUser.access == "collaborator",

+                     model.ProjectGroup.access == "collaborator",

+                     model.ProjectGroup.access == "collaborator",

+                     model.ProjectUser.access == "collaborator",

+                     model.ProjectGroup.access == "collaborator",

+                     model.ProjectGroup.access == "collaborator",

+         acls = ["main admin", "admin", "collaborator", "commit", "ticket"]

+ <p class="center"> <strong>Access Levels</strong> </p>

+ <p class="justify">

+ <strong>Ticket</strong>: A user or a group with this level of access can only edit metadata

+   of an issue. This includes changing the status of an issue, adding/removing

+   tags from them, adding/removing assignees and every other option which can

+   be accessed when you click "Edit Metadata" button in an issue page. However,

+   this user can not "create" a new tag or "delete" an existing tag because,

+   that would involve access to settings page of the project which this user

+   won't have. It also won't be able to "delete" the issue because, it falls

+   outside of "Edit Metadata".

+ </p>

+ <p class="justify">

+ <strong>Collaborator</strong>: A user or a group with this level of access can do everything what

+   a user/group with ticket access can do + it can commit to some branches in the project.

+   These branches are defined here using their name or a pattern and needs to be comma separated. <br />

+   Some examples:

+     <ul>

+         <li>master,features/*</li>

+         <li>el*</li>

+         <li>master,f*</li>

+     </ul>

+ </p>

+ <p class="justify">

+ <strong>Commit</strong>: A user or a group with this level of access can do everything what

+   a user/group with ticket access can do + it can do everything on the project

+   which doesn't include access to settings page. It can "Edit Metadata" of an issue

+   just like a user with ticket access would do, can merge a pull request, can push

+   to the main repository directly, delete an issue, cancel a pull request etc.

+ </p>

+ <p class="justify">

+ <strong>Admin</strong>: The user/group with this access has access to everything on the project.

+   All the "users" of the project that have been added till now are having this access.

+   They can change the settings of the project, add/remove users/groups on the project.

+ </p>

+         <input class="form-control" name="branches" id="branches" class="hidden"

+           placeholder="A comma separated list of branches" value=""/>

+     {% include '_access_levels_descriptions.html' %}

+ 

+   $("#branches").hide();

+ 

+     $("#branches").val("{{ group_access.branches or ''}}");

+   };

+ 

+   if ($("#access").val() == "collaborator") {

+     $("#branches").show();

+   };

+ 

+   $("#access").on("change", function() {

+     var _acc = $("#access");

+     if (_acc.val() == "collaborator") {

+         $("#branches").show();

+     } else {

+         $("#branches").hide();

+     }

+   });

+ 

+ 

+         <input class="form-control" name="branches" id="branches" class="hidden"

+           placeholder="A comma separated list of branches" value=""/>

+     {% include '_access_levels_descriptions.html' %}

+   $("#branches").hide();

+ 

+     console.log("{{ user_access.branches }}");

+     $("#branches").val("{{ user_access.branches or ''}}");

+   if ($("#access").val() == "collaborator") {

+     $("#branches").show();

+   };

+ 

+   $("#access").on("change", function() {

+     var _acc = $("#access");

+     if (_acc.val() == "collaborator") {

+         $("#branches").show();

+     } else {

+         $("#branches").hide();

+     }

+   });

+ 

+                 branches=form.branches.data,

+                 branches=form.branches.data,

+  (c) 2017-2020 - Copyright Red Hat Inc

+ import fnmatch

+ def is_repo_collaborator(repo_obj, refname, username=None, session=None):

+     """ Return whether the user has commit on the specified branch of the

+     provided repo. """

+     committer = is_repo_committer(repo_obj, username=username, session=session)

+     if committer:

+         _log.debug("User is a committer")

+         return committer

+ 

+     import pagure.lib.query

+ 

+     if username is None:

+         if not authenticated():

+             return False

+         if is_admin():

+             return True

+         username = flask.g.fas_user.username

+         usergroups = set(flask.g.fas_user.groups)

+ 

+     if not session:

+         session = flask.g.session

+     try:

+         user = pagure.lib.query.get_user(session, username)

+         usergroups = set(user.groups)

+     except pagure.exceptions.PagureException:

+         return False

+ 

+     # If they are in the list of committers -> maybe

+     for user in repo_obj.collaborators:

+         if user.user.username == username:

+             # if branch is None when the user tries to read,

+             # so we'll allow that

+             if refname is None:

+                 return True

+             # If the branch is specified: the user is trying to write, we'll

+             # check if they are allowed to

+             for pattern in user.branches.split(","):

+                 pattern = "refs/heads/{}".format(pattern.strip())

+                 if fnmatch.fnmatch(refname, pattern):

+                     return True

+ 

+     # If they are in a group that has commit access -> maybe

+     for project_group in repo_obj.collaborator_groups:

+         if project_group.group.group_name in usergroups:

+             # if branch is None when the user tries to read,

+             # so we'll allow that

+             if refname is None:

+                 return True

+             # If the branch is specified: the user is trying to write, we'll

+             # check if they are allowed to

+             for pattern in project_group.branches.split(","):

+                 pattern = "refs/heads/{}".format(pattern.strip())

+                 if fnmatch.fnmatch(refname, pattern):

+                     return True

+ 

+     return False

+ 

+ 

+     def test_is_repo_collaborator_logged_out(self):

+         """ Test is_repo_committer in pagure when there is no logged in user.

+         """

+         repo = pagure.lib.query._get_project(self.session, "test")

+         with self.app.application.app_context():

+             output = pagure.utils.is_repo_collaborator(repo, "master")

+         self.assertFalse(output)

+ 

+     def test_is_repo_collaborator_logged_in(self):

+         """ Test is_repo_collaborator in pagure with the appropriate user logged

+         in. """

+         repo = pagure.lib.query._get_project(self.session, "test")

+ 

+         g = munch.Munch()

+         g.fas_user = tests.FakeUser(username="pingou")

+         g.authenticated = True

+         g.session = self.session

+         with mock.patch("flask.g", g):

+             output = pagure.utils.is_repo_collaborator(

+                 repo, "refs/heads/master"

+             )

+             self.assertTrue(output)

+ 

+     def test_is_repo_collaborator_invalid_username(self):

+         """ Test is_repo_collaborator in pagure with the appropriate user logged

+         in. """

+         repo = pagure.lib.query._get_project(self.session, "test")

+ 

+         g = munch.Munch()

+         g.fas_user = tests.FakeUser(username="invalid")

+         g.authenticated = True

+         g.session = self.session

+         with mock.patch("flask.g", g):

+             output = pagure.utils.is_repo_collaborator(

+                 repo, "refs/heads/master"

+             )

+             self.assertFalse(output)

+ 

+     @mock.patch.dict("pagure.config.config", {"PAGURE_ADMIN_USERS": ["foo"]})

+     def test_is_repo_collaborator_admin_user(self):

+         """ Test is_repo_collaborator in pagure with the appropriate user logged

+         in. """

+         repo = pagure.lib.query._get_project(self.session, "test")

+ 

+         g = munch.Munch()

+         g.fas_user = tests.FakeUser(username="foo")

+         g.authenticated = True

+         g.session = self.session

+         with mock.patch("flask.g", g):

+             output = pagure.utils.is_repo_collaborator(

+                 repo, "refs/heads/master"

+             )

+             self.assertTrue(output)

+ 

+     def test_is_repo_collaborator_not_in_project(self):

+         """ Test is_repo_collaborator in pagure with the appropriate user logged

+         in. """

+         repo = pagure.lib.query._get_project(self.session, "test")

+ 

+         g = munch.Munch()

+         g.fas_user = tests.FakeUser(username="foo")

+         g.authenticated = True

+         g.session = self.session

+         with mock.patch("flask.g", g):

+             output = pagure.utils.is_repo_collaborator(

+                 repo, "refs/heads/master"

+             )

+             self.assertFalse(output)

+ 

+     def test_is_repo_collaborator_in_project(self):

+         """ Test is_repo_collaborator in pagure with the appropriate user logged

+         in. """

+         repo = pagure.lib.query._get_project(self.session, "test")

+ 

+         # Add user foo to project test

+         msg = pagure.lib.query.add_user_to_project(

+             self.session,

+             project=repo,

+             new_user="foo",

+             user="pingou",

+             access="collaborator",

+             branches="epel*",