Merge branch 'orgs' of https://bitbucket.org/yackob03/quay into orgs
This commit is contained in:
Joseph Schorr
commit
0175bd91bf
12 changed files with 13723 additions and 129 deletions
|
|
@ -14,6 +14,8 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
_ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role'])
|
||||
_RepositoryNeed = partial(_ResourceNeed, 'repository')
|
||||
_OrganizationNeed = namedtuple('organization', ['orgname', 'role'])
|
||||
_TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role'])
|
||||
|
||||
|
||||
class QuayDeferredPermissionUser(Identity):
|
||||
|
|
@ -27,13 +29,32 @@ class QuayDeferredPermissionUser(Identity):
|
|||
logger.debug('Loading user permissions after deferring.')
|
||||
user_object = model.get_user(self.id)
|
||||
|
||||
for user in model.get_all_user_permissions(user_object):
|
||||
grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
|
||||
user.repositorypermission.repository.name,
|
||||
user.repositorypermission.role.name)
|
||||
# Add the user specific permissions
|
||||
user_grant = UserNeed(user_object.username)
|
||||
self.provides.add(user_grant)
|
||||
|
||||
# Every user is the admin of their own 'org'
|
||||
user_namespace = _OrganizationNeed(user_object.username, 'admin')
|
||||
self.provides.add(user_namespace)
|
||||
|
||||
# Add repository permissions
|
||||
for perm in model.get_all_user_permissions(user_object):
|
||||
grant = _RepositoryNeed(perm.repository.namespace,
|
||||
perm.repository.name, perm.role.name)
|
||||
logger.debug('User added permission: {0}'.format(grant))
|
||||
self.provides.add(grant)
|
||||
|
||||
# Add namespace permissions derived
|
||||
for team in model.get_org_wide_permissions(user_object):
|
||||
grant = _OrganizationNeed(team.organization.username, team.role.name)
|
||||
logger.debug('Organization team added permission: {0}'.format(grant))
|
||||
self.provides.add(grant)
|
||||
|
||||
team_grant = _TeamNeed(team.organization.username, team.name,
|
||||
team.role.name)
|
||||
logger.debug('Team added permission: {0}'.format(team_grant))
|
||||
self.provides.add(team_grant)
|
||||
|
||||
self._permissions_loaded = True
|
||||
|
||||
return super(QuayDeferredPermissionUser, self).can(permission)
|
||||
|
|
@ -43,6 +64,7 @@ class ModifyRepositoryPermission(Permission):
|
|||
def __init__(self, namespace, name):
|
||||
admin_need = _RepositoryNeed(namespace, name, 'admin')
|
||||
write_need = _RepositoryNeed(namespace, name, 'write')
|
||||
org_admin_need = _OrganizationNeed(namespace, 'admin')
|
||||
super(ModifyRepositoryPermission, self).__init__(admin_need, write_need)
|
||||
|
||||
|
||||
|
|
@ -51,14 +73,25 @@ class ReadRepositoryPermission(Permission):
|
|||
admin_need = _RepositoryNeed(namespace, name, 'admin')
|
||||
write_need = _RepositoryNeed(namespace, name, 'write')
|
||||
read_need = _RepositoryNeed(namespace, name, 'read')
|
||||
org_admin_need = _OrganizationNeed(namespace, 'admin')
|
||||
super(ReadRepositoryPermission, self).__init__(admin_need, write_need,
|
||||
read_need)
|
||||
read_need, org_admin_need)
|
||||
|
||||
|
||||
class AdministerRepositoryPermission(Permission):
|
||||
def __init__(self, namespace, name):
|
||||
admin_need = _RepositoryNeed(namespace, name, 'admin')
|
||||
super(AdministerRepositoryPermission, self).__init__(admin_need)
|
||||
org_admin_need = _OrganizationNeed(namespace, 'admin')
|
||||
super(AdministerRepositoryPermission, self).__init__(admin_need,
|
||||
org_admin_need)
|
||||
|
||||
|
||||
class CreateRepositoryPermission(Permission):
|
||||
def __init__(self, namespace):
|
||||
admin_org = _OrganizationNeed(namespace, 'admin')
|
||||
create_repo_org = _OrganizationNeed(namespace, 'creator')
|
||||
super(CreateRepositoryPermission, self).__init__(admin_org,
|
||||
create_repo_org)
|
||||
|
||||
|
||||
class UserPermission(Permission):
|
||||
|
|
@ -67,6 +100,30 @@ class UserPermission(Permission):
|
|||
super(UserPermission, self).__init__(user_need)
|
||||
|
||||
|
||||
class AdministerOrganizationPermission(Permission):
|
||||
def __init__(self, org_name):
|
||||
admin_org = _OrganizationNeed(org_name, 'admin')
|
||||
super(AdministerOrganizationPermission, self).__init__(admin_org)
|
||||
|
||||
|
||||
class OrganizationMemberPermission(Permission):
|
||||
def __init__(self, org_name):
|
||||
admin_org = _OrganizationNeed(org_name, 'admin')
|
||||
repo_creator_org = _OrganizationNeed(org_name, 'creator')
|
||||
org_member = _OrganizationNeed(org_name, 'member')
|
||||
super(OrganizationMemberPermission, self).__init__(admin_org, org_member,
|
||||
repo_creator_org)
|
||||
|
||||
|
||||
class ViewTeamPermission(Permission):
|
||||
def __init__(self, org_name, team_name):
|
||||
team_admin = _TeamNeed(org_name, team_name, 'admin')
|
||||
team_creator = _TeamNeed(org_name, 'creator')
|
||||
team_member = _TeamNeed(org_name, 'member')
|
||||
super(ViewTeamPermission, self).__init__(team_admin, team_creator,
|
||||
team_member)
|
||||
|
||||
|
||||
@identity_loaded.connect_via(app)
|
||||
def on_identity_loaded(sender, identity):
|
||||
logger.debug('Identity loaded: %s' % identity)
|
||||
|
|
|
|||
|
|
@ -37,9 +37,14 @@ class User(BaseModel):
|
|||
organization = BooleanField(default=False, index=True)
|
||||
|
||||
|
||||
class TeamRole(BaseModel):
|
||||
name = CharField(index=True)
|
||||
|
||||
|
||||
class Team(BaseModel):
|
||||
name = CharField(index=True)
|
||||
organization = ForeignKeyField(User, index=True)
|
||||
role = ForeignKeyField(TeamRole)
|
||||
|
||||
class Meta:
|
||||
database = db
|
||||
|
|
@ -117,18 +122,6 @@ class RepositoryPermission(BaseModel):
|
|||
)
|
||||
|
||||
|
||||
class TeamPermission(BaseModel):
|
||||
team = ForeignKeyField(Team, index=True)
|
||||
organization = ForeignKeyField(User, index=True)
|
||||
role = ForeignKeyField(Role)
|
||||
|
||||
class Meta:
|
||||
database = db
|
||||
indexes = (
|
||||
(('team', 'organization'), True),
|
||||
)
|
||||
|
||||
|
||||
def random_string_generator(length=16):
|
||||
def random_string():
|
||||
random = SystemRandom()
|
||||
|
|
@ -212,10 +205,13 @@ def initialize_db():
|
|||
RepositoryPermission, Visibility, RepositoryTag,
|
||||
EmailConfirmation, FederatedLogin, LoginService,
|
||||
QueueItem, RepositoryBuild, Team, TeamMember,
|
||||
TeamPermission])
|
||||
TeamRole])
|
||||
Role.create(name='admin')
|
||||
Role.create(name='write')
|
||||
Role.create(name='read')
|
||||
TeamRole.create(name='admin')
|
||||
TeamRole.create(name='creator')
|
||||
TeamRole.create(name='member')
|
||||
Visibility.create(name='public')
|
||||
Visibility.create(name='private')
|
||||
LoginService.create(name='github')
|
||||
|
|
|
|||
|
|
@ -89,20 +89,17 @@ def create_organization(name, email, creating_user):
|
|||
new_org.save()
|
||||
|
||||
# Create a team for the owners
|
||||
owners_team = create_team('Owners', new_org)
|
||||
owners_team = create_team('Owners', new_org, 'admin')
|
||||
|
||||
# Add the user who created the org to the owners
|
||||
# Add the user who created the org to the owners team
|
||||
add_user_to_team(creating_user, owners_team)
|
||||
|
||||
# Give the owners team admin access to the namespace
|
||||
set_team_org_permission(owners_team, new_org, 'admin')
|
||||
|
||||
return new_org
|
||||
except InvalidUsernameException:
|
||||
raise InvalidOrganizationException('Invalid organization name: %s' % name)
|
||||
|
||||
|
||||
def create_team(name, org):
|
||||
def create_team(name, org, team_role_name):
|
||||
if not validate_username(name):
|
||||
raise InvalidTeamException('Invalid team name: %s' % name)
|
||||
|
||||
|
|
@ -110,7 +107,8 @@ def create_team(name, org):
|
|||
raise InvalidOrganizationException('User with name %s is not an org.' %
|
||||
org.username)
|
||||
|
||||
return Team.create(name=name, organization=org)
|
||||
team_role = TeamRole.get(TeamRole.name == team_role_name)
|
||||
return Team.create(name=name, organization=org, role=team_role)
|
||||
|
||||
|
||||
def add_user_to_team(user, team):
|
||||
|
|
@ -119,10 +117,17 @@ def add_user_to_team(user, team):
|
|||
|
||||
def remove_user_from_team(user, team):
|
||||
try:
|
||||
found = TeamMember.get(user = user, team = team)
|
||||
found = TeamMember.get(user=user, team=team)
|
||||
found.delete_instance()
|
||||
except TeamMember.DoesNotExist:
|
||||
return
|
||||
raise InvalidTeamException('User does not belong to team.')
|
||||
|
||||
|
||||
def set_team_org_permission(team, org, team_role_name):
|
||||
new_role = TeamRole.get(TeamRole.name == tean_role_name)
|
||||
team.role = new_role
|
||||
team.save()
|
||||
return team
|
||||
|
||||
|
||||
def set_team_org_permission(team, org, role_name):
|
||||
|
|
@ -350,10 +355,31 @@ def update_email(user, new_email):
|
|||
|
||||
|
||||
def get_all_user_permissions(user):
|
||||
select = User.select(User, Repository, RepositoryPermission, Role)
|
||||
with_repo = select.join(RepositoryPermission).join(Repository)
|
||||
with_role = with_repo.switch(RepositoryPermission).join(Role)
|
||||
return with_role.where(User.username == user.username)
|
||||
select = RepositoryPermission.select(RepositoryPermission, Role, Repository)
|
||||
with_role = select.join(Role)
|
||||
with_repo = with_role.switch(RepositoryPermission).join(Repository)
|
||||
through_user = with_repo.switch(RepositoryPermission).join(User,
|
||||
JOIN_LEFT_OUTER)
|
||||
as_perm = through_user.switch(RepositoryPermission)
|
||||
through_team = as_perm.join(Team, JOIN_LEFT_OUTER).join(TeamMember,
|
||||
JOIN_LEFT_OUTER)
|
||||
|
||||
UserThroughTeam = User.alias()
|
||||
with_team_member = through_team.join(UserThroughTeam, JOIN_LEFT_OUTER,
|
||||
on=(UserThroughTeam.id ==
|
||||
TeamMember.user))
|
||||
|
||||
return with_team_member.where((User.id == user) |
|
||||
(UserThroughTeam.id == user))
|
||||
|
||||
|
||||
def get_org_wide_permissions(user):
|
||||
Org = User.alias()
|
||||
team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)
|
||||
with_org = team_with_role.switch(Team).join(Org, on=(Team.organization ==
|
||||
Org.id))
|
||||
with_user = with_org.switch(Team).join(TeamMember).join(User)
|
||||
return with_user.where(User.id == user, Org.organization == True)
|
||||
|
||||
|
||||
def get_all_repo_teams(namespace_name, repository_name):
|
||||
|
|
|
|||
201
endpoints/api.py
201
endpoints/api.py
|
|
@ -23,7 +23,11 @@ from util.names import parse_repository_name
|
|||
from util.gravatar import compute_hash
|
||||
from auth.permissions import (ReadRepositoryPermission,
|
||||
ModifyRepositoryPermission,
|
||||
AdministerRepositoryPermission)
|
||||
AdministerRepositoryPermission,
|
||||
CreateRepositoryPermission,
|
||||
AdministerOrganizationPermission,
|
||||
OrganizationMemberPermission,
|
||||
ViewTeamPermission)
|
||||
from endpoints import registry
|
||||
from endpoints.web import common_login
|
||||
from util.cache import cache_control
|
||||
|
|
@ -57,11 +61,11 @@ def plans_list():
|
|||
@app.route('/api/user/', methods=['GET'])
|
||||
def get_logged_in_user():
|
||||
def org_view(o):
|
||||
# TODO: return whether the user is really the admin of the organization
|
||||
admin_org = AdministerOrganizationPermission(o.username)
|
||||
return {
|
||||
'name': o.username,
|
||||
'gravatar': compute_hash(o.email),
|
||||
'is_org_admin': True
|
||||
'is_org_admin': admin_org.can()
|
||||
}
|
||||
|
||||
if current_user.is_anonymous():
|
||||
|
|
@ -234,6 +238,7 @@ user_files = UserRequestFiles(app.config['AWS_ACCESS_KEY'],
|
|||
app.config['AWS_SECRET_KEY'],
|
||||
app.config['REGISTRY_S3_BUCKET'])
|
||||
|
||||
|
||||
@app.route('/api/organization/<orgname>', methods=['GET'])
|
||||
def get_organization(orgname):
|
||||
def team_view(t):
|
||||
|
|
@ -293,111 +298,120 @@ def member_view(m):
|
|||
'username': m.username
|
||||
}
|
||||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members', methods=['GET'])
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members',
|
||||
methods=['GET'])
|
||||
def get_organization_team_members(orgname, teamname):
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
view_permission = ViewTeamPermission(orgname, teamname)
|
||||
edit_permission = AdministerOrganizationPermission(orgname)
|
||||
|
||||
# TODO: determine whether the user has permission to view the members of this team
|
||||
# (i.e. they are a member of the team OR they are an admin of the org)
|
||||
user = current_user.db_user()
|
||||
team = None
|
||||
if view_permission.can():
|
||||
user = current_user.db_user()
|
||||
team = None
|
||||
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
members = model.get_organization_team_members(team.id)
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
members = model.get_organization_team_members(team.id)
|
||||
return jsonify({
|
||||
'members': { m.username : member_view(m) for m in members },
|
||||
'can_edit': edit_permission.can()
|
||||
})
|
||||
|
||||
# TODO: determine whether the user has permission to *edit* the members of this team.
|
||||
return jsonify({
|
||||
'members': { m.username : member_view(m) for m in members },
|
||||
'can_edit': True
|
||||
})
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>', methods=['PUT', 'POST'])
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>',
|
||||
methods=['PUT', 'POST'])
|
||||
def update_organization_team_member(orgname, teamname, membername):
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
team = None
|
||||
user = None
|
||||
|
||||
# TODO: determine whether the user has permission to put this user as a member of the team.
|
||||
team = None
|
||||
user = None
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Add the user to the team.
|
||||
model.add_user_to_team(user, team)
|
||||
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Add the user to the team.
|
||||
model.add_user_to_team(user, team)
|
||||
return jsonify(member_view(user))
|
||||
|
||||
return jsonify(member_view(user))
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>', methods=['DELETE'])
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>',
|
||||
methods=['DELETE'])
|
||||
def delete_organization_team_member(orgname, teamname, membername):
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
team = None
|
||||
user = None
|
||||
|
||||
# TODO: determine whether the user has permission to delete this user as a member of the team.
|
||||
team = None
|
||||
user = None
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Remote the user from the team.
|
||||
model.remove_user_from_team(user, team)
|
||||
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Remote the user from the team.
|
||||
model.remove_user_from_team(user, team)
|
||||
|
||||
return jsonify({
|
||||
'success': True
|
||||
})
|
||||
return jsonify({
|
||||
'success': True
|
||||
})
|
||||
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/repository', methods=['POST'])
|
||||
@api_login_required
|
||||
def create_repo_api():
|
||||
owner = current_user.db_user()
|
||||
|
||||
# TODO(jake): Verify that the user can create a repo in this namespace.
|
||||
json = request.get_json()
|
||||
namespace_name = json['namespace'] if 'namespace' in json else owner.username
|
||||
repository_name = json['repository']
|
||||
visibility = json['visibility']
|
||||
namespace_name = json['namespace'] if 'namespace' in json else owner.username
|
||||
|
||||
existing = model.get_repository(namespace_name, repository_name)
|
||||
if existing:
|
||||
return make_response('Repository already exists', 400)
|
||||
permission = CreateRepositoryPermission(namespace_name)
|
||||
if permission.can():
|
||||
repository_name = json['repository']
|
||||
visibility = json['visibility']
|
||||
|
||||
visibility = request.get_json()['visibility']
|
||||
existing = model.get_repository(namespace_name, repository_name)
|
||||
if existing:
|
||||
return make_response('Repository already exists', 400)
|
||||
|
||||
repo = model.create_repository(namespace_name, repository_name, owner,
|
||||
visibility)
|
||||
repo.description = json['description']
|
||||
repo.save()
|
||||
visibility = request.get_json()['visibility']
|
||||
|
||||
return jsonify({
|
||||
'namespace': namespace_name,
|
||||
'name': repository_name
|
||||
})
|
||||
repo = model.create_repository(namespace_name, repository_name, owner,
|
||||
visibility)
|
||||
repo.description = json['description']
|
||||
repo.save()
|
||||
|
||||
repo = model.create_repository(namespace_name, repository_name, owner,
|
||||
visibility)
|
||||
repo.description = json['description']
|
||||
repo.save()
|
||||
|
||||
return jsonify({
|
||||
'namespace': namespace_name,
|
||||
'name': repository_name
|
||||
})
|
||||
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/find/repository', methods=['GET'])
|
||||
|
|
@ -642,11 +656,10 @@ def request_repo_build(namespace, repository):
|
|||
abort(403) # Permissions denied
|
||||
|
||||
|
||||
def role_view(repo_perm_obj, username=None):
|
||||
# TODO: Determine whether the user (if given) is outside of the organization.
|
||||
def role_view(repo_perm_obj, org_member):
|
||||
return {
|
||||
'role': repo_perm_obj.role.name,
|
||||
'outside_org': username != 'devtable'
|
||||
'outside_org': org_member
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -727,32 +740,36 @@ def list_tag_images(namespace, repository, tag):
|
|||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/', methods=['GET'])
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_team_permissions(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
repo_perms = model.get_all_repo_teams(namespace, repository)
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
|
||||
return jsonify({
|
||||
'permissions': {repo_perm.team.name: role_view(repo_perm)
|
||||
'permissions': {repo_perm.team.name: role_view(repo_perm, org_member)
|
||||
for repo_perm in repo_perms}
|
||||
})
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/', methods=['GET'])
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_user_permissions(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
repo_perms = model.get_all_repo_users(namespace, repository)
|
||||
member = OrganizationMemberPermission(namespace).can()
|
||||
|
||||
return jsonify({
|
||||
'permissions': {repo_perm.user.username: role_view(repo_perm, username=repo_perm.user.username)
|
||||
'permissions': {repo_perm.user.username: role_view(repo_perm, member)
|
||||
for repo_perm in repo_perms}
|
||||
})
|
||||
|
||||
|
|
@ -769,7 +786,8 @@ def get_user_permissions(namespace, repository, username):
|
|||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_user_reponame_permission(username, namespace, repository)
|
||||
return jsonify(role_view(perm, username=username))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
return jsonify(role_view(perm, org_member))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
|
@ -784,7 +802,8 @@ def get_team_permissions(namespace, repository, teamname):
|
|||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_team_reponame_permission(username, namespace, repository)
|
||||
return jsonify(role_view(perm))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
return jsonify(role_view(perm, org_member))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
|
@ -808,7 +827,8 @@ def change_user_permissions(namespace, repository, username):
|
|||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
resp = jsonify(role_view(perm, username=username))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
resp = jsonify(role_view(perm, org_member))
|
||||
if request.method == 'POST':
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
|
@ -835,7 +855,8 @@ def change_team_permissions(namespace, repository, teamname):
|
|||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
resp = jsonify(role_view(perm))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
resp = jsonify(role_view(perm, org_member))
|
||||
if request.method == 'POST':
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
|
|
|||
|
|
@ -13,8 +13,9 @@ from auth.auth import (process_auth, get_authenticated_user,
|
|||
get_validated_token)
|
||||
from util.names import parse_namespace_repository, parse_repository_name
|
||||
from util.email import send_confirmation_email
|
||||
from auth.permissions import (ModifyRepositoryPermission,
|
||||
ReadRepositoryPermission, UserPermission)
|
||||
from auth.permissions import (ModifyRepositoryPermission, UserPermission,
|
||||
ReadRepositoryPermission,
|
||||
CreateRepositoryPermission)
|
||||
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
|
@ -127,7 +128,9 @@ def create_repository(namespace, repository):
|
|||
abort(403)
|
||||
|
||||
else:
|
||||
if get_authenticated_user().username != namespace:
|
||||
permission = CreateRepoPermission('namespace')
|
||||
if not permission.can():
|
||||
logger.info('Attempt to create a new repo with insufficient perms.')
|
||||
abort(403)
|
||||
|
||||
logger.debug('Creaing repository with owner: %s' %
|
||||
|
|
|
|||
|
|
@ -156,7 +156,7 @@ if __name__ == '__main__':
|
|||
'Repository owned by an org.', False,
|
||||
[], (4, [], ['latest', 'prod']))
|
||||
|
||||
reader_team = model.create_team('Readers', org)
|
||||
reader_team = model.create_team('Readers', org, 'member')
|
||||
model.set_team_repo_permission(reader_team.name, org_repo.namespace,
|
||||
org_repo.name, 'read')
|
||||
model.add_user_to_team(new_user_2, reader_team)
|
||||
|
|
|
|||
|
|
@ -130,10 +130,7 @@ def load(kind=None):
|
|||
"""Returns the right storage class according to the configuration."""
|
||||
global _storage
|
||||
|
||||
# TODO hard code to local for now
|
||||
kind = app.config['STORAGE_KIND']
|
||||
# if not kind:
|
||||
# kind = cfg.storage.lower()
|
||||
if kind in _storage:
|
||||
return _storage[kind]
|
||||
if kind == 's3':
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -0,0 +1,45 @@
|
|||
{
|
||||
"removed": [],
|
||||
"added": [
|
||||
"/opt/elasticsearch-0.90.5/LICENSE.txt",
|
||||
"/opt/elasticsearch-0.90.5/NOTICE.txt",
|
||||
"/opt/elasticsearch-0.90.5/README.textile",
|
||||
"/opt/elasticsearch-0.90.5/bin/elasticsearch",
|
||||
"/opt/elasticsearch-0.90.5/bin/elasticsearch.in.sh",
|
||||
"/opt/elasticsearch-0.90.5/bin/plugin",
|
||||
"/opt/elasticsearch-0.90.5/config/elasticsearch.yml",
|
||||
"/opt/elasticsearch-0.90.5/config/logging.yml",
|
||||
"/opt/elasticsearch-0.90.5/lib/elasticsearch-0.90.5.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/jna-3.3.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/jts-1.12.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/log4j-1.2.17.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-analyzers-common-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-codecs-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-core-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-grouping-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-highlighter-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-join-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-memory-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-misc-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-queries-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-queryparser-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-sandbox-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-spatial-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/lucene-suggest-4.4.0.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-amd64-freebsd-6.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-amd64-linux.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-amd64-solaris.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-ia64-linux.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-sparc-solaris.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-sparc64-solaris.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-universal-macosx.dylib",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-universal64-macosx.dylib",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-freebsd-5.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-freebsd-6.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-linux.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-solaris.so",
|
||||
"/opt/elasticsearch-0.90.5/lib/sigar/sigar-1.6.4.jar",
|
||||
"/opt/elasticsearch-0.90.5/lib/spatial4j-0.3.jar"
|
||||
],
|
||||
"changed": []
|
||||
}
|
||||
File diff suppressed because it is too large
Load diff
|
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
"removed": [],
|
||||
"added": [],
|
||||
"changed": []
|
||||
}
|
||||
Binary file not shown.
Reference in a new issue