- Add an entity-search directive for adding a nice search box for users or teams

- Add support for team-based permissions to the repos
This commit is contained in:
Joseph Schorr 2013-11-01 21:48:10 -04:00
parent 09afe0753f
commit 100ec563fa
7 changed files with 362 additions and 93 deletions

View file

@ -207,8 +207,13 @@ def get_user(username):
return None
def get_matching_teams(team_prefix, organization):
query = Team.select().where(Team.name ** (team_prefix + '%'), Team.organization == organization)
return list(query.limit(10))
def get_matching_users(username_prefix):
query = User.select().where(User.username ** (username_prefix + '%'))
query = User.select().where(User.username ** (username_prefix + '%'), User.organization == False)
return list(query.limit(10))
@ -328,6 +333,15 @@ def get_all_user_permissions(user):
return with_role.where(User.username == user.username)
def get_all_repo_teams(namespace_name, repository_name):
select = RepositoryPermission.select(Team.name.alias('team_name'), Role.name,
RepositoryPermission)
with_team = select.join(Team)
with_role = with_team.switch(RepositoryPermission).join(Role)
with_repo = with_role.switch(RepositoryPermission).join(Repository)
return with_repo.where(Repository.namespace == namespace_name,
Repository.name == repository_name)
def get_all_repo_users(namespace_name, repository_name):
select = RepositoryPermission.select(User.username, Role.name,
RepositoryPermission)

View file

@ -188,6 +188,46 @@ def get_matching_users(prefix):
})
@app.route('/api/entities/<prefix>', methods=['GET'])
@api_login_required
def get_matching_entities(prefix):
users = model.get_matching_users(prefix)
teams = []
organization_name = request.args.get('organization', None)
organization = None
if organization_name:
try:
organization = model.get_organization(organization_name)
except:
pass
if organization:
# TODO: ensure that the user has access to the organization
teams = model.get_matching_teams(prefix, organization)
def team_view(team):
return {
'name': team.name,
'kind': 'team'
}
def user_view(user):
# TODO: Return whether the user is outside the organization (if one is
# specified)
return {
'name': user.username,
'kind': 'user',
'outside_org': True
}
team_data = [team_view(team) for team in teams]
user_data = [user_view(user) for user in users]
return jsonify({
'results': team_data + user_data
})
user_files = UserRequestFiles(app.config['AWS_ACCESS_KEY'],
app.config['AWS_SECRET_KEY'],
app.config['REGISTRY_S3_BUCKET'])
@ -225,8 +265,10 @@ def get_organization_private_allowed(orgname):
abort(404)
user = current_user.db_user()
organization = model.lookup_organization(orgname, username = user.username)
if not organization:
try:
organization = model.get_organization(orgname, username = user.username)
except:
abort(404)
private_repos = model.get_private_repo_count(organization.username)
@ -405,6 +447,12 @@ def get_repo_api(namespace, repository):
'image': image_view(image),
}
organization = None
try:
organization = model.get_organization(namespace)
except:
pass
permission = ReadRepositoryPermission(namespace, repository)
is_public = model.repository_is_public(namespace, repository)
if permission.can() or is_public:
@ -426,6 +474,7 @@ def get_repo_api(namespace, repository):
'can_admin': can_admin,
'is_public': is_public,
'is_building': len(active_builds) > 0,
'is_organization': bool(organization)
})
abort(404) # Not fount
@ -501,11 +550,11 @@ def request_repo_build(namespace, repository):
abort(403) # Permissions denied
def user_role_view(repo_perm_obj, username):
# TODO: Determine whether the user is outside of the organization.
def role_view(repo_perm_obj, username=None):
# TODO: Determine whether the user (if given) is outside of the organization.
return {
'role': repo_perm_obj.role.name,
'outside_org': False
'outside_org': username != 'devtable'
}
@ -586,42 +635,73 @@ def list_tag_images(namespace, repository, tag):
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/', methods=['GET'])
@app.route('/api/repository/<path:repository>/permissions/team/', methods=['GET'])
@api_login_required
@parse_repository_name
def list_repo_permissions(namespace, repository):
def list_repo_team_permissions(namespace, repository):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
repo_perms = model.get_all_repo_users(namespace, repository)
repo_perms = model.get_all_repo_teams(namespace, repository)
return jsonify({
'permissions': {repo_perm.user.username: user_role_view(repo_perm, repo_perm.user.username)
'permissions': {repo_perm.team.name: role_view(repo_perm)
for repo_perm in repo_perms}
})
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/<username>',
@app.route('/api/repository/<path:repository>/permissions/user/', methods=['GET'])
@api_login_required
@parse_repository_name
def list_repo_user_permissions(namespace, repository):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
repo_perms = model.get_all_repo_users(namespace, repository)
return jsonify({
'permissions': {repo_perm.user.username: role_view(repo_perm, username=repo_perm.user.username)
for repo_perm in repo_perms}
})
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/user/<username>',
methods=['GET'])
@api_login_required
@parse_repository_name
def get_permissions(namespace, repository, username):
def get_user_permissions(namespace, repository, username):
logger.debug('Get repo: %s/%s permissions for user %s' %
(namespace, repository, username))
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
perm = model.get_user_reponame_permission(username, namespace, repository)
return jsonify(user_role_view(perm, username))
return jsonify(role_view(perm, username=username))
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/<username>',
@app.route('/api/repository/<path:repository>/permissions/team/<teamname>',
methods=['GET'])
@api_login_required
@parse_repository_name
def get_team_permissions(namespace, repository, teamname):
logger.debug('Get repo: %s/%s permissions for team %s' %
(namespace, repository, teamname))
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
perm = model.get_team_reponame_permission(username, namespace, repository)
return jsonify(role_view(perm))
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/user/<username>',
methods=['PUT', 'POST'])
@api_login_required
@parse_repository_name
def change_permissions(namespace, repository, username):
def change_user_permissions(namespace, repository, username):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
new_permission = request.get_json()
@ -636,7 +716,7 @@ def change_permissions(namespace, repository, username):
logger.warning('User tried to remove themselves as admin.')
abort(409)
resp = jsonify(user_role_view(perm, username))
resp = jsonify(role_view(perm, username=username))
if request.method == 'POST':
resp.status_code = 201
return resp
@ -644,11 +724,38 @@ def change_permissions(namespace, repository, username):
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/<username>',
@app.route('/api/repository/<path:repository>/permissions/team/<teamname>',
methods=['PUT', 'POST'])
@api_login_required
@parse_repository_name
def change_team_permissions(namespace, repository, teamname):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
new_permission = request.get_json()
logger.debug('Setting permission to: %s for team %s' %
(new_permission['role'], teamname))
try:
perm = model.set_team_repo_permission(teamname, namespace, repository,
new_permission['role'])
except model.DataModelException:
logger.warning('User tried to remove themselves as admin.')
abort(409)
resp = jsonify(role_view(perm))
if request.method == 'POST':
resp.status_code = 201
return resp
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/user/<username>',
methods=['DELETE'])
@api_login_required
@parse_repository_name
def delete_permissions(namespace, repository, username):
def delete_user_permissions(namespace, repository, username):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
try:
@ -662,6 +769,24 @@ def delete_permissions(namespace, repository, username):
abort(403) # Permission denied
@app.route('/api/repository/<path:repository>/permissions/team/<teamname>',
methods=['DELETE'])
@api_login_required
@parse_repository_name
def delete_team_permissions(namespace, repository, teamname):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
try:
model.delete_team_permission(teamname, namespace, repository)
except model.DataModelException:
logger.warning('User tried to remove themselves as admin.')
abort(409)
return make_response('Deleted', 204)
abort(403) # Permission denied
def token_view(token_obj):
return {
'friendlyName': token_obj.friendly_name,

View file

@ -574,14 +574,20 @@ form input.ng-valid.ng-dirty {
}
.user-mini-listing {
.entity-mini-listing {
margin: 2px;
}
.user-mini-listing i {
.entity-mini-listing i {
margin-right: 8px;
}
.entity-mini-listing .warning {
margin-top: 6px;
font-size: 10px;
padding: 4px;
}
.editable {
position: relative;
}
@ -898,6 +904,10 @@ p.editable:hover i {
padding-left: 44px;
}
.repo-admin .entity-search input {
width: 300px;
}
.repo-admin .token-dialog-body .well {
margin-bottom: 0px;
}
@ -916,10 +926,21 @@ p.editable:hover i {
}
.repo-admin .user i {
margin-right: 6px;
margin-left: 2px;
margin-right: 7px;
color: rgb(79, 195, 79);
}
.repo-admin .user {
.repo-admin .user.outside i {
color: rgb(224, 173, 41);
}
.repo-admin .team i {
margin-right: 4px;
color: rgb(79, 195, 79);
}
.repo-admin .entity {
font-size: 1.2em;
min-width: 300px;
}

View file

@ -0,0 +1 @@
<input class="entity-search-control form-control">

View file

@ -233,6 +233,82 @@ quayApp.directive('repoCircle', function () {
});
quayApp.directive('entitySearch', function () {
var number = 0;
var directiveDefinitionObject = {
priority: 0,
templateUrl: '/static/directives/entity-search.html',
replace: false,
transclude: false,
restrict: 'C',
scope: {
'organization': '=organization',
'inputTitle': '=inputTitle',
'entitySelected': '=entitySelected'
},
controller: function($scope, $element) {
if (!$scope.entitySelected) { return; }
number++;
var input = $element[0].firstChild;
$scope.organization = $scope.organization || '';
$(input).typeahead({
name: 'entities' + number,
remote: {
url: '/api/entities/%QUERY',
replace: function (url, uriEncodedQuery) {
url = url.replace('%QUERY', uriEncodedQuery);
if ($scope.organization) {
url += '?organization=' + encodeURIComponent($scope.organization);
}
return url;
},
filter: function(data) {
var datums = [];
for (var i = 0; i < data.results.length; ++i) {
var entity = data.results[i];
datums.push({
'value': entity.name,
'tokens': [entity.name],
'entity': entity
});
}
return datums;
}
},
template: function (datum) {
template = '<div class="entity-mini-listing">';
if (datum.entity.kind == 'user') {
template += '<i class="fa fa-user fa-lg"></i>';
} else if (datum.entity.kind == 'team') {
template += '<i class="fa fa-group fa-lg"></i>';
}
template += '<span class="name">' + datum.value + '</span>';
if (datum.entity.outside_org) {
template += '<div class="alert-warning warning">This user is outside your organization</div>';
}
template += '</div>';
return template;
},
});
$(input).on('typeahead:selected', function(e, datum) {
$(input).typeahead('setQuery', '');
$scope.entitySelected(datum.entity);
});
$scope.$watch('inputTitle', function(title) {
input.setAttribute('placeholder', title);
});
}
};
return directiveDefinitionObject;
});
quayApp.directive('namespaceSelector', function () {
var directiveDefinitionObject = {
priority: 0,

View file

@ -527,39 +527,7 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
var namespace = $routeParams.namespace;
var name = $routeParams.name;
$scope.$on('$viewContentLoaded', function() {
// THIS IS BAD, MOVE THIS TO A DIRECTIVE
$('#userSearch').typeahead({
name: 'users',
remote: {
url: '/api/users/%QUERY',
filter: function(data) {
var datums = [];
for (var i = 0; i < data.users.length; ++i) {
var user = data.users[i];
datums.push({
'value': user,
'tokens': [user],
'username': user
});
}
return datums;
}
},
template: function (datum) {
template = '<div class="user-mini-listing">';
template += '<i class="fa fa-user fa-lg"></i>'
template += '<span class="name">' + datum.username + '</span>'
template += '</div>'
return template;
},
});
$('#userSearch').on('typeahead:selected', function(e, datum) {
$('#userSearch').typeahead('setQuery', '');
$scope.addNewPermission(datum.username);
});
});
$scope.permissions = {'team': [], 'user': []};
$scope.isDownloadSupported = function() {
try { return !!new Blob(); } catch(e){}
@ -580,21 +548,34 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
saveAs(blob, '.dockercfg');
};
$scope.addNewPermission = function(username) {
$scope.grantRole = function() {
$('#confirmaddoutsideModal').modal('hide');
var entity = $scope.currentAddEntity;
$scope.addRole(entity.name, 'read', entity.kind, entity.outside_org)
$scope.currentAddEntity = null;
};
$scope.addNewPermission = function(entity) {
// Don't allow duplicates.
if ($scope.permissions[username]) { return; }
if ($scope.permissions[entity.kind][entity.name]) { return; }
if (entity.outside_org) {
$scope.currentAddEntity = entity;
$('#confirmaddoutsideModal').modal('show');
return;
}
// Need the $scope.apply for both the permission stuff to change and for
// the XHR call to be made.
$scope.$apply(function() {
$scope.addRole(username, 'read')
$scope.addRole(entity.name, 'read', entity.kind, entity.outside_org)
});
};
$scope.deleteRole = function(username) {
var permissionDelete = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + username);
$scope.deleteRole = function(entityName, kind) {
var permissionDelete = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + kind + '/' + entityName);
permissionDelete.customDELETE().then(function() {
delete $scope.permissions[username];
delete $scope.permissions[kind][entityName];
}, function(result) {
if (result.status == 409) {
$('#onlyadminModal').modal({});
@ -604,26 +585,26 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
});
};
$scope.addRole = function(username, role) {
$scope.addRole = function(entityName, role, kind, outside_org) {
var permission = {
'role': role
'role': role,
'outside_org': !!outside_org
};
var permissionPost = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + username);
var permissionPost = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + kind + '/' + entityName);
permissionPost.customPOST(permission).then(function() {
$scope.permissions[username] = permission;
$scope.permissions = $scope.permissions;
$scope.permissions[kind][entityName] = permission;
}, function(result) {
$('#cannotchangeModal').modal({});
});
};
$scope.setRole = function(username, role) {
var permission = $scope.permissions[username];
$scope.setRole = function(entityName, role, kind) {
var permission = $scope.permissions[kind][entityName];
var currentRole = permission.role;
permission.role = role;
var permissionPut = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + username);
var permissionPut = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + kind + '/' + entityName);
permissionPut.customPUT(permission).then(function() {}, function(result) {
if (result.status == 409) {
permission.role = currentRole;
@ -709,6 +690,23 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
$scope.loading = true;
var checkLoading = function() {
$scope.loading = !($scope.permissions['user'] && $scope.permissions['team'] && $scope.repo && $scope.tokens);
};
var fetchPermissions = function(kind) {
var permissionsFetch = Restangular.one('repository/' + namespace + '/' + name + '/permissions/' + kind + '/');
permissionsFetch.get().then(function(resp) {
$rootScope.title = 'Settings - ' + namespace + '/' + name;
$scope.permissions[kind] = resp.permissions;
checkLoading();
}, function() {
$scope.permissions[kind] = null;
$rootScope.title = 'Unknown Repository';
$scope.loading = false;
});
};
// Fetch the repository information.
var repositoryFetch = Restangular.one('repository/' + namespace + '/' + name);
repositoryFetch.get().then(function(repo) {
@ -720,23 +718,15 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
$scope.loading = false;
});
// Fetch the permissions.
var permissionsFetch = Restangular.one('repository/' + namespace + '/' + name + '/permissions');
permissionsFetch.get().then(function(resp) {
$rootScope.title = 'Settings - ' + namespace + '/' + name;
$scope.permissions = resp.permissions;
$scope.loading = !($scope.permissions && $scope.repo && $scope.tokens);
}, function() {
$scope.permissions = null;
$rootScope.title = 'Unknown Repository';
$scope.loading = false;
});
// Fetch the user and team permissions.
fetchPermissions('user');
fetchPermissions('team');
// Fetch the tokens.
var tokensFetch = Restangular.one('repository/' + namespace + '/' + name + '/tokens/');
tokensFetch.get().then(function(resp) {
$scope.tokens = resp.tokens;
$scope.loading = !($scope.permissions && $scope.repo && $scope.tokens);
checkLoading();
}, function() {
$scope.tokens = null;
$scope.loading = false;

View file

@ -20,36 +20,58 @@
<!-- User Access Permissions -->
<div class="panel panel-default">
<div class="panel-heading">User Access Permissions
<div class="panel-heading">User <span ng-show="repo.is_organization">and Team</span> Access Permissions
<i class="info-icon fa fa-info-circle" data-placement="left" data-content="Allow any number of users to read, write or administer this repository"></i>
<i class="info-icon fa fa-info-circle" data-placement="left" data-content="Allow any number of users or teams to read, write or administer this repository"></i>
</div>
<div class="panel-body">
<table class="permissions">
<thead>
<tr>
<td>User</td>
<td>User<span ng-show="repo.is_organization">/Team</span></td>
<td>Permissions</td>
<td></td>
</tr>
</thead>
<tr ng-repeat="(username, permission) in permissions">
<td class="user">
<i class="fa fa-user"></i>
<span>{{username}}</span>
<!-- Team Permissions -->
<tr ng-repeat="(name, permission) in permissions['team']">
<td class="team entity">
<i class="fa fa-group"></i>
<span>{{name}}</span>
</td>
<td class="user-permissions">
<div class="btn-group btn-group-sm">
<button type="button" class="btn btn-default" ng-click="setRole(username, 'read')" ng-class="{read: 'active', write: '', admin: ''}[permission.role]">Read only</button>
<button type="button" class="btn btn-default" ng-click="setRole(username, 'write')" ng-class="{read: '', write: 'active', admin: ''}[permission.role]">Write</button>
<button type="button" class="btn btn-default" ng-click="setRole(username, 'admin')" ng-class="{read: '', write: '', admin: 'active'}[permission.role]">Admin</button>
<button type="button" class="btn btn-default" ng-click="setRole(name, 'read', 'team')" ng-class="{read: 'active', write: '', admin: ''}[permission.role]">Read only</button>
<button type="button" class="btn btn-default" ng-click="setRole(name, 'write', 'team')" ng-class="{read: '', write: 'active', admin: ''}[permission.role]">Write</button>
<button type="button" class="btn btn-default" ng-click="setRole(name, 'admin', 'team')" ng-class="{read: '', write: '', admin: 'active'}[permission.role]">Admin</button>
</div>
</td>
<td>
<span class="delete-ui" tabindex="0" title="Delete Permission">
<span class="delete-ui-button" ng-click="deleteRole(username)"><button class="btn btn-danger">Delete</button></span>
<span class="delete-ui-button" ng-click="deleteRole(name, 'team')"><button class="btn btn-danger">Delete</button></span>
<i class="fa fa-remove"></i>
</span>
</td>
</tr>
<!-- User Permissions -->
<tr ng-repeat="(name, permission) in permissions['user']">
<td class="{{ 'user entity ' + (permission.outside_org ? 'outside' : '') }}">
<i class="fa fa-user"></i>
<span>{{name}}</span>
</td>
<td class="user-permissions">
<div class="btn-group btn-group-sm">
<button type="button" class="btn btn-default" ng-click="setRole(name, 'read', 'user')" ng-class="{read: 'active', write: '', admin: ''}[permission.role]">Read only</button>
<button type="button" class="btn btn-default" ng-click="setRole(name, 'write', 'user')" ng-class="{read: '', write: 'active', admin: ''}[permission.role]">Write</button>
<button type="button" class="btn btn-default" ng-click="setRole(name, 'admin', 'user')" ng-class="{read: '', write: '', admin: 'active'}[permission.role]">Admin</button>
</div>
</td>
<td>
<span class="delete-ui" tabindex="0" title="Delete Permission">
<span class="delete-ui-button" ng-click="deleteRole(name, 'user')"><button class="btn btn-danger">Delete</button></span>
<i class="fa fa-remove"></i>
</span>
</td>
@ -57,7 +79,7 @@
<tr>
<td colspan="2">
<input id="userSearch" class="form-control" placeholder="Add new user...">
<span class="entity-search" organization="repo.namespace" input-title="'Add a ' + (repo.is_organization ? 'team or ' : '') + 'user...'" entity-selected="addNewPermission"></span>
</td>
</tr>
</table>
@ -283,4 +305,24 @@
</div><!-- /.modal-dialog -->
</div><!-- /.modal -->
<!-- Modal message dialog -->
<div class="modal fade" id="confirmaddoutsideModal">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title">Add User?</h4>
</div>
<div class="modal-body">
The selected user is outside of your organization. Are you sure you want to grant the user access to this repository?
</div>
<div class="modal-footer">
<button type="button" class="btn btn-primary" ng-click="grantRole()">Yes, I'm sure</button>
<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
</div>
</div><!-- /.modal-content -->
</div><!-- /.modal-dialog -->
</div><!-- /.modal -->
</div>