From 87e55870b768f00e7fe4947b3ffd0878f8720313 Mon Sep 17 00:00:00 2001
From: Brad Ison <bison@coreos.com>
Date: Tue, 13 Feb 2018 12:34:56 -0500
Subject: [PATCH] Add script for fixing missing admin permissions

Adds a util script to find and fix repositories in user namespaces
that are missing admin permissions for the owning user.  These admin
permissions are required, but were missing in some cases.  See:

  https://github.com/coreos-inc/quay/pull/2998
---
 util/fixuseradmin.py | 70 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 util/fixuseradmin.py

diff --git a/util/fixuseradmin.py b/util/fixuseradmin.py
new file mode 100644
index 000000000..2421f80df
--- /dev/null
+++ b/util/fixuseradmin.py
@@ -0,0 +1,70 @@
+import argparse
+import sys
+
+from app import app
+from data.database import Namespace, Repository, RepositoryPermission, Role
+from data.model.permission import get_user_repo_permissions
+from data.model.user import get_active_users, get_nonrobot_user
+
+DESCRIPTION = '''
+Fix user repositories missing admin permissions for owning user.
+'''
+
+parser = argparse.ArgumentParser(description=DESCRIPTION)
+parser.add_argument('users', nargs='*', help='Users to check')
+parser.add_argument('-a', '--all', action='store_true', help='Check all users')
+parser.add_argument('-n', '--dry-run', action='store_true', help="Don't act")
+
+ADMIN = Role.get(name='admin')
+
+
+def repos_for_namespace(namespace):
+    return (Repository
+            .select(Repository.id, Repository.name, Namespace.username)
+            .join(Namespace)
+            .where(Namespace.username == namespace))
+
+
+def has_admin(user, repo):
+    perms = get_user_repo_permissions(user, repo)
+    return any(p.role == ADMIN for p in perms)
+
+
+def get_users(all_users=False, users_list=None):
+    if all_users:
+        return get_active_users(disabled=False)
+
+    return map(get_nonrobot_user, users_list)
+
+
+def ensure_admin(user, repos, dry_run=False):
+    repos = [repo for repo in repos if not has_admin(user, repo)]
+
+    for repo in repos:
+        print('User {} missing admin on: {}'.format(user.username, repo.name))
+
+        if not dry_run:
+            RepositoryPermission.create(user=user, repository=repo, role=ADMIN)
+            print('Granted {} admin on: {}'.format(user.username, repo.name))
+
+    return len(repos)
+
+
+def main():
+    args = parser.parse_args()
+    found = 0
+
+    if not args.all and len(args.users) == 0:
+        sys.exit('Need a list of users or --all')
+
+    for user in get_users(all_users=args.all, users_list=args.users):
+        if user is not None:
+            repos = repos_for_namespace(user.username)
+            found += ensure_admin(user, repos, dry_run=args.dry_run)
+
+    print('\nFound {} user repos missing admin'
+          ' permissions for owner.'.format(found))
+
+
+if __name__ == '__main__':
+    main()