[api] more porting of find calls

openSUSE · Apr 10, 2012 · 4f83bab · 4f83bab
1 parent 751bfb2
commit 4f83bab
Show file tree

Hide file tree

Showing 13 changed files with 88 additions and 96 deletions.
diff --git a/src/api/app/controllers/active_rbac/group_controller.rb b/src/api/app/controllers/active_rbac/group_controller.rb
@@ -30,8 +30,8 @@ def show
   # Display a form to create a new group on GET. Handle the form submission
   # from this form on POST and display errors if there were any.
   def create
-    # disllow the group create if LDAP_GROUP_SUPPORT and DISALLOW_GROUP_CREATION_WITH_API is :on
-    if defined?( LDAP_GROUP_SUPPORT ) && LDAP_GROUP_SUPPORT == :on
+    # disllow the group create if CONFIG['ldap_group_support'] and DISALLOW_GROUP_CREATION_WITH_API is :on
+    if defined?( CONFIG['ldap_group_support'] ) && CONFIG['ldap_group_support'] == :on
       if defined?( DISALLOW_GROUP_CREATION_WITH_API ) && DISALLOW_GROUP_CREATION_WITH_API == :on
         flash[:error] = 'LDAP mode enabled, groups can only be created via LDAP.'
         redirect_to :action => 'list'

diff --git a/src/api/app/controllers/attribute_controller.rb b/src/api/app/controllers/attribute_controller.rb
@@ -121,7 +121,7 @@ def attribute_definition
     end
 
     if request.get?
-      at = ans.attrib_types.find( :first, :conditions=>{:name=>name} )
+      at = ans.attrib_types.where(:name => name).first
       if at
         render :text => at.render_axml, :content_type => 'text/xml'
       else

diff --git a/src/api/app/models/db_package.rb b/src/api/app/models/db_package.rb
@@ -545,7 +545,7 @@ def store_axml( package )
           unless group
             # check with LDAP
             if defined?( CONFIG['ldap_mode'] ) && CONFIG['ldap_mode'] == :on
-              if defined?( LDAP_GROUP_SUPPORT ) && LDAP_GROUP_SUPPORT == :on
+              if defined?( CONFIG['ldap_group_support'] ) && CONFIG['ldap_group_support'] == :on
                 if User.find_group_with_ldap(ge.groupid)
                   logger.debug "Find and Create group '#{ge.groupid}' from LDAP"
                   newgroup = Group.create( :title => ge.groupid )

diff --git a/src/api/app/models/db_project.rb b/src/api/app/models/db_project.rb
@@ -140,7 +140,7 @@ def check_access?(dbp=self)
             # LDAP
 # FIXME: please do not do special things here for ldap. please cover this in a generic group modell.
             if defined?( CONFIG['ldap_mode'] ) && CONFIG['ldap_mode'] == :on
-              if defined?( LDAP_GROUP_SUPPORT ) && LDAP_GROUP_SUPPORT == :on
+              if defined?( CONFIG['ldap_group_support'] ) && CONFIG['ldap_group_support'] == :on
                 if us.user_in_group_ldap?(User.currentID, group.bs_group_id)
                   ret = ret + 1
                 end
@@ -490,7 +490,7 @@ def store_axml( project, force=nil )
           if !(group=Group.find_by_title(ge.groupid))
             # check with LDAP
             if defined?( CONFIG['ldap_mode'] ) && CONFIG['ldap_mode'] == :on
-              if defined?( LDAP_GROUP_SUPPORT ) && LDAP_GROUP_SUPPORT == :on
+              if defined?( CONFIG['ldap_group_support'] ) && CONFIG['ldap_group_support'] == :on
                 if User.find_group_with_ldap(ge.groupid)
                   logger.debug "Find and Create group '#{ge.groupid}' from LDAP"
                   newgroup = Group.create( :title => ge.groupid )

diff --git a/src/api/app/models/role.rb b/src/api/app/models/role.rb
@@ -20,6 +20,7 @@ class Role < ActiveRecord::Base
   belongs_to :roles_static_permissions
   belongs_to :roles_users
 
+  scope :global, where(:global => true)
 
   class << self
     def rolecache

diff --git a/src/api/app/models/user.rb b/src/api/app/models/user.rb
@@ -95,7 +95,7 @@ def render_axml( watchlist = false )
       end
       person.realname( realname )
 
-      self.roles.find(:all, :conditions => [ "global = true" ]).each do |role|
+      self.roles.global.each do |role|
         person.globalrole( role.title )
       end
 
@@ -270,7 +270,7 @@ def can_create_attribute_definition?(object)
 
     return true  if is_admin?
 
-    abies = object.attrib_namespace_modifiable_bies.find(:all, :include => [:user, :group])
+    abies = object.attrib_namespace_modifiable_bies.includes([:user, :group])
     abies.each do |mod_rule|
       next if mod_rule.user and mod_rule.user != self
       next if mod_rule.group and not is_in_group? mod_rule.group
@@ -358,13 +358,6 @@ def can_access_downloadsrcany?(parm)
     return false
   end
 
-  # add deprecation warning to has_permission method
-  alias_method :has_global_permission?, :has_permission?
-  def has_permission?(*args)
-    logger.warn "DEPRECATION: User#has_permission? is deprecated, use User#has_global_permission?"
-    has_global_permission?(*args)
-  end
-
   def groups_ldap ()
     logger.debug "List the groups #{self.login} is in"
     ldapgroups = Array.new
@@ -397,33 +390,12 @@ def user_in_group_ldap?(user, group)
     return false
   end
 
-  def local_permission_check_with_ldap ( perm_string, object)
-    logger.debug "Checking permission with ldap: object '#{object.name}', perm '#{perm_string}'" 
-    rel = StaticPermission.where("title = ?", perm_string).first
-    if rel
-      static_permission_id = rel.id
-      logger.debug "Get perm_id '#{static_permission_id}'" 
-    else
-      logger.debug "Failed to search the static_permission_id"
-      return false
-    end
-
-    case object
-      when DbPackage
-        rels = PackageGroupRoleRelationship.find :all, :joins => "LEFT OUTER JOIN roles_static_permissions rolperm ON rolperm.role_id = package_group_role_relationships.role_id", 
-                                                  :conditions => ["rolperm.static_permission_id = ? and db_package_id = ?", static_permission_id, object],
-                                                  :include => :group            
-      when DbProject
-        rels = ProjectGroupRoleRelationship.find :all, :joins => "LEFT OUTER JOIN roles_static_permissions rolperm ON rolperm.role_id = project_group_role_relationships.role_id", 
-                                                  :conditions => ["rolperm.static_permission_id = ? and db_project_id = ?", static_permission_id, object],
-                                                  :include => :group
-    end    
-
-    rels.each do |r|
+  def local_permission_check_with_ldap ( group_relationships )
+    group_relationships.each do |r|
       return false if r.group.nil?
       #check whether current user is in this group
-      return true if user_in_group_ldap?(self.login, r.group.title) 
-    end  
+      return true if user_in_group_ldap?(self.login, r.group) 
+    end
     logger.debug "Failed with local_permission_check_with_ldap"
     return false
   end
@@ -433,16 +405,14 @@ def local_role_check_with_ldap (role, object)
     logger.debug "Checking role with ldap: object #{object.name}, role #{role.title}"
     case object
       when DbPackage
-        rels = PackageGroupRoleRelationship.find :all, :conditions => ["db_package_id = ? and role_id = ?", object, role], 
-                                                     :include => [:group]                                              
+        rels = object.package_group_role_relationships.where(:role_id => role.id).includes(:group)
       when DbProject
-        rels = ProjectGroupRoleRelationship.find :all, :conditions => ["db_project_id = ? and role_id = ?", object, role],
-                                                     :include => [:group]
+        rels = object.project_group_role_relationships.where(:role_id => role.id).includes(:group)
     end
     for rel in rels
       return false if rel.group.nil?
       #check whether current user is in this group
-      return true if user_in_group_ldap?(self.login, rel.group.title) 
+      return true if user_in_group_ldap?(self.login, rel.group) 
     end
     logger.debug "Failed with local_role_check_with_ldap"
     return false
@@ -454,8 +424,7 @@ def has_local_role?( role, object )
         logger.debug "running local role package check: user #{self.login}, package #{object.name}, role '#{role.title}'"
         rels = object.package_user_role_relationships.where(:role_id => role.id, :bs_user_id => self.id).first
         return true if rels
-        rels = PackageGroupRoleRelationship.find :first, :joins => "LEFT OUTER JOIN groups_users ug ON ug.group_id = bs_group_id", 
-                                                  :conditions => ["ug.user_id = ? and db_package_id = ? and role_id = ?", self, object, role]
+	rels = object.package_group_role_relationships.joins(:groups_users).where(:groups_users => {:user_id => self.id}).where(:role_id => role.id).first
         return true if rels
 
         # check with LDAP
@@ -468,8 +437,7 @@ def has_local_role?( role, object )
         logger.debug "running local role project check: user #{self.login}, project #{object.name}, role '#{role.title}'"
         rels = object.project_user_role_relationships.where(:role_id => role.id, :bs_user_id => self.id).first
         return true if rels
-        rels = ProjectGroupRoleRelationship.find :first, :joins => "LEFT OUTER JOIN groups_users ug ON ug.group_id = bs_group_id", 
-                                                  :conditions => ["ug.user_id = ? and db_project_id = ? and role_id = ?", self, object, role], :select => "ug.user_id"
+        rels = object.project_group_role_relationships.joins(:groups_users).where(:groups_users => {:user_id => self.id}).where(:role_id => role.id).first
         return true if rels
 
         # check with LDAP
@@ -489,46 +457,44 @@ def has_local_role?( role, object )
   def has_local_permission?( perm_string, object )
     roles = Role.ids_with_permission(perm_string)
     return false unless roles
+    users = nil
+    groups = nil
+    parent = nil
     case object
     when DbPackage
       logger.debug "running local permission check: user #{self.login}, package #{object.name}, permission '#{perm_string}'"
       #check permission for given package
-      rel = object.package_user_role_relationships.where(:bs_user_id => self.id).joins(:role).where("roles.id in (?)", roles).first
-      return true if rel
-      rel = object.package_group_role_relationships.joins(:groups_users).where(:groups_users => {:user_id => self.id}).joins(:role).where("roles.id in (?)", roles).first
-      return true if rel
-
-      # check with LDAP
-      if User.ldapgroup_enabled?
-        return true if local_permission_check_with_ldap(perm_string, object)
-      end
-
-      #check permission of parent project
-      logger.debug "permission not found, trying parent project '#{object.db_project.name}'"
-      return has_local_permission?(perm_string, object.db_project)
+      users = object.package_user_role_relationships
+      groups = object.package_group_role_relationships
+      parent = object.db_project
     when DbProject
       logger.debug "running local permission check: user #{self.login}, project #{object.name}, permission '#{perm_string}'"
       #check permission for given project
-      rel = object.project_user_role_relationships.where(:bs_user_id => self.id).joins(:role).where("roles.id in (?)", roles).first
-      return true if rel
-      rel = object.project_group_role_relationships.joins(:groups_users).where(:groups_users => {:user_id => self.id}).joins(:role).where("roles.id in (?)", roles).first
-      return true if rel
-
-      # check with LDAP
-      if User.ldapgroup_enabled?
-        return true if local_permission_check_with_ldap(perm_string, object)
-      end
-
-      if (parent = object.find_parent)
-        logger.debug "permission not found, trying parent project '#{parent.name}'"
-        #recursively step down through parent projects
-        return has_local_permission?(perm_string, parent)
-      end
-      return false
+      users = object.project_user_role_relationships
+      groups = object.project_group_role_relationships
+      parent = object.find_parent
     when nil
       return has_global_permission?(perm_string)
     else
+      return false
+    end
+    rel = users.where(:bs_user_id => self.id).where("role_id in (?)", roles).first
+    return true if rel
+    rel = groups.joins(:groups_users).where(:groups_users => {:user_id => self.id}).where("role_id in (?)", roles).first
+    return true if rel
+
+    # check with LDAP
+    if User.ldapgroup_enabled?
+      return true if local_permission_check_with_ldap(groups.where("role_id in (?)", roles))
     end
+
+    if parent 
+      #check permission of parent project
+      logger.debug "permission not found, trying parent project '#{object.db_project.name}'"
+      return has_local_permission?(perm_string, parent)
+    end
+
+    return false
   end
 
   def involved_projects_ids

diff --git a/src/api/config/environments/production.rb b/src/api/config/environments/production.rb
@@ -91,7 +91,7 @@
 # Whether to search group info from ldap, it does not take effect
 # when LDAP_GROUP_SUPPOR is not set.
 # Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
-LDAP_GROUP_SUPPORT = :off
+CONFIG['ldap_group_support'] = :off
 # OVERRIDE with your company's ldap search base for groups
 LDAP_GROUP_SEARCH_BASE = "ou=OBSGROUPS,dc=EXAMPLE,dc=COM"
 # The attribute the group name is stored in
@@ -105,7 +105,7 @@
 # The attribute the user memberof is stored in
 # LDAP_USER_MEMBEROF_ATTR = "memberof"
 
-# Do not allow creating group via API to avoid the conflicts when LDAP_GROUP_SUPPORT is :on
+# Do not allow creating group via API to avoid the conflicts when CONFIG['ldap_group_support'] is :on
 # If you do want to import the group data from LDAP to OBS DB manuallly, please set if to :off
 DISALLOW_GROUP_CREATION_WITH_API = :on
 

diff --git a/src/api/lib/active_rbac_mixins/user_mixins.rb b/src/api/lib/active_rbac_mixins/user_mixins.rb
@@ -464,12 +464,7 @@ def self.delete_entry_ldap(login)
 
           # Check if ldap group support is enabled?
           def self.ldapgroup_enabled?
-            if defined?( CONFIG['ldap_mode'] ) && CONFIG['ldap_mode'] == :on
-              if defined?( LDAP_GROUP_SUPPORT ) && LDAP_GROUP_SUPPORT == :on
-                return true
-              end
-            end
-            return false
+            return CONFIG['ldap_mode'] == :on && CONFIG['ldap_group_support'] == :on
           end
 
           # This static method tries to find a group with the given gorup_title to check whether the group is in the LDAP server.

diff --git a/src/api/test/fixtures/attrib_namespace_modifiable_bies.yml b/src/api/test/fixtures/attrib_namespace_modifiable_bies.yml
@@ -1,9 +1,9 @@
-attrib_namespace_modifiable_bies_624394835:
+king_can_change_obs:
   id: 624394835
   attrib_namespace_id: 9
   bs_user_id: 2
   bs_group_id: 
-attrib_namespace_modifiable_bies_624394844:
+Admin_can_change_obs:
   id: 624394844
   attrib_namespace_id: 9
   bs_user_id: 280

diff --git a/src/api/test/fixtures/attrib_namespaces.yml b/src/api/test/fixtures/attrib_namespaces.yml
@@ -1,6 +1,6 @@
-attrib_namespaces_8:
+nstest:
   id: 8
   name: NSTEST
-attrib_namespaces_9:
+obs:
   id: 9
   name: OBS
diff --git a/src/api/test/fixtures/db_projects.yml b/src/api/test/fixtures/db_projects.yml
@@ -155,7 +155,7 @@ db_projects_226:
   maintenance_project_id: 
   type_id: 
   develproject_id: 
-db_projects_3000:
+HiddenProject:
   id: 3000
   name: HiddenProject
   title: This project is not visible and not accessable except for adrian

diff --git a/src/api/test/fixtures/project_group_role_relationships.yml b/src/api/test/fixtures/project_group_role_relationships.yml
@@ -1,9 +1,9 @@
-project_group_role_relationships_570062654:
+test_group_maintainer_HiddenProject:
   id: 570062654
   db_project_id: 3000
   bs_group_id: 99
   role_id: 3
-project_group_role_relationships_572565733:
+test_group_maintainer_kde4:
   id: 572565733
   db_project_id: 2
   bs_group_id: 99

diff --git a/src/api/test/unit/user_test.rb b/src/api/test/unit/user_test.rb
@@ -26,6 +26,12 @@ def test_access
     assert !@user.has_local_role?(b, @project )
     assert !@user.has_local_role?(m, db_projects( :kde4 ))
 
+    user = users(:adrian)
+    assert !user.has_local_role?(m, @project )
+    assert !user.has_local_role?(m, db_packages( :TestPack ) )
+    assert user.has_local_role?(m, db_projects( :kde4 ))
+    assert user.has_local_role?(m, db_packages( :kdelibs ))
+
     tom = users( :tom )
     assert !tom.has_local_permission?('change_project', db_projects( :kde4 ))
     assert !tom.has_local_permission?('change_package', db_packages( :kdelibs ))
@@ -34,10 +40,34 @@ def test_access
   def test_group
     assert !@user.is_in_group?("notexistant")
     assert !@user.is_in_group?("test_group")
-    assert users( :adrian).is_in_group?("test_group")
-    assert !users( :adrian).is_in_group?("test_group_b")
-    assert !users( :adrian).is_in_group?("notexistant")
+    assert users(:adrian).is_in_group?("test_group")
+    assert !users(:adrian).is_in_group?("test_group_b")
+    assert !users(:adrian).is_in_group?("notexistant")
   end
 
+  def test_attribute
+    obs = attrib_namespaces( :obs )
+    assert !@user.can_modify_attribute_definition?(obs)
+
+    assert users( :king ).can_modify_attribute_definition?(obs)
+  end
+
+  def test_render_axml
+    axml = users( :king ).render_axml
+    assert_xml_tag axml, :tag => :globalrole, :content => "Admin"
+    axml = users( :tom ).render_axml
+    assert_no_xml_tag axml, :tag => :globalrole, :content => "Admin"
+  end
+
+  def test_ldap
+    assert !@user.local_role_check_with_ldap( roles(:maintainer), @project)
+    ldm, lgs, CONFIG['ldap_mode'], CONFIG['ldap_group_support'] = CONFIG['ldap_mode'], CONFIG['ldap_group_support'], :on, :on
+
+    user = users( :tom )
+    assert !user.has_local_permission?('change_project', db_projects( :kde4) )
+    assert !user.has_local_permission?('change_package', db_packages( :kdelibs ))
+
+    CONFIG['ldap_mode'], CONFIG['ldap_group_support'] = ldm, lgs
+  end
 end