| # Copyright 2016 The Chromium Authors. All rights reserved. |
| # Use of this source code is govered by a BSD-style |
| # license that can be found in the LICENSE file or at |
| # https://developers.google.com/open-source/licenses/bsd |
| |
| """JSON feed for issue autocomplete options.""" |
| |
| import logging |
| from third_party import ezt |
| |
| from framework import framework_helpers |
| from framework import framework_views |
| from framework import jsonfeed |
| from framework import monorailrequest |
| from framework import permissions |
| from project import project_helpers |
| from tracker import tracker_helpers |
| from tracker import tracker_views |
| |
| |
| # Here are some restriction labels to help people do the most common things |
| # that they might want to do with restrictions. |
| _FREQUENT_ISSUE_RESTRICTIONS = [ |
| (permissions.VIEW, permissions.EDIT_ISSUE, |
| 'Only users who can edit the issue may access it'), |
| (permissions.ADD_ISSUE_COMMENT, permissions.EDIT_ISSUE, |
| 'Only users who can edit the issue may add comments'), |
| ] |
| |
| |
| # These issue restrictions should be offered as examples whenever the project |
| # does not have any custom permissions in use already. |
| _EXAMPLE_ISSUE_RESTRICTIONS = [ |
| (permissions.VIEW, 'CoreTeam', |
| 'Custom permission CoreTeam is needed to access'), |
| ] |
| |
| |
| class IssueOptionsJSON(jsonfeed.JsonFeed): |
| """JSON data describing all issue statuses, labels, and members.""" |
| |
| def HandleRequest(self, mr): |
| """Provide the UI with info used in auto-completion. |
| |
| Args: |
| mr: common information parsed from the HTTP request. |
| |
| Returns: |
| Results dictionary in JSON format |
| """ |
| # Issue options data can be cached separately in each user's browser. When |
| # the project changes, a new cached_content_timestamp is set and it will |
| # cause new requests to use a new URL. |
| self.SetCacheHeaders(self.response) |
| |
| member_data = project_helpers.BuildProjectMembers( |
| mr.cnxn, mr.project, self.services.user) |
| owner_views = member_data['owners'] |
| committer_views = member_data['committers'] |
| contributor_views = member_data['contributors'] |
| |
| config = self.services.config.GetProjectConfig(mr.cnxn, mr.project_id) |
| |
| open_statuses = [] |
| closed_statuses = [] |
| for wks in config.well_known_statuses: |
| if not wks.deprecated: |
| item = dict(name=wks.status, doc=wks.status_docstring) |
| if wks.means_open: |
| open_statuses.append(item) |
| else: |
| closed_statuses.append(item) |
| |
| # TODO(jrobbins): restrictions on component definitions? |
| components = [{'name': cd.path, 'doc': cd.docstring} |
| for cd in config.component_defs if not cd.deprecated] |
| |
| labels = [] |
| field_names = [ |
| fd.field_name for fd in config.field_defs if not fd.is_deleted] |
| non_masked_labels = tracker_helpers.LabelsNotMaskedByFields( |
| config, field_names) |
| for wkl in non_masked_labels: |
| if not wkl.commented: |
| item = dict(name=wkl.name, doc=wkl.docstring) |
| labels.append(item) |
| |
| # TODO(jrobbins): omit fields that they don't have permission to view. |
| field_def_views = [ |
| tracker_views.FieldDefView(fd, config) |
| for fd in config.field_defs |
| if not fd.is_deleted] |
| fields = [ |
| dict(field_name=fdv.field_name, field_type=fdv.field_type, |
| field_id=fdv.field_id, needs_perm=fdv.needs_perm, |
| is_required=fdv.is_required, is_multivalued=fdv.is_multivalued, |
| choices=[dict(name=c.name, doc=c.docstring) for c in fdv.choices], |
| docstring=fdv.docstring) |
| for fdv in field_def_views] |
| |
| frequent_restrictions = _FREQUENT_ISSUE_RESTRICTIONS[:] |
| custom_permissions = permissions.GetCustomPermissions(mr.project) |
| if not custom_permissions: |
| frequent_restrictions.extend( |
| _EXAMPLE_ISSUE_RESTRICTIONS) |
| |
| labels.extend(_BuildRestrictionChoices( |
| mr.project, frequent_restrictions, |
| permissions.STANDARD_ISSUE_PERMISSIONS)) |
| |
| group_ids = self.services.usergroup.DetermineWhichUserIDsAreGroups( |
| mr.cnxn, [mem.user_id for mem in member_data['all_members']]) |
| logging.info('group_ids is %r', group_ids) |
| |
| # TODO(jrobbins): Normally, users will be allowed view the members |
| # of any user group if the project From: email address is listed |
| # as a group member, as well as any group that they are personally |
| # members of. |
| member_ids, owner_ids = self.services.usergroup.LookupVisibleMembers( |
| mr.cnxn, group_ids, mr.perms, mr.auth.effective_ids, self.services) |
| indirect_ids = set() |
| for gid in group_ids: |
| indirect_ids.update(member_ids.get(gid, [])) |
| indirect_ids.update(owner_ids.get(gid, [])) |
| indirect_user_ids = list(indirect_ids) |
| indirect_member_views = framework_views.MakeAllUserViews( |
| mr.cnxn, self.services.user, indirect_user_ids).values() |
| |
| visible_member_views = _FilterMemberData( |
| mr, owner_views, committer_views, contributor_views, |
| indirect_member_views) |
| # Filter out servbice accounts |
| visible_member_views = [m for m in visible_member_views |
| if not framework_helpers.IsServiceAccount(m.email)] |
| visible_member_email_list = list({ |
| uv.email for uv in visible_member_views}) |
| user_indexes = {email: idx |
| for idx, email in enumerate(visible_member_email_list)} |
| visible_members_dict = {} |
| for uv in visible_member_views: |
| visible_members_dict[uv.email] = uv.user_id |
| group_ids = self.services.usergroup.DetermineWhichUserIDsAreGroups( |
| mr.cnxn, visible_members_dict.values()) |
| |
| for field_dict in fields: |
| needed_perm = field_dict['needs_perm'] |
| if needed_perm: |
| qualified_user_indexes = [] |
| for uv in visible_member_views: |
| # TODO(jrobbins): Similar code occurs in field_helpers.py. |
| user = self.services.user.GetUser(mr.cnxn, uv.user_id) |
| auth = monorailrequest.AuthData.FromUserID( |
| mr.cnxn, uv.user_id, self.services) |
| user_perms = permissions.GetPermissions( |
| user, auth.effective_ids, mr.project) |
| has_perm = user_perms.CanUsePerm( |
| needed_perm, auth.effective_ids, mr.project, []) |
| if has_perm: |
| qualified_user_indexes.append(user_indexes[uv.email]) |
| |
| field_dict['user_indexes'] = sorted(set(qualified_user_indexes)) |
| |
| excl_prefixes = [prefix.lower() for prefix in |
| config.exclusive_label_prefixes] |
| members_def_list = [dict(name=email, doc='') |
| for email in visible_member_email_list] |
| members_def_list = sorted( |
| members_def_list, key=lambda md: md['name']) |
| for md in members_def_list: |
| md_id = visible_members_dict[md['name']] |
| if md_id in group_ids: |
| md['is_group'] = True |
| |
| return { |
| 'open': open_statuses, |
| 'closed': closed_statuses, |
| 'statuses_offer_merge': config.statuses_offer_merge, |
| 'components': components, |
| 'labels': labels, |
| 'fields': fields, |
| 'excl_prefixes': excl_prefixes, |
| 'strict': ezt.boolean(config.restrict_to_known), |
| 'members': members_def_list, |
| 'custom_permissions': custom_permissions, |
| } |
| |
| |
| def _FilterMemberData( |
| mr, owner_views, committer_views, contributor_views, |
| indirect_member_views): |
| """Return a filtered list of members that the user can view. |
| |
| In most projects, everyone can view the entire member list. But, |
| some projects are configured to only allow project owners to see |
| all members. In those projects, committers and contributors do not |
| see any contributors. Regardless of how the project is configured |
| or the role that the user plays in the current project, we include |
| any indirect members through user groups that the user has access |
| to view. |
| |
| Args: |
| mr: Commonly used info parsed from the HTTP request. |
| owner_views: list of UserViews for project owners. |
| committer_views: list of UserViews for project committers. |
| contributor_views: list of UserViews for project contributors. |
| indirect_member_views: list of UserViews for users who have |
| an indirect role in the project via a user group, and that the |
| logged in user is allowed to see. |
| |
| Returns: |
| A list of owners, committer and visible indirect members if the user is not |
| signed in. If the project is set to display contributors to non-owners or |
| the signed in user has necessary permissions then additionally a list of |
| contributors. |
| """ |
| visible_members = [] |
| |
| # Everyone can view owners and committers |
| visible_members.extend(owner_views) |
| visible_members.extend(committer_views) |
| |
| # The list of indirect members is already limited to ones that the user |
| # is allowed to see according to user group settings. |
| visible_members.extend(indirect_member_views) |
| |
| # If the user is allowed to view the list of contributors, add those too. |
| if permissions.CanViewContributorList(mr): |
| visible_members.extend(contributor_views) |
| |
| return visible_members |
| |
| |
| def _BuildRestrictionChoices(project, freq_restrictions, actions): |
| """Return a list of autocompletion choices for restriction labels. |
| |
| Args: |
| project: Project PB for the current project. |
| freq_restrictions: list of (action, perm, doc) tuples for restrictions |
| that are frequently used. |
| actions: list of strings for actions that are relevant to the current |
| artifact. |
| |
| Returns: |
| A list of dictionaries [{'name': 'perm name', 'doc': 'docstring'}, ...] |
| suitable for use in a JSON feed to our JS autocompletion functions. |
| """ |
| custom_permissions = permissions.GetCustomPermissions(project) |
| choices = [] |
| |
| for action, perm, doc in freq_restrictions: |
| choices.append({ |
| 'name': 'Restrict-%s-%s' % (action, perm), |
| 'doc': doc, |
| }) |
| |
| for action in actions: |
| for perm in custom_permissions: |
| choices.append({ |
| 'name': 'Restrict-%s-%s' % (action, perm), |
| 'doc': 'Permission %s needed to use %s' % (perm, action), |
| }) |
| |
| return choices |
