From 27ae9095639bb228a1b7ff86a3ebe4264abf05be Mon Sep 17 00:00:00 2001
From: mschaefers <mschaefers@scoop-gmbh.de>
Date: Thu, 29 Nov 2012 12:33:09 -0500
Subject: [PATCH] feature: when using LdapUserService one can configure Gitblit to fetch all users from ldap that can possibly login. This allows to see newly generated LDAP users instantly in Gitblit. By now an LDAP user had to log in once to appear in GitBlit.

---
 src/com/gitblit/models/UserModel.java |  133 ++++++++++++++++++++++++++++++++++++--------
 1 files changed, 109 insertions(+), 24 deletions(-)

diff --git a/src/com/gitblit/models/UserModel.java b/src/com/gitblit/models/UserModel.java
index d7e8f57..bd40985 100644
--- a/src/com/gitblit/models/UserModel.java
+++ b/src/com/gitblit/models/UserModel.java
@@ -21,6 +21,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -55,6 +56,11 @@
 	public String cookie;
 	public String displayName;
 	public String emailAddress;
+	public String organizationalUnit;
+	public String organization;
+	public String locality;
+	public String stateProvince;
+	public String countryCode;
 	public boolean canAdmin;
 	public boolean canFork;
 	public boolean canCreate;
@@ -138,21 +144,42 @@
 	 */
 	public List<RegistrantAccessPermission> getRepositoryPermissions() {
 		List<RegistrantAccessPermission> list = new ArrayList<RegistrantAccessPermission>();
+		if (canAdmin()) {
+			// user has REWIND access to all repositories
+			return list;
+		}
 		for (Map.Entry<String, AccessPermission> entry : permissions.entrySet()) {
 			String registrant = entry.getKey();
-			boolean editable = true;
+			AccessPermission ap = entry.getValue();
+			String source = null;
+			boolean mutable = true;
 			PermissionType pType = PermissionType.EXPLICIT;
 			if (isMyPersonalRepository(registrant)) {
 				pType = PermissionType.OWNER;
-				editable = false;
+				ap = AccessPermission.REWIND;
+				mutable = false;
 			} else if (StringUtils.findInvalidCharacter(registrant) != null) {
 				// a regex will have at least 1 invalid character
 				pType = PermissionType.REGEX;
+				source = registrant;
 			}
-			list.add(new RegistrantAccessPermission(registrant, entry.getValue(), pType, RegistrantType.REPOSITORY, editable));
+			list.add(new RegistrantAccessPermission(registrant, ap, pType, RegistrantType.REPOSITORY, source, mutable));
 		}
 		Collections.sort(list);
-		return list;
+		
+		// include immutable team permissions, being careful to preserve order
+		Set<RegistrantAccessPermission> set = new LinkedHashSet<RegistrantAccessPermission>(list);
+		for (TeamModel team : teams) {
+			for (RegistrantAccessPermission teamPermission : team.getRepositoryPermissions()) {
+				// we can not change an inherited team permission, though we can override
+				teamPermission.registrantType = RegistrantType.REPOSITORY;
+				teamPermission.permissionType = PermissionType.TEAM;
+				teamPermission.source = team.name;
+				teamPermission.mutable = false;
+				set.add(teamPermission);
+			}
+		}
+		return new ArrayList<RegistrantAccessPermission>(set);
 	}
 	
 	/**
@@ -194,6 +221,24 @@
 	}
 	
 	/**
+	 * Returns true if the user's team memberships specify an access permission for
+	 * this repository.
+	 * 
+	 * @param name
+	 * @return if the user's team memberships specifi an access permission
+	 */
+	public boolean hasTeamRepositoryPermission(String name) {
+		if (teams != null) {
+			for (TeamModel team : teams) {
+				if (team.hasRepositoryPermission(name)) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+	
+	/**
 	 * Adds a repository permission to the team.
 	 * <p>
 	 * Role may be formatted as:
@@ -220,23 +265,59 @@
 		permissions.put(repository.toLowerCase(), permission);
 	}
 
-	public AccessPermission getRepositoryPermission(RepositoryModel repository) {
-		if (canAdmin() || repository.isOwner(username) || repository.isUsersPersonalRepository(username)) {
-			return AccessPermission.REWIND;
+	public RegistrantAccessPermission getRepositoryPermission(RepositoryModel repository) {
+		RegistrantAccessPermission ap = new RegistrantAccessPermission();
+		ap.registrant = username;
+		ap.registrantType = RegistrantType.USER;
+		ap.permission = AccessPermission.NONE;
+		ap.mutable = false;
+
+		if (AccessRestrictionType.NONE.equals(repository.accessRestriction)) {
+			// anonymous rewind
+			ap.permissionType = PermissionType.ADMINISTRATOR;
+			ap.permission = AccessPermission.REWIND;
+			return ap;
 		}
+
+		// administrator
+		if (canAdmin()) {
+			ap.permissionType = PermissionType.ADMINISTRATOR;
+			ap.permission = AccessPermission.REWIND;
+			if (!canAdmin) {
+				// administator permission from team membership
+				for (TeamModel team : teams) {
+					if (team.canAdmin) {
+						ap.source = team.name;
+						break;
+					}
+				}
+			}
+			return ap;
+		}
+		
+		// repository owner - either specified owner or personal repository
+		if (repository.isOwner(username) || repository.isUsersPersonalRepository(username)) {
+			ap.permissionType = PermissionType.OWNER;
+			ap.permission = AccessPermission.REWIND;
+			return ap;
+		}
+		
 		if (AuthorizationControl.AUTHENTICATED.equals(repository.authorizationControl) && isAuthenticated) {
-			// AUTHENTICATED is a shortcut for authorizing all logged-in users RW access
-			return AccessPermission.REWIND;
+			// AUTHENTICATED is a shortcut for authorizing all logged-in users RW+ access
+			ap.permission = AccessPermission.REWIND;
+			return ap;
 		}
 		
 		// explicit user permission OR user regex match is used
 		// if that fails, then the best team permission is used
-		AccessPermission permission = AccessPermission.NONE;
 		if (permissions.containsKey(repository.name.toLowerCase())) {
 			// exact repository permission specified, use it
 			AccessPermission p = permissions.get(repository.name.toLowerCase());
 			if (p != null) {
-				return p;
+				ap.permissionType = PermissionType.EXPLICIT;
+				ap.permission = p;
+				ap.mutable = true;
+				return ap;
 			}
 		} else {
 			// search for case-insensitive regex permission match
@@ -245,29 +326,33 @@
 					AccessPermission p = permissions.get(key);
 					if (p != null) {
 						// take first match
-						permission = p;
-						break;
+						ap.permissionType = PermissionType.REGEX;
+						ap.permission = p;
+						ap.source = key;
+						return ap;
 					}
 				}
 			}
 		}
 		
-		if (AccessPermission.NONE.equals(permission)) {
-			for (TeamModel team : teams) {
-				AccessPermission p = team.getRepositoryPermission(repository);
-				if (p.exceeds(permission)) {
-					// use highest team permission
-					permission = p;
-				}
+		// try to find a team match
+		for (TeamModel team : teams) {
+			RegistrantAccessPermission p = team.getRepositoryPermission(repository);
+			if (p.permission.exceeds(ap.permission)) {
+				// use highest team permission
+				ap.permission = p.permission;
+				ap.source = team.name;
+				ap.permissionType = PermissionType.TEAM;
 			}
-		}
-		return permission;
+		}		
+		
+		return ap;
 	}
 	
 	protected boolean canAccess(RepositoryModel repository, AccessRestrictionType ifRestriction, AccessPermission requirePermission) {
 		if (repository.accessRestriction.atLeast(ifRestriction)) {
-			AccessPermission permission = getRepositoryPermission(repository);
-			return permission.atLeast(requirePermission);
+			RegistrantAccessPermission ap = getRepositoryPermission(repository);
+			return ap.permission.atLeast(requirePermission);
 		}
 		return true;
 	}

--
Gitblit v1.9.1