Marcin Kuzminski  committed 157231a

move permission check of write access to repo groups inside a form.
- it's runned via create/edit/fork forms
- in case we have disabled repo creation, it will check root location write access for people that are not super admins, or have explicity create repo permission
- in case there's a group value passed to form, it checks just admin or write access

  • Participants
  • Parent commits 199fd21

Comments (0)

Files changed (2)

File rhodecode/controllers/admin/

             form_result = RepoForm(repo_groups=c.repo_groups_choices,
-            #we check ACLs after form, since we want to display nicer errors
-            #if form forbids creation of repos inside a group we don't have
-            #perms for
-            if not HasPermissionAny('hg.admin', 'hg.create.repository')():
-                #you're not super admin nor have global create permissions,
-                #but maybe you have at least write permission to a parent group ?
-                parent_group = request.POST.get('repo_group')
-                _gr = RepoGroup.get(parent_group)
-                gr_name = _gr.group_name if _gr else None
-                if not HasReposGroupPermissionAny('group.admin', 'group.write')(group_name=gr_name):
-                    msg = _('no permission to create repository in root location')
-                    raise formencode.Invalid('', form_result, None,
-                                             error_dict={'repo_group': msg})
             new_repo = RepoModel().create(form_result,

File rhodecode/model/

 from rhodecode.lib.exceptions import LdapImportError
 from rhodecode.config.routing import ADMIN_PREFIX
-from rhodecode.lib.auth import HasReposGroupPermissionAny
+from rhodecode.lib.auth import HasReposGroupPermissionAny, HasPermissionAny
 # silence warnings and pylint
 UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'permission_denied': _(u"You don't have permissions "
-                                   "to create repository in this group")
+                                   "to create repository in this group"),
+            'permission_denied_root': _(u"no permission to create repository "
+                                        "in root location")
-        def to_python(self, value, state):
+        def _to_python(self, value, state):
             #root location
             if value in [-1, "-1"]:
                 return None
             gr = RepoGroup.get(value)
             gr_name = gr.group_name if gr else None  # None means ROOT location
             val = HasReposGroupPermissionAny('group.write', 'group.admin')
+            can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository')
             forbidden = not val(gr_name, 'can write into group validator')
             #parent group need to be existing
             if gr and forbidden:
                 raise formencode.Invalid(msg, value, state,
+            ## check if we can write to root location !
+            elif gr is None and can_create_repos() is False:
+                msg = M(self, 'permission_denied_root', state)
+                raise formencode.Invalid(msg, value, state,
+                    error_dict=dict(repo_type=msg)
+                )
     return _validator