scripts/migrations/010-fix-home-permissions.py - allura - Git at Google

 import sys
 import logging
 from collections import OrderedDict

 from pylons import c
 from ming.orm import session
 from bson import ObjectId

 from allura import model as M
 from allura.lib import utils
 from forgewiki.wiki_main import ForgeWikiApp

 log = logging.getLogger('fix-home-permissions')
 handler = logging.StreamHandler(sys.stdout)
 log.addHandler(handler)

 TEST = sys.argv[-1].lower() == 'test'

 def main():

     if TEST:
         log.info('Examining permissions for all Home Wikis')
     else:
         log.info('Fixing permissions for all Home Wikis')

     for some_projects in utils.chunked_find(M.Project, {'neighborhood_id': {
                 '$nin': [ObjectId('4be2faf8898e33156f00003e'),      # /u
                          ObjectId('4dbf2563bfc09e6362000005')]}}):  # /motorola
         for project in some_projects:
             c.project = project
             home_app = project.app_instance('home')
             if isinstance(home_app, ForgeWikiApp):
                 log.info('Examining permissions in project "%s".' % project.shortname)
                 root_project = project.root_project or project
                 authenticated_role = project_role(root_project, '*authenticated')
                 member_role = project_role(root_project, 'Member')

                 # remove *authenticated create/update permissions
                 new_acl = OrderedDict(
                     ((ace.role_id, ace.access, ace.permission), ace)
                     for ace in home_app.acl
                     if not (
                         ace.role_id==authenticated_role._id and ace.access==M.ACE.ALLOW and ace.permission in ('create', 'edit', 'delete', 'unmoderated_post')
                     )
                 )
                 if (member_role._id, M.ACE.ALLOW, 'update') in new_acl:
                     del new_acl[(member_role._id, M.ACE.ALLOW, 'update')]

                 # add member create/edit permissions
                 new_acl[(member_role._id, M.ACE.ALLOW, 'create')] = M.ACE.allow(member_role._id, 'create')
                 new_acl[(member_role._id, M.ACE.ALLOW, 'edit')] = M.ACE.allow(member_role._id, 'edit')
                 new_acl[(member_role._id, M.ACE.ALLOW, 'unmoderated_post')] = M.ACE.allow(member_role._id, 'unmoderated_post')

                 if TEST:
                     log.info('...would update acl for home app in project "%s".' % project.shortname)
                 else:
                     log.info('...updating acl for home app in project "%s".' % project.shortname)
                     home_app.config.acl = map(dict, new_acl.values())
                     session(home_app.config).flush()

 def project_role(project, name):
     role = M.ProjectRole.query.get(project_id=project._id, name=name)
     if role is None:
         role = M.ProjectRole(project_id=project._id, name=name)
     return role

 if __name__ == '__main__':
     main()
	import sys
	import logging
	from collections import OrderedDict

	from pylons import c
	from ming.orm import session
	from bson import ObjectId

	from allura import model as M
	from allura.lib import utils
	from forgewiki.wiki_main import ForgeWikiApp

	log = logging.getLogger('fix-home-permissions')
	handler = logging.StreamHandler(sys.stdout)
	log.addHandler(handler)

	TEST = sys.argv[-1].lower() == 'test'

	def main():

	if TEST:
	log.info('Examining permissions for all Home Wikis')
	else:
	log.info('Fixing permissions for all Home Wikis')

	for some_projects in utils.chunked_find(M.Project, {'neighborhood_id': {
	'$nin': [ObjectId('4be2faf8898e33156f00003e'), # /u
	ObjectId('4dbf2563bfc09e6362000005')]}}): # /motorola
	for project in some_projects:
	c.project = project
	home_app = project.app_instance('home')
	if isinstance(home_app, ForgeWikiApp):
	log.info('Examining permissions in project "%s".' % project.shortname)
	root_project = project.root_project or project
	authenticated_role = project_role(root_project, '*authenticated')
	member_role = project_role(root_project, 'Member')

	# remove *authenticated create/update permissions
	new_acl = OrderedDict(
	((ace.role_id, ace.access, ace.permission), ace)
	for ace in home_app.acl
	if not (
	ace.role_id==authenticated_role._id and ace.access==M.ACE.ALLOW and ace.permission in ('create', 'edit', 'delete', 'unmoderated_post')
	)
	)
	if (member_role._id, M.ACE.ALLOW, 'update') in new_acl:
	del new_acl[(member_role._id, M.ACE.ALLOW, 'update')]

	# add member create/edit permissions
	new_acl[(member_role._id, M.ACE.ALLOW, 'create')] = M.ACE.allow(member_role._id, 'create')
	new_acl[(member_role._id, M.ACE.ALLOW, 'edit')] = M.ACE.allow(member_role._id, 'edit')
	new_acl[(member_role._id, M.ACE.ALLOW, 'unmoderated_post')] = M.ACE.allow(member_role._id, 'unmoderated_post')

	if TEST:
	log.info('...would update acl for home app in project "%s".' % project.shortname)
	else:
	log.info('...updating acl for home app in project "%s".' % project.shortname)
	home_app.config.acl = map(dict, new_acl.values())
	session(home_app.config).flush()

	def project_role(project, name):
	role = M.ProjectRole.query.get(project_id=project._id, name=name)
	if role is None:
	role = M.ProjectRole(project_id=project._id, name=name)
	return role

	if __name__ == '__main__':
	main()