Launchpad itself

Merge lp:~cjwatson/launchpad/git-permissions-ui-edit into lp:launchpad

git-permissions-ui-edit
Merge into devel

Proposed by Colin Watson on 2018-10-31

Status:

Superseded

Proposed branch:

lp:~cjwatson/launchpad/git-permissions-ui-edit

Merge into:

lp:launchpad

Prerequisite:

lp:~cjwatson/launchpad/snapshot-modifying-helper

Diff against target:

2295 lines (+2023/-8)

13 files modified

lib/lp/code/browser/configure.zcml (+6/-0)
lib/lp/code/browser/gitrepository.py (+486/-4)
lib/lp/code/browser/tests/test_gitrepository.py (+612/-1)
lib/lp/code/browser/widgets/gitgrantee.py (+253/-0)
lib/lp/code/browser/widgets/templates/gitgrantee.pt (+27/-0)
lib/lp/code/browser/widgets/tests/test_gitgrantee.py (+305/-0)
lib/lp/code/interfaces/gitrepository.py (+6/-1)
lib/lp/code/interfaces/gitrule.py (+4/-0)
lib/lp/code/model/gitrepository.py (+12/-1)
lib/lp/code/model/gitrule.py (+7/-0)
lib/lp/code/model/tests/test_gitrepository.py (+111/-1)
lib/lp/code/model/tests/test_gitrule.py (+2/-0)
lib/lp/code/templates/gitrepository-permissions.pt (+192/-0)

To merge this branch:

bzr merge lp:~cjwatson/launchpad/git-permissions-ui-edit

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Launchpad code reviewers		2018-10-31	Pending
Review via email: mp+358099@code.launchpad.net

This proposal has been superseded by a proposal from 2018-11-09.

Commit message

Add a Git repository permissions view.

Description of the change

This was very substantially complicated by not wanting to invest the time in a JS-based interface just yet (and wanting to have a non-JS fallback, in any case). Given that, we need to be able to cram everything into a single form which can be submitted in one go and specify the new state of the entire permissions structure. The UI-level separation between protected branches and protected tags also makes things hard, particularly when it comes to lining up columns consistently. This is the best I was able to do given those constraints; some bits are quite ugly (especially rule positions), but I think it's tolerable, and it should allow for future JS-based enhancement.

Example screenshot: https://people.canonical.com/~cjwatson/tmp/lp-git-repository-permissions.png

This isn't ready for review yet since it has multiple prerequisites (https://code.launchpad.net/~cjwatson/launchpad/snapshot-modifying-helper/+merge/357598 and https://code.launchpad.net/~cjwatson/launchpad/git-grantee-widgets/+merge/357600).

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

 === modified file 'lib/lp/code/browser/configure.zcml'
 --- lib/lp/code/browser/configure.zcml	2018-11-08 11:40:25 +0000
 +++ lib/lp/code/browser/configure.zcml	2018-11-09 22:50:10 +0000
@@ -871,6 +871,12 @@
      </class>
      <browser:page
          for="lp.code.interfaces.gitrepository.IGitRepository"
++        class="lp.code.browser.gitrepository.GitRepositoryPermissionsView"
++        name="+permissions"
++        permission="launchpad.Edit"
++        template="../templates/gitrepository-permissions.pt"/>
++    <browser:page
++        for="lp.code.interfaces.gitrepository.IGitRepository"
          class="lp.code.browser.gitrepository.GitRepositoryDeletionView"
          permission="launchpad.Edit"
          name="+delete"
 === modified file 'lib/lp/code/browser/gitrepository.py'
 --- lib/lp/code/browser/gitrepository.py	2018-11-08 15:53:56 +0000
 +++ lib/lp/code/browser/gitrepository.py	2018-11-09 22:50:10 +0000
@@ -17,10 +17,13 @@
      'GitRepositoryEditReviewerView',
      'GitRepositoryEditView',
      'GitRepositoryNavigation',
++    'GitRepositoryPermissionsView',
      'GitRepositoryURL',
      'GitRepositoryView',
+     ]
++import base64
++
  from lazr.lifecycle.event import ObjectModifiedEvent
  from lazr.lifecycle.snapshot import Snapshot
  from lazr.restful.interface import (
@@ -34,14 +37,21 @@
  from zope.component import getUtility
  from zope.event import notify
  from zope.formlib import form
++from zope.formlib.textwidgets import IntWidget
++from zope.formlib.widget import CustomWidgetFactory
  from zope.interface import (
      implementer,
      Interface,
      providedBy,
+     )
  from zope.publisher.interfaces.browser import IBrowserPublisher
--from zope.schema import Choice
++from zope.schema import (
++    Bool,
++    Choice,
++    Int,
++    )
  from zope.schema.vocabulary import (
++    getVocabularyRegistry,
      SimpleTerm,
      SimpleVocabulary,
+     )
@@ -53,7 +63,10 @@
      LaunchpadEditFormView,
      LaunchpadFormView,
+     )
--from lp.app.errors import NotFoundError
++from lp.app.errors import (
++    NotFoundError,
++    UnexpectedFormData,
++    )
  from lp.app.vocabularies import InformationTypeVocabulary
  from lp.app.widgets.itemswidgets import LaunchpadRadioWidgetWithDescription
  from lp.code.browser.branch import CodeEditOwnerMixin
@@ -62,11 +75,19 @@
+     )
  from lp.code.browser.codeimport import CodeImportTargetMixin
  from lp.code.browser.sourcepackagerecipelisting import HasRecipesMenuMixin
++from lp.code.browser.widgets.gitgrantee import (
++    GitGranteeDisplayWidget,
++    GitGranteeField,
++    GitGranteeWidget,
++    )
  from lp.code.browser.widgets.gitrepositorytarget import (
      GitRepositoryTargetDisplayWidget,
      GitRepositoryTargetWidget,
+     )
--from lp.code.enums import GitRepositoryType
++from lp.code.enums import (
++    GitGranteeType,
++    GitRepositoryType,
++    )
  from lp.code.errors import (
      GitDefaultConflict,
      GitRepositoryCreationForbidden,
@@ -76,6 +97,7 @@
  from lp.code.interfaces.gitnamespace import get_git_namespace
  from lp.code.interfaces.gitref import IGitRefBatchNavigator
  from lp.code.interfaces.gitrepository import IGitRepository
++from lp.code.vocabularies.gitrule import GitPermissionsVocabulary
  from lp.registry.interfaces.person import (
      IPerson,
      IPersonSet,
@@ -84,6 +106,7 @@
  from lp.services.config import config
  from lp.services.database.constants import UTC_NOW
  from lp.services.features import getFeatureFlag
++from lp.services.fields import UniqueField
  from lp.services.propertycache import cachedproperty
  from lp.services.webapp import (
      canonical_url,
@@ -105,6 +128,7 @@
  from lp.services.webapp.escaping import structured
  from lp.services.webapp.interfaces import ICanonicalUrlData
  from lp.services.webapp.publisher import DataDownloadView
++from lp.services.webapp.snapshot import notify_modified
  from lp.services.webhooks.browser import WebhookTargetNavigationMixin
  from lp.snappy.browser.hassnaps import HasSnapsViewMixin
@@ -211,7 +235,14 @@
      usedfor = IGitRepository
      facet = "branches"
      title = "Edit Git repository"
--    links = ["edit", "reviewer", "webhooks", "activity", "delete"]
++    links = [
++        "edit",
++        "reviewer",
++        "permissions",
++        "activity",
++        "webhooks",
++        "delete",
++        ]
      @enabled_with_permission("launchpad.Edit")
      def edit(self):
@@ -224,6 +255,11 @@
          return Link("+reviewer", text, icon="edit")
      @enabled_with_permission("launchpad.Edit")
++    def permissions(self):
++        text = "Manage permissions"
++        return Link("+permissions", text, icon="edit")
++
++    @enabled_with_permission("launchpad.Edit")
      def webhooks(self):
          text = "Manage webhooks"
          return Link(
@@ -709,6 +745,452 @@
          return self, ()
++def encode_form_field_id(value):
++    """Encode text for use in form field names.
++
++    We use a modified version of base32 which fits into CSS identifiers and
++    so doesn't cause FormattersAPI.zope_css_id to do unhelpful things.
++    """
++    return base64.b32encode(
++        value.encode("UTF-8")).decode("UTF-8").replace("=", "_")
++
++
++def decode_form_field_id(encoded):
++    """Inverse of `encode_form_field_id`."""
++    return base64.b32decode(
++        encoded.replace("_", "=").encode("UTF-8")).decode("UTF-8")
++
++
++class GitRulePatternField(UniqueField):
++
++    errormessage = _("%s is already in use by another rule")
++    attribute = "ref_pattern"
++    _content_iface = IGitRepository
++
++    def __init__(self, ref_prefix, rule=None, *args, **kwargs):
++        self.ref_prefix = ref_prefix
++        self.rule = rule
++        super(GitRulePatternField, self).__init__(*args, **kwargs)
++
++    def _getByAttribute(self, ref_pattern):
++        """See `UniqueField`."""
++        if self._content_iface.providedBy(self.context):
++            return self.context.getRule(self.ref_prefix + ref_pattern)
++        else:
++            return None
++
++    def unchanged(self, input):
++        """See `UniqueField`."""
++        return (
++            self.rule is not None and
++            self.ref_prefix + input == self.rule.ref_pattern)
++
++    def set(self, object, value):
++        """See `IField`."""
++        if value is not None:
++            value = value.strip()
++        super(GitRulePatternField, self).set(object, value)
++
++
++class GitRepositoryPermissionsView(LaunchpadFormView):
++    """A view to manage repository permissions."""
++
++    @property
++    def label(self):
++        return "Manage permissions for %s" % self.context.identity
++
++    page_title = "Manage permissions"
++
++    @cachedproperty
++    def repository(self):
++        return self.context
++
++    @cachedproperty
++    def rules(self):
++        return self.repository.getRules()
++
++    @cachedproperty
++    def branch_rules(self):
++        return [
++            rule for rule in self.rules
++            if rule.ref_pattern.startswith(u"refs/heads/")]
++
++    @cachedproperty
++    def tag_rules(self):
++        return [
++            rule for rule in self.rules
++            if rule.ref_pattern.startswith(u"refs/tags/")]
++
++    @cachedproperty
++    def other_rules(self):
++        return [
++            rule for rule in self.rules
++            if not rule.ref_pattern.startswith(u"refs/heads/") and
++               not rule.ref_pattern.startswith(u"refs/tags/")]
++
++    def _getRuleGrants(self, rule):
++        def grantee_key(grant):
++            if grant.grantee is not None:
++                return grant.grantee_type, grant.grantee.name
++            else:
++                return (grant.grantee_type,)
++
++        return sorted(rule.grants, key=grantee_key)
++
++    def _parseRefPattern(self, ref_pattern):
++        """Parse a pattern into a prefix and the displayed portion."""
++        for prefix in (u"refs/heads/", u"refs/tags/"):
++            if ref_pattern.startswith(prefix):
++                return prefix, ref_pattern[len(prefix):]
++        return u"", ref_pattern
++
++    def _getFieldName(self, name, ref_pattern, grantee=None):
++        """Get the combined field name for a ref pattern and optional grantee.
++
++        In order to be able to render a permissions table, we encode the ref
++        pattern and the grantee in the form field name.
++        """
++        suffix = "." + encode_form_field_id(ref_pattern)
++        if grantee is not None:
++            if IPerson.providedBy(grantee):
++                suffix += "." + str(grantee.id)
++            else:
++                suffix += "._" + grantee.name.lower()
++        return name + suffix
++
++    def _parseFieldName(self, field_name):
++        """Parse a combined field name as described in `_getFieldName`.
++
++        :raises UnexpectedFormData: if the field name cannot be parsed or
++            the grantee cannot be found.
++        """
++        field_bits = field_name.split(".")
++        if len(field_bits) < 2:
++            raise UnexpectedFormData(
++                "Cannot parse field name: %s" % field_name)
++        field_type = field_bits[0]
++        try:
++            ref_pattern = decode_form_field_id(field_bits[1])
++        except TypeError:
++            raise UnexpectedFormData(
++                "Cannot parse field name: %s" % field_name)
++        if len(field_bits) > 2:
++            grantee_id = field_bits[2]
++            if grantee_id.startswith("_"):
++                grantee_id = grantee_id[1:]
++                try:
++                    grantee = GitGranteeType.getTermByToken(grantee_id).value
++                except LookupError:
++                    grantee = None
++            else:
++                try:
++                    grantee_id = int(grantee_id)
++                except ValueError:
++                    grantee = None
++                else:
++                    grantee = getUtility(IPersonSet).get(grantee_id)
++            if grantee is None or grantee == GitGranteeType.PERSON:
++                raise UnexpectedFormData("No such grantee: %s" % grantee_id)
++        else:
++            grantee = None
++        return field_type, ref_pattern, grantee
++
++    def _getPermissionsTerm(self, grant):
++        """Return a term from `GitPermissionsVocabulary` for this grant."""
++        vocabulary = getVocabularyRegistry().get(grant, "GitPermissions")
++        try:
++            return vocabulary.getTerm(grant.permissions)
++        except LookupError:
++            # This should never happen, because GitPermissionsVocabulary
++            # adds a custom term for the context grant if necessary.
++            raise AssertionError(
++                "Could not find GitPermissions term for %r" % grant)
++
++    def setUpFields(self):
++        """See `LaunchpadFormView`."""
++        position_fields = []
++        pattern_fields = []
++        delete_fields = []
++        readonly_grantee_fields = []
++        grantee_fields = []
++        permissions_fields = []
++
++        default_permissions_by_prefix = {
++            "refs/heads/": "can_push",
++            "refs/tags/": "can_create",
++            "": "can_push",
++            }
++
++        for rule_index, rule in enumerate(self.rules):
++            # Remove the usual branch/tag prefixes from patterns.  The full
++            # pattern goes into form field names, so no data is lost here.
++            ref_pattern = rule.ref_pattern
++            ref_prefix, short_pattern = self._parseRefPattern(ref_pattern)
++            position_fields.append(
++                Int(
++                    __name__=self._getFieldName("position", ref_pattern),
++                    required=True, readonly=False, default=rule_index + 1))
++            pattern_fields.append(
++                GitRulePatternField(
++                    __name__=self._getFieldName("pattern", ref_pattern),
++                    required=True, readonly=False, ref_prefix=ref_prefix,
++                    rule=rule, default=short_pattern))
++            delete_fields.append(
++                Bool(
++                    __name__=self._getFieldName("delete", ref_pattern),
++                    readonly=False, default=False))
++            for grant in self._getRuleGrants(rule):
++                grantee = grant.combined_grantee
++                readonly_grantee_fields.append(
++                    GitGranteeField(
++                        __name__=self._getFieldName(
++                            "grantee", ref_pattern, grantee),
++                        required=False, readonly=True, default=grantee,
++                        rule=rule))
++                permissions_fields.append(
++                    Choice(
++                        __name__=self._getFieldName(
++                            "permissions", ref_pattern, grantee),
++                        source=GitPermissionsVocabulary(grant),
++                        readonly=False,
++                        default=self._getPermissionsTerm(grant).value))
++                delete_fields.append(
++                    Bool(
++                        __name__=self._getFieldName(
++                            "delete", ref_pattern, grantee),
++                        readonly=False, default=False))
++            grantee_fields.append(
++                GitGranteeField(
++                    __name__=self._getFieldName("grantee", ref_pattern),
++                    required=False, readonly=False, rule=rule))
++            permissions_vocabulary = GitPermissionsVocabulary(rule)
++            permissions_fields.append(
++                Choice(
++                    __name__=self._getFieldName(
++                        "permissions", ref_pattern),
++                    source=permissions_vocabulary, readonly=False,
++                    default=permissions_vocabulary.getTermByToken(
++                        default_permissions_by_prefix[ref_prefix]).value))
++        for ref_prefix in ("refs/heads/", "refs/tags/"):
++            position_fields.append(
++                Int(
++                    __name__=self._getFieldName("new-position", ref_prefix),
++                    required=False, readonly=True))
++            pattern_fields.append(
++                GitRulePatternField(
++                    __name__=self._getFieldName("new-pattern", ref_prefix),
++                    required=False, readonly=False, ref_prefix=ref_prefix))
++
++        self.form_fields = (
++            form.FormFields(
++                *position_fields,
++                custom_widget=CustomWidgetFactory(IntWidget, displayWidth=2)) +
++            form.FormFields(*pattern_fields) +
++            form.FormFields(*delete_fields) +
++            form.FormFields(
++                *readonly_grantee_fields,
++                custom_widget=CustomWidgetFactory(GitGranteeDisplayWidget)) +
++            form.FormFields(
++                *grantee_fields,
++                custom_widget=CustomWidgetFactory(GitGranteeWidget)) +
++            form.FormFields(*permissions_fields))
++
++    def setUpWidgets(self, context=None):
++        """See `LaunchpadFormView`."""
++        super(GitRepositoryPermissionsView, self).setUpWidgets(
++            context=context)
++        for widget in self.widgets:
++            widget.display_label = False
++            widget.hint = None
++
++    @property
++    def cancel_url(self):
++        return canonical_url(self.context)
++
++    def getRuleWidgets(self, rule):
++        widgets_by_name = {widget.name: widget for widget in self.widgets}
++        ref_pattern = rule.ref_pattern
++        position_field_name = (
++            "field." + self._getFieldName("position", ref_pattern))
++        pattern_field_name = (
++            "field." + self._getFieldName("pattern", ref_pattern))
++        delete_field_name = (
++            "field." + self._getFieldName("delete", ref_pattern))
++        grant_widgets = []
++        for grant in self._getRuleGrants(rule):
++            grantee = grant.combined_grantee
++            grantee_field_name = (
++                "field." + self._getFieldName("grantee", ref_pattern, grantee))
++            permissions_field_name = (
++                "field." +
++                self._getFieldName("permissions", ref_pattern, grantee))
++            delete_grant_field_name = (
++                "field." + self._getFieldName("delete", ref_pattern, grantee))
++            grant_widgets.append({
++                "grantee": widgets_by_name[grantee_field_name],
++                "permissions": widgets_by_name[permissions_field_name],
++                "delete": widgets_by_name[delete_grant_field_name],
++                })
++        new_grantee_field_name = (
++            "field." + self._getFieldName("grantee", ref_pattern))
++        new_permissions_field_name = (
++            "field." + self._getFieldName("permissions", ref_pattern))
++        new_grant_widgets = {
++            "grantee": widgets_by_name[new_grantee_field_name],
++            "permissions": widgets_by_name[new_permissions_field_name],
++            }
++        return {
++            "position": widgets_by_name[position_field_name],
++            "pattern": widgets_by_name[pattern_field_name],
++            "delete": widgets_by_name.get(delete_field_name),
++            "grants": grant_widgets,
++            "new_grant": new_grant_widgets,
++            }
++
++    def getNewRuleWidgets(self, ref_prefix):
++        widgets_by_name = {widget.name: widget for widget in self.widgets}
++        new_position_field_name = (
++            "field." + self._getFieldName("new-position", ref_prefix))
++        new_pattern_field_name = (
++            "field." + self._getFieldName("new-pattern", ref_prefix))
++        return {
++            "position": widgets_by_name[new_position_field_name],
++            "pattern": widgets_by_name[new_pattern_field_name],
++            }
++
++    def updateRepositoryFromData(self, repository, data):
++        pattern_field_names = sorted(
++            name for name in data if name.split(".")[0] == "pattern")
++        new_pattern_field_names = sorted(
++            name for name in data if name.split(".")[0] == "new-pattern")
++        permissions_field_names = sorted(
++            name for name in data if name.split(".")[0] == "permissions")
++
++        # Fetch rules before making any changes, since their ref_patterns
++        # may change as a result of this update.
++        rule_map = {rule.ref_pattern: rule for rule in self.repository.rules}
++        grant_map = {
++            (grant.rule.ref_pattern, grant.combined_grantee): grant
++            for grant in self.repository.grants}
++
++        # Patterns must be processed in rule order so that position changes
++        # work in a reasonably natural way.
++        ordered_patterns = []
++        for pattern_field_name in pattern_field_names:
++            _, ref_pattern, _ = self._parseFieldName(pattern_field_name)
++            if ref_pattern is not None:
++                rule = rule_map.get(ref_pattern)
++                ordered_patterns.append(
++                    (pattern_field_name, ref_pattern, rule))
++        ordered_patterns.sort(key=lambda item: item[2].position)
++
++        for pattern_field_name, ref_pattern, rule in ordered_patterns:
++            prefix, _ = self._parseRefPattern(ref_pattern)
++            rule = rule_map.get(ref_pattern)
++            delete_field_name = self._getFieldName("delete", ref_pattern)
++            # If the rule was already deleted by somebody else, then we
++            # have nothing to do.
++            if rule is not None and data.get(delete_field_name):
++                rule.destroySelf(self.user)
++                rule_map[ref_pattern] = rule = None
++            position_field_name = self._getFieldName("position", ref_pattern)
++            if rule is not None:
++                new_position = max(0, data[position_field_name] - 1)
++                self.repository.moveRule(rule, new_position, self.user)
++            new_pattern = prefix + data[pattern_field_name]
++            if rule is not None and new_pattern != rule.ref_pattern:
++                with notify_modified(rule, ["ref_pattern"]):
++                    rule.ref_pattern = new_pattern
++
++        for new_pattern_field_name in new_pattern_field_names:
++            _, prefix, _ = self._parseFieldName(new_pattern_field_name)
++            if data[new_pattern_field_name]:
++                # This is an "add rule" entry.
++                new_position_field_name = self._getFieldName(
++                    "position", prefix)
++                new_pattern = prefix + data[new_pattern_field_name]
++                rule = rule_map.get(new_pattern)
++                if rule is None:
++                    if new_position_field_name in data:
++                        new_position = max(
++                            0, data[new_position_field_name] - 1)
++                    else:
++                        new_position = None
++                    rule = repository.addRule(
++                        new_pattern, self.user, position=new_position)
++                    if prefix == "refs/tags/":
++                        # Tags are a special case: on creation, they
++                        # automatically get a grant of create permissions to
++                        # the repository owner (suppressing the normal
++                        # ability of the repository owner to push protected
++                        # references).
++                        rule.addGrant(
++                            GitGranteeType.REPOSITORY_OWNER, self.user,
++                            can_create=True)
++
++        for permissions_field_name in permissions_field_names:
++            _, ref_pattern, grantee = self._parseFieldName(
++                permissions_field_name)
++            if ref_pattern not in rule_map:
++                self.addError(structured(
++                    "Cannot edit grants for nonexistent rule %s", ref_pattern))
++                return
++            rule = rule_map.get(ref_pattern)
++            if rule is None:
++                # Already deleted.
++                continue
++
++            # Find or create the corresponding grant.  We only create a
++            # grant if explicitly processing an "add grant" entry in the UI;
++            # if there isn't already a grant for an existing entry that's
++            # being modified, implicitly adding it is probably too
++            # confusing.
++            permissions = data[permissions_field_name]
++            grant = None
++            if grantee is not None:
++                # This entry should correspond to an existing grant.  Make
++                # whatever changes were requested to it.
++                grant = grant_map.get((ref_pattern, grantee))
++                delete_field_name = self._getFieldName(
++                    "delete", ref_pattern, grantee)
++                # If the grant was already deleted by somebody else, then we
++                # have nothing to do.
++                if grant is not None and data.get(delete_field_name):
++                    grant.destroySelf(self.user)
++                    grant = None
++                if grant is not None and permissions != grant.permissions:
++                    with notify_modified(
++                            grant,
++                            ["can_create", "can_push", "can_force_push"]):
++                        grant.permissions = permissions
++            else:
++                # This is an "add grant" entry.
++                grantee_field_name = self._getFieldName("grantee", ref_pattern)
++                grantee = data.get(grantee_field_name)
++                if grantee:
++                    grant = grant_map.get((ref_pattern, grantee))
++                    if grant is None:
++                        rule.addGrant(
++                            grantee, self.user, permissions=permissions)
++                    elif permissions != grant.permissions:
++                        # Somebody else added the grant since the form was
++                        # last rendered.  Updating it with the permissions
++                        # from this request seems best.
++                        with notify_modified(
++                                grant,
++                                ["can_create", "can_push", "can_force_push"]):
++                            grant.permissions = permissions
++
++        self.request.response.addNotification(
++            "Saved permissions for %s" % self.context.identity)
++        self.next_url = canonical_url(self.context, view_name="+permissions")
++
++    @action("Save", name="save")
++    def save_action(self, action, data):
++        with notify_modified(self.repository, []):
++            self.updateRepositoryFromData(self.repository, data)
++
++
  class GitRepositoryDeletionView(LaunchpadFormView):
      schema = IGitRepository
 === modified file 'lib/lp/code/browser/tests/test_gitrepository.py'
 --- lib/lp/code/browser/tests/test_gitrepository.py	2018-11-08 15:33:03 +0000
 +++ lib/lp/code/browser/tests/test_gitrepository.py	2018-11-09 22:50:10 +0000
@@ -7,16 +7,26 @@
  __metaclass__ = type
++import base64
  from datetime import datetime
  import doctest
++from operator import attrgetter
++import re
  from textwrap import dedent
  from fixtures import FakeLogger
  import pytz
++import soupmatchers
  from storm.store import Store
  from testtools.matchers import (
++    AfterPreprocessing,
      DocTestMatches,
      Equals,
++    Is,
++    MatchesDict,
++    MatchesListwise,
++    MatchesSetwise,
++    MatchesStructure,
+     )
  import transaction
  from zope.component import getUtility
@@ -26,11 +36,16 @@
  from zope.security.proxy import removeSecurityProxy
  from lp.app.enums import InformationType
++from lp.app.errors import UnexpectedFormData
  from lp.app.interfaces.launchpad import ILaunchpadCelebrities
  from lp.app.interfaces.services import IService
++from lp.code.browser.gitrepository import encode_form_field_id
  from lp.code.enums import (
      BranchMergeProposalStatus,
      CodeReviewVote,
++    GitActivityType,
++    GitGranteeType,
++    GitPermissionType,
      GitRepositoryType,
+     )
  from lp.code.interfaces.revision import IRevisionSet
@@ -40,7 +55,10 @@
      VCSType,
+     )
  from lp.registry.interfaces.accesspolicy import IAccessPolicySource
--from lp.registry.interfaces.person import PersonVisibility
++from lp.registry.interfaces.person import (
++    IPerson,
++    PersonVisibility,
++    )
  from lp.services.beautifulsoup import BeautifulSoup
  from lp.services.database.constants import UTC_NOW
  from lp.services.features.testing import FeatureFixture
@@ -1097,6 +1115,599 @@
              browser.headers["Content-Disposition"])
++class TestGitRepositoryPermissionsView(BrowserTestCase):
++
++    layer = DatabaseFunctionalLayer
++
++    def test_rules_properties(self):
++        repository = self.factory.makeGitRepository()
++        heads_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/*")
++        tags_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/tags/*")
++        catch_all_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="*")
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        self.assertEqual([heads_rule], view.branch_rules)
++        self.assertEqual([tags_rule], view.tag_rules)
++        self.assertEqual([catch_all_rule], view.other_rules)
++
++    def test__getRuleGrants(self):
++        rule = self.factory.makeGitRule()
++        grantees = sorted(
++            [self.factory.makePerson() for _ in range(3)],
++            key=attrgetter("name"))
++        for grantee in (grantees[1], grantees[0], grantees[2]):
++            self.factory.makeGitRuleGrant(rule=rule, grantee=grantee)
++        self.factory.makeGitRuleGrant(
++            rule=rule, grantee=GitGranteeType.REPOSITORY_OWNER)
++        login_person(rule.repository.owner)
++        view = create_initialized_view(rule.repository, name="+permissions")
++        self.assertThat(view._getRuleGrants(rule), MatchesListwise([
++            MatchesStructure.byEquality(
++                grantee_type=GitGranteeType.REPOSITORY_OWNER),
++            MatchesStructure.byEquality(grantee=grantees[0]),
++            MatchesStructure.byEquality(grantee=grantees[1]),
++            MatchesStructure.byEquality(grantee=grantees[2]),
++            ]))
++
++    def test__parseRefPattern(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        self.assertEqual(
++            ("refs/heads/", "stable/*"),
++            view._parseRefPattern("refs/heads/stable/*"))
++        self.assertEqual(
++            ("refs/tags/", "1.0"), view._parseRefPattern("refs/tags/1.0"))
++        self.assertEqual(
++            ("", "refs/other/*"), view._parseRefPattern("refs/other/*"))
++        self.assertEqual(("", "*"), view._parseRefPattern("*"))
++
++    def test__getFieldName_no_grantee(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/heads/*").replace("=", "_").decode("UTF-8")
++        self.assertEqual(
++            "field.%s" % encoded_ref_pattern,
++            view._getFieldName("field", "refs/heads/*"))
++
++    def test__getFieldName_grantee_repository_owner(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/tags/*").replace("=", "_").decode("UTF-8")
++        self.assertEqual(
++            "field.%s._repository_owner" % encoded_ref_pattern,
++            view._getFieldName(
++                "field", "refs/tags/*",
++                grantee=GitGranteeType.REPOSITORY_OWNER))
++
++    def test__getFieldName_grantee_person(self):
++        repository = self.factory.makeGitRepository()
++        grantee = self.factory.makePerson()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/*").replace("=", "_").decode("UTF-8")
++        self.assertEqual(
++            "field.%s.%s" % (encoded_ref_pattern, grantee.id),
++            view._getFieldName("field", "refs/*", grantee=grantee))
++
++    def test__parseFieldName_too_few_components(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        self.assertRaises(UnexpectedFormData, view._parseFieldName, "field")
++
++    def test__parseFieldName_bad_ref_pattern(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        self.assertRaises(
++            UnexpectedFormData, view._parseFieldName, "field.nonsense")
++
++    def test__parseFieldName_no_grantee(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/heads/*").replace("=", "_").decode("UTF-8")
++        self.assertEqual(
++            ("permissions", "refs/heads/*", None),
++            view._parseFieldName("permissions.%s" % encoded_ref_pattern))
++
++    def test__parseFieldName_grantee_unknown_type(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/tags/*").replace("=", "_").decode("UTF-8")
++        self.assertRaises(
++            UnexpectedFormData, view._parseFieldName,
++            "field.%s._nonsense" % encoded_ref_pattern)
++        self.assertRaises(
++            UnexpectedFormData, view._parseFieldName,
++            "field.%s._person" % encoded_ref_pattern)
++
++    def test__parseFieldName_grantee_repository_owner(self):
++        repository = self.factory.makeGitRepository()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/tags/*").replace("=", "_").decode("UTF-8")
++        self.assertEqual(
++            ("pattern", "refs/tags/*", GitGranteeType.REPOSITORY_OWNER),
++            view._parseFieldName(
++                "pattern.%s._repository_owner" % encoded_ref_pattern))
++
++    def test__parseFieldName_grantee_unknown_person(self):
++        repository = self.factory.makeGitRepository()
++        grantee = self.factory.makePerson()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/*").replace("=", "_").decode("UTF-8")
++        self.assertRaises(
++            UnexpectedFormData, view._parseFieldName,
++            "delete.%s.%s" % (encoded_ref_pattern, grantee.id * 2))
++
++    def test__parseFieldName_grantee_person(self):
++        repository = self.factory.makeGitRepository()
++        grantee = self.factory.makePerson()
++        login_person(repository.owner)
++        view = create_initialized_view(repository, name="+permissions")
++        encoded_ref_pattern = base64.b32encode(
++            b"refs/*").replace("=", "_").decode("UTF-8")
++        self.assertEqual(
++            ("delete", "refs/*", grantee),
++            view._parseFieldName(
++                "delete.%s.%s" % (encoded_ref_pattern, grantee.id)))
++
++    def test__getPermissionsTerm_standard(self):
++        grant = self.factory.makeGitRuleGrant(
++            ref_pattern="refs/heads/*", can_create=True, can_push=True)
++        login_person(grant.repository.owner)
++        view = create_initialized_view(grant.repository, name="+permissions")
++        self.assertThat(
++            view._getPermissionsTerm(grant), MatchesStructure.byEquality(
++                value={
++                    GitPermissionType.CAN_CREATE, GitPermissionType.CAN_PUSH},
++                token="can_push",
++                title="Can push"))
++
++    def test__getPermissionsTerm_custom(self):
++        grant = self.factory.makeGitRuleGrant(
++            ref_pattern="refs/heads/*", can_force_push=True)
++        login_person(grant.repository.owner)
++        view = create_initialized_view(grant.repository, name="+permissions")
++        self.assertThat(
++            view._getPermissionsTerm(grant), MatchesStructure.byEquality(
++                value={GitPermissionType.CAN_FORCE_PUSH},
++                token="custom",
++                title="Custom permissions: force-push"))
++
++    def _matchesCells(self, row_tag, cell_matchers):
++        return AfterPreprocessing(
++            str, soupmatchers.HTMLContains(*(
++                soupmatchers.Within(row_tag, cell_matcher)
++                for cell_matcher in cell_matchers)))
++
++    def _matchesRule(self, position, pattern, short_pattern):
++        rule_tag = soupmatchers.Tag(
++            "rule row", "tr", attrs={"class": "git-rule"})
++        suffix = "." + encode_form_field_id(pattern)
++        position_field_name = "field.position" + suffix
++        pattern_field_name = "field.pattern" + suffix
++        delete_field_name = "field.delete" + suffix
++        return self._matchesCells(rule_tag, [
++            soupmatchers.Within(
++                soupmatchers.Tag("position cell", "td"),
++                soupmatchers.Tag(
++                    "position widget", "input",
++                    attrs={"name": position_field_name, "value": position})),
++            soupmatchers.Within(
++                soupmatchers.Tag("pattern cell", "td"),
++                soupmatchers.Tag(
++                    "pattern widget", "input",
++                    attrs={
++                        "name": pattern_field_name,
++                        "value": short_pattern,
++                        })),
++            soupmatchers.Within(
++                soupmatchers.Tag("delete cell", "td"),
++                soupmatchers.Tag(
++                    "delete widget", "input",
++                    attrs={"name": delete_field_name})),
++            ])
++
++    def _matchesNewRule(self, ref_prefix):
++        new_rule_tag = soupmatchers.Tag(
++            "new rule row", "tr", attrs={"class": "git-new-rule"})
++        suffix = "." + encode_form_field_id(ref_prefix)
++        new_position_field_name = "field.new-position" + suffix
++        new_pattern_field_name = "field.new-pattern" + suffix
++        return self._matchesCells(new_rule_tag, [
++            soupmatchers.Within(
++                soupmatchers.Tag("position cell", "td"),
++                soupmatchers.Tag(
++                    "position widget", "input",
++                    attrs={"name": new_position_field_name, "value": ""})),
++            soupmatchers.Within(
++                soupmatchers.Tag("pattern cell", "td"),
++                soupmatchers.Tag(
++                    "pattern widget", "input",
++                    attrs={"name": new_pattern_field_name, "value": ""})),
++            ])
++
++    def _matchesRuleGrant(self, pattern, grantee, permissions_token,
++                          permissions_title):
++        rule_grant_tag = soupmatchers.Tag(
++            "rule grant row", "tr", attrs={"class": "git-rule-grant"})
++        suffix = "." + encode_form_field_id(pattern)
++        if IPerson.providedBy(grantee):
++            suffix += "." + str(grantee.id)
++            grantee_widget_matcher = soupmatchers.Tag(
++                "grantee widget", "a", attrs={"href": canonical_url(grantee)},
++                text=" " + grantee.display_name)
++        else:
++            suffix += "._" + grantee.name.lower()
++            grantee_widget_matcher = soupmatchers.Tag(
++                "grantee widget", "label",
++                text=re.compile(re.escape(grantee.title)))
++        permissions_field_name = "field.permissions" + suffix
++        delete_field_name = "field.delete" + suffix
++        return self._matchesCells(rule_grant_tag, [
++            soupmatchers.Within(
++                soupmatchers.Tag("grantee cell", "td"),
++                grantee_widget_matcher),
++            soupmatchers.Within(
++                soupmatchers.Tag("permissions cell", "td"),
++                soupmatchers.Within(
++                    soupmatchers.Tag(
++                        "permissions widget", "select",
++                        attrs={"name": permissions_field_name}),
++                    soupmatchers.Tag(
++                        "selected permissions option", "option",
++                        attrs={
++                            "selected": "selected",
++                            "value": permissions_token,
++                            },
++                        text=permissions_title))),
++            soupmatchers.Within(
++                soupmatchers.Tag("delete cell", "td"),
++                soupmatchers.Tag(
++                    "delete widget", "input",
++                    attrs={"name": delete_field_name})),
++            ])
++
++    def _matchesNewRuleGrant(self, pattern, permissions_token):
++        rule_grant_tag = soupmatchers.Tag(
++            "rule grant row", "tr", attrs={"class": "git-new-rule-grant"})
++        suffix = "." + encode_form_field_id(pattern)
++        grantee_field_name = "field.grantee" + suffix
++        permissions_field_name = "field.permissions" + suffix
++        return self._matchesCells(rule_grant_tag, [
++            soupmatchers.Within(
++                soupmatchers.Tag("grantee cell", "td"),
++                soupmatchers.Tag(
++                    "grantee widget", "input",
++                    attrs={"name": grantee_field_name})),
++            soupmatchers.Within(
++                soupmatchers.Tag("permissions cell", "td"),
++                soupmatchers.Within(
++                    soupmatchers.Tag(
++                        "permissions widget", "select",
++                        attrs={"name": permissions_field_name}),
++                    soupmatchers.Tag(
++                        "selected permissions option", "option",
++                        attrs={
++                            "selected": "selected",
++                            "value": permissions_token,
++                            }))),
++            ])
++
++    def test_rules_table(self):
++        repository = self.factory.makeGitRepository()
++        heads_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/stable/*")
++        heads_grantee_1 = self.factory.makePerson(
++            name=self.factory.getUniqueString("person-name-a"))
++        heads_grantee_2 = self.factory.makePerson(
++            name=self.factory.getUniqueString("person-name-b"))
++        self.factory.makeGitRuleGrant(
++            rule=heads_rule, grantee=heads_grantee_1, can_push=True)
++        self.factory.makeGitRuleGrant(
++            rule=heads_rule, grantee=heads_grantee_2, can_force_push=True)
++        tags_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/tags/*")
++        self.factory.makeGitRuleGrant(
++            rule=tags_rule, grantee=GitGranteeType.REPOSITORY_OWNER)
++        login_person(repository.owner)
++        view = create_initialized_view(
++            repository, name="+permissions", principal=repository.owner)
++        rules_table = find_tag_by_id(view(), "rules-table")
++        rows = rules_table.findAll("tr", {"class": True})
++        self.assertThat(rows, MatchesListwise([
++            self._matchesRule("1", "refs/heads/stable/*", "stable/*"),
++            self._matchesRuleGrant(
++                "refs/heads/stable/*", heads_grantee_1, "can_push_existing",
++                "Can push if the branch already exists"),
++            self._matchesRuleGrant(
++                "refs/heads/stable/*", heads_grantee_2, "custom",
++                "Custom permissions: force-push"),
++            self._matchesNewRuleGrant("refs/heads/stable/*", "can_push"),
++            self._matchesNewRule("refs/heads/"),
++            self._matchesRule("2", "refs/tags/*", "*"),
++            self._matchesRuleGrant(
++                "refs/tags/*", GitGranteeType.REPOSITORY_OWNER,
++                "cannot_create", "Cannot create"),
++            self._matchesNewRuleGrant("refs/tags/*", "can_create"),
++            self._matchesNewRule("refs/tags/"),
++            ]))
++
++    def assertHasRules(self, repository, ref_patterns):
++        self.assertThat(list(repository.rules), MatchesListwise([
++            MatchesStructure.byEquality(ref_pattern=ref_pattern)
++            for ref_pattern in ref_patterns
++            ]))
++
++    def assertHasSavedNotification(self, view, repository):
++        self.assertThat(view.request.response.notifications, MatchesListwise([
++            MatchesStructure.byEquality(
++                message="Saved permissions for %s" % repository.identity),
++            ]))
++
++    def test_save_add_rules(self):
++        repository = self.factory.makeGitRepository()
++        self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/stable/*")
++        removeSecurityProxy(repository.getActivity()).remove()
++        login_person(repository.owner)
++        encoded_heads_prefix = encode_form_field_id("refs/heads/")
++        encoded_tags_prefix = encode_form_field_id("refs/tags/")
++        form = {
++            "field.new-pattern." + encoded_heads_prefix: "*",
++            "field.new-pattern." + encoded_tags_prefix: "1.0",
++            "field.actions.save": "Save",
++            }
++        view = create_initialized_view(
++            repository, name="+permissions", form=form,
++            principal=repository.owner)
++        self.assertHasRules(
++            repository,
++            ["refs/tags/1.0", "refs/heads/stable/*", "refs/heads/*"])
++        self.assertThat(list(repository.getActivity()), MatchesListwise([
++            # Adding a tag rule automatically adds a repository owner grant.
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                changee=Is(None),
++                what_changed=Equals(GitActivityType.GRANT_ADDED),
++                new_value=MatchesDict({
++                    "changee_type": Equals("Repository owner"),
++                    "ref_pattern": Equals("refs/tags/1.0"),
++                    "can_create": Is(True),
++                    "can_push": Is(False),
++                    "can_force_push": Is(False),
++                    })),
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                what_changed=Equals(GitActivityType.RULE_ADDED),
++                new_value=MatchesDict({
++                    "ref_pattern": Equals("refs/tags/1.0"),
++                    "position": Equals(0),
++                    })),
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                what_changed=Equals(GitActivityType.RULE_ADDED),
++                new_value=MatchesDict({
++                    "ref_pattern": Equals("refs/heads/*"),
++                    # Initially inserted at 1, although refs/tags/1.0 was
++                    # later inserted before it.
++                    "position": Equals(1),
++                    })),
++            ]))
++        self.assertHasSavedNotification(view, repository)
++
++    def test_save_add_duplicate_rule(self):
++        repository = self.factory.makeGitRepository()
++        self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/stable/*")
++        transaction.commit()
++        login_person(repository.owner)
++        encoded_heads_prefix = encode_form_field_id("refs/heads/")
++        form = {
++            "field.new-pattern." + encoded_heads_prefix: "stable/*",
++            "field.actions.save": "Save",
++            }
++        view = create_initialized_view(
++            repository, name="+permissions", form=form,
++            principal=repository.owner)
++        self.assertThat(view.errors, MatchesListwise([
++            MatchesStructure(
++                field_name=Equals("new-pattern." + encoded_heads_prefix),
++                errors=MatchesStructure.byEquality(
++                    args=("stable/* is already in use by another rule",))),
++            ]))
++        self.assertHasRules(repository, ["refs/heads/stable/*"])
++
++    def test_save_move_rule(self):
++        repository = self.factory.makeGitRepository()
++        self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/stable/*")
++        self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/*/next")
++        encoded_patterns = [
++            encode_form_field_id(rule.ref_pattern)
++            for rule in repository.rules]
++        removeSecurityProxy(repository.getActivity()).remove()
++        login_person(repository.owner)
++        # Positions are 1-based in the UI.
++        form = {
++            "field.position." + encoded_patterns[0]: "2",
++            "field.pattern." + encoded_patterns[0]: "stable/*",
++            "field.position." + encoded_patterns[1]: "1",
++            "field.pattern." + encoded_patterns[1]: "*/more-next",
++            "field.actions.save": "Save",
++            }
++        view = create_initialized_view(
++            repository, name="+permissions", form=form,
++            principal=repository.owner)
++        self.assertHasRules(
++            repository, ["refs/heads/*/more-next", "refs/heads/stable/*"])
++        self.assertThat(list(repository.getActivity()), MatchesListwise([
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                what_changed=Equals(GitActivityType.RULE_CHANGED),
++                old_value=MatchesDict({
++                    "ref_pattern": Equals("refs/heads/*/next"),
++                    "position": Equals(0),
++                    }),
++                new_value=MatchesDict({
++                    "ref_pattern": Equals("refs/heads/*/more-next"),
++                    "position": Equals(0),
++                    })),
++            # Only one rule is recorded as moving; the other is already in
++            # its new position by the time it's processed.
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                what_changed=Equals(GitActivityType.RULE_MOVED),
++                old_value=MatchesDict({
++                    "ref_pattern": Equals("refs/heads/stable/*"),
++                    "position": Equals(0),
++                    }),
++                new_value=MatchesDict({
++                    "ref_pattern": Equals("refs/heads/stable/*"),
++                    "position": Equals(1),
++                    })),
++            ]))
++        self.assertHasSavedNotification(view, repository)
++
++    def test_save_change_grants(self):
++        repository = self.factory.makeGitRepository()
++        stable_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/stable/*")
++        next_rule = self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/*/next")
++        grantees = [self.factory.makePerson() for _ in range(3)]
++        self.factory.makeGitRuleGrant(
++            rule=stable_rule, grantee=GitGranteeType.REPOSITORY_OWNER,
++            can_create=True)
++        self.factory.makeGitRuleGrant(
++            rule=stable_rule,
++            grantee=grantees[0], can_create=True, can_push=True)
++        self.factory.makeGitRuleGrant(
++            rule=next_rule, grantee=grantees[1],
++            can_create=True, can_push=True, can_force_push=True)
++        encoded_patterns = [
++            encode_form_field_id(rule.ref_pattern)
++            for rule in repository.rules]
++        removeSecurityProxy(repository.getActivity()).remove()
++        login_person(repository.owner)
++        form = {
++            "field.permissions.%s._repository_owner" % encoded_patterns[0]: (
++                "can_push"),
++            "field.permissions.%s.%s" % (
++                encoded_patterns[0], grantees[0].id): "can_push",
++            "field.delete.%s.%s" % (encoded_patterns[0], grantees[0].id): "on",
++            "field.grantee.%s" % encoded_patterns[1]: "person",
++            "field.grantee.%s.person" % encoded_patterns[1]: grantees[2].name,
++            "field.permissions.%s" % encoded_patterns[1]: "can_push_existing",
++            "field.actions.save": "Save",
++            }
++        view = create_initialized_view(
++            repository, name="+permissions", form=form,
++            principal=repository.owner)
++        self.assertHasRules(
++            repository, ["refs/heads/stable/*", "refs/heads/*/next"])
++        self.assertThat(stable_rule.grants, MatchesSetwise(
++            MatchesStructure.byEquality(
++                grantee_type=GitGranteeType.REPOSITORY_OWNER,
++                can_create=True, can_push=True, can_force_push=False)))
++        self.assertThat(next_rule.grants, MatchesSetwise(
++            MatchesStructure.byEquality(
++                grantee=grantees[1],
++                can_create=True, can_push=True, can_force_push=True),
++            MatchesStructure.byEquality(
++                grantee=grantees[2],
++                can_create=False, can_push=True, can_force_push=False)))
++        self.assertThat(repository.getActivity(), MatchesSetwise(
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                changee=Is(None),
++                what_changed=Equals(GitActivityType.GRANT_CHANGED),
++                old_value=Equals({
++                    "changee_type": "Repository owner",
++                    "ref_pattern": "refs/heads/stable/*",
++                    "can_create": True,
++                    "can_push": False,
++                    "can_force_push": False,
++                    }),
++                new_value=Equals({
++                    "changee_type": "Repository owner",
++                    "ref_pattern": "refs/heads/stable/*",
++                    "can_create": True,
++                    "can_push": True,
++                    "can_force_push": False,
++                    })),
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                changee=Equals(grantees[0]),
++                what_changed=Equals(GitActivityType.GRANT_REMOVED),
++                old_value=Equals({
++                    "changee_type": "Person",
++                    "ref_pattern": "refs/heads/stable/*",
++                    "can_create": True,
++                    "can_push": True,
++                    "can_force_push": False,
++                    })),
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                changee=Equals(grantees[2]),
++                what_changed=Equals(GitActivityType.GRANT_ADDED),
++                new_value=Equals({
++                    "changee_type": "Person",
++                    "ref_pattern": "refs/heads/*/next",
++                    "can_create": False,
++                    "can_push": True,
++                    "can_force_push": False,
++                    }))))
++        self.assertHasSavedNotification(view, repository)
++
++    def test_save_delete_rule(self):
++        repository = self.factory.makeGitRepository()
++        self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/stable/*")
++        self.factory.makeGitRule(
++            repository=repository, ref_pattern="refs/heads/*")
++        removeSecurityProxy(repository.getActivity()).remove()
++        login_person(repository.owner)
++        encoded_pattern = encode_form_field_id("refs/heads/*")
++        form = {
++            "field.pattern." + encoded_pattern: "*",
++            "field.delete." + encoded_pattern: "on",
++            "field.actions.save": "Save",
++            }
++        view = create_initialized_view(
++            repository, name="+permissions", form=form,
++            principal=repository.owner)
++        self.assertHasRules(repository, ["refs/heads/stable/*"])
++        self.assertThat(list(repository.getActivity()), MatchesListwise([
++            MatchesStructure(
++                changer=Equals(repository.owner),
++                what_changed=Equals(GitActivityType.RULE_REMOVED),
++                old_value=MatchesDict({
++                    "ref_pattern": Equals("refs/heads/*"),
++                    "position": Equals(1),
++                    })),
++            ]))
++        self.assertHasSavedNotification(view, repository)
++
++
  class TestGitRepositoryDeletionView(BrowserTestCase):
      layer = DatabaseFunctionalLayer
 === added file 'lib/lp/code/browser/widgets/gitgrantee.py'
 --- lib/lp/code/browser/widgets/gitgrantee.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/code/browser/widgets/gitgrantee.py	2018-11-09 22:50:10 +0000
@@ -0,0 +1,253 @@
++# Copyright 2018 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++from __future__ import absolute_import, print_function, unicode_literals
++
++__metaclass__ = type
++__all__ = [
++    'GitGranteeDisplayWidget',
++    'GitGranteeField',
++    'GitGranteeWidget',
++    ]
++
++from lazr.enum import DBItem
++from lazr.restful.fields import Reference
++from z3c.ptcompat import ViewPageTemplateFile
++from zope.formlib.interfaces import (
++    ConversionError,
++    IDisplayWidget,
++    IInputWidget,
++    InputErrors,
++    MissingInputError,
++    WidgetInputError,
++    )
++from zope.formlib.utility import setUpWidget
++from zope.formlib.widget import (
++    BrowserWidget,
++    CustomWidgetFactory,
++    DisplayWidget,
++    InputWidget,
++    renderElement,
++    )
++from zope.interface import implementer
++from zope.schema import (
++    Choice,
++    Field,
++    )
++from zope.schema.interfaces import IField
++from zope.schema.vocabulary import getVocabularyRegistry
++from zope.security.proxy import isinstance as zope_isinstance
++
++from lp import _
++from lp.app.errors import UnexpectedFormData
++from lp.app.validators import LaunchpadValidationError
++from lp.app.widgets.popup import PersonPickerWidget
++from lp.code.enums import GitGranteeType
++from lp.code.interfaces.gitrule import IGitRule
++from lp.registry.interfaces.person import IPerson
++from lp.services.webapp.escaping import structured
++from lp.services.webapp.interfaces import (
++    IAlwaysSubmittedWidget,
++    IMultiLineWidgetLayout,
++    )
++from lp.services.webapp.publisher import canonical_url
++
++
++class IGitGranteeField(IField):
++    """An interface for a Git access grantee field."""
++
++    rule = Reference(
++        title=_("Rule"), required=True, readonly=True, schema=IGitRule,
++        description=_("The rule that this grantee is for."))
++
++
++@implementer(IGitGranteeField)
++class GitGranteeField(Field):
++    """A field that holds a Git access grantee."""
++
++    def __init__(self, rule, *args, **kwargs):
++        super(GitGranteeField, self).__init__(*args, **kwargs)
++        self.rule = rule
++
++    def constraint(self, value):
++        """See `IField`."""
++        if zope_isinstance(value, DBItem) and value.enum == GitGranteeType:
++            return value != GitGranteeType.PERSON
++        else:
++            return value in getVocabularyRegistry().get(
++                None, "ValidPersonOrTeam")
++
++
++@implementer(IDisplayWidget)
++class GitGranteePersonDisplayWidget(BrowserWidget):
++
++    def __init__(self, context, vocabulary, request):
++        super(GitGranteePersonDisplayWidget, self).__init__(context, request)
++
++    def __call__(self):
++        if self._renderedValueSet():
++            grantee = self._data
++            person_img = renderElement(
++                "img", style="padding-bottom: 2px", src="/@@/person", alt="")
++            return renderElement(
++                "a", href=canonical_url(grantee),
++                contents="%s %s" % (
++                    person_img,
++                    structured("%s", grantee.display_name).escapedtext))
++        else:
++            return ""
++
++
++@implementer(IMultiLineWidgetLayout)
++class GitGranteeWidgetBase(BrowserWidget):
++
++    template = ViewPageTemplateFile("templates/gitgrantee.pt")
++    default_option = "person"
++    _widgets_set_up = False
++
++    def setUpSubWidgets(self):
++        if self._widgets_set_up:
++            return
++        fields = [
++            Choice(
++                __name__="person", title=u"Person",
++                required=False, vocabulary="ValidPersonOrTeam"),
++            ]
++        if self._read_only:
++            self.person_widget = CustomWidgetFactory(
++                GitGranteePersonDisplayWidget)
++        else:
++            self.person_widget = CustomWidgetFactory(
++                PersonPickerWidget,
++                # XXX cjwatson 2018-10-18: This is a little unfortunate, but
++                # otherwise there's no spacing at all between the
++                # (deliberately unlabelled) radio button and the text box.
++                style="margin-left: 4px;")
++        for field in fields:
++            setUpWidget(
++                self, field.__name__, field, self._sub_widget_interface,
++                prefix=self.name)
++        self._widgets_set_up = True
++
++    def setUpOptions(self):
++        """Set up options to be rendered."""
++        self.options = {}
++        for option in ("repository_owner", "person"):
++            attributes = {
++                "type": "radio", "name": self.name, "value": option,
++                "id": "%s.option.%s" % (self.name, option),
++                # XXX cjwatson 2018-10-18: Ugly, but it's worse without
++                # this, especially in a permissions table where this widget
++                # is normally used.
++                "style": "margin-left: 0;",
++                }
++            if self.request.form_ng.getOne(
++                    self.name, self.default_option) == option:
++                attributes["checked"] = "checked"
++            if self._read_only:
++                attributes["disabled"] = "disabled"
++            self.options[option] = renderElement("input", **attributes)
++
++    @property
++    def show_options(self):
++        return {
++            option: not self._read_only or self.default_option == option
++            for option in ("repository_owner", "person")}
++
++    def setRenderedValue(self, value):
++        """See `IWidget`."""
++        self.setUpSubWidgets()
++        if value == GitGranteeType.REPOSITORY_OWNER:
++            self.default_option = "repository_owner"
++            return
++        elif value is None or IPerson.providedBy(value):
++            self.default_option = "person"
++            self.person_widget.setRenderedValue(value)
++            return
++        else:
++            raise AssertionError("Not a valid value: %r" % value)
++
++    def __call__(self):
++        """See `zope.formlib.interfaces.IBrowserWidget`."""
++        self.setUpSubWidgets()
++        self.setUpOptions()
++        return self.template()
++
++
++@implementer(IDisplayWidget)
++class GitGranteeDisplayWidget(GitGranteeWidgetBase, DisplayWidget):
++    """Widget for displaying a Git access grantee."""
++
++    _sub_widget_interface = IDisplayWidget
++    _read_only = True
++
++
++@implementer(IAlwaysSubmittedWidget, IInputWidget)
++class GitGranteeWidget(GitGranteeWidgetBase, InputWidget):
++    """Widget for selecting a Git access grantee."""
++
++    _sub_widget_interface = IInputWidget
++    _read_only = False
++    _widgets_set_up = False
++
++    @property
++    def show_options(self):
++        show_options = super(GitGranteeWidget, self).show_options
++        # Hide options that indicate unique grantee_types (e.g.
++        # repository_owner) if they already exist for the context rule.
++        if (show_options["repository_owner"] and
++            not self.context.rule.repository.findRuleGrantsByGrantee(
++                GitGranteeType.REPOSITORY_OWNER,
++                ref_pattern=self.context.rule.ref_pattern,
++                exact_grantee=True).is_empty()):
++            show_options["repository_owner"] = False
++        return show_options
++
++    def hasInput(self):
++        self.setUpSubWidgets()
++        form_value = self.request.form_ng.getOne(self.name)
++        if form_value is None:
++            return False
++        return form_value != "person" or self.person_widget.hasInput()
++
++    def hasValidInput(self):
++        """See `zope.formlib.interfaces.IInputWidget`."""
++        try:
++            self.getInputValue()
++            return True
++        except (InputErrors, UnexpectedFormData):
++            return False
++
++    def getInputValue(self):
++        """See `zope.formlib.interfaces.IInputWidget`."""
++        self.setUpSubWidgets()
++        form_value = self.request.form_ng.getOne(self.name)
++        if form_value == "repository_owner":
++            return GitGranteeType.REPOSITORY_OWNER
++        elif form_value == "person":
++            try:
++                return self.person_widget.getInputValue()
++            except MissingInputError:
++                raise WidgetInputError(
++                    self.name, self.label,
++                    LaunchpadValidationError(
++                        "Please enter a person or team name"))
++            except ConversionError:
++                entered_name = self.request.form_ng.getOne(
++                    "%s.person" % self.name)
++                raise WidgetInputError(
++                    self.name, self.label,
++                    LaunchpadValidationError(
++                        "There is no person or team named '%s' registered in "
++                        "Launchpad" % entered_name))
++        else:
++            raise UnexpectedFormData("No valid option was selected.")
++
++    def error(self):
++        """See `zope.formlib.interfaces.IBrowserWidget`."""
++        try:
++            if self.hasInput():
++                self.getInputValue()
++        except InputErrors as error:
++            self._error = error
++        return super(GitGranteeWidget, self).error()
 === added file 'lib/lp/code/browser/widgets/templates/gitgrantee.pt'
 --- lib/lp/code/browser/widgets/templates/gitgrantee.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/code/browser/widgets/templates/gitgrantee.pt	2018-11-09 22:50:10 +0000
@@ -0,0 +1,27 @@
++<table>
++  <tr tal:condition="view/show_options/repository_owner">
++    <td colspan="2">
++      <label>
++        <input
++            type="radio" value="repository_owner"
++            tal:condition="not: context/readonly"
++            tal:replace="structure view/options/repository_owner" />
++        Repository owner
++      </label>
++    </td>
++  </tr>
++
++  <tr tal:condition="view/show_options/person">
++    <td>
++      <label>
++        <input
++            type="radio" value="person"
++            tal:condition="not: context/readonly"
++            tal:replace="structure view/options/person" />
++      </label>
++    </td>
++    <td>
++      <tal:person replace="structure view/person_widget" />
++    </td>
++  </tr>
++</table>
 === added file 'lib/lp/code/browser/widgets/tests/test_gitgrantee.py'
 --- lib/lp/code/browser/widgets/tests/test_gitgrantee.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/code/browser/widgets/tests/test_gitgrantee.py	2018-11-09 22:50:10 +0000
@@ -0,0 +1,305 @@
++# Copyright 2018 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++from __future__ import absolute_import, print_function, unicode_literals
++
++__metaclass__ = type
++
++import re
++
++from zope.formlib.interfaces import (
++    IBrowserWidget,
++    IDisplayWidget,
++    IInputWidget,
++    WidgetInputError,
++    )
++
++from lp.app.validators import LaunchpadValidationError
++from lp.code.browser.widgets.gitgrantee import (
++    GitGranteeDisplayWidget,
++    GitGranteeField,
++    GitGranteeWidget,
++    )
++from lp.code.enums import GitGranteeType
++from lp.registry.vocabularies import ValidPersonOrTeamVocabulary
++from lp.services.beautifulsoup import BeautifulSoup
++from lp.services.webapp.escaping import html_escape
++from lp.services.webapp.publisher import canonical_url
++from lp.services.webapp.servers import LaunchpadTestRequest
++from lp.testing import (
++    TestCaseWithFactory,
++    verifyObject,
++    )
++from lp.testing.layers import DatabaseFunctionalLayer
++
++
++class TestGitGranteeWidgetBase:
++
++    layer = DatabaseFunctionalLayer
++
++    def setUp(self):
++        super(TestGitGranteeWidgetBase, self).setUp()
++        [self.ref] = self.factory.makeGitRefs()
++        self.rule = self.factory.makeGitRule(
++            repository=self.ref.repository, ref_pattern=self.ref.path)
++        self.field = GitGranteeField(__name__="grantee", rule=self.rule)
++        self.request = LaunchpadTestRequest()
++        self.widget = self.widget_factory(self.field, self.request)
++
++    def test_implements(self):
++        self.assertTrue(verifyObject(IBrowserWidget, self.widget))
++        self.assertTrue(
++            verifyObject(self.expected_widget_interface, self.widget))
++
++    def test_template(self):
++        # The render template is setup.
++        self.assertTrue(
++            self.widget.template.filename.endswith("gitgrantee.pt"),
++            "Template was not set up.")
++
++    def test_default_option(self):
++        # The person field is the default option.
++        self.assertEqual("person", self.widget.default_option)
++
++    def test_setUpSubWidgets_first_call(self):
++        # The subwidget is set up and a flag is set.
++        self.widget.setUpSubWidgets()
++        self.assertTrue(self.widget._widgets_set_up)
++        self.assertIsInstance(
++            self.widget.person_widget.context.vocabulary,
++            ValidPersonOrTeamVocabulary)
++
++    def test_setUpSubWidgets_second_call(self):
++        # The setUpSubWidgets method exits early if a flag is set to
++        # indicate that the subwidget was set up.
++        self.widget._widgets_set_up = True
++        self.widget.setUpSubWidgets()
++        self.assertIsNone(getattr(self.widget, "person_widget", None))
++
++    def test_setUpOptions_default_person_checked(self):
++        # The radio button options are composed of the setup widgets with
++        # the person widget set as the default.
++        self.widget.setUpSubWidgets()
++        self.widget.setUpOptions()
++        self.assertEqual(
++            '<input class="radioType" style="margin-left: 0;" ' +
++            self.expected_disabled_attr +
++            'id="field.grantee.option.repository_owner" name="field.grantee" '
++            'type="radio" value="repository_owner" />',
++            self.widget.options["repository_owner"])
++        self.assertEqual(
++            '<input class="radioType" style="margin-left: 0;" ' +
++            'checked="checked" ' + self.expected_disabled_attr +
++            'id="field.grantee.option.person" name="field.grantee" '
++            'type="radio" value="person" />',
++            self.widget.options["person"])
++
++    def test_setUpOptions_repository_owner_checked(self):
++        # The repository owner radio button is selected when the form is
++        # submitted when the grantee field's value is 'repository_owner'.
++        form = {"field.grantee": "repository_owner"}
++        self.widget.request = LaunchpadTestRequest(form=form)
++        self.widget.setUpSubWidgets()
++        self.widget.setUpOptions()
++        self.assertEqual(
++            '<input class="radioType" style="margin-left: 0;" '
++            'checked="checked" ' + self.expected_disabled_attr +
++            'id="field.grantee.option.repository_owner" name="field.grantee" '
++            'type="radio" value="repository_owner" />',
++            self.widget.options["repository_owner"])
++        self.assertEqual(
++            '<input class="radioType" style="margin-left: 0;" ' +
++            self.expected_disabled_attr +
++            'id="field.grantee.option.person" name="field.grantee" '
++            'type="radio" value="person" />',
++            self.widget.options["person"])
++
++    def test_setUpOptions_person_checked(self):
++        # The person radio button is selected when the form is submitted
++        # when the grantee field's value is 'person'.
++        form = {"field.grantee": "person"}
++        self.widget.request = LaunchpadTestRequest(form=form)
++        self.widget.setUpSubWidgets()
++        self.widget.setUpOptions()
++        self.assertEqual(
++            '<input class="radioType" style="margin-left: 0;" ' +
++            self.expected_disabled_attr +
++            'id="field.grantee.option.repository_owner" name="field.grantee" '
++            'type="radio" value="repository_owner" />',
++            self.widget.options["repository_owner"])
++        self.assertEqual(
++            '<input class="radioType" style="margin-left: 0;" ' +
++            'checked="checked" ' + self.expected_disabled_attr +
++            'id="field.grantee.option.person" name="field.grantee" '
++            'type="radio" value="person" />',
++            self.widget.options["person"])
++
++    def test_setRenderedValue_repository_owner(self):
++        # Passing GitGranteeType.REPOSITORY_OWNER will set the widget's
++        # render state to "repository_owner".
++        self.widget.setUpSubWidgets()
++        self.widget.setRenderedValue(GitGranteeType.REPOSITORY_OWNER)
++        self.assertEqual("repository_owner", self.widget.default_option)
++
++    def test_setRenderedValue_person(self):
++        # Passing a person will set the widget's render state to "person".
++        self.widget.setUpSubWidgets()
++        person = self.factory.makePerson()
++        self.widget.setRenderedValue(person)
++        self.assertEqual("person", self.widget.default_option)
++        self.assertEqual(person, self.widget.person_widget._data)
++
++    def test_call(self):
++        # The __call__ method sets up the widgets and the options.
++        markup = self.widget()
++        self.assertIsNotNone(self.widget.person_widget)
++        self.assertIn("repository_owner", self.widget.options)
++        self.assertIn("person", self.widget.options)
++        soup = BeautifulSoup(markup)
++        fields = soup.findAll(["input", "select"], {"id": re.compile(".*")})
++        ids = [field["id"] for field in fields]
++        self.assertContentEqual(self.expected_ids, ids)
++
++
++class TestGitGranteeDisplayWidget(
++        TestGitGranteeWidgetBase, TestCaseWithFactory):
++    """Test the GitGranteeDisplayWidget class."""
++
++    widget_factory = GitGranteeDisplayWidget
++    expected_widget_interface = IDisplayWidget
++    expected_disabled_attr = 'disabled="disabled" '
++    expected_ids = ["field.grantee.option.person"]
++
++    def test_setRenderedValue_person_display_widget(self):
++        # If the widget's render state is "person", a customised display
++        # widget is used.
++        self.widget.setUpSubWidgets()
++        person = self.factory.makePerson()
++        self.widget.setRenderedValue(person)
++        person_url = canonical_url(person)
++        self.assertEqual(
++            '<a href="%s">'
++            '<img style="padding-bottom: 2px" alt="" src="/@@/person" /> '
++            '%s</a>' % (person_url, html_escape(person.display_name)),
++            self.widget.person_widget())
++
++
++class TestGitGranteeWidget(TestGitGranteeWidgetBase, TestCaseWithFactory):
++    """Test the GitGranteeWidget class."""
++
++    widget_factory = GitGranteeWidget
++    expected_widget_interface = IInputWidget
++    expected_disabled_attr = ""
++    expected_ids = [
++        "field.grantee.option.repository_owner",
++        "field.grantee.option.person",
++        "field.grantee.person",
++        ]
++
++    def setUp(self):
++        super(TestGitGranteeWidget, self).setUp()
++        self.person = self.factory.makePerson()
++
++    def test_show_options_repository_owner_grant_already_exists(self):
++        # If the rule already has a repository owner grant, the input widget
++        # doesn't offer that option.
++        self.factory.makeGitRuleGrant(
++            rule=self.rule, grantee=GitGranteeType.REPOSITORY_OWNER)
++        self.assertEqual(
++            {"repository_owner": False, "person": True},
++            self.widget.show_options)
++
++    def test_show_options_repository_owner_grant_does_not_exist(self):
++        # If the rule doesn't have a repository owner grant, the input
++        # widget offers that option.
++        self.factory.makeGitRuleGrant(rule=self.rule)
++        self.assertEqual(
++            {"repository_owner": True, "person": True},
++            self.widget.show_options)
++
++    @property
++    def form(self):
++        return {
++            "field.grantee": "person",
++            "field.grantee.person": self.person.name,
++            }
++
++    def test_hasInput_not_in_form(self):
++        # hasInput is false when the widget's name is not in the form data.
++        self.widget.request = LaunchpadTestRequest(form={})
++        self.assertEqual("field.grantee", self.widget.name)
++        self.assertFalse(self.widget.hasInput())
++
++    def test_hasInput_no_person(self):
++        # hasInput is false when the person radio button is selected and the
++        # person widget's name is not in the form data.
++        self.widget.request = LaunchpadTestRequest(
++            form={"field.grantee": "person"})
++        self.assertEqual("field.grantee", self.widget.name)
++        self.assertFalse(self.widget.hasInput())
++
++    def test_hasInput_repository_owner(self):
++        # hasInput is true when the repository owner radio button is selected.
++        self.widget.request = LaunchpadTestRequest(
++            form={"field.grantee": "repository_owner"})
++        self.assertEqual("field.grantee", self.widget.name)
++        self.assertTrue(self.widget.hasInput())
++
++    def test_hasInput_person(self):
++        # hasInput is true when the person radio button is selected and the
++        # person widget's name is in the form data.
++        self.widget.request = LaunchpadTestRequest(form=self.form)
++        self.assertEqual("field.grantee", self.widget.name)
++        self.assertTrue(self.widget.hasInput())
++
++    def test_hasValidInput_true(self):
++        # The field input is valid when all submitted parts are valid.
++        self.widget.request = LaunchpadTestRequest(form=self.form)
++        self.assertTrue(self.widget.hasValidInput())
++
++    def test_hasValidInput_false(self):
++        # The field input is invalid if any of the submitted parts are invalid.
++        form = self.form
++        form["field.grantee.person"] = "non-existent"
++        self.widget.request = LaunchpadTestRequest(form=form)
++        self.assertFalse(self.widget.hasValidInput())
++
++    def test_getInputValue_repository_owner(self):
++        # The field value is GitGranteeType.REPOSITORY_OWNER when the
++        # repository owner radio button is selected.
++        form = self.form
++        form["field.grantee"] = "repository_owner"
++        self.widget.request = LaunchpadTestRequest(form=form)
++        self.assertEqual(
++            GitGranteeType.REPOSITORY_OWNER, self.widget.getInputValue())
++
++    def test_getInputValue_person(self):
++        # The field value is the person when the person radio button is
++        # selected and the person sub field is valid.
++        form = self.form
++        form["field.grantee"] = "person"
++        self.widget.request = LaunchpadTestRequest(form=form)
++        self.assertEqual(self.person, self.widget.getInputValue())
++
++    def test_getInputValue_person_missing(self):
++        # An error is raised when the person field is missing.
++        form = self.form
++        form["field.grantee"] = "person"
++        del form["field.grantee.person"]
++        self.widget.request = LaunchpadTestRequest(form=form)
++        message = "Please enter a person or team name"
++        e = self.assertRaises(WidgetInputError, self.widget.getInputValue)
++        self.assertEqual(LaunchpadValidationError(message), e.errors)
++
++    def test_getInputValue_person_invalid(self):
++        # An error is raised when the person is not valid.
++        form = self.form
++        form["field.grantee"] = "person"
++        form["field.grantee.person"] = "non-existent"
++        self.widget.request = LaunchpadTestRequest(form=form)
++        message = (
++            "There is no person or team named 'non-existent' registered in "
++            "Launchpad")
++        e = self.assertRaises(WidgetInputError, self.widget.getInputValue)
++        self.assertEqual(LaunchpadValidationError(message), e.errors)
++        self.assertEqual(html_escape(message), self.widget.error())
 === modified file 'lib/lp/code/interfaces/gitrepository.py'
 --- lib/lp/code/interfaces/gitrepository.py	2018-11-09 22:06:43 +0000
 +++ lib/lp/code/interfaces/gitrepository.py	2018-11-09 22:50:10 +0000
@@ -766,12 +766,17 @@
          :param user: The `IPerson` who is moving the rule.
          """
--    def findRuleGrantsByGrantee(grantee):
++    def findRuleGrantsByGrantee(grantee, exact_grantee=False,
++                                ref_pattern=None):
          """Find the grants for a grantee applied to this repository.
          :param grantee: The `IPerson` to search for, or an item of
              `GitGranteeType` other than `GitGranteeType.PERSON` to search
              for some other kind of entity.
++        :param exact_grantee: If True, match `grantee` exactly; if False
++            (the default), also accept teams of which `grantee` is a member.
++        :param ref_pattern: If not None, only return grants for rules with
++            this ref_pattern.
          """
      @export_read_operation()
 === modified file 'lib/lp/code/interfaces/gitrule.py'
 --- lib/lp/code/interfaces/gitrule.py	2018-10-23 16:17:39 +0000
 +++ lib/lp/code/interfaces/gitrule.py	2018-11-09 22:50:10 +0000
@@ -158,6 +158,10 @@
          vocabulary="ValidPersonOrTeam",
          description=_("The person being granted access."))
++    combined_grantee = Attribute(
++        "The overall grantee of this grant: either a `GitGranteeType` (other "
++        "than `PERSON`) or an `IPerson`.")
++
      date_created = Datetime(
          title=_("Date created"), required=True, readonly=True,
          description=_("The time when this grant was created."))
 === modified file 'lib/lp/code/model/gitrepository.py'
 --- lib/lp/code/model/gitrepository.py	2018-11-09 22:06:43 +0000
 +++ lib/lp/code/model/gitrepository.py	2018-11-09 22:50:10 +0000
@@ -1216,7 +1216,8 @@
          return Store.of(self).find(
              GitRuleGrant, GitRuleGrant.repository_id == self.id)
--    def findRuleGrantsByGrantee(self, grantee):
++    def findRuleGrantsByGrantee(self, grantee, exact_grantee=False,
++                                ref_pattern=None):
          """See `IGitRepository`."""
          if isinstance(grantee, DBItem) and grantee.enum == GitGranteeType:
              if grantee == GitGranteeType.PERSON:
@@ -1224,12 +1225,22 @@
                      "grantee may not be GitGranteeType.PERSON; pass a person "
                      "object instead")
              clauses = [GitRuleGrant.grantee_type == grantee]
++        elif exact_grantee:
++            clauses = [
++                GitRuleGrant.grantee_type == GitGranteeType.PERSON,
++                GitRuleGrant.grantee == grantee,
++                ]
          else:
              clauses = [
                  GitRuleGrant.grantee_type == GitGranteeType.PERSON,
                  TeamParticipation.person == grantee,
                  GitRuleGrant.grantee == TeamParticipation.teamID
+                 ]
++        if ref_pattern is not None:
++            clauses.extend([
++                GitRuleGrant.rule_id == GitRule.id,
++                GitRule.ref_pattern == ref_pattern,
++                ])
          return self.grants.find(*clauses).config(distinct=True)
      def getRules(self):
 === modified file 'lib/lp/code/model/gitrule.py'
 --- lib/lp/code/model/gitrule.py	2018-10-29 14:27:36 +0000
 +++ lib/lp/code/model/gitrule.py	2018-11-09 22:50:10 +0000
@@ -310,6 +310,13 @@
          self.date_created = date_created
          self.date_last_modified = date_created
++    @property
++    def combined_grantee(self):
++        if self.grantee_type == GitGranteeType.PERSON:
++            return self.grantee
++        else:
++            return self.grantee_type
++
      def __repr__(self):
          if self.grantee_type == GitGranteeType.PERSON:
              grantee_name = "~%s" % self.grantee.name
 === modified file 'lib/lp/code/model/tests/test_gitrepository.py'
 --- lib/lp/code/model/tests/test_gitrepository.py	2018-11-09 22:06:43 +0000
 +++ lib/lp/code/model/tests/test_gitrepository.py	2018-11-09 22:50:10 +0000
@@ -265,7 +265,7 @@
          grant = self.factory.makeGitRuleGrant(
              rule=rule, grantee=requester, can_push=True, can_create=True)
--        results = repository.findRuleGrantsByGrantee(requester)
++        results = repository.findRuleGrantsByGrantee(member)
          self.assertEqual([grant], list(results))
      def test_findRuleGrantsByGrantee_team_in_team(self):
@@ -357,6 +357,116 @@
          results = repository.findRuleGrantsByGrantee(requester)
          self.assertEqual([owner_grant], list(results))
++    def test_findRuleGrantsByGrantee_ref_pattern(self):
++        requester = self.factory.makePerson()
++        repository = removeSecurityProxy(
++            self.factory.makeGitRepository(owner=requester))
++        [ref] = self.factory.makeGitRefs(repository=repository)
++
++        exact_grant = self.factory.makeGitRuleGrant(
++            repository=repository, ref_pattern=ref.path, grantee=requester)
++        self.factory.makeGitRuleGrant(
++            repository=repository, ref_pattern="refs/heads/*",
++            grantee=requester)
++
++        results = repository.findRuleGrantsByGrantee(
++            requester, ref_pattern=ref.path)
++        self.assertEqual([exact_grant], list(results))
++
++    def test_findRuleGrantsByGrantee_exact_grantee_person(self):
++        requester = self.factory.makePerson()
++        repository = removeSecurityProxy(
++            self.factory.makeGitRepository(owner=requester))
++
++        rule = self.factory.makeGitRule(repository)
++        grant = self.factory.makeGitRuleGrant(rule=rule, grantee=requester)
++
++        results = repository.findRuleGrantsByGrantee(
++            requester, exact_grantee=True)
++        self.assertEqual([grant], list(results))
++
++    def test_findRuleGrantsByGrantee_exact_grantee_team(self):
++        team = self.factory.makeTeam()
++        repository = removeSecurityProxy(
++            self.factory.makeGitRepository(owner=team))
++
++        rule = self.factory.makeGitRule(repository)
++        grant = self.factory.makeGitRuleGrant(rule=rule, grantee=team)
++
++        results = repository.findRuleGrantsByGrantee(team, exact_grantee=True)
++        self.assertEqual([grant], list(results))
++
++    def test_findRuleGrantsByGrantee_exact_grantee_member_of_team(self):
++        member = self.factory.makePerson()
++        team = self.factory.makeTeam(members=[member])
++        repository = removeSecurityProxy(
++            self.factory.makeGitRepository(owner=team))
++
++        rule = self.factory.makeGitRule(repository)
++        self.factory.makeGitRuleGrant(rule=rule, grantee=team)
++
++        results = repository.findRuleGrantsByGrantee(
++            member, exact_grantee=True)
++        self.assertEqual([], list(results))
++
++    def test_findRuleGrantsByGrantee_no_owner_grant(self):
++        repository = removeSecurityProxy(self.factory.makeGitRepository())
++
++        rule = self.factory.makeGitRule(repository=repository)
++        self.factory.makeGitRuleGrant(rule=rule)
++
++        results = repository.findRuleGrantsByGrantee(
++            GitGranteeType.REPOSITORY_OWNER)
++        self.assertEqual([], list(results))
++
++    def test_findRuleGrantsByGrantee_owner_grant(self):
++        repository = removeSecurityProxy(self.factory.makeGitRepository())
++
++        rule = self.factory.makeGitRule(repository=repository)
++        grant = self.factory.makeGitRuleGrant(
++            rule=rule, grantee=GitGranteeType.REPOSITORY_OWNER)
++        self.factory.makeGitRuleGrant(rule=rule)
++
++        results = repository.findRuleGrantsByGrantee(
++            GitGranteeType.REPOSITORY_OWNER)
++        self.assertEqual([grant], list(results))
++
++    def test_findRuleGrantsByGrantee_owner_ref_pattern(self):
++        repository = removeSecurityProxy(self.factory.makeGitRepository())
++        [ref] = self.factory.makeGitRefs(repository=repository)
++
++        exact_grant = self.factory.makeGitRuleGrant(
++            repository=repository, ref_pattern=ref.path,
++            grantee=GitGranteeType.REPOSITORY_OWNER)
++        self.factory.makeGitRuleGrant(
++            repository=repository, ref_pattern="refs/heads/*",
++            grantee=GitGranteeType.REPOSITORY_OWNER)
++
++        results = ref.repository.findRuleGrantsByGrantee(
++            GitGranteeType.REPOSITORY_OWNER, ref_pattern=ref.path)
++        self.assertEqual([exact_grant], list(results))
++
++    def test_findRuleGrantsByGrantee_owner_exact_grantee(self):
++        repository = removeSecurityProxy(self.factory.makeGitRepository())
++        [ref] = self.factory.makeGitRefs(repository=repository)
++
++        exact_grant = self.factory.makeGitRuleGrant(
++            repository=repository, ref_pattern=ref.path,
++            grantee=GitGranteeType.REPOSITORY_OWNER)
++        self.factory.makeGitRuleGrant(
++            rule=exact_grant.rule, grantee=repository.owner)
++        wildcard_grant = self.factory.makeGitRuleGrant(
++            repository=repository, ref_pattern="refs/heads/*",
++            grantee=GitGranteeType.REPOSITORY_OWNER)
++
++        results = ref.repository.findRuleGrantsByGrantee(
++            GitGranteeType.REPOSITORY_OWNER, exact_grantee=True)
++        self.assertItemsEqual([exact_grant, wildcard_grant], list(results))
++        results = ref.repository.findRuleGrantsByGrantee(
++            GitGranteeType.REPOSITORY_OWNER, ref_pattern=ref.path,
++            exact_grantee=True)
++        self.assertEqual([exact_grant], list(results))
++
  class TestGitIdentityMixin(TestCaseWithFactory):
      """Test the defaults and identities provided by GitIdentityMixin."""
 === modified file 'lib/lp/code/model/tests/test_gitrule.py'
 --- lib/lp/code/model/tests/test_gitrule.py	2018-10-21 17:38:05 +0000
 +++ lib/lp/code/model/tests/test_gitrule.py	2018-11-09 22:50:10 +0000
@@ -594,6 +594,7 @@
              rule=Equals(rule),
              grantee_type=Equals(GitGranteeType.REPOSITORY_OWNER),
              grantee=Is(None),
++            combined_grantee=Equals(GitGranteeType.REPOSITORY_OWNER),
              can_create=Is(True),
              can_push=Is(False),
              can_force_push=Is(True),
@@ -614,6 +615,7 @@
              rule=Equals(rule),
              grantee_type=Equals(GitGranteeType.PERSON),
              grantee=Equals(grantee),
++            combined_grantee=Equals(grantee),
              can_create=Is(False),
              can_push=Is(True),
              can_force_push=Is(False),
 === added file 'lib/lp/code/templates/gitrepository-permissions.pt'
 --- lib/lp/code/templates/gitrepository-permissions.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/code/templates/gitrepository-permissions.pt	2018-11-09 22:50:10 +0000
@@ -0,0 +1,192 @@
++<html
++  xmlns="http://www.w3.org/1999/xhtml"
++  xmlns:tal="http://xml.zope.org/namespaces/tal"
++  xmlns:metal="http://xml.zope.org/namespaces/metal"
++  xmlns:i18n="http://xml.zope.org/namespaces/i18n"
++  metal:use-macro="view/macro:page/main_only"
++  i18n:domain="launchpad">
++<body>
++
++  <metal:macros fill-slot="bogus">
++    <metal:macro define-macro="rule-rows">
++      <tal:rule repeat="rule rules">
++        <tal:rule_widgets
++            define="rule_widgets python:view.getRuleWidgets(rule)">
++          <tr class="git-rule">
++            <td tal:define="widget nocall:rule_widgets/position">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++            <td tal:define="widget nocall:rule_widgets/pattern" colspan="2">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++            <td tal:define="widget nocall:rule_widgets/delete">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++          </tr>
++          <tr class="git-rule-grant"
++              tal:repeat="grant_widgets rule_widgets/grants">
++            <td></td>
++            <td tal:define="widget nocall:grant_widgets/grantee">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++            <td tal:define="widget nocall:grant_widgets/permissions">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++            <td tal:define="widget nocall:grant_widgets/delete">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++          </tr>
++          <tr class="git-new-rule-grant"
++              tal:define="new_grant_widgets rule_widgets/new_grant">
++            <td></td>
++            <td tal:define="widget nocall:new_grant_widgets/grantee">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++            <td tal:define="widget nocall:new_grant_widgets/permissions">
++              <metal:block use-macro="context/@@launchpad_form/widget_div" />
++            </td>
++            <td></td>
++          </tr>
++        </tal:rule_widgets>
++      </tal:rule>
++      <tal:allows-new-rule condition="ref_prefix">
++        <tr class="git-new-rule"
++            tal:define="new_rule_widgets python:view.getNewRuleWidgets(ref_prefix)">
++          <td tal:define="widget nocall:new_rule_widgets/position">
++            <metal:block use-macro="context/@@launchpad_form/widget_div" />
++          </td>
++          <td tal:define="widget nocall:new_rule_widgets/pattern" colspan="2">
++            <metal:block use-macro="context/@@launchpad_form/widget_div" />
++          </td>
++          <td></td>
++        </tr>
++      </tal:allows-new-rule>
++    </metal:macro>
++  </metal:macros>
++
++  <div metal:fill-slot="main">
++    <p>
++      By default, repository owners may create, push, force-push, or delete
++      any branch or tag in their repositories, and nobody else may modify
++      them in any way.
++    </p>
++    <p>
++      If any of the rules below matches a branch or tag, then it is
++      <em>protected</em>.  By default, protecting a branch implicitly
++      prevents repository owners from force-pushing to it or deleting it,
++      while protecting a tag prevents repository owners from moving it.
++      Protecting a branch or tag also allows you to grant other permissions.
++    </p>
++    <p>
++      You may create rules that match a single branch or tag, or wildcard
++      rules that match a pattern: for example, <code>*</code> matches
++      everything, while <code>stable/*</code> matches
++      <code>stable/1.0</code> but not <code>master</code>.
++    </p>
++
++    <metal:grants-form use-macro="context/@@launchpad_form/form">
++      <div class="form" metal:fill-slot="widgets">
++        <table id="rules-table" class="listing"
++               style="max-width: 60em; margin-bottom: 1em;">
++          <thead>
++            <tr>
++              <th>Position</th>
++              <th colspan="2">Rule</th>
++              <th>Delete?</th>
++            </tr>
++          </thead>
++          <tbody>
++            <tr>
++              <td colspan="4">
++                <h3>Protected branches (under <code>refs/heads/</code>)</h3>
++              </td>
++            </tr>
++            <tal:branches define="rules view/branch_rules;
++                                  ref_prefix string:refs/heads/">
++              <metal:grants use-macro="template/macros/rule-rows" />
++            </tal:branches>
++
++            <tr>
++              <td colspan="4">
++                <h3>Protected tags (under <code>refs/tags/</code>)</h3>
++              </td>
++            </tr>
++            <tal:tags define="rules view/tag_rules;
++                              ref_prefix string:refs/tags/">
++              <metal:grants use-macro="template/macros/rule-rows" />
++            </tal:tags>
++
++            <tal:has-other condition="view/other_rules">
++              <tr><td colspan="4"><h3>Other protected references</h3></td></tr>
++              <tal:other define="rules view/other_rules; ref_prefix nothing">
++                <metal:grants use-macro="template/macros/rule-rows" />
++              </tal:other>
++            </tal:has-other>
++          </tbody>
++        </table>
++
++        <p class="actions">
++          <input tal:replace="structure view/save_action/render" />
++          or <a tal:attributes="href view/cancel_url">Cancel</a>
++        </p>
++      </div>
++
++      <metal:buttons fill-slot="buttons" />
++    </metal:grants-form>
++
++    <h2>Wildcards</h2>
++    <p>The special characters used in wildcard rules are:</p>
++    <table class="listing narrow-listing">
++      <thead>
++        <tr>
++          <th>Pattern</th>
++          <th>Meaning</th>
++        </tr>
++      </thead>
++      <tbody>
++        <tr>
++          <td><code>*</code></td>
++          <td>matches zero or more characters</td>
++        </tr>
++        <tr>
++          <td><code>?</code></td>
++          <td>matches any single character</td>
++        </tr>
++        <tr>
++          <td><code>[chars]</code></td>
++          <td>matches any character in <em>chars</em></td>
++        </tr>
++        <tr>
++          <td><code>[!chars]</code></td>
++          <td>matches any character not in <em>chars</em></td>
++        </tr>
++      </tbody>
++    </table>
++
++    <h2>Effective permissions</h2>
++    <p>
++      Launchpad works out the effective permissions that a user has on a
++      protected branch as follows:
++    </p>
++    <ol>
++      <li>Take all the rules that match the branch.</li>
++      <li>
++        For each matching rule, select any grants whose grantee matches the
++        user, as long as the same grantee has not already been seen in an
++        earlier matching rule.  (A user can be matched by more than one
++        grantee: for example, they might be in multiple teams.)
++      </li>
++      <li>
++        If the user is an owner of the repository and there was no previous
++        “Repository owner” grant, then add an implicit grant allowing them
++        to create or push.
++      </li>
++      <li>
++        The effective permission set is the union of the permissions granted
++        by all the selected grants.
++      </li>
++    </ol>
++  </div>
++
++</body>
++</html>