Permission Overview

Adds an overview of the permissions of a user including its groups. To do so, a new cache is introduced that stores the groups of a user, when the user is authenticated. In doing so, SCM-Manager can also list groups assigned by external authentication plugins such as LDAP. On the other hand, the user has to have been logged in at least once to get external groups, and even then the cached groups may be out of date when the overview is created. Internal groups will always be added correctly, nonetheless. Due to the cache, another problem arised: On some logins, the xml dao for the cache failed to be read, because it was read and written at the same time. To fix this, a more thorough synchronization of the stores has been implemented. Committed-by: Konstantin Schaper <konstantin.schaper@cloudogu.com> Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
2026-05-07 21:36:43 +02:00 · 2023-02-09 10:29:05 +01:00
parent 864ed9072d
commit e1b107849e
39 changed files with 1748 additions and 151 deletions
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionOverviewDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionOverviewDto.java
@@ -0,0 +1,62 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.Embedded;
+import de.otto.edison.hal.HalRepresentation;
+import de.otto.edison.hal.Links;
+import lombok.Getter;
+import lombok.Setter;
+
+import java.util.Collection;
+
+@Getter
+@Setter
+@SuppressWarnings("java:S2160") // no equals needed in dto
+class PermissionOverviewDto extends HalRepresentation {
+
+  private Collection<PermissionOverviewDto.GroupEntryDto> relevantGroups;
+  private Collection<String> relevantNamespaces;
+  private Collection<RepositoryEntry> relevantRepositories;
+
+  PermissionOverviewDto(Links links, Embedded embedded) {
+    super(links, embedded);
+  }
+
+  @Getter
+  @Setter
+  static class GroupEntryDto {
+    private String name;
+    private boolean permissions;
+    private boolean externalOnly;
+  }
+
+  @Getter
+  @Setter
+  static class RepositoryEntry {
+    private String namespace;
+    private String name;
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionOverviewToPermissionOverviewDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionOverviewToPermissionOverviewDtoMapper.java
@@ -0,0 +1,98 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.Embedded;
+import org.mapstruct.Context;
+import org.mapstruct.Mapper;
+import org.mapstruct.ObjectFactory;
+import sonia.scm.group.GroupManager;
+import sonia.scm.repository.Repository;
+import sonia.scm.user.PermissionOverview;
+
+import javax.inject.Inject;
+import java.util.List;
+
+import static de.otto.edison.hal.Links.linkingTo;
+import static java.util.stream.Collectors.toList;
+
+@Mapper
+abstract class PermissionOverviewToPermissionOverviewDtoMapper {
+
+  @Inject
+  private ResourceLinks resourceLinks;
+  @Inject
+  private RepositoryToRepositoryDtoMapper repositoryToRepositoryDtoMapper;
+  @Inject
+  private NamespaceToNamespaceDtoMapper namespaceToNamespaceDtoMapper;
+  @Inject
+  private GroupManager groupManager;
+  @Inject
+  private GroupToGroupDtoMapper groupToGroupDtoMapper;
+
+  abstract PermissionOverviewDto toDto(PermissionOverview permissionOverview, @Context String userName);
+
+  abstract PermissionOverviewDto.GroupEntryDto toDto(PermissionOverview.GroupEntry groupEntry);
+
+  abstract PermissionOverviewDto.RepositoryEntry toDto(Repository repository);
+
+  @ObjectFactory
+  PermissionOverviewDto createDto(PermissionOverview permissionOverview, @Context String userName) {
+    List<NamespaceDto> relevantNamespaces = permissionOverview
+      .getRelevantNamespaces()
+      .stream()
+      .map(namespaceToNamespaceDtoMapper::map)
+      .collect(toList());
+    List<NamespaceDto> otherNamespaces = permissionOverview
+      .getRelevantRepositories()
+      .stream()
+      .map(Repository::getNamespace)
+      .distinct()
+      .filter(namespace -> !permissionOverview.getRelevantNamespaces().contains(namespace))
+      .map(namespaceToNamespaceDtoMapper::map)
+      .collect(toList());
+    List<RepositoryDto> repositories = permissionOverview
+      .getRelevantRepositories()
+      .stream()
+      .map(repositoryToRepositoryDtoMapper::map)
+      .collect(toList());
+    List<GroupDto> groups = permissionOverview
+      .getRelevantGroups()
+      .stream()
+      .map(PermissionOverview.GroupEntry::getName)
+      .map(groupManager::get)
+      .map(groupToGroupDtoMapper::map)
+      .collect(toList());
+    Embedded.Builder embedded = new Embedded.Builder()
+      .with("relevantNamespaces", relevantNamespaces)
+      .with("otherNamespaces", otherNamespaces)
+      .with("repositories", repositories)
+      .with("groups", groups);
+    return new PermissionOverviewDto(
+      linkingTo().self(resourceLinks.user().permissionOverview(userName)).build(),
+      embedded.build()
+    );
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
@@ -148,6 +148,10 @@ class ResourceLinks {
      return userLinkBuilder.method("getUserResource").parameters(name).method("toInternal").parameters().href();
    }

+    public String permissionOverview(String name) {
+      return userLinkBuilder.method("getUserResource").parameters(name).method("permissionOverview").parameters().href();
+    }
+
    public String publicKeys(String name) {
      return publicKeyLinkBuilder.method("findAll").parameters(name).href();
    }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
@@ -31,6 +31,7 @@ import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.parameters.RequestBody;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import org.apache.shiro.authc.credential.PasswordService;
+import sonia.scm.user.PermissionOverviewCollector;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
 import sonia.scm.web.VndMediaType;
@@ -44,30 +45,36 @@ import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;

 public class UserResource {

  private final UserDtoToUserMapper dtoToUserMapper;
  private final UserToUserDtoMapper userToDtoMapper;
+  private final PermissionOverviewToPermissionOverviewDtoMapper permissionOverviewMapper;

  private final IdResourceManagerAdapter<User, UserDto> adapter;
  private final UserManager userManager;
  private final PasswordService passwordService;
  private final UserPermissionResource userPermissionResource;
+  private final PermissionOverviewCollector permissionOverviewCollector;

  @Inject
-  public UserResource(
-    UserDtoToUserMapper dtoToUserMapper,
-    UserToUserDtoMapper userToDtoMapper,
-    UserManager manager,
-    PasswordService passwordService, UserPermissionResource userPermissionResource) {
+  public UserResource(UserDtoToUserMapper dtoToUserMapper,
+                      UserToUserDtoMapper userToDtoMapper,
+                      PermissionOverviewToPermissionOverviewDtoMapper permissionOverviewMapper, UserManager manager,
+                      PasswordService passwordService,
+                      UserPermissionResource userPermissionResource,
+                      PermissionOverviewCollector permissionOverviewCollector) {
    this.dtoToUserMapper = dtoToUserMapper;
    this.userToDtoMapper = userToDtoMapper;
+    this.permissionOverviewMapper = permissionOverviewMapper;
    this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
    this.userManager = manager;
    this.passwordService = passwordService;
    this.userPermissionResource = userPermissionResource;
+    this.permissionOverviewCollector = permissionOverviewCollector;
  }

  /**
@@ -298,6 +305,13 @@ public class UserResource {
    return Response.noContent().build();
  }

+  @GET
+  @Path("permissionOverview")
+  @Produces(MediaType.APPLICATION_JSON)
+  public PermissionOverviewDto permissionOverview(@PathParam("id") String name) {
+    return permissionOverviewMapper.toDto(permissionOverviewCollector.create(name), name);
+  }
+
  @Path("permissions")
  public UserPermissionResource permissions() {
    return userPermissionResource;
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java
@@ -29,6 +29,7 @@ import de.otto.edison.hal.Links;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
 import org.mapstruct.ObjectFactory;
+import sonia.scm.group.GroupPermissions;
 import sonia.scm.security.PermissionPermissions;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
@@ -76,6 +77,9 @@ public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {
    }
    if (PermissionPermissions.read().isPermitted()) {
      linksBuilder.single(link("permissions", resourceLinks.userPermissions().permissions(user.getName())));
+      if (GroupPermissions.list().isPermitted()) {
+        linksBuilder.single(link("permissionOverview", resourceLinks.user().permissionOverview(user.getName())));
+      }
    }

    Embedded.Builder embeddedBuilder = embeddedBuilder();
--- a/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java
+++ b/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupCollector.java
@@ -34,11 +34,15 @@ import sonia.scm.cache.Cache;
 import sonia.scm.cache.CacheManager;
 import sonia.scm.security.Authentications;
 import sonia.scm.security.LogoutEvent;
+import sonia.scm.store.ConfigurationStore;
+import sonia.scm.store.ConfigurationStoreFactory;
 import sonia.scm.user.UserEvent;

 import javax.inject.Inject;
 import javax.inject.Singleton;
+import java.util.HashSet;
 import java.util.Set;
+import java.util.stream.Stream;

 /**
 * Collect groups for a certain principal.
@@ -56,11 +60,14 @@ public class DefaultGroupCollector implements GroupCollector {
  private final Cache<String, Set<String>> cache;
  private final Set<GroupResolver> groupResolvers;

+  private final ConfigurationStoreFactory configurationStoreFactory;
+
  @Inject
-  public DefaultGroupCollector(GroupDAO groupDAO, CacheManager cacheManager, Set<GroupResolver> groupResolvers) {
+  public DefaultGroupCollector(GroupDAO groupDAO, CacheManager cacheManager, Set<GroupResolver> groupResolvers, ConfigurationStoreFactory configurationStoreFactory) {
    this.groupDAO = groupDAO;
    this.cache = cacheManager.getCache(CACHE_NAME);
    this.groupResolvers = groupResolvers;
+    this.configurationStoreFactory = configurationStoreFactory;
  }

  @Override
@@ -79,9 +86,30 @@ public class DefaultGroupCollector implements GroupCollector {

    Set<String> groups = builder.build();
    LOG.debug("collected following groups for principal {}: {}", principal, groups);
+
+    ConfigurationStore<UserGroupCache> store = createStore();
+    UserGroupCache persistentCache = getPersistentCache(store);
+    persistentCache.put(principal, groups);
+    store.set(persistentCache);
+
    return groups;
  }

+  @Override
+  public Set<String> fromLastLoginPlusInternal(String principal) {
+    Set<String> cached = new HashSet<>(getPersistentCache(createStore()).get(principal));
+    computeInternalGroups(principal).forEach(cached::add);
+    return cached;
+  }
+
+  private static UserGroupCache getPersistentCache(ConfigurationStore<UserGroupCache> store) {
+    return store.getOptional().orElseGet(UserGroupCache::new);
+  }
+
+  private ConfigurationStore<UserGroupCache> createStore() {
+    return configurationStoreFactory.withType(UserGroupCache.class).withName("user-group-cache").build();
+  }
+
  @Subscribe(async = false)
  public void clearCacheOnLogOut(LogoutEvent event) {
    String principal = event.getPrimaryPrincipal();
@@ -95,12 +123,12 @@ public class DefaultGroupCollector implements GroupCollector {
    }
  }

+  private Stream<String> computeInternalGroups(String principal) {
+    return groupDAO.getAll().stream().filter(group -> group.isMember(principal)).map(Group::getName);
+  }
+
  private void appendInternalGroups(String principal, ImmutableSet.Builder<String> builder) {
-    for (Group group : groupDAO.getAll()) {
-      if (group.isMember(principal)) {
-        builder.add(group.getName());
-      }
-    }
+    computeInternalGroups(principal).forEach(builder::add);
  }

  private Set<String> resolveExternalGroups(String principal) {
--- a/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/group/DefaultGroupManager.java
@@ -37,7 +37,6 @@ import sonia.scm.HandlerEventType;
 import sonia.scm.ManagerDaoAdapter;
 import sonia.scm.NotFoundException;
 import sonia.scm.SCMContextProvider;
-import sonia.scm.TransformFilter;
 import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
 import sonia.scm.util.CollectionAppender;
@@ -50,8 +49,11 @@ import java.util.Collections;
 import java.util.Comparator;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Set;
 import java.util.function.Predicate;

+import static java.util.stream.Collectors.toSet;
+
 //~--- JDK imports ------------------------------------------------------------

 /**
@@ -346,7 +348,11 @@ public class DefaultGroupManager extends AbstractGroupManager
    return groupDAO.getLastModified();
  }

-  //~--- methods --------------------------------------------------------------
+  @Override
+  public Set<String> getAllNames() {
+    GroupPermissions.list().check();
+    return groupDAO.getAll().stream().map(Group::getName).collect(toSet());
+  }

  /**
   * Remove duplicate members from group.
--- a/scm-webapp/src/main/java/sonia/scm/group/UserGroupCache.java
+++ b/scm-webapp/src/main/java/sonia/scm/group/UserGroupCache.java
@@ -0,0 +1,58 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.group;
+
+import sonia.scm.xml.XmlMapMultiStringAdapter;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import static java.util.Collections.emptySet;
+
+@XmlRootElement(name = "user-group-cache")
+@XmlAccessorType(XmlAccessType.FIELD)
+class UserGroupCache {
+  @XmlJavaTypeAdapter(XmlMapMultiStringAdapter.class)
+  private Map<String, Set<String>> cache;
+
+  Set<String> get(String user) {
+    if (cache == null) {
+      return emptySet();
+    }
+    return cache.getOrDefault(user, emptySet());
+  }
+
+  void put(String user, Set<String> groups) {
+    if (cache == null) {
+      cache = new HashMap<>();
+    }
+    cache.put(user, groups);
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/update/store/DifferentiateBetweenConfigAndConfigEntryUpdateStep.java
+++ b/scm-webapp/src/main/java/sonia/scm/update/store/DifferentiateBetweenConfigAndConfigEntryUpdateStep.java
@@ -49,6 +49,8 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.stream.Stream;

+import static sonia.scm.store.CopyOnWrite.compute;
+
 abstract class DifferentiateBetweenConfigAndConfigEntryUpdateStep {

  private static final Logger LOG = LoggerFactory.getLogger(DifferentiateBetweenConfigAndConfigEntryUpdateStep.class);
@@ -90,7 +92,7 @@ abstract class DifferentiateBetweenConfigAndConfigEntryUpdateStep {
  private void updateSingleFile(Path configFile) {
    LOG.info("Updating config entry file: {}", configFile);

-    Document configEntryDocument = readAsXmlDocument(configFile);
+    Document configEntryDocument = compute(() -> readAsXmlDocument(configFile)).withLockedFile(configFile);

    configEntryDocument.getDocumentElement().setAttribute("type", "config-entry");

--- a/scm-webapp/src/main/java/sonia/scm/user/PermissionOverview.java
+++ b/scm-webapp/src/main/java/sonia/scm/user/PermissionOverview.java
@@ -0,0 +1,77 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.user;
+
+import lombok.Getter;
+import sonia.scm.repository.Repository;
+
+import java.util.Collection;
+
+import static java.util.Collections.unmodifiableCollection;
+
+/**
+ * The permission overview aggregates groups a user is a member of and all namespaces
+ * and repositories that have permissions configured for this user or one of its groups.
+ * This is the result of {@link PermissionOverviewCollector#create(String)}.
+ *
+ * @since 2.42.0
+ */
+public class PermissionOverview {
+
+  private final Collection<GroupEntry> relevantGroups;
+  private final Collection<String> relevantNamespaces;
+  private final Collection<Repository> relevantRepositories;
+
+  public PermissionOverview(Collection<GroupEntry> relevantGroups, Collection<String> relevantNamespaces, Collection<Repository> relevantRepositories) {
+    this.relevantGroups = relevantGroups;
+    this.relevantNamespaces = relevantNamespaces;
+    this.relevantRepositories = relevantRepositories;
+  }
+
+  public Collection<GroupEntry> getRelevantGroups() {
+    return unmodifiableCollection(relevantGroups);
+  }
+
+  public Collection<String> getRelevantNamespaces() {
+    return unmodifiableCollection(relevantNamespaces);
+  }
+
+  public Collection<Repository> getRelevantRepositories() {
+    return unmodifiableCollection(relevantRepositories);
+  }
+
+  @Getter
+  public static class GroupEntry {
+    private final String name;
+    private final boolean permissions;
+    private final boolean externalOnly;
+
+    public GroupEntry(String name, boolean permissions, boolean externalOnly) {
+      this.name = name;
+      this.permissions = permissions;
+      this.externalOnly = externalOnly;
+    }
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/user/PermissionOverviewCollector.java
+++ b/scm-webapp/src/main/java/sonia/scm/user/PermissionOverviewCollector.java
@@ -0,0 +1,114 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.user;
+
+import sonia.scm.group.GroupCollector;
+import sonia.scm.group.GroupManager;
+import sonia.scm.repository.Namespace;
+import sonia.scm.repository.NamespaceManager;
+import sonia.scm.repository.Repository;
+import sonia.scm.repository.RepositoryManager;
+import sonia.scm.repository.RepositoryPermission;
+import sonia.scm.repository.RepositoryPermissionHolder;
+import sonia.scm.security.PermissionAssigner;
+import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.security.PermissionPermissions;
+import sonia.scm.user.PermissionOverview.GroupEntry;
+
+import javax.inject.Inject;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import static java.util.stream.Collectors.toList;
+
+public class PermissionOverviewCollector {
+
+  private final GroupCollector groupCollector;
+  private final PermissionAssigner permissionAssigner;
+  private final GroupManager groupManager;
+  private final RepositoryManager repositoryManager;
+  private final NamespaceManager namespaceManager;
+
+  @Inject
+  public PermissionOverviewCollector(GroupCollector groupCollector, PermissionAssigner permissionAssigner, GroupManager groupManager, RepositoryManager repositoryManager, NamespaceManager namespaceManager) {
+    this.groupCollector = groupCollector;
+    this.permissionAssigner = permissionAssigner;
+    this.groupManager = groupManager;
+    this.repositoryManager = repositoryManager;
+    this.namespaceManager = namespaceManager;
+  }
+
+  public PermissionOverview create(String userId) {
+    PermissionPermissions.read().check();
+    Collection<String> groupsFromLastLogin = groupCollector.fromLastLoginPlusInternal(userId);
+
+    return new PermissionOverview(
+      collectGroups(groupsFromLastLogin),
+      collectNamespaces(userId, groupsFromLastLogin),
+      collectRepositories(userId, groupsFromLastLogin)
+    );
+  }
+
+  private Collection<GroupEntry> collectGroups(Collection<String> groupsFromLastLogin) {
+    Collection<GroupEntry> groupEntries = new ArrayList<>();
+    Collection<String> allGroups = groupManager.getAllNames();
+    groupsFromLastLogin.forEach(groupName -> {
+      Collection<PermissionDescriptor> permissionDescriptors = permissionAssigner.readPermissionsForGroup(groupName);
+      groupEntries.add(
+        new GroupEntry(
+          groupName,
+          !permissionDescriptors.isEmpty(),
+          !allGroups.contains(groupName)));
+    });
+    return groupEntries;
+  }
+
+  private Collection<String> collectNamespaces(String userId, Collection<String> groupsFromLastLogin) {
+    return namespaceManager
+      .getAll()
+      .stream()
+      .filter(namespace -> isRelevant(userId, groupsFromLastLogin, namespace))
+      .map(Namespace::getNamespace)
+      .collect(toList());
+  }
+
+  private List<Repository> collectRepositories(String userId, Collection<String> groupsFromLastLogin) {
+    return repositoryManager
+      .getAll()
+      .stream()
+      .filter(repo -> isRelevant(userId, groupsFromLastLogin, repo))
+      .collect(toList());
+  }
+
+  private static boolean isRelevant(String userId, Collection<String> groupsFromLastLogin, RepositoryPermissionHolder permissionHolder) {
+    return permissionHolder.getPermissions().stream().anyMatch(permission -> isRelevant(userId, groupsFromLastLogin, permission));
+  }
+
+  private static boolean isRelevant(String userId, Collection<String> groupsFromLastLogin, RepositoryPermission permission) {
+    return permission.isGroupPermission() && groupsFromLastLogin.contains(permission.getName())
+      || !permission.isGroupPermission() && userId.equals(permission.getName());
+  }
+}