From 9b6cc80ecc863d6269097f422f7c97b156348071 Mon Sep 17 00:00:00 2001
From: Kay0u
Date: Wed, 6 Jan 2021 13:31:32 +0100
Subject: [PATCH] Improve permissions management
---
 manifest.json | 2 +-
 scripts/install | 14 ++++++++++----
 scripts/upgrade | 38 +++++++++++---------------------------
 3 files changed, 22 insertions(+), 32 deletions(-)
diff --git a/manifest.json b/manifest.json
index 44a6aa9..2eb84bc 100644
--- a/manifest.json
+++ b/manifest.json
@@ -15,7 +15,7 @@
 "url": "http://example.com"
 },
 "requirements": {
- "yunohost": ">= 3.7"
+ "yunohost": ">= 4.1.2"
 },
 "multi_instance": true,
 "services": [
diff --git a/scripts/install b/scripts/install
index 54d74a3..24f1a05 100755
--- a/scripts/install
+++ b/scripts/install
@@ -220,7 +220,8 @@ chown -R $app: $final_path
 # Set the app as temporarily public for curl call
 ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
-ynh_app_setting_set --app=$app --key=skipped_uris --value="/"
+# Making the app public for curl
+ynh_permission_update --permission="main" --add="visitors"
 # Reload SSOwat config
 yunohost app ssowatconf
@@ -232,7 +233,7 @@ ynh_script_progression --message="Finalizing installation..." --time --weight=1
 ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
 # Remove the public access
-ynh_app_setting_delete --app=$app --key=skipped_uris
+ynh_permission_update --permission="main" --remove="visitors"
 #=================================================
 # MODIFY A CONFIG FILE
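Review bot: The temporary `visitors` grant added in the first scripts/install hunk (@@ -220) is only revoked by the `--remove="visitors"` line in the next hunk (@@ -232), so `main` is open without SSO for the whole `ynh_local_curl` step and nothing visible in either hunk revokes it if that call fails. Whether the script's error handling, which is outside these hunks, aborts and cleans up the install in that case cannot be seen here; if it does not, a failed finalization could leave the app public. A comment stating that dependency would help, for example `# visitors is removed right after ynh_local_curl; a failure in between must abort the install so the grant does not persist`. The two stacked comments `# Set the app as temporarily public for curl call` and `# Making the app public for curl` say the same thing, so one of them can be dropped.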
@@ -339,11 +340,16 @@ if [ $is_public -eq 1 ]
 then
 # Everyone can access the app.
 # The "main" permission is automatically created before the install script.
- ynh_permission_update --permission "main" --add "visitors"
+ ynh_permission_update --permission="main" --add="visitors"
 fi
 # Only the admin can access the admin panel of the app (if the app has an admin panel)
-ynh_permission_create --permission "admin" --url "/admin" --allowed $admin
+ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
+
+# Everyone can access to the api part
+# We don't want to display the tile in the sso so we put --show_tile="false"
+# And we don't want that the YunoHost Admin can remove visitors group to this permission, so we put --protected="true"
+ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true"
 #=================================================
 # RELOAD NGINX
diff --git a/scripts/upgrade b/scripts/upgrade
index 544b891..93ca640 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
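Review bot: The new `api` permission in this scripts/install hunk (@@ -339) grants `/api` to `visitors` and sets `--protected="true"`, which according to the added comment stops the YunoHost admin from removing that group, so requests under `/api` are not gated by the SSO and the application's own API authentication is the only control. The comment block should state that precondition, for example `# /api is reachable without SSO login: only keep this if the app authenticates API requests itself`. On the same line `--url "/api"` is the one option left in space-separated form while the rest of the commit moves to `--option=value`; `--url="/api"` would match, and the same applies to the `api` line in scripts/upgrade. On the line above, `--allowed="$admin"` would be safer than the unquoted `--allowed=$admin` if the value can ever contain whitespace or glob characters.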
@@ -52,28 +52,22 @@ if [ -z "$final_path" ]; then
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 fi
-### If nobody installed your app before 3.7,
+### If nobody installed your app before 4.1,
 ### then you may safely remove these lines
 # Cleaning legacy permissions
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
+if ynh_legacy_permissions_exists; then
+ ynh_legacy_permissions_delete_all
-if [ -n "$is_public" ]; then
- # Remove unprotected_uris
- ynh_app_setting_delete --app=$app --key=unprotected_uris
- # Remove protected_uris
- ynh_app_setting_delete --app=$app --key=protected_uris
-
- # Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
- # Remove skipped_uris. If the app was public, add visitors again to the main permission
- if ynh_permission_has_user --permission=main --user=visitors
- then
- ynh_app_setting_delete --app=$app --key=skipped_uris
- ynh_permission_update --permission "main" --add "visitors"
- else
- ynh_app_setting_delete --app=$app --key=skipped_uris
- fi
 ynh_app_setting_delete --app=$app --key=is_public
+
+ # Create the required permissions
+ ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
+fi
+
+# Create a permission if needed
+if ! ynh_permission_exists --permission="api"; then
+ ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true"
 fi
 #=================================================
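Review bot: The `admin` permission is now created without an existence check and only inside the `ynh_legacy_permissions_exists` branch, while the guarded version (`if ! ynh_permission_exists --permission "admin"`) is deleted by the last hunk of this file (@@ -203). An instance that still has legacy settings but already has an `admin` permission would presumably fail on the duplicate create, and an instance with no legacy settings and no `admin` permission never gets one, so `/admin` would presumably fall under whatever `main` allows. The `api` block just below shows the safer pattern; the same guard placed outside the legacy branch would be `if ! ynh_permission_exists --permission="admin"; then ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin; fi`. The removed code also re-added `visitors` to `main` explicitly for apps that were public, so it is worth confirming that `ynh_legacy_permissions_delete_all` leaves that access state unchanged.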
@@ -203,16 +197,6 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failreg
 # Set permissions on app files
 chown -R root: $final_path
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading permissions configuration..." --time --weight=1
-
-# Create the admin permission if needed
-if ! ynh_permission_exists --permission "admin"; then
- ynh_permission_create --permission "admin" --url "/admin" --allowed $admin
-fi
-
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================