Merge pull request #64 from YunoHost-Apps/permissions

Permissions

CHANGELOG.md

@@ -10,6 +10,17 @@
 
 ------------
 
+# [2020-07-29~ynh4] - 2021-01-19
+
+### Added
+
+- Support for new permission system in YunoHost 3.7
+
+### Changed
+
+- wiki administrators is now a group and can be modified from webadmin YunoHost panel
+- Require YunoHost 3.7 minimum
+
 ## [2020-07-29~ynh2] - 2020-10-23
 
 ### Added

check_process

@@ -14,7 +14,8 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
-		upgrade=1	from_commit=01add99d3d903ca6d07f863045edf2ba46cf18d5
+		# Laster released version. See https://github.com/YunoHost-Apps/dokuwiki_ynh/commits/master
+		upgrade=1	from_commit=500a7d3fa9c008a2b75d0f6bec519e41fed97da0
 		backup_restore=1
 		multi_instance=1
 		port_already_use=0

conf/local.protected.php

@@ -14,15 +14,19 @@
 $conf['useacl']      = 1;                //Use Access Control Lists to restrict access?
 $conf['authtype']    = 'authldap';       //which authentication backend should be used
 $conf['passcrypt']   = 'sha1';           //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411)
-$conf['superuser']   = '__YNH_ADMIN_USER__'; //The admin can be user or @group or comma separated list user1,@group1,user2
-$conf['manager']     = '__YNH_ADMIN_USER__'; //The manager can be user or @group or comma separated list user1,@group1,user2
+$conf['superuser']   = '@__APP__.admin'; //The admin can be user or @group or comma separated list user1,@group1,user2
+$conf['manager']     = '@__APP__.admin'; //The manager can be user or @group or comma separated list user1,@group1,user2
 
 /* LDAP Yunohost config */
 $conf['plugin']['authldap']['server']      = 'localhost';
 $conf['plugin']['authldap']['port']        = 389;
 $conf['plugin']['authldap']['version']     = 3;
 $conf['plugin']['authldap']['usertree']    = 'ou=users,dc=yunohost,dc=org';
-$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
+$conf['plugin']['authldap']['grouptree']   = 'ou=permission,dc=yunohost,dc=org';
+$conf['plugin']['authldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user})(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))';
+$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUid=%{user}))';
+#$conf['plugin']['authldap']['debug']      = 1;
+
 
 /* Advanced Settings */
 $conf['updatecheck'] = 0;                //automatically check for new releases?

manifest.json

@@ -9,7 +9,8 @@
         "es": "Un sistema de Wiki de uso sencillicimo y compatible con los estándares.",
         "it": "Un Wiki aderente agli standard, semplice da usare, finalizzato principalmente alla creazione di documentazione di qualsiasi tipo."
     },
-    "version": "2020-07-29~ynh3",
+
+    "version": "2020-07-29~ynh4",
     "url": "https://www.dokuwiki.org",
     "license": "GPL-2.0-or-later",
     "maintainer": {
@@ -22,7 +23,7 @@
         "email": "opi@zeropi.net"
     }],
     "requirements": {
-        "yunohost": ">= 3.8.1"
+        "yunohost": ">= 4.1.0"
     },
     "multi_instance": true,
     "services": [

scripts/_common.sh

@@ -4,6 +4,7 @@
 # COMMON VARIABLES
 #=================================================
 
+
 YNH_PHP_VERSION="7.3"
 
 extra_php_dependencies="php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-ldap php${YNH_PHP_VERSION}-gd"

scripts/install

@@ -22,7 +22,7 @@ ynh_abort_if_errors
 
 domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
-admin=$YNH_APP_ARG_ADMIN
+admin_user=$YNH_APP_ARG_ADMIN
 is_public=$YNH_APP_ARG_IS_PUBLIC
 language=$YNH_APP_ARG_LANGUAGE
 
@@ -46,8 +46,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=2
 
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
-ynh_app_setting_set --app=$app --key=admin --value=$admin
-ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=language --value=$language
 
 #=================================================
@@ -109,8 +107,12 @@ ynh_script_progression --message="Configuring DokuWiki..." --weight=2
 # It will only be updated by Yunohost package or directly by adventurous users
 cp ../conf/local.protected.php $final_path/conf
 
-# Set the "admin" user
-ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin"    --target_file="$final_path/conf/local.protected.php"
+# Create the "admin" group and add the "admin" user
+ynh_permission_create --permission "admin" --allowed "$admin_user"
+
+# Customize admin group in case of multiple wiki install managed by different admins
+# dokuwiki.admin; dokuwiki__1.admin; etc
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php"
 
 
 # This file might be modified by DokuWiki admin panel or by plugins
@@ -217,13 +219,14 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..."
+ynh_script_progression --message="Configuring permissions..." --weight=2
 
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway.
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+	# Everyone can access the app.
+	# The "main" permission is automatically created before the install script.
+	ynh_permission_update --permission "main" --add "visitors"
 fi
 
 #=================================================

scripts/upgrade

@@ -18,8 +18,6 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
-admin=$(ynh_app_setting_get --app=$app --key=admin)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 
@@ -34,35 +32,57 @@ upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
 ynh_script_progression --message="Ensuring downward compatibility..."
 
-# Fix is_public as a boolean value
-if [ "$is_public" = "Yes" ]; then
-	ynh_app_setting_set --app=$app --key=is_public --value=1
-	is_public=1
-elif [ "$is_public" = "No" ]; then
-	ynh_app_setting_set --app=$app --key=is_public --value=0
-	is_public=0
-fi
-
 # If final_path doesn't exist, create it
 if [ -z "$final_path" ]; then
 	final_path=/var/www/$app
 	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 fi
 
-# TODO Not sure if still needed ??
-# admin default value, if not set
-if [ -z "$admin" ]; then
-	admin=$(yunohost user list | grep 'username' -m1 | awk '{print $2}')
-	ynh_app_setting_set --app=$app --key=is_public --value=$is_public
-fi
-
 # language default value, if not set
 if [ -z "$language" ]; then
 	language='en'
 	ynh_app_setting_set --app=$app --key=language --value=$language
 fi
 
-# YunoHost specific configuration, if it isn't exist already
+
+# Cleaning legacy permissions
+admin_user=$(ynh_app_setting_get --app=$app --key=admin)
+
+if [ -n "$admin_user" ]; then
+	# Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
+	# Remove skipped_uris. If the app was public, add visitors again to the main permission
+	if ynh_permission_has_user --permission=admin --user="$admin_user"
+	then
+		echo "permission admin already exist. Nothing to do"
+	else
+		ynh_permission_create --permission "admin" --allowed "$admin_user"
+	fi
+	# Remove legacy admin setting
+	ynh_app_setting_delete --app=$app --key=admin
+fi
+
+is_public=$(ynh_app_setting_get --app=$app --key=is_public)
+if [ -n "$is_public" ]; then
+	# Remove unprotected_uris
+	ynh_app_setting_delete --app=$app --key=unprotected_uris
+	# Remove protected_uris
+	ynh_app_setting_delete --app=$app --key=protected_uris
+
+	# Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
+	# Remove skipped_uris. If the app was public, add visitors again to the main permission
+	if ynh_permission_has_user --permission=main --user=visitors
+	then
+		ynh_app_setting_delete --app=$app --key=skipped_uris
+		ynh_permission_update --permission "main" --add "visitors"
+	else
+		ynh_app_setting_delete --app=$app --key=skipped_uris
+	fi
+	ynh_app_setting_delete --app=$app --key=is_public
+fi
+
+
+
+# Yunohost specific configuration, if it isn't exist already
 
 # Previously, these settings were store in an unique "dokuwiki.php"
 # Now, they are split in multiple files to ease upgrading process (separate YunoHost config from user config)
@@ -205,15 +225,43 @@ then
     # See https://www.dokuwiki.org/install:unused_files
     if [ -f "$final_path/data/deleted.files" ]; then
 
-        # Use a "sub process" to start a new shell to run these commands
-        # Allow to use only one "cd" and to be more efficent
-        (
-            # Move to the dokuwiki installation folder so the "official" commands can be used without adaptation
-            cd $final_path
+        # Feed output of grep[...] line by line to 'ynh_secure_remove'
+        # 'ynh_secure_remove' can only work file by file. Cannot work with a list
+        # This is a (complicated) workaround this limitation
+        while IFS= read -r line; do
 
-            grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --force --dir || true
-        )
-    fi
+            # Added this test to reduce the spam printed by helper to the user in the webadmin.
+            # Should be less 'scary' to them I think
+            #
+            # number of messages = number of lines *2    (673 lines while writing this)
+            ### grep --extended-regexp --invert-match '^($|#)' data/deleted.files | wc -l
+            ### 673
+            #
+            # Spam sample:
+                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
+                #Info : 'inc/parser/spamcheck.php' wasn't deleted because it doesn't exist.
+                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
+                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
+                #Info : 'lib/images/favicon.ico' wasn't deleted because it doesn't exist.
+                #Info : 'lib/images/thumbup.gif' wasn't deleted because it doesn't exist.
+                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
+                #Info : 'lib/images/toolbar/code.png' wasn't deleted because it doesn't exist.
+                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
+                #Info : 'lib/images/toolbar/empty.png' wasn't deleted because it doesn't exist.
+            if [ -f "$line" ]; then
+                ynh_secure_remove --file "$line"
+            fi
+        done < <(grep --null --extended-regexp --invert-match '^($|#)' "$final_path/data/deleted.files" | xargs --null --max-args=1 || true)
+        #    ^ ^  First < is redirection, second is process substitution.
+        # Source: https://tldp.org/LDP/abs/html/process-sub.html
+
+        # Previous attemps if someone reads this one day
+        ###grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --verbose --force --dir 2>&1 || true
+        ###grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 ynh_secure_remove --file 2>&1
+        
+        ###grep --null --extended-regexp --invert-match '^($|#)' data/deleted.files > toto.list
+        ###xargs --null --verbose --max-args=1 --arg-file=toto.list ynh_secure_remove 2>&1
+fi
 
     # TODO Taken from old "upgrade" script. Should check if it is needed and what it does
     # Update all plugins
@@ -239,8 +287,12 @@ ynh_backup_if_checksum_is_different --file="$final_path/conf/local.protected.php
 # Always overwrite local file with the one from package.
 cp ../conf/local.protected.php $final_path/conf
 
-# Set the "admin" user
-ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin" --target_file="$final_path/conf/local.protected.php"
+# Create the "admin" group and add the "admin" user
+#ynh_permission_create --permission "admin" --allowed "$admin_user"
+
+# Customize admin group in case of multiple wiki install managed by different admins
+# dokuwiki.admin; dokuwiki__1.admin; etc
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php"
 
 # Recalculate and store the checksum of the file for the next upgrade.
 ynh_store_file_checksum --file="$final_path/conf/local.protected.php"
@@ -305,18 +357,8 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..."
-
-if [ $is_public -eq 0 ]
-then	# Remove the public access
-	ynh_app_setting_delete --app=$app --key=skipped_uris
-fi
-# Make app public if necessary
-if [ $is_public -eq 1 ]
-then
-	# unprotected_uris allows SSO credentials to be passed anyway
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
-fi
+ # Nothinf to do here. Already done in "ENSURE DOWNWARD COMPATIBILITY" part
+ #ynh_script_progression --message="Upgrading permissions configuration..." --weight=2
 
 #=================================================
 # RELOAD NGINX