Implement new permissions system in YNH 3.7

conf/local.protected.php

@@ -14,15 +14,19 @@
 $conf['useacl']      = 1;                //Use Access Control Lists to restrict access?
 $conf['authtype']    = 'authldap';       //which authentication backend should be used
 $conf['passcrypt']   = 'sha1';           //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411)
-$conf['superuser']   = '__YNH_ADMIN_USER__'; //The admin can be user or @group or comma separated list user1,@group1,user2
-$conf['manager']     = '__YNH_ADMIN_USER__'; //The manager can be user or @group or comma separated list user1,@group1,user2
+$conf['superuser']   = '@__APP__.admin'; //The admin can be user or @group or comma separated list user1,@group1,user2
+$conf['manager']     = '@__APP__.admin'; //The manager can be user or @group or comma separated list user1,@group1,user2
 
 /* LDAP Yunohost config */
 $conf['plugin']['authldap']['server']      = 'localhost';
 $conf['plugin']['authldap']['port']        = 389;
 $conf['plugin']['authldap']['version']     = 3;
 $conf['plugin']['authldap']['usertree']    = 'ou=users,dc=yunohost,dc=org';
-$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
+$conf['plugin']['authldap']['grouptree']   = 'ou=permission,dc=yunohost,dc=org';
+$conf['plugin']['authldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user})(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))';
+$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUID=%{user})(cn=__APP__.*))';
+#$conf['plugin']['authldap']['debug']      = 1;
+
 
 /* Advanced Settings */
 $conf['updatecheck'] = 0;                //automatically check for new releases?

scripts/install

@@ -22,7 +22,7 @@ ynh_abort_if_errors
 
 domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
-admin=$YNH_APP_ARG_ADMIN
+admin_user=$YNH_APP_ARG_ADMIN
 is_public=$YNH_APP_ARG_IS_PUBLIC
 language=$YNH_APP_ARG_LANGUAGE
 
@@ -46,8 +46,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=2
 
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
-ynh_app_setting_set --app=$app --key=admin --value=$admin
-ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=language --value=$language
 
 #=================================================
@@ -108,8 +106,12 @@ ynh_script_progression --message="Configuring dokuwiki..." --weight=2
 # It will only be updated by Yunohost package or directly by adventurous users
 cp ../conf/local.protected.php $final_path/conf
 
-# Set the "admin" user
-ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin"    --target_file="$final_path/conf/local.protected.php"
+# Create the "admin" group and add the "admin" user
+ynh_permission_create --permission "admin" --allowed "$admin_user"
+
+# Customize admin group in case of multiple wiki install managed by different admins
+# dokuwiki.admin; dokuwiki__1.admin; etc
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php"
 
 
 # This file might be modified by dokuwiki admin panel or by plugins
@@ -216,13 +218,14 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..."
+ynh_script_progression --message="Configuring permissions..." --weight=2
 
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway.
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+	# Everyone can access the app.
+	# The "main" permission is automatically created before the install script.
+	ynh_permission_update --permission "main" --add "visitors"
 fi
 
 #=================================================