diff --git a/CHANGELOG.md b/CHANGELOG.md index 3eeed71..93ea3bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,17 @@ ------------ +# [2020-07-29~ynh4] - 2021-01-19 + +### Added + +- Support for new permission system in YunoHost 3.7 + +### Changed + +- wiki administrators is now a group and can be modified from webadmin YunoHost panel +- Require YunoHost 3.7 minimum + ## [2020-07-29~ynh2] - 2020-10-23 ### Added diff --git a/check_process b/check_process index 5302a20..cf4781d 100644 --- a/check_process +++ b/check_process @@ -14,7 +14,8 @@ setup_private=1 setup_public=1 upgrade=1 - upgrade=1 from_commit=01add99d3d903ca6d07f863045edf2ba46cf18d5 + # Laster released version. See https://github.com/YunoHost-Apps/dokuwiki_ynh/commits/master + upgrade=1 from_commit=500a7d3fa9c008a2b75d0f6bec519e41fed97da0 backup_restore=1 multi_instance=1 port_already_use=0 diff --git a/conf/local.protected.php b/conf/local.protected.php index 0604e4e..f6945dd 100644 --- a/conf/local.protected.php +++ b/conf/local.protected.php 
@@ -14,15 +14,19 @@ $conf['useacl'] = 1; //Use Access Control Lists to restrict access? $conf['authtype'] = 'authldap'; //which authentication backend should be used $conf['passcrypt'] = 'sha1'; //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411) -$conf['superuser'] = '__YNH_ADMIN_USER__'; //The admin can be user or @group or comma separated list user1,@group1,user2 -$conf['manager'] = '__YNH_ADMIN_USER__'; //The manager can be user or @group or comma separated list user1,@group1,user2 +$conf['superuser'] = '@__APP__.admin'; //The admin can be user or @group or comma separated list user1,@group1,user2 +$conf['manager'] = '@__APP__.admin'; //The manager can be user or @group or comma separated list user1,@group1,user2 /* LDAP Yunohost config */ $conf['plugin']['authldap']['server'] = 'localhost'; $conf['plugin']['authldap']['port'] = 389; $conf['plugin']['authldap']['version'] = 3; $conf['plugin']['authldap']['usertree'] = 'ou=users,dc=yunohost,dc=org'; -$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))'; +$conf['plugin']['authldap']['grouptree'] = 'ou=permission,dc=yunohost,dc=org'; +$conf['plugin']['authldap']['userfilter'] = '(&(objectClass=posixAccount)(uid=%{user})(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))'; +$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUid=%{user}))'; +#$conf['plugin']['authldap']['debug'] = 1; + /* Advanced Settings */ $conf['updatecheck'] = 0; //automatically check for new releases? diff --git a/manifest.json b/manifest.json index fb212b8..c8ce5e0 100644 --- a/manifest.json +++ b/manifest.json 
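Review bot: The new `groupfilter` is not scoped to this app: as written, `(&(objectClass=posixGroup)(memberUid=%{user}))` searched under `ou=permission` appears to return every YunoHost permission the user holds, so permissions belonging to other apps would also become DokuWiki groups for that user. Since `superuser` and `manager` only need `@__APP__.admin`, consider narrowing it to `(&(objectClass=posixGroup)(cn=__APP__.*)(memberUid=%{user}))`, which limits group resolution to this instance's own permissions. These lines are now the whole access-control boundary between YunoHost and DokuWiki, so a comment above `userfilter` would help, for example `// Only accounts holding the __APP__.main permission can log in; wiki admin rights come from the __APP__.admin permission`. If the commented-out `debug` line is kept, add a short remark that it is for troubleshooting only and must stay disabled on a live instance.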
@@ -9,7 +9,7 @@ "es": "Un sistema de Wiki de uso sencillicimo y compatible con los estándares.", "it": "Un Wiki aderente agli standard, semplice da usare, finalizzato principalmente alla creazione di documentazione di qualsiasi tipo." }, - "version": "2020-07-29~ynh3", + "version": "2020-07-29~ynh4", "url": "https://www.dokuwiki.org", "license": "GPL-2.0-or-later", "maintainer": { @@ -22,7 +22,7 @@ "email": "opi@zeropi.net" }], "requirements": { - "yunohost": ">= 3.8.1" + "yunohost": ">= 4.1.0" }, "multi_instance": true, "services": [ diff --git a/scripts/_common.sh b/scripts/_common.sh index 115991f..4bad65e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,6 +4,7 @@ # COMMON VARIABLES #================================================= + YNH_PHP_VERSION="7.3" extra_php_dependencies="php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-ldap php${YNH_PHP_VERSION}-gd" diff --git a/scripts/install b/scripts/install index b3dfdf5..6314e1a 100755 --- a/scripts/install +++ b/scripts/install @@ -22,7 +22,7 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -admin=$YNH_APP_ARG_ADMIN +admin_user=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC language=$YNH_APP_ARG_LANGUAGE @@ -46,8 +46,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=admin --value=$admin -ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=language --value=$language #================================================= 
@@ -109,8 +107,12 @@ ynh_script_progression --message="Configuring DokuWiki..." --weight=2 # It will only be updated by Yunohost package or directly by adventurous users cp ../conf/local.protected.php $final_path/conf -# Set the "admin" user -ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin" --target_file="$final_path/conf/local.protected.php" +# Create the "admin" group and add the "admin" user +ynh_permission_create --permission "admin" --allowed "$admin_user" + +# Customize admin group in case of multiple wiki install managed by different admins +# dokuwiki.admin; dokuwiki__1.admin; etc +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php" # This file might be modified by DokuWiki admin panel or by plugins @@ -217,13 +219,14 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex #================================================= # SETUP SSOWAT #================================================= -ynh_script_progression --message="Configuring SSOwat..." +ynh_script_progression --message="Configuring permissions..." --weight=2 # Make app public if necessary if [ $is_public -eq 1 ] then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" + # Everyone can access the app. + # The "main" permission is automatically created before the install script. + ynh_permission_update --permission "main" --add "visitors" fi #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index f87cc73..8db409e 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
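Review bot: `ynh_permission_create --permission "admin"` in the `@@ -109` hunk creates the permission that `conf/local.protected.php` turns into DokuWiki `superuser` and `manager`, but neither the call nor the comment above it says so. A comment such as `# Members of $app.admin are DokuWiki superusers and managers (see conf/local.protected.php)` would make that link explicit for the next packager. If the YunoHost version required by the manifest supports it, a descriptive `--label` on the permission would also tell whoever edits permissions in the webadmin that membership grants full wiki administration rather than access to a URL.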
@@ -18,8 +18,6 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -admin=$(ynh_app_setting_get --app=$app --key=admin) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) final_path=$(ynh_app_setting_get --app=$app --key=final_path) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) 
@@ -34,35 +32,45 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= ynh_script_progression --message="Ensuring downward compatibility..." -# Fix is_public as a boolean value -if [ "$is_public" = "Yes" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=1 - is_public=1 -elif [ "$is_public" = "No" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=0 - is_public=0 -fi - # If final_path doesn't exist, create it if [ -z "$final_path" ]; then final_path=/var/www/$app ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi -# TODO Not sure if still needed ?? -# admin default value, if not set -if [ -z "$admin" ]; then - admin=$(yunohost user list | grep 'username' -m1 | awk '{print $2}') - ynh_app_setting_set --app=$app --key=is_public --value=$is_public -fi - # language default value, if not set if [ -z "$language" ]; then language='en' ynh_app_setting_set --app=$app --key=language --value=$language fi -# YunoHost specific configuration, if it isn't exist already + +# Cleaning legacy permissions +admin_user=$(ynh_app_setting_get --app=$app --key=admin) + +if [ -n "$admin_user" ]; then + # Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7 + # Remove skipped_uris. If the app was public, add visitors again to the main permission + if ynh_permission_has_user --permission=admin --user="$admin_user" + then + echo "permission admin already exist. 
Nothing to do" + else + ynh_permission_create --permission "admin" --allowed "$admin_user" + fi + # Remove legacy admin setting + ynh_app_setting_delete --app=$app --key=admin +fi + +# Cleaning legacy permissions +if ynh_legacy_permissions_exists; then + ynh_legacy_permissions_delete_all + + ynh_app_setting_delete --app=$app --key=is_public +fi + + + +# Yunohost specific configuration, if it isn't exist already # Previously, these settings were store in an unique "dokuwiki.php" # Now, they are split in multiple files to ease upgrading process (separate YunoHost config from user config) 
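Review bot: The admin permission is only created when the legacy `admin` setting is non-empty, so an instance that never stored it is upgraded to a config whose `superuser` is `@$app.admin` although, in the visible hunks, nothing creates that permission. The wiki is then left without an administrator until someone creates the permission by hand. The `ynh_permission_has_user` test also sends the case "permission exists but this user was removed from it" to `ynh_permission_create`, which I would expect to fail on an existing permission and abort the upgrade. Testing existence instead, `if ! ynh_permission_exists --permission="admin"; then ynh_permission_create --permission="admin" --allowed="$admin_user"; fi`, avoids that and respects later edits made in the webadmin. The two comment lines about removing skipped/unprotected_uris and re-adding visitors describe something the code below them does not do and should be replaced by a description of the admin migration.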
@@ -205,15 +213,43 @@ then # See https://www.dokuwiki.org/install:unused_files if [ -f "$final_path/data/deleted.files" ]; then - # Use a "sub process" to start a new shell to run these commands - # Allow to use only one "cd" and to be more efficent - ( - # Move to the dokuwiki installation folder so the "official" commands can be used without adaptation - cd $final_path + # Feed output of grep[...] line by line to 'ynh_secure_remove' + # 'ynh_secure_remove' can only work file by file. Cannot work with a list + # This is a (complicated) workaround this limitation + while IFS= read -r line; do - grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --force --dir || true - ) - fi + # Added this test to reduce the spam printed by helper to the user in the webadmin. + # Should be less 'scary' to them I think + # + # number of messages = number of lines *2 (673 lines while writing this) + ### grep --extended-regexp --invert-match '^($|#)' data/deleted.files | wc -l + ### 673 + # + # Spam sample: + #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time. + #Info : 'inc/parser/spamcheck.php' wasn't deleted because it doesn't exist. + #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time. + #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time. + #Info : 'lib/images/favicon.ico' wasn't deleted because it doesn't exist. + #Info : 'lib/images/thumbup.gif' wasn't deleted because it doesn't exist. + #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time. + #Info : 'lib/images/toolbar/code.png' wasn't deleted because it doesn't exist. 
+ #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time. + #Info : 'lib/images/toolbar/empty.png' wasn't deleted because it doesn't exist. + if [ -f "$line" ]; then + ynh_secure_remove --file "$line" + fi + done < <(grep --null --extended-regexp --invert-match '^($|#)' "$final_path/data/deleted.files" | xargs --null --max-args=1 || true) + # ^ ^ First < is redirection, second is process substitution. + # Source: https://tldp.org/LDP/abs/html/process-sub.html + + # Previous attemps if someone reads this one day + ###grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --verbose --force --dir 2>&1 || true + ###grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 ynh_secure_remove --file 2>&1 + + ###grep --null --extended-regexp --invert-match '^($|#)' data/deleted.files > toto.list + ###xargs --null --verbose --max-args=1 --arg-file=toto.list ynh_secure_remove 2>&1 +fi # TODO Taken from old "upgrade" script. Should check if it is needed and what it does # Update all plugins 
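Review bot: `[ -f "$line" ]` and `ynh_secure_remove --file "$line"` use each path exactly as listed in `data/deleted.files`, so it is resolved against the current directory, yet this hunk removes the `cd $final_path` subshell that made those relative paths valid. Unless the script changes directory outside the hunk, the test never matches inside the installation and the obsolete DokuWiki files the list exists to remove stay on disk; it could also match an unrelated file under the working directory. Prefix the install path in both places: `if [ -f "$final_path/$line" ]; then ynh_secure_remove --file="$final_path/$line"; fi`. Separately, `grep --null` only changes how file names are terminated, not matched lines, so `xargs --null --max-args=1` merely echoes the whole input once and can be dropped. The `-f` test also skips the directories that the old `rm --dir` handled.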
@@ -239,8 +275,12 @@ ynh_backup_if_checksum_is_different --file="$final_path/conf/local.protected.php # Always overwrite local file with the one from package. cp ../conf/local.protected.php $final_path/conf -# Set the "admin" user -ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin" --target_file="$final_path/conf/local.protected.php" +# Create the "admin" group and add the "admin" user +#ynh_permission_create --permission "admin" --allowed "$admin_user" + +# Customize admin group in case of multiple wiki install managed by different admins +# dokuwiki.admin; dokuwiki__1.admin; etc +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php" # Recalculate and store the checksum of the file for the next upgrade. ynh_store_file_checksum --file="$final_path/conf/local.protected.php" @@ -302,21 +342,6 @@ ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=7 ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Upgrading SSOwat configuration..." - -if [ $is_public -eq 0 ] -then # Remove the public access - ynh_app_setting_delete --app=$app --key=skipped_uris -fi -# Make app public if necessary -if [ $is_public -eq 1 ] -then - # unprotected_uris allows SSO credentials to be passed anyway - ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" -fi #================================================= # RELOAD NGINX
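Review bot: The added comment `# Create the "admin" group and add the "admin" user` in the `@@ -239` hunk sits above a commented-out `ynh_permission_create`, so a reader of this section cannot tell whether the permission referenced by the freshly copied `local.protected.php` exists at this point. Delete both lines, or replace them with `# The $app.admin permission is created by the legacy-settings migration earlier in this script`. That documents the only live creation path at the place where the config depending on it is written.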