New permission system

PR #13

manifest.json

@@ -14,7 +14,7 @@
         "email": "aeris@e.email"
     },
     "requirements": {
-        "yunohost": ">= 3.5.0"
+        "yunohost": ">= 3.7.0"
     },
     "multi_instance": true,
     "services": [

scripts/_common.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+#=================================================
+# COMMON VARIABLES
+#=================================================
+
+#=================================================
+# PERSONAL HELPERS
+#=================================================
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+#=================================================
+# FUTURE OFFICIAL HELPERS
+#=================================================
+
+# Check if a permission exists
+#
+# While waiting for this new helper https://github.com/YunoHost/yunohost/pull/905
+# We have to use another one because the new helper use a new YunoHost command, not available for now.
+#
+# usage: ynh_permission_has_user --permission=permission --user=user
+# | arg: -p, --permission - the permission to check
+# | arg: -u, --user - the user seek in the permission
+#
+# example: ynh_permission_has_user --permission=main --user=visitors
+#
+# Requires YunoHost version 3.7.1 or higher.
+ynh_permission_has_user() {
+    local legacy_args=pu
+    # Declare an array to define the options of this helper.
+    declare -Ar args_array=( [p]=permission= [u]=user= )
+    local permission
+    local user
+    # Manage arguments with getopts
+    ynh_handle_getopts_args "$@"
+
+    if ! ynh_permission_exists --permission=$permission
+    then
+        return 1
+    fi
+
+    # List all permissions
+    # Filter only the required permission with a multiline sed (Here a cut from the permission to the next one), remove the url and his value 
+    perm="$(yunohost user permission list --full --output-as plain | sed --quiet "/^#$app.$permission/,/^#[[:alnum:]]/p" | sed "/^##url/,+1d")"
+    # Remove all lines starting by # (got from the plain output before)
+    allowed_users="$(echo "$perm" | grep --invert-match '^#')"
+    # Grep the list of users an return the result if the user is indeed into the list
+    echo "$allowed_users" | grep --quiet --word "$user"
+}

scripts/install

@@ -82,8 +82,7 @@ ynh_script_progression --message="Configuring SSOwat..."
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway.
-	ynh_app_setting_set --app=$app --key=skipped_uris --value="/"
+	ynh_permission_update --permission "main" --add visitors
 fi
 
 #=================================================

scripts/upgrade

@@ -6,18 +6,18 @@
 # IMPORT GENERIC HELPERS
 #=================================================
 
+source _common.sh
 source /usr/share/yunohost/helpers
 
 #=================================================
 # LOAD SETTINGS
 #=================================================
-ynh_script_progression --message="Loading installation settings..." --weight=2
+ynh_script_progression --message="Loading installation settings..." --weight=1
 
 app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 
 #=================================================
@@ -29,16 +29,7 @@ upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
-ynh_script_progression --message="Ensuring downward compatibility..."
-
-# Fix is_public as a boolean value
-if [ "$is_public" = "Yes" ]; then
-	ynh_app_setting_set --app=$app --key=is_public --value=1
-	is_public=1
-elif [ "$is_public" = "No" ]; then
-	ynh_app_setting_set --app=$app --key=is_public --value=0
-	is_public=0
-fi
+ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
 
 # If final_path doesn't exist, create it
 if [ -z "$final_path" ]; then
@@ -46,6 +37,23 @@ if [ -z "$final_path" ]; then
 	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 fi
 
+# Migrate from legacy permission system
+is_public=$(ynh_app_setting_get --app=$app --key=is_public)
+
+if [ -n "$is_public" ]; then
+	# Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
+	# Remove skipped_uris. If the app was public, add visitors again to the main permission
+	if ynh_permission_has_user --permission=main --user=visitors
+	then
+		ynh_app_setting_delete --app=$app --key=skipped_uris
+		ynh_permission_update --permission "main" --add "visitors"
+	else
+		ynh_app_setting_delete --app=$app --key=skipped_uris
+	fi
+	ynh_app_setting_delete --app=$app --key=is_public
+fi
+
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@@ -98,22 +106,10 @@ ynh_add_nginx_config
 # Set permissions to app files
 chown -R root: $final_path
 
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..."
-
-# Make app public if necessary
-if [ $is_public -eq 1 ]
-then
-	# unprotected_uris allows SSO credentials to be passed anyway.
-	ynh_app_setting_set --app=$app --key=skipped_uris --value="/"
-fi
-
 #=================================================
 # RELOAD NGINX
 #=================================================
-ynh_script_progression --message="Reloading nginx web server..."
+ynh_script_progression --message="Reloading nginx web server..." --weight=1
 
 ynh_systemd_action --service_name=nginx --action=reload