YunoHost-Apps/lutim_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/lutim_ynh.git synced 2024-09-03 19:36:24 +02:00
Code Issues Activity Actions

Merge pull request #44 from YunoHost-Apps/new-permission-system

Browse source 
New permission system
This commit is contained in:
Maniack Crudelis 2020-03-27 12:30:38 +01:00 committed by GitHub
commit daa8742d59
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 117 additions and 134 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
actions.toml
View file

@ -21,15 +21,3 @@ name = "Reset the config file and restore a default one."
command = "/bin/bash scripts/actions/reset_default_config \"lutim.conf\"" command = "/bin/bash scripts/actions/reset_default_config \"lutim.conf\""
accepted_return_codes = [0] accepted_return_codes = [0]
description = "Reset the config file lutim.conf." description = "Reset the config file lutim.conf."
[public_private]
name = "Move to public or private"
command = "/bin/bash scripts/actions/public_private"
accepted_return_codes = [0]
description = "Change the public access of the app."
[public_private.arguments]
[public_private.arguments.is_public]
type = "boolean"
ask = "Is it a public app ?"
default = true

8
config_panel.toml
View file

@ -24,14 +24,6 @@ name = "Lutim configuration"
default = "Year" default = "Year"
help = "Users won't be able to ask Lutim to download images more than one per anti_flood_delay seconds." help = "Users won't be able to ask Lutim to download images more than one per anti_flood_delay seconds."
[main.is_public]
name = "Public access"
[main.is_public.is_public]
ask = "Is it a public website?"
type = "boolean"
default = true
[main.overwrite_files] [main.overwrite_files]
name = "Overwriting config files" name = "Overwriting config files"

26
hooks/post_app_addaccess Normal file
View file

@ -0,0 +1,26 @@
#!/bin/bash
# Source app helpers
source /usr/share/yunohost/helpers
app=$1
added_users=$2
permission=$3
added_groups=$4
if [ "$app" == __APP__ ]; then
if [ "$permission" = "upload images" ]; then # The fake permission "upload images" is modifed.
if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
# We remove the regex, no more protection is needed.
ynh_app_setting_delete --app=$app --key=protected_regex
# Sync the is_public variable according to the permission
ynh_app_setting_set --app=$app --key=is_public --value=1
yunohost app ssowatconf
else
ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
fi
fi
fi

34
hooks/post_app_removeaccess Normal file
View file

@ -0,0 +1,34 @@
#!/bin/bash
# Source app helpers
source /usr/share/yunohost/helpers
app=$1
removed_users=$2
permission=$3
removed_groups=$4
if [ "$app" == __APP__ ]; then
if [ "$permission" = "upload images" ]; then # The fake permission "upload images" is modifed.
if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
# If the app is private, viewing images stays publicly accessible.
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats/?$","$domain_regex$path_url/manifest.webapp/?$","$domain_regex$path_url/?$","$domain_regex$path_url/[d-m]/.*$"
# Sync the is_public variable according to the permission
ynh_app_setting_set --app=$app --key=is_public --value=0
yunohost app ssowatconf
else
ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
fi
fi
fi

2
manifest.json
View file

@ -14,7 +14,7 @@
"email": "maniackc_dev@crudelis.fr" "email": "maniackc_dev@crudelis.fr"
}, },
"requirements": { "requirements": {
"yunohost": ">= 3.5" "yunohost": ">= 3.7"
}, },
"multi_instance": false, "multi_instance": false,
"services": [ "services": [

83
scripts/actions/public_private
View file

@ -1,83 +0,0 @@
#!/bin/bash
#=================================================
# GENERIC STARTING
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
# RETRIEVE ARGUMENTS
#=================================================
# Get is_public
is_public=${YNH_ACTION_IS_PUBLIC}
app=${YNH_APP_INSTANCE_NAME:-$YNH_APP_ID}
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
#=================================================
# CHECK IF ARGUMENTS ARE CORRECT
#=================================================
#=================================================
# CHECK IF AN ACTION HAS TO BE DONE
#=================================================
is_public_old=$(ynh_app_setting_get --app=$app --key=is_public)
if [ $is_public -eq $is_public_old ]
then
ynh_die --message="is_public is already set as $is_public." --ret_code=0
fi
#=================================================
# SPECIFIC ACTION
#=================================================
# MOVE TO PUBLIC OR PRIVATE
#=================================================
if [ $is_public -eq 0 ]; then
public_private="private"
else
public_private="public"
fi
ynh_script_progression --message="Moving the application to $public_private..." --weight=3
if [ $is_public -eq 0 ]
then
# If the app is private, viewing images stays publicly accessible.
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats/?$","$domain_regex$path_url/manifest.webapp/?$","$domain_regex$path_url/?$","$domain_regex$path_url/[d-m]/.*$"
else
ynh_app_setting_delete --app=$app --key=protected_regex
fi
ynh_script_progression --message="Upgrading SSOwat configuration..."
# Regen ssowat configuration
yunohost app ssowatconf
# Update the config of the app
ynh_app_setting_set --app=$app --key=is_public --value=$is_public
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..."
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Execution completed" --last

2
scripts/change_url
View file

@ -122,7 +122,7 @@ fi
#================================================= #=================================================
ynh_script_progression --message="Reconfiguring SSOwat..." ynh_script_progression --message="Reconfiguring SSOwat..."
if [ $is_public -eq 0 ] if [ $is_public -eq 0 ] # Only user with a yunohost account can upload an image
then then
# If the app is private, viewing images stays publicly accessible. # If the app is private, viewing images stays publicly accessible.
if [ "$new_path" == "/" ]; then if [ "$new_path" == "/" ]; then

14
scripts/config
View file

@ -61,10 +61,6 @@ else
fi fi
delay="${YNH_CONFIG_MAIN_CONFIGURATION_DELAY:-$old_delay}" delay="${YNH_CONFIG_MAIN_CONFIGURATION_DELAY:-$old_delay}"
# is_public
old_is_public="$(ynh_app_setting_get --app=$app --key=is_public)"
is_public="${YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC:-$old_is_public}"
# Overwrite settings.json file # Overwrite settings.json file
old_overwrite_settings="$(ynh_app_setting_get --app=$app --key=overwrite_settings)" old_overwrite_settings="$(ynh_app_setting_get --app=$app --key=overwrite_settings)"
overwrite_settings="${YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_SETTINGS:-$old_overwrite_settings}" overwrite_settings="${YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_SETTINGS:-$old_overwrite_settings}"
@ -93,8 +89,6 @@ show_config() {
ynh_return "YNH_CONFIG_MAIN_CONFIGURATION_ANTIFLOOD=$antiflood" ynh_return "YNH_CONFIG_MAIN_CONFIGURATION_ANTIFLOOD=$antiflood"
ynh_return "YNH_CONFIG_MAIN_CONFIGURATION_DELAY=$delay" ynh_return "YNH_CONFIG_MAIN_CONFIGURATION_DELAY=$delay"
ynh_return "YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC=$is_public"
ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_SETTINGS=$overwrite_settings" ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_SETTINGS=$overwrite_settings"
ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX=$overwrite_nginx" ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX=$overwrite_nginx"
ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_SYSTEMD=$overwrite_systemd" ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_SYSTEMD=$overwrite_systemd"
@ -154,14 +148,6 @@ apply_config() {
ynh_systemd_action --action=restart --line_match="Manager.*started" --log_path="/var/log/$app/production.log" --timeout="120" ynh_systemd_action --action=restart --line_match="Manager.*started" --log_path="/var/log/$app/production.log" --timeout="120"
fi fi
# Change public accessibility
if [ "$is_public" = "1" ]
then
yunohost app action run $app public_private --args is_public=1
else
yunohost app action run $app public_private --args is_public=0
fi
# Set overwrite_settings # Set overwrite_settings
ynh_app_setting_set --app=$app --key=overwrite_settings --value="$overwrite_settings" ynh_app_setting_set --app=$app --key=overwrite_settings --value="$overwrite_settings"
# Set overwrite_nginx # Set overwrite_nginx

18
scripts/install
View file

@ -121,6 +121,13 @@ ynh_replace_string --match_string="__WORKERS__" --replace_string="$(( $(nproc) *
# Calculate and store the config file checksum into the app settings # Calculate and store the config file checksum into the app settings
ynh_store_file_checksum --file="$final_path/lutim.conf" ynh_store_file_checksum --file="$final_path/lutim.conf"
#=================================================
# SETUP HOOKS FILE
#=================================================
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
#================================================= #=================================================
# SETUP SYSTEMD # SETUP SYSTEMD
#================================================= #=================================================
@ -192,7 +199,13 @@ yunohost service add $app --log $final_path/log/production.log
#================================================= #=================================================
ynh_script_progression --message="Configuring SSOwat..." ynh_script_progression --message="Configuring SSOwat..."
ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" ynh_permission_update --permission="main" --add="visitors"
# This is a fake permission without any URL.
# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
# We can't use a real permission for now because the actual permision system doesn't support regex.
ynh_permission_create --permission="upload images" --allowed="visitors"
if [ $is_public -eq 0 ] if [ $is_public -eq 0 ]
then then
# If the app is private, viewing images stays publicly accessible. # If the app is private, viewing images stays publicly accessible.
@ -203,6 +216,9 @@ then
# Modify the domain to be used in a regex # Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g') domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats/?$","$domain_regex$path_url/manifest.webapp/?$","$domain_regex$path_url/?$","$domain_regex$path_url/[d-m]/.*$" ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats/?$","$domain_regex$path_url/manifest.webapp/?$","$domain_regex$path_url/?$","$domain_regex$path_url/[d-m]/.*$"
# If the app is not public, then the "visitors" group doesn't have this permission
ynh_permission_update --permission="upload images" --remove="visitors"
fi fi
#================================================= #=================================================

52
scripts/upgrade
View file

@ -55,6 +55,37 @@ elif [ "$is_public" = "No" ]; then
is_public=0 is_public=0
fi fi
skipped_uris=$(ynh_app_setting_get --app=$app --key=skipped_uris)
# Unused with the permission system
if [ ! -z "$skipped_uris" ]; then
ynh_app_setting_delete --app=$app --key=skipped_uris
fi
# Create the permission "upload images" only if it doesn't exist.
if ! ynh_permission_exists --permission="upload images"
then
# This is a fake permission without any URL.
# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
# We can't use a real permission for now because the actual permision system doesn't support regex.
ynh_permission_create --permission="upload images" --allowed="visitors"
if [ $is_public -eq 0 ]
then
# If the app is private, viewing images stays publicly accessible.
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats/?$","$domain_regex$path_url/manifest.webapp/?$","$domain_regex$path_url/?$","$domain_regex$path_url/[d-m]/.*$"
# If the app is not public, then the "visitors" group doesn't have this permission
ynh_permission_update --permission="upload images" --remove="visitors"
fi
fi
# if final_path isn't set, which can happens with old scripts, set final_path. # if final_path isn't set, which can happens with old scripts, set final_path.
if [ -z "$final_path" ]; then if [ -z "$final_path" ]; then
final_path=/var/www/$app final_path=/var/www/$app
@ -210,6 +241,13 @@ then
fi fi
fi fi
#=================================================
# SETUP HOOKS FILE
#=================================================
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
#================================================= #=================================================
# SETUP SYSTEMD # SETUP SYSTEMD
#================================================= #=================================================
@ -257,20 +295,6 @@ ynh_script_progression --message="Upgrading logrotate configuration..."
ynh_use_logrotate --non-append ynh_use_logrotate --non-append
chown $app -R /var/log/$app chown $app -R /var/log/$app
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Upgrading SSOwat configuration..."
ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
if [ $is_public -eq 0 ]
then
# If the app is private, viewing images stays publicly accessible.
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats/?$","$domain_regex$path_url/manifest.webapp/?$","$domain_regex$path_url/?$","$domain_regex$path_url/[d-m]/.*$"
fi
#================================================= #=================================================
# RELOAD NGINX # RELOAD NGINX
#================================================= #=================================================