Merge pull request #59 from YunoHost-Apps/new-permissions-system

New Permission System
2024-09-03 19:46:28 +02:00 · 2021-11-12 01:17:54 +01:00 · 2021-11-12 01:17:54 +01:00 · 74aba3d013
commit 74aba3d013
parent 643fed1d40 a8bafc51dd
6 changed files with 135 additions and 30 deletions
--- a/2
+++ b/2
@ -10,7 +10,7 @@
 		setup_sub_dir=1
 		setup_root=1
 		setup_nourl=0
-		setup_private=1
+		setup_private=0
 		setup_public=1
 		upgrade=1
 		upgrade=1	from_commit=02f2cd7e656ebae74643e969746b23d8912c7798
--- a/hooks/post_app_addaccess
+++ b/hooks/post_app_addaccess
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Source app helpers
+source /usr/share/yunohost/helpers
+
+app=$1
+added_users=$2
+permission=$3
+added_groups=$4
+
+if [ "$app" == __APP__ ]; then
+    if [ "$permission" = "create poll" ]; then # The fake permission "create poll" is modifed.
+        if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
+            domain=$(ynh_app_setting_get --app=$app --key=domain)
+            path_url=$(ynh_app_setting_get --app=$app --key=path)
+
+            if [ "$path_url" == "/" ]; then
+                # If the path is /, clear it to prevent any error with the regex.
+                path_url=""
+            fi
+            # Modify the domain to be used in a regex
+            domain_regex=$(echo "$domain" | sed 's@-@.@g')
+            ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/create_poll.php?.*$","$domain_regex$path_url/adminstuds.php?.*"
+
+            # Sync the is_public variable according to the permission
+            ynh_app_setting_set --app=$app --key=is_public --value=1
+
+            yunohost app ssowatconf
+        else
+            ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
+        fi
+    fi
+fi
--- a/hooks/post_app_removeaccess
+++ b/hooks/post_app_removeaccess
@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Source app helpers
+source /usr/share/yunohost/helpers
+
+app=$1
+removed_users=$2
+permission=$3
+removed_groups=$4
+
+if [ "$app" == __APP__ ]; then
+    if [ "$permission" = "create poll" ]; then # The fake permission "create poll" is modifed.
+        if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
+            
+            # We remove the regex, no more protection is needed.
+            ynh_app_setting_delete --app=$app --key=unprotected_regex
+
+            # Sync the is_public variable according to the permission
+            ynh_app_setting_set --app=$app --key=is_public --value=0
+
+            yunohost app ssowatconf
+        else
+            ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
+        fi
+    fi
+fi
--- a/scripts/change_url
+++ b/scripts/change_url
@ -98,16 +98,13 @@ ynh_script_progression --message="Upgrading SSOwat configuration..."
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	ynh_app_setting_delete --app=$app --key=protected_regex
-
-	# Keep /admin private
 	if [ "$path_url" == "/" ]; then
 	    # If the path is /, clear it to prevent any error with the regex.
 	    path_url=""
 	fi
 	# Modify the domain to be used in a regex
 	domain_regex=$(echo "$new_domain" | sed 's@-@.@g')
-	ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/admin/"
+	ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/create_poll.php?.*$","$domain_regex$path_url/adminstuds.php?.*"
 fi

 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -108,6 +108,14 @@ ynh_script_progression --message="Configuring $app..." --weight=2

 ynh_add_config --template="../conf/config.php" --destination="$final_path/app/inc/config.php"

+#=================================================
+# SETUP HOOKS FILE
+#=================================================
+
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
+
+
 #=================================================
 # REPLACE LOGO IMAGE (DEFAULT IS FRAMADATE)
 #=================================================
@ -141,21 +149,29 @@ chown -R $app: "$final_path/"{tpl_c,admin/stdout.log}
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Configuring permissions..." --weight=1
+ynh_script_progression --message="Configuring Permissions..."
+
+ynh_permission_update --permission="main" --add="visitors"
+
+ynh_permission_create --permission="admin" --allowed="$admin" --url="/admin"
+
+# This is a fake permission without any URL.
+# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
+# We can't use a real permission for now because the actual permision system doesn't support regex.
+ynh_permission_create --permission="create poll" --allowed="visitors"

 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	ynh_permission_update --permission="main" --add="visitors"
-
-	# Keep /admin private
 	if [ "$path_url" == "/" ]; then
 	    # If the path is /, clear it to prevent any error with the regex.
 	    path_url=""
 	fi
 	# Modify the domain to be used in a regex
 	domain_regex=$(echo "$domain" | sed 's@-@.@g')
-	ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/admin/"
+	ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/create_poll.php?.*$","$domain_regex$path_url/adminstuds.php?.*"
+else
+	ynh_permission_update --permission="create poll" --remove="visitors"
 fi

 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -46,6 +46,52 @@ if [ -z "$is_public" ]; then
 	ynh_app_setting_delete --app=$app --key=public_site
 fi

+# Fix is_public as a boolean value
+if [ "$is_public" = "Yes" ]; then
+	ynh_app_setting_set --app=$app --key=is_public --value=1
+	is_public=1
+elif [ "$is_public" = "No" ]; then
+	ynh_app_setting_set --app=$app --key=is_public --value=0
+	is_public=0
+fi
+
+skipped_uris=$(ynh_app_setting_get --app=$app --key=skipped_uris)
+
+# Unused with the permission system
+if [ ! -z "$skipped_uris" ]; then
+	ynh_app_setting_delete --app=$app --key=skipped_uris
+fi
+
+protected_regex=$(ynh_app_setting_get --app=$app --key=protected_regex)
+
+# Unused with the permission system
+if [ ! -z "$protected_regex" ]; then
+	ynh_app_setting_delete --app=$app --key=protected_regex
+fi
+
+# Create the permission "upload images" only if it doesn't exist.
+if ! ynh_permission_exists --permission="create poll"
+then
+	# This is a fake permission without any URL.
+	# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
+	# We can't use a real permission for now because the actual permision system doesn't support regex.
+	ynh_permission_create --permission="create poll" --allowed="visitors"
+
+	# Make app public if necessary
+	if [ $is_public -eq 1 ]
+	then
+		if [ "$path_url" == "/" ]; then
+			# If the path is /, clear it to prevent any error with the regex.
+			path_url=""
+		fi
+		# Modify the domain to be used in a regex
+		domain_regex=$(echo "$domain" | sed 's@-@.@g')
+		ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/create_poll.php?.*$","$domain_regex$path_url/adminstuds.php?.*"
+	else
+		ynh_permission_update --permission="create poll" --remove="visitors"
+	fi
+fi
+
 # If db_name doesn't exist, create it
 if [ -z "$db_name" ]; then
 	db_name=$(ynh_sanitize_dbid --db_name=$app)
@ -146,6 +192,13 @@ then
 	  chown $app:$app "$final_path/app/inc/config.php"
 fi

+#=================================================
+# SETUP HOOKS FILE
+#=================================================
+
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
+
 #=================================================
 # REPLACE LOGO IMAGE (DEFAULT IS FRAMADATE)
 #=================================================
@ -180,26 +233,6 @@ fi

 chown -R $app: "$final_path/"{tpl_c,admin/stdout.log}

-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
-
-# Make app public if necessary
-if [ $is_public -eq 1 ]
-then
-	ynh_app_setting_set --app=$app --key=skipped_uris --value="/"
-
-	# Keep /admin private
-	if [ "$path_url" == "/" ]; then
-	    # If the path is /, clear it to prevent any error with the regex.
-	    path_url=""
-	fi
-	# Modify the domain to be used in a regex
-	domain_regex=$(echo "$domain" | sed 's@-@.@g')
-	ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/admin/"
-fi
-
 #=================================================
 # RELOAD NGINX
 #=================================================