From 7f343146864da3658634745c3518546d6c1c1489 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Wed, 1 Apr 2020 16:01:52 +0200 Subject: [PATCH] fix ldap --- README.md | 7 +++++-- conf/.env | 4 ++-- manifest.json | 2 +- scripts/install | 4 ++-- scripts/upgrade | 32 +++++++++++++++++++------------- 5 files changed, 29 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 56da4f4..e09439f 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,11 @@ Wekan is an open-source kanban board (task manager and organizer) ## Configuration -As LDAP authentification is enable by default, wekan admins are the members of the YunoHost LDAP admin group. -To add an account in the YunoHost, you must first install [phpLDAPadmin](https://github.com/YunoHost-Apps/phpldapadmin_ynh) , connect to the interface and in the left panel go on `dc=yunohost,dc=org`, `ou=groups`, `cn=admins`. In the right panel, in the memberUid category, click on modify group members, add the account in the group, save changes and update object +As LDAP authentification is enable by default, wekan admins are the members of the group `Wekan Admin`. +To add an admin account, you must: + +- go to the webadmin and add the specific user to the permission `Wekan Admin` +- use the command: `yunohost user permission update wekan.admin -a the_user_to_add` If you have disable ldap authentication, first registered user will be admin, and next ones normal users. If you want other admins too, you can change their permission to admin at Wekan Admin Panel. diff --git a/conf/.env b/conf/.env index 93772ad..957f134 100644 --- a/conf/.env +++ b/conf/.env 
@@ -322,7 +322,7 @@ LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=uid # LDAP_GROUP_FILTER_GROUP_NAME : # example : LDAP_GROUP_FILTER_GROUP_NAME=wekan_user #LDAP_GROUP_FILTER_GROUP_NAME= -LDAP_GROUP_FILTER_GROUP_NAME=sftpusers +LDAP_GROUP_FILTER_GROUP_NAME=permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org # LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier) # example : LDAP_UNIQUE_IDENTIFIER_FIELD=guid #LDAP_UNIQUE_IDENTIFIER_FIELD= @@ -370,7 +370,7 @@ LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name"} # LDAP_SYNC_GROUP_ROLES : # example : #LDAP_SYNC_GROUP_ROLES= -LDAP_SYNC_GROUP_ROLES=admins +LDAP_SYNC_GROUP_ROLES=permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org # LDAP_DEFAULT_DOMAIN : The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP # example : #LDAP_DEFAULT_DOMAIN= diff --git a/manifest.json b/manifest.json index 531800e..328a406 100644 --- a/manifest.json +++ b/manifest.json @@ -19,7 +19,7 @@ "name": "ljf" }], "requirements": { - "yunohost": ">= 3.5" + "yunohost": ">= 3.7" }, "multi_instance": true, "services": [ diff --git a/scripts/install b/scripts/install index 347ac42..c5d25a9 100755 --- a/scripts/install +++ b/scripts/install @@ -150,6 +150,7 @@ ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --ta ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config_file" ynh_replace_string --match_string="__DOMAIN_URI__" --replace_string="$domain$path_url" --target_file="$config_file" ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config_file" +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config_file" #================================================= # STORE THE CONFIG FILE CHECKSUM 
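Review bot: The new `LDAP_GROUP_FILTER_GROUP_NAME` value in the first conf/.env hunk is not a group name but an attribute assertion (`permission=cn=__APP__.main,…`), while the comments above it still describe a plain name such as `wekan_user`. Because this line now decides which LDAP accounts may log in, it should carry a comment, for example `# Login is limited to users holding the __APP__.main permission; __APP__ is substituted by scripts/install and scripts/upgrade`. How Wekan expands the value into the final search filter depends on the other LDAP_GROUP_FILTER_* settings, which are outside this hunk, so it is worth confirming after install that an account without the permission is refused.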
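Review bot: `LDAP_SYNC_GROUP_ROLES` in the second conf/.env hunk now points at the `__APP__.admin` permission, but within this commit only scripts/upgrade calls `ynh_permission_create --permission="admin"`; the scripts/install hunks do not. Unless install already creates that permission outside the visible hunks, a fresh install references a permission that does not exist, and the README step of adding a user to `Wekan Admin` has nothing to act on. Adding `ynh_permission_create --permission="admin"` to scripts/install next to the `main` permission update would close that gap.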
@@ -199,8 +200,7 @@ ynh_print_info --message="Configuring SSOwat..." # Make app public if necessary if [ $is_public -eq 1 ] then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" + ynh_permission_update --permission "main" --add "visitors" fi #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 1119fca..5853ab2 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -21,7 +21,6 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) final_path=$(ynh_app_setting_get --app=$app --key=final_path) db_name=$(ynh_app_setting_get --app=$app --key=db_name) port=$(ynh_app_setting_get --app=$app --key=port) @@ -119,6 +118,24 @@ if ynh_version_gt "2.56~ynh1" "${previous_version}" ; then touch $config_file fi +# Create the permission "admin" only if it doesn't exist. +if ! ynh_permission_exists --permission="admin" +then + ynh_print_info --message="Upgrading Permission configuration..." + + ynh_app_setting_delete --app=$app --key=unprotected_uris + + is_public=$(ynh_app_setting_get --app=$app --key=is_public) + + if [ $is_public -eq 1 ]; then + ynh_permission_update --permission "main" --add "visitors" + fi + + ynh_app_setting_delete --app=$app --key=is_public + + ynh_permission_create --permission="admin" +fi + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= 
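Review bot: In the scripts/install hunk the test `[ $is_public -eq 1 ]` leaves `$is_public` unquoted, so an empty value produces a shell error instead of a clean false; `if [ "${is_public:-0}" -eq 1 ]` is safer. The same test appears in the migration block added to scripts/upgrade, where the value is read back from app settings and is more likely to be missing. The branch also lost its only comment. Since adding `visitors` to `main` is the step that exposes the app to users who have not authenticated, a line such as `# Public app: grant the visitors group (unauthenticated users) the main permission` would make that explicit.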
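Review bot: The migration block in scripts/upgrade creates the `admin` permission with no members (`ynh_permission_create --permission="admin"`), while conf/.env in the same commit moves the admin role mapping from the `admins` group to that permission. After an upgrade, accounts that were Wekan admins through `admins` no longer match the mapping. Whether they lose the role or keep a stale one depends on how Wekan syncs roles, which the diff does not show. Either seed the permission when creating it (the helper accepts `--allowed`) or warn the operator after the create, e.g. `ynh_print_warn --message="Grant the $app.admin permission to the users who should administer Wekan"`.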
@@ -194,6 +211,7 @@ ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --ta ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config_file" ynh_replace_string --match_string="__DOMAIN_URI__" --replace_string="$domain$path_url" --target_file="$config_file" ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config_file" +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config_file" ynh_store_file_checksum "$config_file" #================================================= @@ -218,18 +236,6 @@ chown -R $app: "$final_path" chmod -R 640 "$final_path" find "$final_path" -type d -print0 | xargs -0 chmod 750 -#================================================= -# SETUP SSOWAT -#================================================= -ynh_print_info --message="Upgrading SSOwat configuration..." - -# Make app public if necessary -if [ $is_public -eq 1 ] -then - # unprotected_uris allows SSO credentials to be passed anyway - ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" -fi - #================================================= # START SYSTEMD SERVICE #=================================================