diff --git a/conf/plugin_authldap.json b/conf/plugin_authldap.json
new file mode 100644
index 0000000..558da7f
--- /dev/null
+++ b/conf/plugin_authldap.json
@@ -0,0 +1,22 @@
+{
+ "Enabled": "1",
+ "URI": "ldap://localhost/ou=users,dc=yunohost,dc=org",
+ "Filter": "(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s)))",
+ "NameAttr": "givenName",
+ "SecName": "sn",
+ "UidAttr": "uid",
+ "MailAttr": "mail",
+ "Groups": {
+ "administrator": "__APP__.admin",
+ "editor": "__APP__.editor",
+ "author": "",
+ "contributor": "",
+ "subscriber": "__APP__.main"
+ },
+ "GroupAttr": "cn",
+ "GroupFilter": "(&(objectClass=posixGroup)(memberUid=%s))",
+ "GroupEnable": "1",
+ "GroupOverUser": "1",
+ "Version": 1,
+ "GroupBase": "ou=permission,dc=yunohost,dc=org"
+}
diff --git a/conf/sql/multisite.sql b/conf/sql/multisite.sql
deleted file mode 100644
index 0968968..0000000
--- a/conf/sql/multisite.sql
+++ /dev/null
@@ -1 +0,0 @@
-REPLACE INTO __DB_PREFIX__sitemeta VALUES(NULL,1,'authLDAPOptions','a:22:{s:7:"Enabled";s:1:"1";s:7:"CachePW";b:0;s:3:"URI";s:44:"ldap://localhost/ou=users,dc=yunohost,dc=org";s:12:"URISeparator";s:1:" ";s:6:"Filter";s:__LENGTH__:"(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s))(permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org))";s:8:"NameAttr";s:9:"givenName";s:7:"SecName";s:2:"sn";s:7:"UidAttr";s:3:"uid";s:8:"MailAttr";s:4:"mail";s:7:"WebAttr";s:0:"";s:6:"Groups";a:5:{s:13:"administrator";s:0:"";s:6:"editor";s:0:"";s:6:"author";s:0:"";s:11:"contributor";s:0:"";s:10:"subscriber";s:0:"";}s:5:"Debug";b:0;s:9:"GroupAttr";s:0:"";s:11:"GroupFilter";s:0:"";s:11:"DefaultRole";s:10:"subscriber";s:11:"GroupEnable";b:0;s:13:"GroupOverUser";b:0;s:7:"Version";i:1;s:26:"DoNotOverwriteNonLdapUsers";b:0;s:8:"StartTLS";b:0;s:14:"GroupSeparator";s:0:"";s:9:"GroupBase";s:0:"";}');
diff --git a/conf/sql/single.sql b/conf/sql/single.sql
deleted file mode 100644
index 3d9887d..0000000
--- a/conf/sql/single.sql
+++ /dev/null
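Review bot: The new `Filter` no longer carries the `(permission=cn=__APP__.admin,ou=permission,...)` clause that the deleted `conf/sql/*.sql` seeds appended, so any `posixAccount` matching `uid`/`mail` now authenticates against LDAP and its WordPress role comes from `GroupFilter`/`Groups`, with users in no mapped group falling through to the plugin's default role. That appears intended (the `main` → `subscriber` mapping takes over), but it means authorization now rests on the YunoHost permissions gating `/wp-login.php` plus the group mapping, and a JSON file cannot carry a comment saying so. I would record it in `scripts/install` above the `option update` call: `# The LDAP filter no longer restricts login to the admin permission; access is gated by the YunoHost admin/editor permissions and roles come from the Groups mapping in plugin_authldap.json`. Also `"GroupEnable"`/`"GroupOverUser"` are the strings `"1"` while `"Version"` is the number `1` and the removed seed stored those two as PHP booleans; if the plugin reads them with PHP truthiness this works, but it is worth confirming against the plugin's option schema.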
@@ -1 +0,0 @@
-REPLACE INTO __DB_PREFIX__options VALUES(NULL,'authLDAPOptions','a:22:{s:7:"Enabled";s:1:"1";s:7:"CachePW";b:0;s:3:"URI";s:44:"ldap://localhost/ou=users,dc=yunohost,dc=org";s:12:"URISeparator";s:1:" ";s:6:"Filter";s:__LENGTH__:"(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s))(permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org))";s:8:"NameAttr";s:9:"givenName";s:7:"SecName";s:2:"sn";s:7:"UidAttr";s:3:"uid";s:8:"MailAttr";s:4:"mail";s:7:"WebAttr";s:0:"";s:6:"Groups";a:5:{s:13:"administrator";s:0:"";s:6:"editor";s:0:"";s:6:"author";s:0:"";s:11:"contributor";s:0:"";s:10:"subscriber";s:0:"";}s:5:"Debug";b:0;s:9:"GroupAttr";s:0:"";s:11:"GroupFilter";s:0:"";s:11:"DefaultRole";s:10:"subscriber";s:11:"GroupEnable";b:0;s:13:"GroupOverUser";b:0;s:7:"Version";i:1;s:26:"DoNotOverwriteNonLdapUsers";b:0;s:8:"StartTLS";b:0;s:14:"GroupSeparator";s:0:"";s:9:"GroupBase";s:0:"";}','yes');
diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md
index 5e65adb..36c672b 100644
--- a/doc/DISCLAIMER.md
+++ b/doc/DISCLAIMER.md
@@ -4,15 +4,24 @@ Use the admin panel of your WordPress to configure this app. ## YunoHost specific features - * Integration with YunoHost users and SSO: - * private mode: Blog only accessible by YunoHost users - * public mode: Visible by anyone, YunoHost users automatically connected - * Automatic update of wordpress core, plugins and themes. - * Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance. +* Integration with SSO does not work (automatic login of the user if previously logged on the YunoHost web portal) + * **private mode:** Blog only accessible by YunoHost users + * **public mode:** Visible by anyone +* Allow one user to be the administrator (set at the installation) +* Integration with [YunoHost permission](https://yunohost.org/groups_and_permissions): + * Users rights should be managed from the [Managing groups](https://yunohost.org/en/groups_and_permissions) to give these rights: + * `admin`: can do everything, has "super powers" + * `editor`: can edit all the posts and pages but cannot edit the Worpdress configuration (plugins, user rights, etc) + * `main`: can access with the "default right" (is `subscriber` right now for the package) + * Complete list: https://wordpress.org/documentation/article/roles-and-capabilities/#summary-of-roles + * ⚠️ Permissions defined in YunoHost take precedence over those setted in Wordpress ⚠️ + * FIXME: not sure about which has priority, need testing +* ~~Automatic update of wordpress core, plugins and themes.~~ +* Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance. #### Multi-users support -Supported, with LDAP and SSO. +Supported, with LDAP ~~and SSO~~. ## Limitations diff --git a/scripts/install b/scripts/install index 12f3567..513d04a 100644 --- a/scripts/install +++ b/scripts/install 
@@ -183,6 +183,9 @@ done #================================================= ynh_script_progression --message="Installing WordPress plugins..." --weight=20 +# documentation for tool "wp-cli" +# install: https://make.wordpress.org/cli/handbook/guides/installing/ +# use: https://developer.wordpress.org/cli/commands/option/ ynh_exec_warn_less wget --no-verbose https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar --output-document=$final_path/wp-cli.phar wpcli_alias="php$phpversion $final_path/wp-cli.phar --allow-root --path=$final_path" @@ -217,20 +220,8 @@ then # Activate multisite in wordpress config ynh_replace_string --match_string="//--MULTISITE2--define" --replace_string="define" --target_file=$final_path/wp-config.php - db_prefix="wp_" - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/multisite.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql plugin_network="--network" else - db_prefix="wp_" - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql plugin_network="" fi 
@@ -240,6 +231,25 @@ fi ynh_script_progression --message="Activating plugins..." --weight=4 $wpcli_alias plugin activate authldap $plugin_network +# configure the plugin from a json config file +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json +# To display the list of all the possibles options for this plugin, from your server, enter: +# $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq +# ^ you might need to download it from the projet + +# Sources for writing the json file and permission management +# - https://moulinette.readthedocs.io/en/latest/ldap.html +# - https://github.com/YunoHost-Apps/nextcloud_ynh/blob/master/conf/config.json + +# Set "default user role" as 'subscriber' if no permision (aka LDAP group) found for the user. (Same settings as previous "permission managment" system. So it should no break stuff...) +# +# This setting is not included in the "plugin_authldap.json script" so the json file can be used for "install" and "upgrade" +# - Install => Set "default user role" choosen by the packager +# - Upgrade => Do not modify the default setting as the Wordpress administrator could have changed the defaut role for its use case. +# TODO: could be asked to the admin while installing the app and set it up here somehow? +$wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber" + # Do not activate http-authentication, this plugin is sometimes unstable $wpcli_alias plugin activate companion-auto-update $plugin_network $wpcli_alias plugin activate wp-fail2ban-redux $plugin_network 
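Review bot: `$wpcli_alias option update authLDAPOptions --format=json` replaces the whole option value, and the `scripts/upgrade` hunk `@@ -281,6 +278,10 @@` re-runs the same command from the same JSON without re-adding `DefaultRole`, so the `subscriber` default inserted here with `option patch insert` is gone after the first upgrade unless the plugin backfills missing keys — which contradicts the "Upgrade => Do not modify the default setting" comment above that line. Keeping `DefaultRole` out of the JSON only works if upgrade ensures the key after its `option update`, e.g. `$wpcli_alias option pluck authLDAPOptions DefaultRole >/dev/null 2>&1 || $wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber"`. The example command in the comment hard-codes `php8.0` and `/var/www/wordpress` and uses `--json`, whereas the script itself uses `--format=json`; `# $ php$phpversion $final_path/wp-cli.phar --path=$final_path --allow-root option get authLDAPOptions --format=json | jq` would stay correct as the PHP version changes.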
@@ -295,8 +305,13 @@ then ynh_permission_update --permission="main" --add="visitors" fi -# Only the admin can access the admin panel of the app -ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress +# Only these "permissions or groups" can access the admin panel of Wordpress to manage it +# - "admin" has full rights in the app +# - "editor" can edit all the posts and pages +# - "main" can login and do almost nothing +# See https://wordpress.org/documentation/article/roles-and-capabilities/ +ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true +ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true #================================================= # RELOAD NGINX diff --git a/scripts/upgrade b/scripts/upgrade index a0499ee..9d61983 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -179,7 +179,16 @@ fi if ! ynh_permission_exists --permission="admin"; then # Create the required permissions - ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress + ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true +else + # Add "label" for user panel + ynh_permission_update --permission="admin" --show_tile=true +fi + +# If missing, create "editor permission" +if ! ynh_permission_exists --permission="editor"; then + ynh_script_progression --message="Creating the missing 'editor permission'..." + ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true fi #================================================= 
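Review bot: The new `editor` permission, and the rewritten `admin` line here and in the `scripts/upgrade` hunk `@@ -179,7 +179,16 @@`, list `/wp-admin.php` as an additional URL, but a stock WordPress serves its dashboard from the `/wp-admin/` directory and I do not know of a top-level `wp-admin.php` file; unless the package rewrites that path somewhere outside this diff, the dashboard is not actually covered by these permissions. I would expect `--additional_urls="/wp-admin/"` on both lines, and a quick check of the deployed `$final_path` would settle it. The `editor` permission is also created with no `--allowed`, which looks deliberate (the administrator assigns groups later) and deserves a line in the comment block above it: `# - "editor" starts empty; grant it from the YunoHost groups/permissions panel`.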
@@ -246,21 +255,9 @@ then db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed "s/.*'\(.*\)'.*/\1/" ) - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/multisite.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql plugin_network="--network" else multisite=0 - db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed "s/.*'\(.*\)'.*/\1/" ) - - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql plugin_network="" if ynh_permission_has_user --permission="main" --user="visitor" then @@ -281,6 +278,10 @@ update_plugin () { } update_plugin authldap $wpcli_alias plugin activate authldap $plugin_network +# re-apply the default LDAP configuration, hoping that admininstrator did not change these settings. +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json + update_plugin companion-auto-update $wpcli_alias plugin activate companion-auto-update $plugin_network
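Review bot: With the `ynh_replace_string`/`ynh_mysql_connect_as` lines removed from the multisite branch, the context line `db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed ...)` that precedes them has no remaining consumer in this hunk, while the `else` branch's copy was deleted together with its uses; it is dead code unless `db_prefix` is read further down in `scripts/upgrade`, outside this hunk. If it is unused, remove it as well so both branches match; if it is still needed, a comment such as `# db_prefix is used below for <what>` would keep the next reader from deleting it.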
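Review bot: The new `option update authLDAPOptions --format=json` runs on every upgrade and replaces the whole option, so any setting the administrator changed in the plugin (URI, filters, group mapping) is reverted each time — the added comment ("hoping that admininstrator did not change these settings") documents the problem instead of preventing it. The old SQL-seeded configuration stored `GroupBase` as an empty string while the new JSON sets it to `ou=permission,dc=yunohost,dc=org`, so an empty `GroupBase` identifies an install that has not yet received the new configuration; seeding only in that case keeps later upgrades from clobbering administrator changes and lets `DefaultRole` be set in the same place. `wp option pluck` should print nothing on stdout when the key is absent or empty, which covers both states, and the command substitution inside `[ ]` does not trip `set -e`.

```shell
update_plugin authldap
$wpcli_alias plugin activate authldap $plugin_network
# Apply the package's LDAP configuration only once, when migrating from the
# SQL-seeded settings (their GroupBase was empty). Later upgrades leave the
# administrator's changes alone.
if [ -z "$($wpcli_alias option pluck authLDAPOptions GroupBase 2>/dev/null)" ]; then
    ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json
    $wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json
    $wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber"
fi
# … unchanged: update_plugin companion-auto-update …
```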