new permissions system

actions.toml

@@ -1,15 +1,3 @@
-[public_private]
-name = "Move to public or private"
-command = "/bin/bash scripts/actions/public_private"
-accepted_return_codes = [0]
-description = "Change the public access of the app."
-
-    [public_private.arguments]
-        [public_private.arguments.is_public]
-            type = "boolean"
-            ask = "Is it a public app?"
-            default = true
-
 [reset_default_nginx]
 name = "Reset the NGINX config for this app."
 command = "/bin/bash scripts/actions/reset_default_system nginx"

config_panel.toml

@@ -5,15 +5,6 @@ name = "Wordpress configuration panel"
 name = "Wordpress configuration"
 
 
-    [main.is_public]
-    name = "Public access"
-
-        [main.is_public.is_public]
-        ask = "Is it a public WordPress site?"
-        type = "boolean"
-        default = true
-
-
     [main.overwrite_files]
     name = "Overwriting config files"
 

scripts/actions/public_private

@@ -1,80 +0,0 @@
-#!/bin/bash
-
-#=================================================
-# GENERIC STARTING
-#=================================================
-# IMPORT GENERIC HELPERS
-#=================================================
-
-source /usr/share/yunohost/helpers
-
-#=================================================
-# MANAGE SCRIPT FAILURE
-#=================================================
-
-# Exit if an error occurs during the execution of the script
-ynh_abort_if_errors
-
-#=================================================
-# RETRIEVE ARGUMENTS
-#=================================================
-
-# Get is_public
-is_public=${YNH_ACTION_IS_PUBLIC}
-
-app=$YNH_APP_INSTANCE_NAME
-
-#=================================================
-# CHECK IF ARGUMENTS ARE CORRECT
-#=================================================
-
-#=================================================
-# CHECK IF AN ACTION HAS TO BE DONE
-#=================================================
-
-is_public_old=$(ynh_app_setting_get --app=$app --key=is_public)
-
-if [ $is_public -eq $is_public_old ]
-then
-	ynh_die --message="is_public is already set as $is_public." --ret_code=0
-fi
-
-#=================================================
-# SPECIFIC ACTION
-#=================================================
-# MOVE TO PUBLIC OR PRIVATE
-#=================================================
-
-if [ $is_public -eq 0 ]; then
-	public_private="private"
-else
-	public_private="public"
-fi
-ynh_script_progression --message="Moving the application to $public_private..." --weight=3
-
-if [ $is_public -eq 0 ]
-then
-	ynh_app_setting_delete --app=$app --key=unprotected_uris
-else
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
-fi
-
-ynh_script_progression --message="Upgrading SSOwat configuration..."
-# Regen ssowat configuration
-yunohost app ssowatconf
-
-# Update the config of the app
-ynh_app_setting_set --app=$app --key=is_public --value=$is_public
-
-#=================================================
-# RELOAD NGINX
-#=================================================
-ynh_script_progression --message="Reloading NGINX web server..."
-
-ynh_systemd_action --service_name=nginx --action=reload
-
-#=================================================
-# END OF SCRIPT
-#=================================================
-
-ynh_script_progression --message="Execution completed" --last

scripts/actions/reset_default_app

@@ -24,7 +24,6 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 
@@ -95,21 +94,6 @@ ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=5
 # Create a dedicated fail2ban config
 ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="PHP message: Leed: wrong login for .* client: <HOST>" --max_retry=5
 
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
-
-# Remove skipped_uris if it's still present
-ynh_app_setting_delete --app=$app --key=skipped_uris
-if [ $is_public -eq 0 ]; then
-	# Remove the public access
-	ynh_app_setting_delete --app=$app --key=unprotected_uris
-else
-	# Or replace skipped_uris by unprotected_uris
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
-fi
-
 #=================================================
 # RELOAD NGINX
 #=================================================

scripts/actions/reset_default_system

@@ -29,7 +29,6 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 
 multisite=$(ynh_app_setting_get --app=$app --key=multisite)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 
 #=================================================
 # SPECIFIC ACTION
@@ -63,7 +62,7 @@ then
 elif [ $type == phpfpm ]
 then
     # If the app is private, set the usage to low, otherwise to high.
-    if [ $is_public -eq 0 ]
+	if [ $(ynh_app_setting_get --app=$app --key=is_public) -eq 0 ]
     then
         usage=low
     else

scripts/config

@@ -26,10 +26,6 @@ fpm_config_dir=$(ynh_app_setting_get --app=$app --key=fpm_config_dir)
 # If the form has a value for a variable, take the value from the form,
 # Otherwise, keep the value from the app config.
 
-# is_public
-old_is_public="$(ynh_app_setting_get --app=$app --key=is_public)"
-is_public="${YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC:-$old_is_public}"
-
 # Overwrite nginx configuration
 old_overwrite_nginx="$(ynh_app_setting_get --app=$app --key=overwrite_nginx)"
 overwrite_nginx="${YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX:-$old_overwrite_nginx}"
@@ -78,8 +74,6 @@ show_config() {
     # here you are supposed to read some config file/database/other then print the values
     # ynh_return "YNH_CONFIG_${PANEL_ID}_${SECTION_ID}_${OPTION_ID}=value"
 
-    ynh_return "YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC=$is_public"
-
     ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX=$overwrite_nginx"
     ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_PHPFPM=$overwrite_phpfpm"
 
@@ -97,17 +91,6 @@ show_config() {
 
 apply_config() {
 
-    # Change public accessibility
-    if [ "$is_public" != "$old_is_public" ]
-    then
-        if [ "$is_public" = "1" ]
-        then
-            yunohost app action run $app public_private --args is_public=1
-        else
-            yunohost app action run $app public_private --args is_public=0
-        fi
-    fi
-
     #=================================================
     # MODIFY OVERWRITTING SETTINGS
     #=================================================

scripts/install

@@ -52,7 +52,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=2
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin_wordpress
-ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=language --value=$language
 ynh_app_setting_set --app=$app --key=multisite --value=$multisite
 
@@ -140,7 +139,7 @@ ynh_script_progression --message="Installing wordpress with cURL..." --weight=10
 chown -R $app: $final_path
 
 # Set the app as temporarily public for cURL call
-ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+ynh_permission_update --permission="main" --add="visitors"
 # Regen SSOwat configuration
 yunohost app ssowatconf
 
@@ -150,6 +149,9 @@ ynh_systemd_action --service_name=nginx --action=reload
 # Wordpress installation
 ynh_local_curl "/wp-admin/install.php?step=2" "&weblog_title=YunoBlog" "user_name=$admin_wordpress" "admin_password=$db_pwd" "admin_password2=$db_pwd" "admin_email=$admin_wordpress@$domain" "Submit=Install+WordPress"
 
+# Remove the public access
+ynh_permission_update --permission="main" --remove="visitors"
+
 ynh_print_info --message="Please wait during Wordpress installation..."
 for i in `seq 1 300`
 do
@@ -257,14 +259,19 @@ ynh_add_fail2ban_config --logpath="/var/log/auth.log" --failregex="Authenticatio
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..."
+ynh_script_progression --message="Configuring permissions..." --time --weight=1
 
-if [ $is_public -eq 0 ]
+# Make app public if necessary
+if [ $is_public -eq 1 ]
 then
-	# Remove the public access
-	ynh_app_setting_delete --app=$app --key=unprotected_uris
+	# Everyone can access the app.
+	# The "main" permission is automatically created before the install script.
+	ynh_permission_update --permission="main" --add="visitors"
 fi
 
+# Only the admin can access the admin panel of the app
+ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress
+
 #=================================================
 # RELOAD NGINX
 #=================================================

scripts/restore

@@ -25,7 +25,6 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 admin_wordpress=$(ynh_app_setting_get --app=$app --key=admin)

scripts/upgrade

@@ -20,7 +20,6 @@ domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 admin_wordpress=$(ynh_app_setting_get --app=$app --key=admin)
 language=$(ynh_app_setting_get --app=$app --key=language)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 multisite=$(ynh_app_setting_get --app=$app --key=multisite)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
@@ -63,15 +62,6 @@ if [ -z "$language" ]; then
 	ynh_app_setting_set --app=$app --key=language --value=$language
 fi
 
-# Fix is_public as a boolean
-if [ "${is_public,,}" = "yes" ]; then
-	ynh_app_setting_set --app=$app --key=is_public --value=1
-	is_public=1
-elif [ "${is_public,,}" = "no" ]; then
-	ynh_app_setting_set --app=$app --key=is_public --value=0
-	is_public=0
-fi
-
 # Fix multisite as a boolean
 if [ "${multisite,,}" = "yes" ]; then
 	ynh_app_setting_set --app=$app --key=multisite --value=1
@@ -110,14 +100,6 @@ if [ -z "$overwrite_phpfpm" ]; then
     ynh_app_setting_set --app=$app --key=overwrite_phpfpm --value=$overwrite_phpfpm
 fi
 
-# If the app is private, set the usage to low, otherwise to high.
-if [ $is_public -eq 0 ]
-then
-    usage=low
-else
-    usage=high
-fi
-
 # If fpm_footprint doesn't exist, create it
 if [ -z "$fpm_footprint" ]; then
     fpm_footprint=medium
@@ -126,6 +108,13 @@ fi
 
 # If fpm_usage doesn't exist, create it
 if [ -z "$fpm_usage" ]; then
+	# If the app is private, set the usage to low, otherwise to high.
+	if [ $(ynh_app_setting_get --app=$app --key=is_public) -eq 0 ]
+	then
+		usage=low
+	else
+		usage=high
+	fi
     fpm_usage=$usage
     ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
 fi
@@ -145,6 +134,18 @@ fi
 $wpcli_alias plugin is-installed wp-fail2ban && $wpcli_alias plugin deactivate $plugin_network wp-fail2ban && $wpcli_alias plugin uninstall wp-fail2ban
 $wpcli_alias plugin is-installed wp-fail2ban-redux || $wpcli_alias plugin install wp-fail2ban-redux
 
+# Cleaning legacy permissions
+if ynh_legacy_permissions_exists; then
+	ynh_legacy_permissions_delete_all
+
+	ynh_app_setting_delete --app=$app --key=is_public
+fi
+
+if ! ynh_permission_exists --permission="admin"; then
+	# Create the required permissions
+	ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress
+fi
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -225,7 +226,7 @@ then
 else
 	multisite=0
 	plugin_network=""
-	if [ $is_public -eq 1 ]
+	if ynh_permission_has_user --permission="main" --user="visitor"
 	then
 		ynh_replace_string --match_string="//--PUBLIC--define" --replace_string="define" --target_file=$final_path/wp-config.php
 	fi
@@ -297,21 +298,6 @@ ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=9
 # Create a dedicated Fail2Ban config
 ynh_add_fail2ban_config --logpath="/var/log/auth.log" --failregex="Authentication (attempt for unknown user|failure for) .* from <HOST>" --max_retry=5
 
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..."
-
-# Remove skipped_uris if it's still present
-ynh_app_setting_delete --app=$app --key=skipped_uris
-if [ $is_public -eq 0 ]; then
-	# Remove the public access
-	ynh_app_setting_delete --app=$app --key=unprotected_uris
-else
-	# Or replace skipped_uris by unprotected_uris
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
-fi
-
 #=================================================
 # RELOAD NGINX
 #=================================================