diff --git a/locales/en.json b/locales/en.json
index ebbb89fa8..2c6363608 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -259,9 +259,6 @@
 "log_help_to_get_failed_log": "The operation '{desc}' has failed! To get help, please share the full log of this operation using the command 'yunohost log display {name} --share'",
 "log_does_exists": "There is not operation log with the name '{log}', use 'yunohost log list to see all available operation logs'",
 "log_operation_unit_unclosed_properly": "Operation unit has not been closed properly",
- "log_app_addaccess": "Add access to '{}'",
- "log_app_removeaccess": "Remove access to '{}'",
- "log_app_clearaccess": "Remove all access to '{}'",
 "log_app_fetchlist": "Add an application list",
 "log_app_removelist": "Remove an application list",
 "log_app_change_url": "Change the url of '{}' application",
@@ -279,9 +276,9 @@
 "log_dyndns_subscribe": "Subscribe to a YunoHost subdomain '{}'",
 "log_dyndns_update": "Update the ip associated with your YunoHost subdomain '{}'",
 "log_letsencrypt_cert_install": "Install Let's encrypt certificate on '{}' domain",
- "log_permission_add": "Add permission '{}' for app '{}'",
- "log_permission_remove": "Remove permission '{}'",
- "log_permission_update": "Update permission '{}' for app '{}'",
+ "log_permission_create": "Create permission '{permission}'",
+ "log_permission_delete": "Delete permission '{permission}'",
+ "log_permission_urls": "Update urls related to permission '{permission}'",
 "log_selfsigned_cert_install": "Install self signed certificate on '{}' domain",
 "log_letsencrypt_cert_renew": "Renew '{}' Let's encrypt certificate",
 "log_regen_conf": "Regenerate system configurations '{}'",
@@ -291,8 +288,8 @@
 "log_user_group_delete": "Delete '{}' group",
 "log_user_group_update": "Update '{}' group",
 "log_user_update": "Update information of '{}' user",
- "log_user_permission_add": "Update '{}' permission",
- "log_user_permission_remove": "Update '{}' permission",
+ "log_user_permission_update": "Update accesses for permission '{permission}'",
+ "log_user_permission_reset": "Reset permission '{permission}'",
 "log_tools_maindomain": "Make '{}' as main domain",
 "log_tools_migrations_migrate_forward": "Migrate forward",
 "log_tools_postinstall": "Postinstall your YunoHost server",
diff --git a/src/yunohost/app.py b/src/yunohost/app.py
index 1a41e2a01..14396b1cd 100644
--- a/src/yunohost/app.py
+++ b/src/yunohost/app.py
@@ -1039,8 +1039,7 @@ def app_remove(operation_logger, app):
 raise YunohostError("this_action_broke_dpkg")
-@is_unit_operation(['permission','app'])
-def app_addaccess(operation_logger, apps, users=[]):
+def app_addaccess(apps, users=[]):
 """
 Grant access right to users (everyone by default)
@@ -1051,15 +1050,15 @@ def app_addaccess(operation_logger, apps, users=[]):
 """
 from yunohost.permission import user_permission_update
- permission = user_permission_update(operation_logger, app=apps, permission="main", add_username=users)
+ output = {}
+ for app in apps:
+ permission = user_permission_update(app+".main", add=users)
+ output[app] = permission["corresponding_users"]
- result = {p : v['main']['allowed_users'] for p, v in permission['permissions'].items()}
-
- return {'allowed_users': result}
+ return {'allowed_users': output}
-@is_unit_operation(['permission','app'])
-def app_removeaccess(operation_logger, apps, users=[]):
+def app_removeaccess(apps, users=[]):
 """
 Revoke access right to users (everyone by default)
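Review bot: `output[app] = permission["corresponding_users"]` in app_addaccess (hunk `@@ -1051,15 +1050,15 @@`) raises a TypeError whenever user_permission_update returns None, and the permission.py hunk `@@ -132,15 +138,17 @@` of this same commit adds a bare `return` on its no-change path. That path looks reachable with the default `users=[]` or when the requested access is already granted, although the code in between is outside the visible hunks and the decorator's handling of return values is not shown. app_removeaccess (`@@ -1070,15 +1069,15 @@`) contains the same loop. Either return the unchanged permission data from the early exit, or guard the lookup here: `if permission is not None: output[app] = permission["corresponding_users"]`.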
@@ -1070,15 +1069,15 @@ def app_removeaccess(operation_logger, apps, users=[]):
 """
 from yunohost.permission import user_permission_update
- permission = user_permission_update(operation_logger, app=apps, permission="main", del_username=users)
+ output = {}
+ for app in apps:
+ permission = user_permission_update(app+".main", remove=users)
+ output[app] = permission["corresponding_users"]
- result = {p : v['main']['allowed_users'] for p, v in permission['permissions'].items()}
-
- return {'allowed_users': result}
+ return {'allowed_users': output}
-@is_unit_operation(['permission','app'])
-def app_clearaccess(operation_logger, apps):
+def app_clearaccess(apps):
 """
 Reset access rights for the app
@@ -1086,13 +1085,15 @@ def app_clearaccess(operation_logger, apps):
 apps
 """
- from yunohost.permission import user_permission_clear
+ from yunohost.permission import user_permission_reset
- permission = user_permission_clear(operation_logger, app=apps, permission="main")
+ output = {}
+ for app in apps:
+ permission = user_permission_reset(app+".main")
+ output[app] = permission["corresponding_users"]
- result = {p : v['main']['allowed_users'] for p, v in permission['permissions'].items()}
+ return {'allowed_users': output}
- return {'allowed_users': result}
 def app_debug(app):
 """
diff --git a/src/yunohost/log.py b/src/yunohost/log.py
index cbb850e44..8b0f893e8 100644
--- a/src/yunohost/log.py
+++ b/src/yunohost/log.py
@@ -44,7 +44,7 @@ CATEGORIES = ['operation', 'history', 'package', 'system', 'access', 'service', 'app']
 METADATA_FILE_EXT = '.yml'
 LOG_FILE_EXT = '.log'
-RELATED_CATEGORIES = ['app', 'domain', 'service', 'user']
+RELATED_CATEGORIES = ['app', 'domain', 'group', 'service', 'user']
 logger = getActionLogger('yunohost.log')
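Review bot: The app_clearaccess docstring left in place around hunk `@@ -1086,13 +1085,15 @@` says only "Reset access rights for the app", but the function it now calls, user_permission_reset, is documented in permission.py as resetting the permission "to just 'all_users'". For an access-control command the difference matters: "clear" can be read as revoking access, while the visible code restores the default that admits every user. Suggested summary line: `Reset the main permission of each given app to the default ('all_users' only)`. The docstring opens in the preceding hunk and part of it lies outside both.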
@@ -213,7 +213,7 @@ def log_display(path, number=None, share=False):
 return infos
-def is_unit_operation(entities=['app', 'domain', 'service', 'user'],
+def is_unit_operation(entities=['app', 'domain', 'group', 'service', 'user'],
 exclude=['password'], operation_key=None):
 """
 Configure quickly a unit operation
diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py
index 54aa25e23..a4ff9fb15 100644
--- a/src/yunohost/permission.py
+++ b/src/yunohost/permission.py
@@ -76,6 +76,7 @@ def user_permission_list(short=False, full=False):
 return {'permissions': permissions}
+@is_unit_operation()
 def user_permission_update(operation_logger, permission, add=None, remove=None, sync_perm=True):
 """
 Allow or Disallow a user or group to a permission for a specific application
@@ -98,6 +99,7 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
 current_allowed_groups = existing_permission["allowed"]
 all_existing_groups = user_group_list()['groups'].keys()
+ operation_logger.related_to.append(('app', permission.split(".")[0]))
 # Compute new allowed group list (and make sure what we're doing make sense)
@@ -110,6 +112,8 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
 raise YunohostError('group_unknown', group=group)
 if group in current_allowed_groups:
 logger.warning(m18n.n('group_already_allowed', permission=permission, group=group))
+ else:
+ operation_logger.related_to.append(('group', group))
 new_allowed_groups += groups_to_add
@@ -120,6 +124,8 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
 raise YunohostError('group_unknown', group=group)
 if group not in current_allowed_groups:
 logger.warning(m18n.n('group_already_disallowed', permission=permission, group=group))
+ else:
+ operation_logger.related_to.append(('group', group))
 new_allowed_groups = [g for g in new_allowed_groups if g not in groups_to_remove]
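Review bot: `permission.split(".")[0]` in hunk `@@ -98,6 +99,7 @@` assumes the name always has the form `app.permission`; a name without a dot is recorded whole as the related app, and nothing visible in this diff checks the format. The same expression is repeated in user_permission_reset, permission_create, permission_urls and permission_delete, so the operation log's app association depends on five copies staying in sync. In permission_create it runs on a name that does not exist yet, which is where a format check would matter most. Consider one private helper, for example `def _app_of(permission): return permission.split(".")[0]`, with a comment stating the expected format, called from all five places.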
@@ -132,15 +138,17 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
 # FIXME : write a better explanation ?
 logger.warning("This permission is currently enabled for all users in addition to other groups. You probably want to either remove the 'all_users' permission or remove the specific groups currently allowed.")
- # Commit the new allowed group list
-
- operation_logger.start()
-
 # Don't update LDAP if we update exactly the same values
 if set(new_allowed_groups) == set(current_allowed_groups):
 # FIXME : i18n
 logger.warning("No change was applied because not relevant modification were found")
- elif ldap.update('cn=%s,ou=permission' % permission,
+ return
+
+ # Commit the new allowed group list
+
+ operation_logger.start()
+
+ if ldap.update('cn=%s,ou=permission' % permission,
 {'groupPermission': ['cn=' + g + ',ou=groups,dc=yunohost,dc=org' for g in new_allowed_groups]}):
 logger.debug(m18n.n('permission_updated', permission=permission))
@@ -172,6 +180,7 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
 raise YunohostError('permission_update_failed')
+@is_unit_operation()
 def user_permission_reset(operation_logger, permission, sync_perm=True):
 """
 Reset a given permission to just 'all_users'
@@ -191,6 +200,9 @@ def user_permission_reset(operation_logger, permission, sync_perm=True):
 # Update permission with default (all_users)
+ operation_logger.related_to.append(('app', permission.split(".")[0]))
+ operation_logger.start()
+
 default_permission = {'groupPermission': ['cn=all_users,ou=groups,dc=yunohost,dc=org']}
 if ldap.update('cn=%s,ou=permission' % permission, default_permission):
 logger.debug(m18n.n('permission_updated', permission=permission))
@@ -228,7 +240,7 @@ def user_permission_reset(operation_logger, permission, sync_perm=True):
 #
-@is_unit_operation(['permission', 'app'])
+@is_unit_operation()
 def permission_create(operation_logger, permission, urls=None, sync_perm=True):
 """
 Create a new permission for a specific application
@@ -267,6 +279,7 @@ def permission_create(operation_logger, permission, urls=None, sync_perm=True):
 if urls:
 attr_dict['URL'] = [_normalize_url(url) for url in urls]
+ operation_logger.related_to.append(('app', permission.split(".")[0]))
 operation_logger.start()
 if ldap.add('cn=%s,ou=permission' % permission, attr_dict):
 if sync_perm:
@@ -277,7 +290,7 @@ def permission_create(operation_logger, permission, urls=None, sync_perm=True):
 raise YunohostError('permission_creation_failed')
-@is_unit_operation(['permission', 'app'])
+@is_unit_operation()
 def permission_urls(operation_logger, permission, add=None, remove=None, sync_perm=True):
 """
 Update urls related to a permission for a specific application
@@ -316,6 +329,7 @@ def permission_urls(operation_logger, permission, add=None, remove=None, sync_pe
 # Actually commit the change
+ operation_logger.related_to.append(('app', permission.split(".")[0]))
 operation_logger.start()
 if ldap.update('cn=%s,ou=permission' % permission, {'URL': new_urls}):
 if sync_perm:
@@ -326,7 +340,7 @@ def permission_urls(operation_logger, permission, add=None, remove=None, sync_pe
 raise YunohostError('premission_update_failed')
-@is_unit_operation(['permission', 'app'])
+@is_unit_operation()
 def permission_delete(operation_logger, permission, force=False, sync_perm=True):
 """
 Delete a permission
@@ -349,6 +363,7 @@ def permission_delete(operation_logger, permission, force=False, sync_perm=True)
 # Actually delete the permission
+ operation_logger.related_to.append(('app', permission.split(".")[0]))
 operation_logger.start()
 if ldap.remove('cn=%s,ou=permission' % permission):
 if sync_perm:
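Review bot: The failure path of permission_urls raises `YunohostError('premission_update_failed')` (first context line of hunk `@@ -326,7 +340,7 @@`), whereas user_permission_update in the same file raises `'permission_update_failed'`. The misspelled key most likely has no locale entry, so a failed LDAP update would surface as a missing-translation problem instead of the intended message; this cannot be confirmed here because the locale file is only partly shown. Since the commit already touches this function, change the line to `raise YunohostError('permission_update_failed')`.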
diff --git a/src/yunohost/user.py b/src/yunohost/user.py
index 2bf36cfd6..5631a2204 100644
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@@ -525,7 +525,7 @@ def user_group_list(short=False, full=False):
 return {'groups': groups}
-@is_unit_operation([('groupname', 'user')])
+@is_unit_operation([('groupname', 'group')])
 def user_group_create(operation_logger, groupname, gid=None, primary_group=False, sync_perm=True):
 """
 Create group
@@ -537,8 +537,6 @@ def user_group_create(operation_logger, groupname, gid=None, primary_group=False
 from yunohost.permission import permission_sync_to_user
 from yunohost.utils.ldap import _get_ldap_interface
- operation_logger.start()
-
 ldap = _get_ldap_interface()
 # Validate uniqueness of groupname in LDAP
@@ -574,6 +572,7 @@ def user_group_create(operation_logger, groupname, gid=None, primary_group=False
 if primary_group:
 attr_dict["member"] = ["uid=" + groupname + ",ou=users,dc=yunohost,dc=org"]
+ operation_logger.start()
 if ldap.add('cn=%s,ou=groups' % groupname, attr_dict):
 logger.success(m18n.n('group_created', group=groupname))
 if sync_perm:
@@ -583,7 +582,7 @@ def user_group_create(operation_logger, groupname, gid=None, primary_group=False
 raise YunohostError('group_creation_failed', group=groupname)
-@is_unit_operation([('groupname', 'user')])
+@is_unit_operation([('groupname', 'group')])
 def user_group_delete(operation_logger, groupname, force=False, sync_perm=True):
 """
 Delete user
@@ -614,7 +613,7 @@ def user_group_delete(operation_logger, groupname, force=False, sync_perm=True):
 permission_sync_to_user()
-@is_unit_operation([('groupname', 'user')])
+@is_unit_operation([('groupname', 'group')])
 def user_group_update(operation_logger, groupname, add=None, remove=None, force=False, sync_perm=True):
 """
 Update user informations
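Review bot: Moving `operation_logger.start()` from the top of user_group_create (removed in hunk `@@ -537,8 +537,6 @@`) to just before `ldap.add` (`@@ -574,6 +572,7 @@`) means a request rejected by the checks in between, such as the groupname uniqueness validation, apparently no longer opens an operation log. If that log serves as the audit trail for group and permission changes, rejected attempts stop being recorded there; user_group_update (`@@ -666,9 +669,8 @@`) gets the same reordering. If this is intended, state it next to the call, for example `# Start the operation log only once validation passed; rejected requests are not recorded`. The function body spans several hunks and parts of it are not visible.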
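Review bot: The docstring of user_group_delete reads "Delete user" (context of hunk `@@ -583,7 +582,7 @@`) and that of user_group_update reads "Update user informations" (`@@ -614,7 +613,7 @@`), while this commit re-labels both functions as operating on a `group` entity. The stale wording contradicts the new entity type and makes a group deletion read like a user deletion. Suggested summaries: `Delete group` and `Update group members`. Both docstrings continue outside the hunks.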
@@ -650,6 +649,8 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
 if user in current_group:
 logger.warning(m18n.n('user_already_in_group', user=user, group=groupname))
+ else:
+ operation_logger.related_to.append(('user', user))
 new_group += users_to_add
@@ -659,6 +660,8 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
 for user in users_to_remove:
 if user not in current_group:
 logger.warning(m18n.n('user_not_in_group', user=user, group=groupname))
+ else:
+ operation_logger.related_to.append(('user', user))
 # Remove users_to_remove from new_group
 # Kinda like a new_group -= users_to_remove
@@ -666,9 +669,8 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
 new_group_dns = ["uid=" + user + ",ou=users,dc=yunohost,dc=org" for user in new_group]
- operation_logger.start()
-
 if set(new_group) != set(current_group):
+ operation_logger.start()
 ldap = _get_ldap_interface()
 if not ldap.update('cn=%s,ou=groups' % groupname, {"member": set(new_group_dns), "memberUid": set(new_group)}):
 raise YunohostError('group_update_failed', group=groupname)
@@ -718,18 +720,16 @@ def user_permission_list(short=False, full=False):
 return yunohost.permission.user_permission_list(short, full)
-@is_unit_operation([('permission', 'user')])
-def user_permission_update(operation_logger, permission, add=None, remove=None, sync_perm=True):
+def user_permission_update(permission, add=None, remove=None, sync_perm=True):
 import yunohost.permission
- return yunohost.permission.user_permission_update(operation_logger, permission,
+ return yunohost.permission.user_permission_update(permission,
 add=add, remove=remove, sync_perm=sync_perm)
-@is_unit_operation([('app', 'user')])
-def user_permission_reset(operation_logger, permission, sync_perm=True):
+def user_permission_reset(permission, sync_perm=True):
 import yunohost.permission
- return yunohost.permission.user_permission_reset(operation_logger, permission,
+ return yunohost.permission.user_permission_reset(permission,
 sync_perm=sync_perm)