Implement permission helper

2024-09-03 20:06:10 +02:00 · 2018-11-28 22:06:33 +01:00 · 2018-11-28 22:06:33 +01:00 · 4c2ae4fc77
commit 4c2ae4fc77
parent ad628b7620
3 changed files with 81 additions and 3 deletions
--- a/data/helpers.d/setting
+++ b/data/helpers.d/setting
@ -25,3 +25,73 @@ ynh_app_setting_set() {
 ynh_app_setting_delete() {
    sudo yunohost app setting -d "$1" "$2" --quiet
 }
+
+# Create a new permission for the app
+#
+# usage: ynh_permission_create --app "app" --permission "permission" --defaultdisallow [--url "url" ["url" ...]]
+# | arg: app - the application id
+# | arg: permission - the name for the permission (by default a permission named "main" already exist)
+# | arg: defaultdisallow - define if all user will be allowed by default
+# | arg: url - the url for the the permission
+ynh_permission_create() {
+    declare -Ar args_array=( [a]=app= [p]=permission= [d]=defaultdisallow [u]=url= )
+    local app
+    local permission
+    local defaultdisallow
+    local url
+    ynh_handle_getopts_args "$@"
+    if [[ -n ${defaultdisallow:-} ]]; then
+        defaultdisallow=",default_allow=False"
+    fi
+
+    if [[ -n ${url:-} ]]; then
+        url=",url=['${url//';'/"','"}']"
+    fi
+    yunohost tools shell -c "from yunohost.permission import permission_add; permission_add(auth, '$app', '$permission' ${defaultdisallow:-} ${url:-}, sync_perm=False)"
+}
+
+# Remove a permission for the app (note that when the app is removed all permission is automatically removed)
+#
+# usage: ynh_permission_remove --app "app" --permission "permission"
+# | arg: app - the application id
+# | arg: permission - the name for the permission (by default a permission named "main" is removed automatically when the app is removed)
+ynh_permission_remove() {
+    declare -Ar args_array=( [a]=app= [p]=permission= )
+    local app
+    local permission
+    ynh_handle_getopts_args "$@"
+
+    yunohost tools shell -c "from yunohost.permission import permission_remove; permission_remove(auth, '$app', '$permission')"
+}
+
+# Add a path managed by the SSO
+#
+# usage: ynh_permission_add_path --app "app" --permission "permission" --url "url" ["url" ...]
+# | arg: app - the application id
+# | arg: permission - the name for the permission
+# | arg: url - the FULL url for the the permission (ex domain.tld/apps/admin)
+ynh_permission_add_path() {
+    declare -Ar args_array=( [a]=app= [p]=permission= [u]=url= )
+    local app
+    local permission
+    local url
+    ynh_handle_getopts_args "$@"
+
+    yunohost tools shell -c "from yunohost.permission import permission_update; permission_update(auth, '$app', '$permission', add_url=['${url//';'/"','"}'])"
+}
+
+# Remove a path managed by the SSO
+#
+# usage: ynh_permission_del_path --app "app" --permission "permission" --url "url" ["url" ...]
+# | arg: app - the application id
+# | arg: permission - the name for the permission
+# | arg: url - the FULL url for the the permission (ex domain.tld/apps/admin)
+ynh_permission_del_path() {
+    declare -Ar args_array=( [a]=app= [p]=permission= [u]=url= )
+    local app
+    local permission
+    local url
+    ynh_handle_getopts_args "$@"
+
+    yunohost tools shell -c "from yunohost.permission import permission_update; permission_update(auth, '$app', '$permission', remove_url=['${url//';'/"','"}'])"
+}
--- a/src/yunohost/app.py
+++ b/src/yunohost/app.py
@ -710,7 +710,7 @@ def app_install(operation_logger, auth, app, label=None, args=None, no_remove_on
    """
    from yunohost.hook import hook_add, hook_remove, hook_exec, hook_callback
    from yunohost.log import OperationLogger
-    from yunohost.permission import permission_add, permission_update
+    from yunohost.permission import permission_add, permission_update, permission_remove

    # Fetch or extract sources
    try:
@ -867,6 +867,13 @@ def app_install(operation_logger, auth, app, label=None, args=None, no_remove_on
                    os.path.join(extracted_app_folder, 'scripts/remove'),
                    args=[app_instance_name], env=env_dict_remove
                )
+                # Remove all permission in LDAP
+                result = auth.search(base='ou=permission,dc=yunohost,dc=org',
+                                    filter='(&(objectclass=permissionYnh)(cn=*.%s))' % app_instance_name, attrs=['cn'])
+                permission_list = [p['cn'][0] for p in result]
+                for l in permission_list:
+                    permission_remove(auth, app_instance_name, l.split('.')[0], force=True)
+
                if remove_retcode != 0:
                    msg = m18n.n('app_not_properly_removed',
                                 app=app_instance_name)
--- a/src/yunohost/permission.py
+++ b/src/yunohost/permission.py
@ -316,7 +316,7 @@ def user_permission_clear(operation_logger, auth, app=[], permission=None):


@is_unit_operation(['permission','app'])
-def permission_add(operation_logger, auth, app, permission, url=None):
+def permission_add(operation_logger, auth, app, permission, url=None, default_allow=True):
    """
    Create a new permission for a specific application

@ -348,8 +348,9 @@ def permission_add(operation_logger, auth, app, permission, url=None):
        'objectClass': ['top', 'permissionYnh', 'posixGroup'],
        'cn': permission_name,
        'gidNumber': gid,
-        'groupPermission': 'cn=all_users,ou=groups,dc=yunohost,dc=org'
    }
+    if default_allow:
+        attr_dict['groupPermission'] = 'cn=all_users,ou=groups,dc=yunohost,dc=org'

    if url:
        attr_dict['URL'] = []