From 7b6d6d78723d88a7267618dc1648f160a247127b Mon Sep 17 00:00:00 2001 From: xaloc33 Date: Fri, 22 Nov 2019 23:10:49 +0000 Subject: [PATCH 1/9] Translated using Weblate (Catalan) Currently translated at 100.0% (605 of 605 strings) Translation: YunoHost/core Translate-URL: https://translate.yunohost.org/projects/yunohost/core/ca/ --- locales/ca.json | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/locales/ca.json b/locales/ca.json index 26fd8c889..a079c519f 100644 --- a/locales/ca.json +++ b/locales/ca.json @@ -406,7 +406,7 @@ "regenconf_file_updated": "El fitxer de configuració «{conf}» ha estat actualitzat", "regenconf_now_managed_by_yunohost": "El fitxer de configuració «{conf}» serà gestionat per YunoHost a partir d'ara (categoria {category}).", "regenconf_up_to_date": "La configuració ja està al dia per la categoria «{category}»", - "regenconf_updated": "La configuració per la categoria «{category}» ha estat actualitzada", + "regenconf_updated": "S'ha actualitzat la configuració per la categoria «{category}»", "regenconf_would_be_updated": "La configuració hagués estat actualitzada per la categoria «{category}»", "regenconf_dry_pending_applying": "Verificació de la configuració pendent que s'hauria d'haver aplicat per la categoria «{category}»…", "regenconf_failed": "No s'ha pogut regenerar la configuració per la/les categoria/es : {categories}", @@ -457,10 +457,10 @@ "service_description_ssh": "Permet la connexió remota al servidor via terminal (protocol SSH)", "service_description_yunohost-api": "Gestiona les interaccions entre la interfície web de YunoHost i el sistema", "service_description_yunohost-firewall": "Gestiona els ports de connexió oberts i tancats als serveis", - "service_disable_failed": "No s'han pogut deshabilitar el servei «{service:s}»\n\nRegistres recents: {logs:s}", - "service_disabled": "S'ha deshabilitat el servei «{service:s}»", - "service_enable_failed": "No s'ha pogut activar el servei «{service:s}»\n\nRegistres recents: {log:s}", - "service_enabled": "S'ha activat el servei «{service:s}»", + "service_disable_failed": "No s'han pogut fer que el servei «{service:s}» no comenci a l'arrancada.\n\nRegistres recents: {logs:s}", + "service_disabled": "El servei «{service:s}» ja no començarà al arrancar el sistema.", + "service_enable_failed": "No s'ha pogut fer que el servei «{service:s}» comenci automàticament a l'arrancada.\n\nRegistres recents: {log:s}", + "service_enabled": "El servei «{service:s}» començarà automàticament durant l'arrancada del sistema.", "service_no_log": "No hi ha cap registre pel servei «{service:s}»", "service_regen_conf_is_deprecated": "«yunohost service regen-conf» està desfasat! Utilitzeu «yunohost tools regen-conf» en el seu lloc.", "service_remove_failed": "No s'ha pogut eliminar el servei «{service:s}»", @@ -663,10 +663,10 @@ "diagnosis_ip_weird_resolvconf_details": "En canvi, aquest fitxer hauria de ser un enllaç simbòlic cap a /etc/resolvconf/run/resolv.conf i que aquest apunti cap a 127.0.0.1 (dnsmasq). La configuració del «resolver» real s'hauria de fer via /etc/resolv.dnsmaq.conf.", "diagnosis_dns_good_conf": "Bona configuració DNS pel domini {domain} (categoria {category})", "diagnosis_dns_bad_conf": "Configuració DNS incorrecta o inexistent pel domini {domain} (categoria {category})", - "diagnosis_dns_missing_record": "Segons la configuració DNS recomanada, hauríeu d'afegir un registre DNS de tipus {0}, nom {1} i valor {2}", - "diagnosis_dns_discrepancy": "Segons la configuració DNS recomanada, el valor pel registre DNS de tipus {0} i nom {1} hauria de ser {2}, en comptes de {3}.", + "diagnosis_dns_missing_record": "Segons la configuració DNS recomanada, hauríeu d'afegir un registre DNS de tipus {0}, nom {1} i valor {2}. Hi ha més informació a https://yunohost.org/dns_config.", + "diagnosis_dns_discrepancy": "El registre DNS de tipus {0} i nom {1} no concorda amb la configuració recomanada. Valor actual: {2}. Valor esperat: {3}. Més informació a https://yunohost.org/dns_config.", "diagnosis_services_good_status": "El servei {service} està {status} tal i com s'esperava!", - "diagnosis_services_bad_status": "El servei {service} està {status} :/", + "diagnosis_services_bad_status": "El servei {service} està {status} :(", "diagnosis_diskusage_verylow": "El lloc d'emmagatzematge {mountpoint} (en l'aparell {device}) només té disponibles {free_abs_GB} GB ({free_percent}%). Hauríeu de considerar alliberar una mica d'espai.", "diagnosis_diskusage_low": "El lloc d'emmagatzematge {mountpoint} (en l'aparell {device}) només té disponibles {free_abs_GB} GB ({free_percent}%). Aneu amb compte.", "diagnosis_diskusage_ok": "El lloc d'emmagatzematge {mountpoint} (en l'aparell {device}) encara té {free_abs_GB} GB ({free_percent}%) lliures!", @@ -704,5 +704,17 @@ "diagnosis_mail_ougoing_port_25_blocked": "Sembla que el port de sortida 25 està bloquejat. Hauríeu d'intentar desbloquejar-lo al panell de configuració del proveïdor d'accés a internet (o allotjador). Mentrestant, el servidor no podrà enviar correus a altres servidors.", "diagnosis_description_mail": "Correu electrònic", "migration_description_0013_futureproof_apps_catalog_system": "Migrar al nou sistema de catàleg d'aplicacions resistent al pas del temps", - "app_upgrade_script_failed": "Hi ha hagut un error en el script d'actualització de l'aplicació" + "app_upgrade_script_failed": "Hi ha hagut un error en el script d'actualització de l'aplicació", + "diagnosis_services_bad_status_tip": "Podeu intentar reiniciar el servei, i si no funciona, podeu mirar els registres del servei utilitzant «yunohost service log {0}» o a través de «Serveis» a la secció de la pàgina web d'administració.", + "diagnosis_ports_forwarding_tip": "Per arreglar aquest problema, segurament s'ha de configurar el reenviament de ports en el router tal i s'explica a https://yunohost.org/isp_box_config", + "diagnosis_http_bad_status_code": "No s'ha pogut connectar al servidor com esperat, ha retornat un codi d'estat erroni. Podria ser que una altra màquina hagi contestat en lloc del servidor. S'hauria de comprovar que el reenviament del port 80 sigui correcte, que la configuració NGINX està actualitzada i que el reverse-proxy no està interferint.", + "diagnosis_no_cache": "Encara no hi ha memòria cau pel diagnòstic de la categoria «{category}»", + "diagnosis_http_timeout": "S'ha exhaurit el temps d'esperar intentant connectar amb el servidor des de l'exterior. Sembla que no s'hi pot accedir. S'hauria de comprovar que el reenviament del port 80 és correcte, que NGINX funciona, i que el tallafocs no està interferint.", + "diagnosis_http_connection_error": "Error de connexió: no s'ha pogut connectar amb el domini demanat, segurament és inaccessible.", + "diagnosis_http_unknown_error": "Hi ha hagut un error intentant accedir al domini, segurament és inaccessible.", + "yunohost_postinstall_end_tip": "S'ha completat la post-instal·lació. Per acabar la configuració, considereu:\n - afegir un primer usuari a través de la secció «Usuaris» a la pàgina web d'administració (o emprant «yunohost user create » a la línia d'ordres);\n - diagnosticar els problemes esperant a ser resolts per un correcte funcionament del servidor a través de la secció «Diagnòstics» a la pàgina web d'administració (o emprant «yunohost diagnosis run» a la línia d'ordres);\n - llegir les seccions «Finalizing your setup» i «Getting to know Yunohost» a la documentació per administradors: https://yunohost.org/admindoc.", + "migration_description_0014_remove_app_status_json": "Eliminar els fitxers d'aplicació status.json heretats", + "diagnosis_services_running": "El servei {service} s'està executant!", + "diagnosis_services_conf_broken": "La configuració pel servei {service} està trencada!", + "diagnosis_ports_needed_by": "És necessari exposar aquest port pel servei {0}" } From 6e606cc64dbb0860f94b2bb31c7db2918b90bf6d Mon Sep 17 00:00:00 2001 From: Kay0u Date: Fri, 29 Nov 2019 20:39:18 +0900 Subject: [PATCH 2/9] Visitors permission needs All Users --- data/helpers.d/setting | 2 +- locales/en.json | 2 +- src/yunohost/app.py | 6 +++--- src/yunohost/permission.py | 18 +++++++++++++----- src/yunohost/tests/test_backuprestore.py | 4 ++-- src/yunohost/tests/test_permission.py | 8 ++++---- 6 files changed, 24 insertions(+), 16 deletions(-) diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 8046dfab4..9dbbe93fa 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -189,7 +189,7 @@ EOF # We need this because app temporarily set the app as unprotected to configure it with curl... if [[ "$3" =~ ^(unprotected|skipped)_ ]] && [[ "${4:-}" == "/" ]] then - ynh_permission_update --permission "main" --remove "all_users" --add "visitors" + ynh_permission_update --permission "main" --add "visitors" fi } diff --git a/locales/en.json b/locales/en.json index 6c7d0b42d..d93d2b5f4 100644 --- a/locales/en.json +++ b/locales/en.json @@ -422,7 +422,7 @@ "permission_cannot_remove_main": "Removing a main permission is not allowed", "permission_created": "Permission '{permission:s}' created", "permission_creation_failed": "Could not create permission '{permission}': {error}", - "permission_currently_allowed_for_visitors": "This permission is currently granted to visitors in addition to other groups. You probably want to either remove the 'visitors' permission or remove the other groups it is currently granted to.", + "permission_allowed_for_visitors_but_not_for_all_users": "Visitors can't be granted if all users is not already granted.", "permission_currently_allowed_for_all_users": "This permission is currently granted to all users in addition to other groups. You probably want to either remove the 'all_users' permission or remove the other groups it is currently granted to.", "permission_deleted": "Permission '{permission:s}' deleted", "permission_deletion_failed": "Could not delete permission '{permission}': {error}", diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 2d32fc0cc..063d0f97d 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -1169,12 +1169,12 @@ def _migrate_legacy_permissions(app): # If the current permission says app is protected, but there are legacy rules saying it should be public... if app_perm_currently_allowed == ["all_users"] and settings_say_it_should_be_public: # Make it public - user_permission_update(app + ".main", remove="all_users", add="visitors", sync_perm=False) + user_permission_update(app + ".main", add="visitors", sync_perm=False) # If the current permission says app is public, but there are no setting saying it should be public... if app_perm_currently_allowed == ["visitors"] and not settings_say_it_should_be_public: # Make is private - user_permission_update(app + ".main", remove="visitors", add="all_users", sync_perm=False) + user_permission_update(app + ".main", remove="visitors", sync_perm=False) @is_unit_operation() @@ -1423,7 +1423,7 @@ def app_setting(app, key, value=None, delete=False): # We need this because app temporarily set the app as unprotected to configure it with curl... if key.startswith("unprotected_") or key.startswith("skipped_") and value == "/": from permission import user_permission_update - user_permission_update(app + ".main", remove="all_users", add="visitors") + user_permission_update(app + ".main", add="visitors") def app_checkport(port): diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index ad06c0487..011e8265d 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py @@ -140,12 +140,14 @@ def user_permission_update(operation_logger, permission, add=None, remove=None, # If we end up with something like allowed groups is ["all_users", "volunteers"] # we shall warn the users that they should probably choose between one or the other, # because the current situation is probably not what they expect / is temporary ? - - if len(new_allowed_groups) > 1: - if "all_users" in new_allowed_groups: + + if "all_users" in new_allowed_groups: + if len(new_allowed_groups) > 1 and "visitors" not in new_allowed_groups or len(new_allowed_groups) > 2: logger.warning(m18n.n("permission_currently_allowed_for_all_users")) - if "visitors" in new_allowed_groups: - logger.warning(m18n.n("permission_currently_allowed_for_visitors")) + + # If visitors are allowed, but not all users, it can break some applications, so we prohibit it. + if "visitors" in new_allowed_groups and "all_users" not in new_allowed_groups: + raise YunohostError('permission_allowed_for_visitors_but_not_for_all_users') # Don't update LDAP if we update exactly the same values if set(new_allowed_groups) == set(current_allowed_groups): @@ -258,6 +260,12 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync if url: attr_dict['URL'] = url + if allowed is not None: + if "visitors" in allowed and "all_users" not in allowed: + if not isinstance(allowed, list): + allowed = [allowed] + allowed.append("all_users") + # Validate that the groups to add actually exist all_existing_groups = user_group_list()['groups'].keys() allowed_ = [] if allowed is None else [allowed] if not isinstance(allowed, list) else allowed diff --git a/src/yunohost/tests/test_backuprestore.py b/src/yunohost/tests/test_backuprestore.py index d67ccfe37..3662226e1 100644 --- a/src/yunohost/tests/test_backuprestore.py +++ b/src/yunohost/tests/test_backuprestore.py @@ -510,7 +510,7 @@ def test_backup_and_restore_permission_app(): assert res['permissions_app.admin']['url'] == "/admin" assert res['permissions_app.dev']['url'] == "/dev" - assert res['permissions_app.main']['allowed'] == ["visitors"] + assert "visitors" in res['permissions_app.main']['allowed'] and "all_users" in res['permissions_app.main']['allowed'] assert res['permissions_app.admin']['allowed'] == ["alice"] assert res['permissions_app.dev']['allowed'] == [] @@ -524,7 +524,7 @@ def test_backup_and_restore_permission_app(): assert res['permissions_app.admin']['url'] == "/admin" assert res['permissions_app.dev']['url'] == "/dev" - assert res['permissions_app.main']['allowed'] == ["visitors"] + assert "visitors" in res['permissions_app.main']['allowed'] and "all_users" in res['permissions_app.main']['allowed'] assert res['permissions_app.admin']['allowed'] == ["alice"] assert res['permissions_app.dev']['allowed'] == [] diff --git a/src/yunohost/tests/test_permission.py b/src/yunohost/tests/test_permission.py index b3fa9fefb..f11d215f1 100644 --- a/src/yunohost/tests/test_permission.py +++ b/src/yunohost/tests/test_permission.py @@ -460,13 +460,13 @@ def test_permission_app_propagation_on_ssowat(): args="domain=%s&path=%s&is_public=1&admin=%s" % (maindomain, "/urlpermissionapp", "alice"), force=True) res = user_permission_list(full=True)['permissions'] - assert res['permissions_app.main']['allowed'] == ["visitors"] + assert "visitors" in res['permissions_app.main']['allowed'] and "all_users" in res['permissions_app.main']['allowed'] app_webroot = "https://%s/urlpermissionapp" % maindomain assert can_access_webpage(app_webroot, logged_as=None) assert can_access_webpage(app_webroot, logged_as="alice") - user_permission_update("permissions_app.main", remove="visitors", add="bob") + user_permission_update("permissions_app.main", remove=["visitors", "all_users"], add="bob") res = user_permission_list(full=True)['permissions'] assert not can_access_webpage(app_webroot, logged_as=None) @@ -491,7 +491,7 @@ def test_permission_legacy_app_propagation_on_ssowat(): # App is configured as public by default using the legacy unprotected_uri mechanics # It should automatically be migrated during the install res = user_permission_list(full=True)['permissions'] - assert res['legacy_app.main']['allowed'] == ["visitors"] + assert "visitors" in res['legacy_app.main']['allowed'] and "all_users" in res['legacy_app.main']['allowed'] app_webroot = "https://%s/legacy" % maindomain @@ -499,7 +499,7 @@ def test_permission_legacy_app_propagation_on_ssowat(): assert can_access_webpage(app_webroot, logged_as="alice") # Try to update the permission and check that permissions are still consistent - user_permission_update("legacy_app.main", remove="visitors", add="bob") + user_permission_update("legacy_app.main", remove=["visitors", "all_users"], add="bob") assert not can_access_webpage(app_webroot, logged_as=None) assert not can_access_webpage(app_webroot, logged_as="alice") From df3c7688981ff06cb1a39fb26548535e76864e25 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 29 Nov 2019 15:51:43 +0100 Subject: [PATCH 3/9] Let's convert this in list in all cases (+ simplify later core) --- src/yunohost/permission.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index 011e8265d..049c62729 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py @@ -140,11 +140,11 @@ def user_permission_update(operation_logger, permission, add=None, remove=None, # If we end up with something like allowed groups is ["all_users", "volunteers"] # we shall warn the users that they should probably choose between one or the other, # because the current situation is probably not what they expect / is temporary ? - + if "all_users" in new_allowed_groups: if len(new_allowed_groups) > 1 and "visitors" not in new_allowed_groups or len(new_allowed_groups) > 2: logger.warning(m18n.n("permission_currently_allowed_for_all_users")) - + # If visitors are allowed, but not all users, it can break some applications, so we prohibit it. if "visitors" in new_allowed_groups and "all_users" not in new_allowed_groups: raise YunohostError('permission_allowed_for_visitors_but_not_for_all_users') @@ -261,15 +261,14 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync attr_dict['URL'] = url if allowed is not None: + if not isinstance(allowed, list): + allowed = [allowed] if "visitors" in allowed and "all_users" not in allowed: - if not isinstance(allowed, list): - allowed = [allowed] allowed.append("all_users") # Validate that the groups to add actually exist all_existing_groups = user_group_list()['groups'].keys() - allowed_ = [] if allowed is None else [allowed] if not isinstance(allowed, list) else allowed - for group in allowed_: + for group in allowed or []: if group not in all_existing_groups: raise YunohostError('group_unknown', group=group) From af054b3b85384c27d83b4eb17f1ad76fe2113ad9 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 29 Nov 2019 16:06:26 +0100 Subject: [PATCH 4/9] Let's keep one thread per line for readability + easier to indentify the issue --- src/yunohost/tests/test_backuprestore.py | 6 ++++-- src/yunohost/tests/test_permission.py | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/yunohost/tests/test_backuprestore.py b/src/yunohost/tests/test_backuprestore.py index 3662226e1..3265fa228 100644 --- a/src/yunohost/tests/test_backuprestore.py +++ b/src/yunohost/tests/test_backuprestore.py @@ -510,7 +510,8 @@ def test_backup_and_restore_permission_app(): assert res['permissions_app.admin']['url'] == "/admin" assert res['permissions_app.dev']['url'] == "/dev" - assert "visitors" in res['permissions_app.main']['allowed'] and "all_users" in res['permissions_app.main']['allowed'] + assert "visitors" in res['permissions_app.main']['allowed'] + assert "all_users" in res['permissions_app.main']['allowed'] assert res['permissions_app.admin']['allowed'] == ["alice"] assert res['permissions_app.dev']['allowed'] == [] @@ -524,7 +525,8 @@ def test_backup_and_restore_permission_app(): assert res['permissions_app.admin']['url'] == "/admin" assert res['permissions_app.dev']['url'] == "/dev" - assert "visitors" in res['permissions_app.main']['allowed'] and "all_users" in res['permissions_app.main']['allowed'] + assert "visitors" in res['permissions_app.main']['allowed'] + assert "all_users" in res['permissions_app.main']['allowed'] assert res['permissions_app.admin']['allowed'] == ["alice"] assert res['permissions_app.dev']['allowed'] == [] diff --git a/src/yunohost/tests/test_permission.py b/src/yunohost/tests/test_permission.py index f11d215f1..a4bd570e5 100644 --- a/src/yunohost/tests/test_permission.py +++ b/src/yunohost/tests/test_permission.py @@ -460,7 +460,8 @@ def test_permission_app_propagation_on_ssowat(): args="domain=%s&path=%s&is_public=1&admin=%s" % (maindomain, "/urlpermissionapp", "alice"), force=True) res = user_permission_list(full=True)['permissions'] - assert "visitors" in res['permissions_app.main']['allowed'] and "all_users" in res['permissions_app.main']['allowed'] + assert "visitors" in res['permissions_app.main']['allowed'] + assert "all_users" in res['permissions_app.main']['allowed'] app_webroot = "https://%s/urlpermissionapp" % maindomain assert can_access_webpage(app_webroot, logged_as=None) @@ -491,7 +492,8 @@ def test_permission_legacy_app_propagation_on_ssowat(): # App is configured as public by default using the legacy unprotected_uri mechanics # It should automatically be migrated during the install res = user_permission_list(full=True)['permissions'] - assert "visitors" in res['legacy_app.main']['allowed'] and "all_users" in res['legacy_app.main']['allowed'] + assert "visitors" in res['legacy_app.main']['allowed'] + assert "all_users" in res['legacy_app.main']['allowed'] app_webroot = "https://%s/legacy" % maindomain From a5866e67b96f3e189ec43042d94cff97d0c5df83 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 29 Nov 2019 16:41:50 +0100 Subject: [PATCH 5/9] Try to improve readability for these conditions --- src/yunohost/permission.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index 049c62729..b4abf4ca7 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py @@ -138,11 +138,12 @@ def user_permission_update(operation_logger, permission, add=None, remove=None, new_allowed_groups = [g for g in new_allowed_groups if g not in groups_to_remove] # If we end up with something like allowed groups is ["all_users", "volunteers"] - # we shall warn the users that they should probably choose between one or the other, - # because the current situation is probably not what they expect / is temporary ? - - if "all_users" in new_allowed_groups: - if len(new_allowed_groups) > 1 and "visitors" not in new_allowed_groups or len(new_allowed_groups) > 2: + # we shall warn the users that they should probably choose between one or + # the other, because the current situation is probably not what they expect + # / is temporary ? Note that it's fine to have ["all_users", "visitors"] + # though, but it's not fine to have ["all_users", "visitors", "volunteers"] + if "all_users" in new_allowed_groups and len(new_allowed_groups) >= 2: + if "visitors" not in new_allowed_groups or len(new_allowed_groups) >= 3: logger.warning(m18n.n("permission_currently_allowed_for_all_users")) # If visitors are allowed, but not all users, it can break some applications, so we prohibit it. From a044f3ad7ea87bbeb12fefccae1804d59ce55ac0 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 2 Dec 2019 19:04:07 +0100 Subject: [PATCH 6/9] Implicitly add all_users when adding visitors group --- locales/en.json | 3 ++- src/yunohost/permission.py | 12 +++++++++--- src/yunohost/tests/test_permission.py | 21 +++++++++++++++++++++ 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/locales/en.json b/locales/en.json index d93d2b5f4..17014cad0 100644 --- a/locales/en.json +++ b/locales/en.json @@ -415,14 +415,15 @@ "pattern_positive_number": "Must be a positive number", "pattern_username": "Must be lower-case alphanumeric and underscore characters only", "pattern_password_app": "Sorry, passwords can not contain the following characters: {forbidden_chars}", + "permission_all_users_implicitly_added": "The permission was also implicitly granted to 'all_users' because it is required to allow the special group 'visitors'", "permission_already_allowed": "Group '{group}' already has permission '{permission}' enabled", "permission_already_disallowed": "Group '{group}' already has permission '{permission}' disabled'", "permission_already_exist": "Permission '{permission}' already exists", "permission_already_up_to_date": "The permission was not updated because the addition/removal requests already match the current state.", + "permission_cannot_remove_all_users_while_visitors_allowed": "You can't remove this permission for 'all_users' while it is still allowed for 'visitors'", "permission_cannot_remove_main": "Removing a main permission is not allowed", "permission_created": "Permission '{permission:s}' created", "permission_creation_failed": "Could not create permission '{permission}': {error}", - "permission_allowed_for_visitors_but_not_for_all_users": "Visitors can't be granted if all users is not already granted.", "permission_currently_allowed_for_all_users": "This permission is currently granted to all users in addition to other groups. You probably want to either remove the 'all_users' permission or remove the other groups it is currently granted to.", "permission_deleted": "Permission '{permission:s}' deleted", "permission_deletion_failed": "Could not delete permission '{permission}': {error}", diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index b4abf4ca7..9cc7c7534 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py @@ -146,9 +146,15 @@ def user_permission_update(operation_logger, permission, add=None, remove=None, if "visitors" not in new_allowed_groups or len(new_allowed_groups) >= 3: logger.warning(m18n.n("permission_currently_allowed_for_all_users")) - # If visitors are allowed, but not all users, it can break some applications, so we prohibit it. - if "visitors" in new_allowed_groups and "all_users" not in new_allowed_groups: - raise YunohostError('permission_allowed_for_visitors_but_not_for_all_users') + # If visitors are to be added, we shall make sure that "all_users" are also allowed + # (e.g. if visitors are allowed to visit nextcloud, you still want to allow people to log in ...) + if add and "visitors" in groups_to_add and "all_users" not in new_allowed_groups: + new_allowed_groups.append("all_users") + logger.warning(m18n.n("permission_all_users_implicitly_added")) + # If all_users are to be added, yet visitors are still to allowed, then we + # refuse it (c.f. previous comment...) + if remove and "all_users" in groups_to_remove and "visitors" in new_allowed_groups: + raise YunohostError('permission_cannot_remove_all_users_while_visitors_allowed') # Don't update LDAP if we update exactly the same values if set(new_allowed_groups) == set(current_allowed_groups): diff --git a/src/yunohost/tests/test_permission.py b/src/yunohost/tests/test_permission.py index a4bd570e5..2e53f13a7 100644 --- a/src/yunohost/tests/test_permission.py +++ b/src/yunohost/tests/test_permission.py @@ -313,6 +313,27 @@ def test_permission_add_and_remove_group(mocker): assert res['wiki.main']['corresponding_users'] == ["alice"] +def test_permission_adding_visitors_implicitly_add_all_users(mocker): + + res = user_permission_list(full=True)['permissions'] + assert res['blog.main']['allowed'] == ["alice"] + + with message(mocker, "permission_updated", permission="blog.main"): + user_permission_update("blog.main", add="visitors") + + res = user_permission_list(full=True)['permissions'] + assert set(res['blog.main']['allowed']) == set(["alice", "visitors", "all_users"]) + + +def test_permission_cant_remove_all_users_if_visitors_allowed(mocker): + + with message(mocker, "permission_updated", permission="blog.main"): + user_permission_update("blog.main", add=["visitors", "all_users"]) + + with raiseYunohostError(mocker, 'permission_cannot_remove_all_users_while_visitors_allowed'): + user_permission_update("blog.main", remove="all_users") + + def test_permission_add_group_already_allowed(mocker): with message(mocker, "permission_already_allowed", permission="blog.main", group="alice"): user_permission_update("blog.main", add="alice") From e9c01c2f893587cd7f65f020f6f5ca693ccce3e4 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 2 Dec 2019 18:09:43 +0100 Subject: [PATCH 7/9] Additonal cleaning of legacy stuff when using new permission system + avoid duplicated entries in (un)protected_urls --- src/yunohost/app.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 063d0f97d..8ce5ed783 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -1662,16 +1662,18 @@ def app_ssowatconf(): # FIXME : gotta handle regex-urls here... meh url = _sanitized_absolute_url(perm_info["url"]) if "visitors" in perm_info["allowed"]: - unprotected_urls.append(url) + if url not in unprotected_urls: + unprotected_urls.append(url) - # Legacy stuff : we remove now unprotected-urls that might have been declared as protected earlier... + # Legacy stuff : we remove now protected-urls that might have been declared as unprotected earlier... protected_urls = [u for u in protected_urls if u != url] else: - # TODO : small optimization to implement : we don't need to explictly add all the app roots - protected_urls.append(url) + if url not in protected_urls: + protected_urls.append(url) - # Legacy stuff : we remove now unprotected-urls that might have been declared as protected earlier... + # Legacy stuff : we remove now unprotected-urls / skipped-urls that might have been declared as protected earlier... unprotected_urls = [u for u in unprotected_urls if u != url] + skipped_urls = [u for u in skipped_urls if u != url] for domain in domains: skipped_urls.extend([domain + '/yunohost/admin', domain + '/yunohost/api']) From d966407ff03d492c096d273bd0c1bb087217f17c Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 2 Dec 2019 20:41:42 +0100 Subject: [PATCH 8/9] Let's not remove all_users here since it shall be added if visitors are allowed --- src/yunohost/data_migrations/0011_setup_group_permission.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/data_migrations/0011_setup_group_permission.py b/src/yunohost/data_migrations/0011_setup_group_permission.py index c80686344..b07e5d21b 100644 --- a/src/yunohost/data_migrations/0011_setup_group_permission.py +++ b/src/yunohost/data_migrations/0011_setup_group_permission.py @@ -119,7 +119,7 @@ class MyMigration(Migration): # Migrate classic public app still using the legacy unprotected_uris if app_setting(app, "unprotected_uris") == "/" or app_setting(app, "skipped_uris") == "/": - user_permission_update(app+".main", remove="all_users", add="visitors", sync_perm=False) + user_permission_update(app+".main", add="visitors", sync_perm=False) permission_sync_to_user() From 8f4a1757f49fdf1402452485af8e33c6392b29c1 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 2 Dec 2019 20:45:03 +0100 Subject: [PATCH 9/9] Update changelog for 3.7.0.4 --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index f8a83d0b3..25a7469de 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +yunohost (3.7.0.4) testing; urgency=low + + - [fix] Also add all_users when allowing visitors (#855) + - [fix] Fix handling of skipped_uris (c.f. also SSOwat#149) + - [i18n] Improve translations for Catalan + + -- Alexandre Aubin Mon, 2 Dev 2019 20:44:00 +0000 + yunohost (3.7.0.3) testing; urgency=low - [mod] Some refactoring for permissions create/update/reset (#837)