Improve comments

data/helpers.d/setting

@@ -158,34 +158,69 @@ ynh_webpath_register () {
 
 # Create a new permission for the app
 #
-# example: ynh_permission_create --permission=admin --url=/admin --additional_urls=domain.tld/otherurl /superadmin --allowed=alice bob --label="My app admin"
+# example 1: ynh_permission_create --permission=admin --url=/admin --additional_urls=domain.tld/admin /superadmin --allowed=alice bob \
+#                                  --label="My app admin" --show_tile=true
+#
+# This example will create a new permission permission with this following effect:
+# - A tile named "My app admin" in the SSO will be available for the users alice and bob. This tile will point to the relative url '/admin'.
+# - Only the user alice and bob will have the access to theses following url: /admin, domain.tld/admin, /superadmin
+#
+#
+# example 2: ynh_permission_create --permission=api --url=domain.tld/api --auth_header=false --allowed=visitors \
+#                                  --label="MyApp API" --protected=true
+#
+# This example will create a new protected permission. So the admin won't be able to add/remove the visitors group of this permission.
+# In case of an API with need to be always public it avoid that the admin break anything.
+# With this permission all client will be allowed to access to the url 'domain.tld/api'.
+# Note that in this case no tile will be show on the SSO.
+# Note that the auth_header parameter is to 'false'. So no authentication header will be passed to the application.
+# Generally the API is requested by an application and enabling the auth_header has no advantage and could bring some issues in some case. 
+# So in this case it's better to disable this option for all API.
+#
 #
 # usage: ynh_permission_create --permission="permission" [--url="url"] [--additional_urls="second-url" [ "third-url" ]] [--auth_header=true|false]
 #                                                        [--allowed=group1 [ group2 ]] [--label="label"] [--show_tile=true|false]
 #                                                        [--protected=true|false]
 # | arg: -p, permission=        - the name for the permission (by default a permission named "main" already exist)
-# | arg: -u, url=               - (optional) URL for which access will be allowed/forbidden
+# | arg: -u, url=               - (optional) URL for which access will be allowed/forbidden.
+# |                                          Not that if 'show_tile' is enabled, this URL will be the URL of the tile.
 # | arg: -A, additional_urls=   - (optional) List of additional URL for which access will be allowed/forbidden
 # | arg: -h, auth_header=       - (optional) Define for the URL of this permission, if SSOwat pass the authentication header to the application. Default is true
 # | arg: -a, allowed=           - (optional) A list of group/user to allow for the permission
 # | arg: -l, label=             - (optional) Define a name for the permission. This label will be shown on the SSO and in the admin.
 # |                                     Default is "APP_LABEL (permission name)".
-# | arg: -t, show_tile=         - (optional) Define if a tile will be shown in the SSO. Default is false (for the permission different than 'main').
+# | arg: -t, show_tile=         - (optional) Define if a tile will be shown in the SSO. If yes the name of the tile will be the 'label' parameter.
+# |                                     Default is false (for the permission different than 'main').
 # | arg: -P, protected=         - (optional) Define if this permission is protected. If it is protected the administrator
 # |                             won't be able to add or remove the visitors group of this permission.
 # |                             By default it's 'true' (for the permission different than 'main').
 #
-# If provided, 'url' is assumed to be relative to the app domain/path if they
+# If provided, 'url' or 'additional_urls' is assumed to be relative to the app domain/path if they
 # start with '/'.  For example:
 #    /                             -> domain.tld/app
 #    /admin                        -> domain.tld/app/admin
 #    domain.tld/app/api            -> domain.tld/app/api
 #
-# 'url' can be later treated as a regex if it starts with "re:".
+# 'url' or 'additional_urls' can be later treated as a regex if it starts with "re:".
 # For example:
 #    re:/api/[A-Z]*$               -> domain.tld/app/api/[A-Z]*$
 #    re:domain.tld/app/api/[A-Z]*$ -> domain.tld/app/api/[A-Z]*$
 #
+# Note that globally the parameter 'url' and 'additional_urls' are same. The only difference is:
+# - 'url' is only one url, 'additional_urls' can be a list of urls. There are no limitation of 'additional_urls'
+# - 'url' is used for the url of tile in the SSO (if enabled with the 'show_tile' parameter)
+#
+#
+# About the authentication header (auth_header parameter).
+# The SSO pass (by default) to the application theses following HTTP header (linked to the authenticated user) to the application:
+#        - "Auth-User": username
+#        - "Remote-User": username
+#        - "Email": user email
+#
+# Generally this feature is usefull to authenticate automatically the user in the application but in some case the application don't work with theses header and theses header need to be disabled to have the application to work correctly. 
+# See https://github.com/YunoHost/issues/issues/1420 for more informations
+#
+#
 # Requires YunoHost version 3.7.0 or higher.
 ynh_permission_create() {
     # Declare an array to define the options of this helper.