From b38d1a495e194792e65540eae05b1eb25820adb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Mon, 23 Dec 2019 11:21:28 +0100
Subject: [PATCH] Add force argument in permission update and change default value in permission creation
---
 data/helpers.d/setting | 7 ++++---
 locales/en.json | 1 +
 src/yunohost/app.py | 2 +-
 src/yunohost/permission.py | 14 ++++++++++----
 4 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/data/helpers.d/setting b/data/helpers.d/setting
index 3fddf6e27..f35496a1d 100644
--- a/data/helpers.d/setting
+++ b/data/helpers.d/setting
@@ -246,7 +246,8 @@ ynh_webpath_register () {
 # | arg: url - (optional) URL for which access will be allowed/forbidden
 # | arg: allowed - (optional) A list of group/user to allow for the permission
 # | arg: is_protected - (optional) Define if this permission is protected. If it is protected the administrator
-# | won't be able to add or remove the visitors group of this permission. By default it's 'false'
+# | won't be able to add or remove the visitors group of this permission.
+# | By default it's 'true' (for the permission different than 'main').
 #
 # If provided, 'url' is assumed to be relative to the app domain/path if they
 # start with '/'. For example:
@@ -347,7 +348,7 @@ ynh_permission_url() {
 # | arg: add - the list of group or users to enable add to the permission
 # | arg: remove - the list of group or users to remove from the permission
 # | arg: is_protected - (optional) Define if this permission is protected. If it is protected the administrator
-# | won't be able to add or remove the visitors group of this permission. By default it's 'false'
+# | won't be able to add or remove the visitors group of this permission.
 #
 # example: ynh_permission_update --permission admin --add samdoe --remove all_users
 # Requires YunoHost version 3.7.0 or higher.
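Review bot: The usage header of `ynh_permission_update` (hunk at -347) no longer says what happens when `is_protected` is omitted, and nothing in it tells a packager that the helper now calls `user_permission_update` with `force=True` (hunk at -373 of the same file). Someone reading only the header cannot tell that this helper changes the visitors group even on a protected permission. I would add, after the `is_protected` lines, `# | If omitted, the protection flag is left unchanged.` and `# Note: this helper passes force=True and therefore ignores the 'protected' flag.` The first of those is inferred from the Python default `is_protected=None`; confirm it against the helper body, which is outside the hunk.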
@@ -373,5 +374,5 @@ ynh_permission_update() {
 fi
 fi
- yunohost tools shell -c "from yunohost.permission import user_permission_update; user_permission_update('$app.$permission', ${add:-} ${remove} ${is_protected:-} , sync_perm=False)"
+ yunohost tools shell -c "from yunohost.permission import user_permission_update; user_permission_update('$app.$permission', ${add:-} ${remove} ${is_protected:-} , force=True, sync_perm=False)"
 }
diff --git a/locales/en.json b/locales/en.json
index ce437ba89..015655e5b 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -481,6 +481,7 @@
 "permission_updated": "Permission '{permission:s}' updated",
 "permission_update_nothing_to_do": "No permissions to update",
 "permission_protected": "Permission {permission} protected. You can't modify the visitors group to access to this permission.",
+ "permission_require_account": "Permission {permission} only makes sense for users having an account, and therefore cannot be enabled for visitors.",
 "port_already_closed": "Port {port:d} is already closed for {ip_version:s} connections",
 "port_already_opened": "Port {port:d} is already opened for {ip_version:s} connections",
 "regenconf_file_backed_up": "Configuration file '{conf}' backed up to '{backup}'",
diff --git a/src/yunohost/app.py b/src/yunohost/app.py
index 30d3ab31b..37d6fc9db 100644
--- a/src/yunohost/app.py
+++ b/src/yunohost/app.py
@@ -750,7 +750,7 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu
 # Initialize the main permission for the app
 # After the install, if apps don't have a domain and path defined, the default url '/' is removed from the permission
- permission_create(app_instance_name+".main", url="/", allowed=["all_users"])
+ permission_create(app_instance_name+".main", url="/", allowed=["all_users"], is_protected=False)
 # Execute the app install script
 install_failed = True
diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py
index 2fc963d57..b5c59907e 100644
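Review bot: The new call in `ynh_permission_update` (data/helpers.d/setting, hunk at -373) still builds Python source by splicing `$app`, `$permission`, `${add:-}`, `${remove}` and `${is_protected:-}` into the `-c` string, and with `force=True` that string now runs on a path that skips the protected check. A value containing a quote or a parenthesis would change the code that is executed rather than the argument that is passed. How these variables are built is outside the hunk, so they may already be constrained; if they are not, validate them before the call, for example `[[ "$permission" =~ ^[a-zA-Z0-9_]+$ ]] || ynh_die --message="Invalid permission name"` (pattern is a constructed example, adjust it to the names the project allows). Passing the values through the environment and reading them with `os.environ` inside the snippet would remove the interpolation altogether.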
--- a/src/yunohost/permission.py
+++ b/src/yunohost/permission.py
@@ -82,7 +82,7 @@ def user_permission_list(short=False, full=False, ignore_system_perms=False):
 return {'permissions': permissions}
 @is_unit_operation()
-def user_permission_update(operation_logger, permission, add=None, remove=None, is_protected=None, sync_perm=True):
+def user_permission_update(operation_logger, permission, add=None, remove=None, is_protected=None, force=False, sync_perm=True):
 """
 Allow or Disallow a user or group to a permission for a specific application
@@ -91,6 +91,7 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
 add -- List of groups or usernames to add to this permission
 remove -- List of groups or usernames to remove from to this permission
 is_protected -- (optional) Define if the permission can be added/removed to the visitor group
+ force -- (optional) Give the possibility to add/remove access from the visitor group to a protected permission
 """
 from yunohost.user import user_group_list
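Review bot: A caller that passes `sync_perm` positionally to `user_permission_update` would now be setting `force` instead, because the hunk at -82 inserts `force=False` in front of `sync_perm`; the protected check would then be skipped without any error. The calls visible in this patch use keywords, but other callers are outside the diff. Appending the parameter keeps existing calls intact: `def user_permission_update(operation_logger, permission, add=None, remove=None, is_protected=None, sync_perm=True, force=False):`. The docstring line added in the hunk at -91 could also say that `force` does not lift the refusal for system permissions, which the later hunk raises regardless of `force`.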
@@ -100,9 +101,14 @@ def user_permission_update(operation_logger, permission, add=None, remove=None, existing_permission = user_permission_list(full=True)["permissions"].get(permission, None) + # Refuse to add "visitors" to mail, xmpp ... they require an account to make sense. + existing_permission = user_permission_list(full=True)["permissions"].get(permission, None) + if add and "visitors" in add and permission.split(".")[0] in SYSTEM_PERMS: + raise YunohostError('permission_require_account', permission=permission) + # Refuse to add "visitors" to protected permission - if (add and "visitors" in add and existing_permission["protected"]) or \ - (remove and "visitors" in remove and existing_permission["protected"]): + if ((add and "visitors" in add and existing_permission["protected"]) or \ + (remove and "visitors" in remove and existing_permission["protected"])) and not force: raise YunohostError('permission_protected', permission=permission) # Fetch currently allowed groups for this permission @@ -219,7 +225,7 @@ def user_permission_reset(operation_logger, permission, sync_perm=True): @is_unit_operation() -def permission_create(operation_logger, permission, url=None, allowed=None, is_protected=False, sync_perm=True): +def permission_create(operation_logger, permission, url=None, allowed=None, is_protected=True, sync_perm=True): """ Create a new permission for a specific application
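Review bot: In the hunk at -100 of src/yunohost/permission.py, `existing_permission` comes from `.get(permission, None)` and is then indexed as `existing_permission["protected"]` with no check in between, so an unknown permission name combined with `visitors` in `add` or `remove` raises a `TypeError` instead of a `YunohostError`. The added block also repeats the `user_permission_list(full=True)` lookup that the context line just above it already performs. I would delete the duplicated assignment and put `if existing_permission is None:` with a `raise YunohostError(...)` using the project's not-found message key ahead of the two visitors checks. A not-found check may exist further down in the function, which continues outside the hunk, but it would run after the indexing.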
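Review bot: Every caller of `permission_create` that omits `is_protected` now gets a protected permission, because the hunk at -219 flips the default to `True`, and only the `app_install` call is updated in this patch. Protected-by-default is the safer choice, but migrations or helpers that create permissions without the argument would start producing permissions the administrator cannot open to visitors; those callers are outside the diff and should be checked. The docstring, which continues outside the hunk, should record the default, for example `is_protected -- (optional) Defaults to True; pass False for permissions the admin may open to or close from visitors`.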