Naive implementation of visitors group (without any relation to the ssowat conf yet)

2024-09-03 20:06:10 +02:00 · 2019-09-15 16:59:34 +02:00 · 2019-09-15 16:59:34 +02:00 · cc59501b55
commit cc59501b55
parent 9c383ef06a
5 changed files with 32 additions and 9 deletions
--- a/data/other/ldap_scheme.yml
+++ b/data/other/ldap_scheme.yml
@ -57,6 +57,12 @@ children:
        objectClass:
            - posixGroup
            - groupOfNamesYnh
+    cn=visitors,ou=groups:
+        cn: visitors
+        gidNumber: "4003"
+        objectClass:
+            - posixGroup
+            - groupOfNamesYnh

 depends_children:
    cn=mail.main,ou=permission:
--- a/locales/en.json
+++ b/locales/en.json
@ -230,6 +230,9 @@
    "group_already_exist_on_system": "Group {group} already exists in the system group",
    "group_created": "Group '{group}' successfully created",
    "group_creation_failed": "Failed to create group {group}: {error}",
+    "group_cannot_edit_all_users": "The group 'all_users' cannot be edited manually. It is a special group meant to contain all users registered in Yunohost",
+    "group_cannot_edit_visitors": "The group 'visitors' cannot be edited manually. It is a special group representing anonymous visitors",
+    "group_cannot_edit_primary_group": "The group '{group}' cannot be edited manually. It is the primary group meant to contain only one specific user.",
    "group_cannot_be_edited": "The group {group} cannot be edited manually.",
    "group_cannot_be_deleted": "The group {group} cannot be deleted manually.",
    "group_deleted": "Group '{group}' deleted",
--- a/src/yunohost/data_migrations/0011_setup_group_permission.py
+++ b/src/yunohost/data_migrations/0011_setup_group_permission.py
@ -63,6 +63,7 @@ class MyMigration(Migration):
            self.remove_if_exists("cn=sftpusers,ou=groups")
            self.remove_if_exists("ou=permission")
            self.remove_if_exists('cn=all_users,ou=groups')
+            self.remove_if_exists('cn=visitors,ou=groups')

            attr_dict = ldap_map['parents']['ou=permission']
            ldap.add('ou=permission', attr_dict)
@ -70,6 +71,9 @@ class MyMigration(Migration):
            attr_dict = ldap_map['children']['cn=all_users,ou=groups']
            ldap.add('cn=all_users,ou=groups', attr_dict)

+            attr_dict = ldap_map['children']['cn=visitors,ou=groups']
+            ldap.add('cn=visitors,ou=groups', attr_dict)
+
            for rdn, attr_dict in ldap_map['depends_children'].items():
                ldap.add(rdn, attr_dict)
        except Exception as e:
--- a/src/yunohost/permission.py
+++ b/src/yunohost/permission.py
@ -142,10 +142,15 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
    # we shall warn the users that they should probably choose between one or the other,
    # because the current situation is probably not what they expect / is temporary ?

-    if len(new_allowed_groups) > 1 and "all_users" in new_allowed_groups:
-        # FIXME : i18n
-        # FIXME : write a better explanation ?
-        logger.warning("This permission is currently enabled for all users in addition to other groups. You probably want to either remove the 'all_users' permission or remove the specific groups currently allowed.")
+    if len(new_allowed_groups) > 1:
+        if "all_users" in new_allowed_groups:
+            # FIXME : i18n
+            # FIXME : write a better explanation ?
+            logger.warning("This permission is currently enabled for all users in addition to other groups. You probably want to either remove the 'all_users' permission or remove the other groups currently allowed.")
+        if "visitors" in new_allowed_groups:
+            # FIXME : i18n
+            # FIXME : write a better explanation ?
+            logger.warning("This permission is currently enabled for visitors in addition to other groups. You probably want to either remove the 'visitors' permission or remove the other groups currently allowed.")

    # Don't update LDAP if we update exactly the same values
    if set(new_allowed_groups) == set(current_allowed_groups):
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@ -635,7 +635,7 @@ def user_group_delete(operation_logger, groupname, force=False, sync_perm=True):
    #
    # We also can't delete "all_users" because that's a special group...
    existing_users = user_list()['users'].keys()
-    undeletable_groups = existing_users + ["all_users", "admins"]
+    undeletable_groups = existing_users + ["all_users", "visitors"]
    if groupname in undeletable_groups and not force:
        raise YunohostError('group_cannot_be_deleted', group=groupname)

@ -670,13 +670,18 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
    from yunohost.permission import permission_sync_to_user
    from yunohost.utils.ldap import _get_ldap_interface

+    existing_users = user_list()['users'].keys()
+
    # Refuse to edit a primary group of a user (e.g. group 'sam' related to user 'sam')
    # Those kind of group should only ever contain the user (e.g. sam) and only this one.
    # We also can't edit "all_users" without the force option because that's a special group...
-    existing_users = user_list()['users'].keys()
-    uneditable_groups = existing_users + ["all_users", "admins"]
-    if groupname in uneditable_groups and not force:
-        raise YunohostError('group_cannot_be_edited', group=groupname)
+    if not force:
+        if groupname == "all_users":
+            raise YunohostError('group_cannot_edit_all_users')
+        elif groupname == "all_users":
+            raise YunohostError('group_cannot_edit_visitors')
+        elif groupname in existing_users:
+            raise YunohostError('group_cannot_edit_primary_group', group=groupname)

    # We extract the uid for each member of the group to keep a simple flat list of members
    current_group = user_group_info(groupname)["members"]