Merge pull request #855 from kay0u/visitors-needs-all-users

Visitors permission needs All Users

data/helpers.d/setting

@@ -189,7 +189,7 @@ EOF
     # We need this because app temporarily set the app as unprotected to configure it with curl...
     if [[ "$3" =~ ^(unprotected|skipped)_ ]] && [[ "${4:-}" == "/" ]]
     then
-        ynh_permission_update --permission "main" --remove "all_users" --add "visitors"
+        ynh_permission_update --permission "main" --add "visitors"
     fi
 }
 

locales/en.json

@@ -464,14 +464,15 @@
     "pattern_positive_number": "Must be a positive number",
     "pattern_username": "Must be lower-case alphanumeric and underscore characters only",
     "pattern_password_app": "Sorry, passwords can not contain the following characters: {forbidden_chars}",
+    "permission_all_users_implicitly_added": "The permission was also implicitly granted to 'all_users' because it is required to allow the special group 'visitors'",
     "permission_already_allowed": "Group '{group}' already has permission '{permission}' enabled",
     "permission_already_disallowed": "Group '{group}' already has permission '{permission}' disabled'",
     "permission_already_exist": "Permission '{permission}' already exists",
     "permission_already_up_to_date": "The permission was not updated because the addition/removal requests already match the current state.",
+    "permission_cannot_remove_all_users_while_visitors_allowed": "You can't remove this permission for 'all_users' while it is still allowed for 'visitors'",
     "permission_cannot_remove_main": "Removing a main permission is not allowed",
     "permission_created": "Permission '{permission:s}' created",
     "permission_creation_failed": "Could not create permission '{permission}': {error}",
-    "permission_currently_allowed_for_visitors": "This permission is currently granted to visitors in addition to other groups. You probably want to either remove the 'visitors' permission or remove the other groups it is currently granted to.",
     "permission_currently_allowed_for_all_users": "This permission is currently granted to all users in addition to other groups. You probably want to either remove the 'all_users' permission or remove the other groups it is currently granted to.",
     "permission_deleted": "Permission '{permission:s}' deleted",
     "permission_deletion_failed": "Could not delete permission '{permission}': {error}",

src/yunohost/app.py

@@ -959,12 +959,12 @@ def _migrate_legacy_permissions(app):
     # If the current permission says app is protected, but there are legacy rules saying it should be public...
     if app_perm_currently_allowed == ["all_users"] and settings_say_it_should_be_public:
         # Make it public
-        user_permission_update(app + ".main", remove="all_users", add="visitors", sync_perm=False)
+        user_permission_update(app + ".main", add="visitors", sync_perm=False)
 
     # If the current permission says app is public, but there are no setting saying it should be public...
     if app_perm_currently_allowed == ["visitors"] and not settings_say_it_should_be_public:
         # Make is private
-        user_permission_update(app + ".main", remove="visitors", add="all_users", sync_perm=False)
+        user_permission_update(app + ".main", remove="visitors", sync_perm=False)
 
 
 @is_unit_operation()
@@ -1194,7 +1194,7 @@ def app_setting(app, key, value=None, delete=False):
     # We need this because app temporarily set the app as unprotected to configure it with curl...
     if key.startswith("unprotected_") or key.startswith("skipped_") and value == "/":
         from permission import user_permission_update
-        user_permission_update(app + ".main", remove="all_users", add="visitors")
+        user_permission_update(app + ".main", add="visitors")
 
 
 def app_register_url(app, domain, path):

src/yunohost/permission.py

@@ -138,14 +138,23 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
         new_allowed_groups = [g for g in new_allowed_groups if g not in groups_to_remove]
 
     # If we end up with something like allowed groups is ["all_users", "volunteers"]
-    # we shall warn the users that they should probably choose between one or the other,
+    # we shall warn the users that they should probably choose between one or
-    # because the current situation is probably not what they expect / is temporary ?
+    # the other, because the current situation is probably not what they expect
-
+    # / is temporary ?  Note that it's fine to have ["all_users", "visitors"]
-    if len(new_allowed_groups) > 1:
+    # though, but it's not fine to have ["all_users", "visitors", "volunteers"]
-        if "all_users" in new_allowed_groups:
+    if "all_users" in new_allowed_groups and len(new_allowed_groups) >= 2:
+        if "visitors" not in new_allowed_groups or len(new_allowed_groups) >= 3:
             logger.warning(m18n.n("permission_currently_allowed_for_all_users"))
-        if "visitors" in new_allowed_groups:
+
-            logger.warning(m18n.n("permission_currently_allowed_for_visitors"))
+    # If visitors are to be added, we shall make sure that "all_users" are also allowed
+    # (e.g. if visitors are allowed to visit nextcloud, you still want to allow people to log in ...)
+    if add and "visitors" in groups_to_add and "all_users" not in new_allowed_groups:
+        new_allowed_groups.append("all_users")
+        logger.warning(m18n.n("permission_all_users_implicitly_added"))
+    # If all_users are to be added, yet visitors are still to allowed, then we
+    # refuse it (c.f. previous comment...)
+    if remove and "all_users" in groups_to_remove and "visitors" in new_allowed_groups:
+        raise YunohostError('permission_cannot_remove_all_users_while_visitors_allowed')
 
     # Don't update LDAP if we update exactly the same values
     if set(new_allowed_groups) == set(current_allowed_groups):
@@ -258,10 +267,15 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync
     if url:
         attr_dict['URL'] = url
 
+    if allowed is not None:
+        if not isinstance(allowed, list):
+            allowed = [allowed]
+        if "visitors" in allowed and "all_users" not in allowed:
+            allowed.append("all_users")
+
     # Validate that the groups to add actually exist
     all_existing_groups = user_group_list()['groups'].keys()
-    allowed_ = [] if allowed is None else [allowed] if not isinstance(allowed, list) else allowed
+    for group in allowed or []:
-    for group in allowed_:
         if group not in all_existing_groups:
             raise YunohostError('group_unknown', group=group)
 

src/yunohost/tests/test_backuprestore.py

@@ -510,7 +510,8 @@ def test_backup_and_restore_permission_app(mocker):
     assert res['permissions_app.admin']['url'] == "/admin"
     assert res['permissions_app.dev']['url'] == "/dev"
 
-    assert res['permissions_app.main']['allowed'] == ["visitors"]
+    assert "visitors" in res['permissions_app.main']['allowed']
+    assert "all_users" in res['permissions_app.main']['allowed']
     assert res['permissions_app.admin']['allowed'] == ["alice"]
     assert res['permissions_app.dev']['allowed'] == []
 
@@ -524,7 +525,8 @@ def test_backup_and_restore_permission_app(mocker):
     assert res['permissions_app.admin']['url'] == "/admin"
     assert res['permissions_app.dev']['url'] == "/dev"
 
-    assert res['permissions_app.main']['allowed'] == ["visitors"]
+    assert "visitors" in res['permissions_app.main']['allowed']
+    assert "all_users" in res['permissions_app.main']['allowed']
     assert res['permissions_app.admin']['allowed'] == ["alice"]
     assert res['permissions_app.dev']['allowed'] == []
 

src/yunohost/tests/test_permission.py

@@ -313,6 +313,27 @@ def test_permission_add_and_remove_group(mocker):
     assert res['wiki.main']['corresponding_users'] == ["alice"]
 
 
+def test_permission_adding_visitors_implicitly_add_all_users(mocker):
+
+    res = user_permission_list(full=True)['permissions']
+    assert res['blog.main']['allowed'] == ["alice"]
+
+    with message(mocker, "permission_updated", permission="blog.main"):
+        user_permission_update("blog.main", add="visitors")
+
+    res = user_permission_list(full=True)['permissions']
+    assert set(res['blog.main']['allowed']) == set(["alice", "visitors", "all_users"])
+
+
+def test_permission_cant_remove_all_users_if_visitors_allowed(mocker):
+
+    with message(mocker, "permission_updated", permission="blog.main"):
+        user_permission_update("blog.main", add=["visitors", "all_users"])
+
+    with raiseYunohostError(mocker, 'permission_cannot_remove_all_users_while_visitors_allowed'):
+        user_permission_update("blog.main", remove="all_users")
+
+
 def test_permission_add_group_already_allowed(mocker):
     with message(mocker, "permission_already_allowed", permission="blog.main", group="alice"):
         user_permission_update("blog.main", add="alice")
@@ -460,13 +481,14 @@ def test_permission_app_propagation_on_ssowat():
                 args="domain=%s&path=%s&is_public=1&admin=%s" % (maindomain, "/urlpermissionapp", "alice"), force=True)
 
     res = user_permission_list(full=True)['permissions']
-    assert res['permissions_app.main']['allowed'] == ["visitors"]
+    assert "visitors" in res['permissions_app.main']['allowed']
+    assert "all_users" in res['permissions_app.main']['allowed']
 
     app_webroot = "https://%s/urlpermissionapp" % maindomain
     assert can_access_webpage(app_webroot, logged_as=None)
     assert can_access_webpage(app_webroot, logged_as="alice")
 
-    user_permission_update("permissions_app.main", remove="visitors", add="bob")
+    user_permission_update("permissions_app.main", remove=["visitors", "all_users"], add="bob")
     res = user_permission_list(full=True)['permissions']
 
     assert not can_access_webpage(app_webroot, logged_as=None)
@@ -491,7 +513,8 @@ def test_permission_legacy_app_propagation_on_ssowat():
     # App is configured as public by default using the legacy unprotected_uri mechanics
     # It should automatically be migrated during the install
     res = user_permission_list(full=True)['permissions']
-    assert res['legacy_app.main']['allowed'] == ["visitors"]
+    assert "visitors" in res['legacy_app.main']['allowed']
+    assert "all_users" in res['legacy_app.main']['allowed']
 
     app_webroot = "https://%s/legacy" % maindomain
 
@@ -499,7 +522,7 @@ def test_permission_legacy_app_propagation_on_ssowat():
     assert can_access_webpage(app_webroot, logged_as="alice")
 
     # Try to update the permission and check that permissions are still consistent
-    user_permission_update("legacy_app.main", remove="visitors", add="bob")
+    user_permission_update("legacy_app.main", remove=["visitors", "all_users"], add="bob")
 
     assert not can_access_webpage(app_webroot, logged_as=None)
     assert not can_access_webpage(app_webroot, logged_as="alice")