Merge pull request #837 from kay0u/refactor-permission

[enh] Refactor group permission
2024-09-03 20:06:10 +02:00 · 2019-11-14 17:45:18 +01:00 · 2019-11-14 17:45:18 +01:00 · efc1d20884
commit efc1d20884
parent 9defb30133 04a9ae6db3
1 changed files with 79 additions and 78 deletions
--- a/src/yunohost/permission.py
+++ b/src/yunohost/permission.py
@ -92,7 +92,6 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
        remove         -- List of groups or usernames to remove from to this permission
    """
    from yunohost.hook import hook_callback
-    from yunohost.user import user_group_list
    from yunohost.utils.ldap import _get_ldap_interface
    ldap = _get_ldap_interface()

@ -111,7 +110,6 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
        raise YunohostError('permission_not_found', permission=permission)

    current_allowed_groups = existing_permission["allowed"]
-    all_existing_groups = user_group_list()['groups'].keys()
    operation_logger.related_to.append(('app', permission.split(".")[0]))

    # Compute new allowed group list (and make sure what we're doing make sense)
@ -121,8 +119,6 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
    if add:
        groups_to_add = [add] if not isinstance(add, list) else add
        for group in groups_to_add:
-            if group not in all_existing_groups:
-                raise YunohostError('group_unknown', group=group)
            if group in current_allowed_groups:
                logger.warning(m18n.n('permission_already_allowed', permission=permission, group=group))
            else:
@ -133,8 +129,6 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
    if remove:
        groups_to_remove = [remove] if not isinstance(remove, list) else remove
        for group in groups_to_remove:
-            if group not in all_existing_groups:
-                raise YunohostError('group_unknown', group=group)
            if group not in current_allowed_groups:
                logger.warning(m18n.n('permission_already_disallowed', permission=permission, group=group))
            else:
@ -161,37 +155,10 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,

    operation_logger.start()

-    try:
-        ldap.update('cn=%s,ou=permission' % permission,
-                    {'groupPermission': ['cn=' + g + ',ou=groups,dc=yunohost,dc=org' for g in new_allowed_groups]})
-    except Exception as e:
-        raise YunohostError('permission_update_failed', permission=permission, error=e)
+    new_permission = _update_ldap_group_permission(permission=permission, allowed=new_allowed_groups, sync_perm=sync_perm)

    logger.debug(m18n.n('permission_updated', permission=permission))

-    # Trigger permission sync if asked
-
-    if sync_perm:
-        permission_sync_to_user()
-
-    new_permission = user_permission_list(full=True)["permissions"][permission]
-
-    # Trigger app callbacks
-
-    app = permission.split(".")[0]
-    sub_permission = permission.split(".")[1]
-
-    old_allowed_users = set(existing_permission["corresponding_users"])
-    new_allowed_users = set(new_permission["corresponding_users"])
-
-    effectively_added_users = new_allowed_users - old_allowed_users
-    effectively_removed_users = old_allowed_users - new_allowed_users
-
-    if effectively_added_users:
-        hook_callback('post_app_addaccess', args=[app, ','.join(effectively_added_users), sub_permission])
-    if effectively_removed_users:
-        hook_callback('post_app_removeaccess', args=[app, ','.join(effectively_removed_users), sub_permission])
-
    return new_permission


@ -226,35 +193,10 @@ def user_permission_reset(operation_logger, permission, sync_perm=True):
    operation_logger.related_to.append(('app', permission.split(".")[0]))
    operation_logger.start()

-    default_permission = {'groupPermission': ['cn=all_users,ou=groups,dc=yunohost,dc=org']}
-    try:
-        ldap.update('cn=%s,ou=permission' % permission, default_permission)
-    except Exception as e:
-        raise YunohostError('permission_update_failed', permission=permission, error=e)
+    new_permission = _update_ldap_group_permission(permission=permission, allowed="all_users", sync_perm=sync_perm)

    logger.debug(m18n.n('permission_updated', permission=permission))

-    if sync_perm:
-        permission_sync_to_user()
-
-    new_permission = user_permission_list(full=True)["permissions"][permission]
-
-    # Trigger app callbacks
-
-    app = permission.split(".")[0]
-    sub_permission = permission.split(".")[1]
-
-    old_allowed_users = set(existing_permission["corresponding_users"])
-    new_allowed_users = set(new_permission["corresponding_users"])
-
-    effectively_added_users = new_allowed_users - old_allowed_users
-    effectively_removed_users = old_allowed_users - new_allowed_users
-
-    if effectively_added_users:
-        hook_callback('post_app_addaccess', args=[app, ','.join(effectively_added_users), sub_permission])
-    if effectively_removed_users:
-        hook_callback('post_app_removeaccess', args=[app, ','.join(effectively_removed_users), sub_permission])
-
    return new_permission

 #
@ -288,7 +230,6 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync
       re:domain.tld/app/api/[A-Z]*$ -> domain.tld/app/api/[A-Z]*$
    """

-    from yunohost.user import user_group_list
    from yunohost.utils.ldap import _get_ldap_interface
    ldap = _get_ldap_interface()

@ -315,20 +256,6 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync
        'gidNumber': gid,
    }

-    # If who should be allowed is explicitly provided, use this info
-    if allowed:
-        if not isinstance(allowed, list):
-            allowed = [allowed]
-        # (though first we validate that the targets actually exist)
-        all_existing_groups = user_group_list()['groups'].keys()
-        for g in allowed:
-            if g not in all_existing_groups:
-                raise YunohostError('group_unknown', group=g)
-        attr_dict['groupPermission'] = ['cn=%s,ou=groups,dc=yunohost,dc=org' % g for g in allowed]
-    # For main permission, we add all users by default
-    elif permission.endswith(".main"):
-        attr_dict['groupPermission'] = ['cn=all_users,ou=groups,dc=yunohost,dc=org']
-
    if url:
        attr_dict['URL'] = url

@ -340,11 +267,20 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync
    except Exception as e:
        raise YunohostError('permission_creation_failed', permission=permission, error=e)

-    if sync_perm:
-        permission_sync_to_user()
+    to_add = None
+
+    # If who should be allowed is explicitly provided, use this info
+    if allowed:
+        if not isinstance(allowed, list):
+            to_add = [allowed]
+    # For main permission, we add all users by default
+    elif permission.endswith(".main"):
+        to_add = "all_users"
+
+    new_permission = _update_ldap_group_permission(permission=permission, allowed=to_add, sync_perm=sync_perm)

    logger.debug(m18n.n('permission_created', permission=permission))
-    return user_permission_list(full=True)["permissions"][permission]
+    return new_permission


@is_unit_operation()
@ -473,3 +409,68 @@ def permission_sync_to_user():
    # Reload unscd, otherwise the group ain't propagated to the LDAP database
    os.system('nscd --invalidate=passwd')
    os.system('nscd --invalidate=group')
+
+def _update_ldap_group_permission(permission, allowed, sync_perm=True):
+    """
+        Internal function that will rewrite user permission
+
+        permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors)
+        allowed    -- A list of group/user to allow for the permission
+    """
+
+    from yunohost.hook import hook_callback
+    from yunohost.user import user_group_list
+    from yunohost.utils.ldap import _get_ldap_interface
+    ldap = _get_ldap_interface()
+
+    # Fetch currently allowed groups for this permission
+
+    existing_permission = user_permission_list(full=True)["permissions"].get(permission, None)
+    if existing_permission is None:
+        raise YunohostError('permission_not_found', permission=permission)
+
+    all_existing_groups = user_group_list()['groups'].keys()
+
+    if allowed:
+        if not isinstance(allowed, list):
+            allowed = [allowed]
+        for group in allowed:
+            if group not in all_existing_groups:
+                raise YunohostError('group_unknown', group=group)
+    else:
+        if sync_perm:
+            permission_sync_to_user()
+
+        return user_permission_list(full=True)["permissions"][permission]
+
+    try:
+        ldap.update('cn=%s,ou=permission' % permission,
+                    {'groupPermission': ['cn=' + g + ',ou=groups,dc=yunohost,dc=org' for g in allowed]})
+    except Exception as e:
+        raise YunohostError('permission_update_failed', permission=permission, error=e)
+
+    # Trigger permission sync if asked
+
+    if sync_perm:
+        permission_sync_to_user()
+
+    new_permission = user_permission_list(full=True)["permissions"][permission]
+
+    # Trigger app callbacks
+
+    app = permission.split(".")[0]
+    sub_permission = permission.split(".")[1]
+
+    old_allowed_users = set(existing_permission["corresponding_users"])
+    new_allowed_users = set(new_permission["corresponding_users"])
+
+    effectively_added_users = new_allowed_users - old_allowed_users
+    effectively_removed_users = old_allowed_users - new_allowed_users
+
+    if effectively_added_users:
+        hook_callback('post_app_addaccess', args=[app, ','.join(effectively_added_users), sub_permission])
+    if effectively_removed_users:
+        hook_callback('post_app_removeaccess', args=[app, ','.join(effectively_removed_users), sub_permission])
+
+    return new_permission
+