YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Warn early about unexisting user/groups (otherwise this triggers a journal entry for nothing) + simplify code, explicit assumptions

Browse source
This commit is contained in:
Alexandre Aubin 2019-11-22 17:15:44 +01:00
parent 6eb8efb6f0
commit fdf5f16739
1 changed files with 25 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
src/yunohost/permission.py
View file

@ -91,9 +91,7 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
add -- List of groups or usernames to add to this permission add -- List of groups or usernames to add to this permission
remove -- List of groups or usernames to remove from to this permission remove -- List of groups or usernames to remove from to this permission
""" """
from yunohost.hook import hook_callback from yunohost.user import user_group_list
from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface()
# By default, manipulate main permission # By default, manipulate main permission
if "." not in permission: if "." not in permission:
@ -115,10 +113,13 @@ def user_permission_update(operation_logger, permission, add=None, remove=None,
# Compute new allowed group list (and make sure what we're doing make sense) # Compute new allowed group list (and make sure what we're doing make sense)
new_allowed_groups = copy.copy(current_allowed_groups) new_allowed_groups = copy.copy(current_allowed_groups)
all_existing_groups = user_group_list()['groups'].keys()
if add: if add:
groups_to_add = [add] if not isinstance(add, list) else add groups_to_add = [add] if not isinstance(add, list) else add
for group in groups_to_add: for group in groups_to_add:
if group not in all_existing_groups:
raise YunohostError('group_unknown', group=group)
if group in current_allowed_groups: if group in current_allowed_groups:
logger.warning(m18n.n('permission_already_allowed', permission=permission, group=group)) logger.warning(m18n.n('permission_already_allowed', permission=permission, group=group))
else: else:
@ -170,9 +171,6 @@ def user_permission_reset(operation_logger, permission, sync_perm=True):
Keyword argument: Keyword argument:
permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors) permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors)
""" """
from yunohost.hook import hook_callback
from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface()
# By default, manipulate main permission # By default, manipulate main permission
if "." not in permission: if "." not in permission:
@ -231,6 +229,7 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync
""" """
from yunohost.utils.ldap import _get_ldap_interface from yunohost.utils.ldap import _get_ldap_interface
from yunohost.user import user_group_list
ldap = _get_ldap_interface() ldap = _get_ldap_interface()
# By default, manipulate main permission # By default, manipulate main permission
@ -259,6 +258,13 @@ def permission_create(operation_logger, permission, url=None, allowed=None, sync
if url: if url:
attr_dict['URL'] = url attr_dict['URL'] = url
# Validate that the groups to add actually exist
all_existing_groups = user_group_list()['groups'].keys()
allowed_ = [] if allowed is None else [allowed] if not isinstance(allowed, list) else allowed
for group in allowed_:
if group not in all_existing_groups:
raise YunohostError('group_unknown', group=group)
operation_logger.related_to.append(('app', permission.split(".")[0])) operation_logger.related_to.append(('app', permission.split(".")[0]))
operation_logger.start() operation_logger.start()
@ -404,38 +410,34 @@ def permission_sync_to_user():
os.system('nscd --invalidate=passwd') os.system('nscd --invalidate=passwd')
os.system('nscd --invalidate=group') os.system('nscd --invalidate=group')
def _update_ldap_group_permission(permission, allowed, sync_perm=True): def _update_ldap_group_permission(permission, allowed, sync_perm=True):
""" """
Internal function that will rewrite user permission Internal function that will rewrite user permission
permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors) permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors)
allowed -- A list of group/user to allow for the permission allowed -- A list of group/user to allow for the permission
Assumptions made, that should be checked before calling this function:
- the permission does currently exists ...
- the 'allowed' list argument is *different* from the current
permission state ... otherwise ldap will miserably fail in such
case...
- the 'allowed' list contains *existing* groups.
""" """
from yunohost.hook import hook_callback from yunohost.hook import hook_callback
from yunohost.user import user_group_list
from yunohost.utils.ldap import _get_ldap_interface from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface() ldap = _get_ldap_interface()
# Fetch currently allowed groups for this permission # Fetch currently allowed groups for this permission
existing_permission = user_permission_list(full=True)["permissions"][permission]
existing_permission = user_permission_list(full=True)["permissions"].get(permission, None) if allowed is None:
if existing_permission is None: return existing_permission
raise YunohostError('permission_not_found', permission=permission)
all_existing_groups = user_group_list()['groups'].keys() allowed = [allowed] if not isinstance(allowed, list) else allowed
if allowed:
if not isinstance(allowed, list):
allowed = [allowed]
for group in allowed:
if group not in all_existing_groups:
raise YunohostError('group_unknown', group=group)
else:
if sync_perm:
permission_sync_to_user()
return user_permission_list(full=True)["permissions"][permission]
try: try:
ldap.update('cn=%s,ou=permission' % permission, ldap.update('cn=%s,ou=permission' % permission,