Improve permissions management
This commit is contained in:
parent
1e2ee09860
commit
9b6cc80ecc
|
@ -15,7 +15,7 @@
|
||||||
"url": "http://example.com"
|
"url": "http://example.com"
|
||||||
},
|
},
|
||||||
"requirements": {
|
"requirements": {
|
||||||
"yunohost": ">= 3.7"
|
"yunohost": ">= 4.1.2"
|
||||||
},
|
},
|
||||||
"multi_instance": true,
|
"multi_instance": true,
|
||||||
"services": [
|
"services": [
|
||||||
|
|
|
@ -220,7 +220,8 @@ chown -R $app: $final_path
|
||||||
|
|
||||||
# Set the app as temporarily public for curl call
|
# Set the app as temporarily public for curl call
|
||||||
ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
|
ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
|
||||||
ynh_app_setting_set --app=$app --key=skipped_uris --value="/"
|
# Making the app public for curl
|
||||||
|
ynh_permission_update --permission="main" --add="visitors"
|
||||||
# Reload SSOwat config
|
# Reload SSOwat config
|
||||||
yunohost app ssowatconf
|
yunohost app ssowatconf
|
||||||
|
|
||||||
|
@ -232,7 +233,7 @@ ynh_script_progression --message="Finalizing installation..." --time --weight=1
|
||||||
ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
|
ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
|
||||||
|
|
||||||
# Remove the public access
|
# Remove the public access
|
||||||
ynh_app_setting_delete --app=$app --key=skipped_uris
|
ynh_permission_update --permission="main" --remove="visitors"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MODIFY A CONFIG FILE
|
# MODIFY A CONFIG FILE
|
||||||
|
@ -339,11 +340,16 @@ if [ $is_public -eq 1 ]
|
||||||
then
|
then
|
||||||
# Everyone can access the app.
|
# Everyone can access the app.
|
||||||
# The "main" permission is automatically created before the install script.
|
# The "main" permission is automatically created before the install script.
|
||||||
ynh_permission_update --permission "main" --add "visitors"
|
ynh_permission_update --permission="main" --add="visitors"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Only the admin can access the admin panel of the app (if the app has an admin panel)
|
# Only the admin can access the admin panel of the app (if the app has an admin panel)
|
||||||
ynh_permission_create --permission "admin" --url "/admin" --allowed $admin
|
ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
|
||||||
|
|
||||||
|
# Everyone can access to the api part
|
||||||
|
# We don't want to display the tile in the sso so we put --show_tile="false"
|
||||||
|
# And we don't want that the YunoHost Admin can remove visitors group to this permission, so we put --protected="true"
|
||||||
|
ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD NGINX
|
# RELOAD NGINX
|
||||||
|
|
|
@ -52,28 +52,22 @@ if [ -z "$final_path" ]; then
|
||||||
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
||||||
fi
|
fi
|
||||||
|
|
||||||
### If nobody installed your app before 3.7,
|
### If nobody installed your app before 4.1,
|
||||||
### then you may safely remove these lines
|
### then you may safely remove these lines
|
||||||
|
|
||||||
# Cleaning legacy permissions
|
# Cleaning legacy permissions
|
||||||
is_public=$(ynh_app_setting_get --app=$app --key=is_public)
|
if ynh_legacy_permissions_exists; then
|
||||||
|
ynh_legacy_permissions_delete_all
|
||||||
|
|
||||||
if [ -n "$is_public" ]; then
|
|
||||||
# Remove unprotected_uris
|
|
||||||
ynh_app_setting_delete --app=$app --key=unprotected_uris
|
|
||||||
# Remove protected_uris
|
|
||||||
ynh_app_setting_delete --app=$app --key=protected_uris
|
|
||||||
|
|
||||||
# Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
|
|
||||||
# Remove skipped_uris. If the app was public, add visitors again to the main permission
|
|
||||||
if ynh_permission_has_user --permission=main --user=visitors
|
|
||||||
then
|
|
||||||
ynh_app_setting_delete --app=$app --key=skipped_uris
|
|
||||||
ynh_permission_update --permission "main" --add "visitors"
|
|
||||||
else
|
|
||||||
ynh_app_setting_delete --app=$app --key=skipped_uris
|
|
||||||
fi
|
|
||||||
ynh_app_setting_delete --app=$app --key=is_public
|
ynh_app_setting_delete --app=$app --key=is_public
|
||||||
|
|
||||||
|
# Create the required permissions
|
||||||
|
ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create a permission if needed
|
||||||
|
if ! ynh_permission_exists --permission="api"; then
|
||||||
|
ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -203,16 +197,6 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failreg
|
||||||
# Set permissions on app files
|
# Set permissions on app files
|
||||||
chown -R root: $final_path
|
chown -R root: $final_path
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SETUP SSOWAT
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Upgrading permissions configuration..." --time --weight=1
|
|
||||||
|
|
||||||
# Create the admin permission if needed
|
|
||||||
if ! ynh_permission_exists --permission "admin"; then
|
|
||||||
ynh_permission_create --permission "admin" --url "/admin" --allowed $admin
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# START SYSTEMD SERVICE
|
# START SYSTEMD SERVICE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
Loading…
Reference in New Issue
Block a user