diff --git a/manifest.json b/manifest.json
index be8caa4..a04a82a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -15,7 +15,7 @@
 "url": "http://example.com"
 },
 "requirements": {
- "yunohost": ">= 3.5"
+ "yunohost": ">= 4.1.3"
 },
 "multi_instance": true,
 "services": [
diff --git a/scripts/install b/scripts/install
index 81bcbf6..5978825 100755
--- a/scripts/install
+++ b/scripts/install
@@ -72,7 +72,6 @@ ynh_script_progression --message="Storing installation settings..." --time --wei
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
-ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=language --value=$language
 #=================================================
@@ -222,7 +221,8 @@ chown -R $app: $final_path
 # Set the app as temporarily public for curl call
 ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
-ynh_app_setting_set --app=$app --key=skipped_uris --value="/"
+# Making the app public for curl
+ynh_permission_update --permission="main" --add="visitors"
 # Reload SSOwat config
 yunohost app ssowatconf
@@ -234,10 +234,7 @@ ynh_script_progression --message="Finalizing installation..." --time --weight=1
 ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
 # Remove the public access
-if [ $is_public -eq 0 ]
-then
- ynh_app_setting_delete --app=$app --key=skipped_uris
-fi
+ynh_permission_update --permission="main" --remove="visitors"
 #=================================================
 # MODIFY A CONFIG FILE
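Review bot: Between `ynh_permission_update --permission="main" --add="visitors"` in the `@@ -222,7 +221,8 @@` hunk and the matching `--remove="visitors"` in `@@ -234,10 +234,7 @@`, the whole `main` permission is open to unauthenticated visitors, not only the install endpoint that `ynh_local_curl` calls. The removal runs only if the script reaches that line; what happens to the `visitors` grant when `ynh_local_curl` fails is decided by error handling outside these hunks, so it is worth confirming that an aborted install cannot leave the app public. A comment on the added line would make the intent explicit, e.g. `# Temporary: visitors is removed again right after ynh_local_curl below`. The progress message on the context line above still reads "Configuring SSOwat..." although the later hunk of this file renames the equivalent message to "Configuring permissions...".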
@@ -347,15 +344,24 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failreg
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
+ynh_script_progression --message="Configuring permissions..." --time --weight=1
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
- # unprotected_uris allows SSO credentials to be passed anyway.
- ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+ # Everyone can access the app.
+ # The "main" permission is automatically created before the install script.
+ ynh_permission_update --permission="main" --add="visitors"
 fi
+# Only the admin can access the admin panel of the app (if the app has an admin panel)
+ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
+
+# Everyone can access to the api part
+# We don't want to display the tile in the sso so we put --show_tile="false"
+# And we don't want that the YunoHost Admin can remove visitors group to this permission, so we put --protected="true"
+ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true"
+
 #=================================================
 # RELOAD NGINX
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 6e61d9f..fff0363 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -19,7 +19,6 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 admin=$(ynh_app_setting_get --app=$app --key=admin)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 language=$(ynh_app_setting_get --app=$app --key=language)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
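Review bot: The `api` permission created at the end of the `@@ -347,15 +344,24 @@` hunk grants `visitors` access to `/api` outside the `is_public` check, and by the hunk's own comment `--protected="true"` stops the YunoHost admin from removing that group, so an instance installed as private still serves `/api` without the SSO in front of it. The comment above that line should say that the application has to authenticate API requests itself, for example `# /api bypasses the SSO even when the app is private: the app must enforce its own authentication there`. Separately, `--allowed=$admin` is unquoted and `--url "/api"` uses a space where every other option uses `=`; `--allowed="$admin"` and `--url="/api"` would be consistent. The same two lines recur in the scripts/upgrade hunk at `@@ -59,6 +58,26 @@`.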
@@ -59,6 +58,26 @@ ynh_script_progression --message="Ensuring downward compatibility..." --time --w
 # ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 #fi
+### If nobody installed your app before 4.1,
+### then you may safely remove these lines
+
+# Cleaning legacy permissions
+if ynh_legacy_permissions_exists; then
+ ynh_legacy_permissions_delete_all
+
+ ynh_app_setting_delete --app=$app --key=is_public
+fi
+
+if ! ynh_permission_exists --permission="admin"; then
+ # Create the required permissions
+ ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
+fi
+
+# Create a permission if needed
+if ! ynh_permission_exists --permission="api"; then
+ ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true"
+fi
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@@ -191,18 +210,6 @@ ynh_script_progression --message="Reconfiguring Fail2Ban..." --time --weight=1
 # Create a dedicated Fail2Ban config
 ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..." --time --weight=1
-
-# Make app public if necessary
-if [ $is_public -eq 1 ]
-then
- # unprotected_uris allows SSO credentials to be passed anyway
- ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
-fi
-
 #=================================================
 # RELOAD NGINX
 #=================================================
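Review bot: The legacy cleanup in the `@@ -59,6 +58,26 @@` hunk deletes the `is_public` setting without reading it, so nothing in this block carries the previous public/private choice over to the `main` permission. Whether an upgraded instance keeps the same exposure therefore depends on a conversion performed outside this script, which the hunk does not show. A comment stating that assumption would help once it is confirmed, e.g. `# main is expected to already reflect the old is_public value; only the leftover legacy settings are removed here`. The block also sits above the "BACKUP BEFORE UPGRADE THEN ACTIVE TRAP" section, so these permission changes are made before the pre-upgrade backup is taken; if that ordering is intended it deserves a line of explanation as well.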