app/permissions: more refactoring to also move the 'allowed' perm inf…

…o out of LDAP
YunoHost · Feb 5, 2025 · 0770277 · 0770277
1 parent 16feb72
commit 0770277
Show file tree

Hide file tree

Showing 14 changed files with 457 additions and 517 deletions.
diff --git a/conf/slapd/config.ldif b/conf/slapd/config.ldif
@@ -206,18 +206,18 @@ olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
 structuralObjectClass: olcMemberOf
 
-# Link permission <-> groupes
-dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcMemberOf
-olcOverlay: {1}memberof
-olcMemberOfDangling: error
-olcMemberOfDanglingError: constraintViolation
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: permissionYnh
-olcMemberOfMemberAD: groupPermission
-olcMemberOfMemberOfAD: permission
-structuralObjectClass: olcMemberOf
+# Link permission <-> groupes (OBSOLETE)
+#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
+#objectClass: olcOverlayConfig
+#objectClass: olcMemberOf
+#olcOverlay: {1}memberof
+#olcMemberOfDangling: error
+#olcMemberOfDanglingError: constraintViolation
+#olcMemberOfRefInt: TRUE
+#olcMemberOfGroupOC: permissionYnh
+#olcMemberOfMemberAD: groupPermission
+#olcMemberOfMemberOfAD: permission
+#structuralObjectClass: olcMemberOf
 
 # Link permission <-> user
 dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config

diff --git a/conf/slapd/permission.ldif b/conf/slapd/permission.ldif
@@ -9,7 +9,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.1 NAME 'permission'
   DESC 'YunoHost permission on user and group side'
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.2 NAME 'groupPermission'
-  DESC 'YunoHost permission for a group on permission side'
+  DESC 'YunoHost permission for a group on permission side' OBSOLETE
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
   DESC 'YunoHost permission for user on permission side'
@@ -39,12 +39,12 @@ olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
   SUP top AUXILIARY
   MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ permission ) )
 olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
-  DESC 'a YunoHost application'
+  DESC 'a YunoHost permission'
   SUP top AUXILIARY
   MUST ( cn )
   MAY ( groupPermission $ inheritPermission $ URL $ additionalUrls $ authHeader $ label $ showTile $ isProtected ) )
 # For User
 olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
-  DESC 'a YunoHost application'
+  DESC 'a YunoHost user with permission attributes'
   SUP top AUXILIARY
   MAY ( permission ) )
diff --git a/share/actionsmap.yml b/share/actionsmap.yml
@@ -343,10 +343,6 @@ user:
                         apps:
                             help: Apps to list permission for (all by default)
                             nargs: "*"
-                        -s:
-                            full: --short
-                            help: Only list permission names
-                            action: store_true
                         -f:
                             full: --full
                             help: Display all info known about each permission, including the full user list of each group it is granted to.
@@ -405,13 +401,9 @@ user:
                             extra:
                                 pattern: *pattern_username
 
-                ## user_permission_reset()
-                reset:
-                    action_help: Reset allowed groups to the default (all_users) for a given permission
-                    api: DELETE /users/permissions/<permission>
-                    arguments:
-                        permission:
-                            help: Permission to manage (e.g. mail or nextcloud or wordpress.editors) (use "yunohost user permission list" and "yunohost user permission -f" to see all the current permissions)
+                ## user_permission_ldapsync()
+                ldapsync:
+                    action_help: Resynchronize permissions to LDAP from app settings. This is a purely technical command, only meant to be ran if you manually modified permission settings in app, which is absolutely not recommended. 
 
         ssh:
             subcategory_help: Manage ssh access

diff --git a/src/app.py b/src/app.py
@@ -563,7 +563,7 @@ def app_upgrade(
         hook_exec_with_script_debug_if_failure,
         hook_remove,
     )
-    from yunohost.permission import permission_sync_to_user
+    from yunohost.permission import _sync_permissions_with_ldap
     from yunohost.regenconf import manually_modified_files
     from yunohost.utils.legacy import _patch_legacy_helpers
 
@@ -877,7 +877,7 @@ def app_upgrade(
             if upgrade_failed or broke_the_system:
                 if not continue_on_failure or broke_the_system:
                     # display this if there are remaining apps
-                    if apps[number + 1 :]:
+                    if apps[number + 1:]:
                         not_upgraded_apps = apps[number:]
                         if broke_the_system and not continue_on_failure:
                             logger.error(
@@ -947,7 +947,7 @@ def app_upgrade(
             hook_callback("post_app_upgrade", env=env_dict)
             operation_logger.success()
 
-    permission_sync_to_user()
+    _sync_permissions_with_ldap()
 
     logger.success(m18n.n("upgrade_complete"))
 
@@ -1061,7 +1061,7 @@ def app_install(
     from yunohost.permission import (
         permission_create,
         permission_delete,
-        permission_sync_to_user,
+        _sync_permissions_with_ldap,
         user_permission_list,
     )
     from yunohost.regenconf import manually_modified_files
@@ -1352,7 +1352,7 @@ def app_install(
             shutil.rmtree(app_setting_path)
             shutil.rmtree(extracted_app_folder)
 
-            permission_sync_to_user()
+            _sync_permissions_with_ldap()
 
             raise YunohostError(failure_message_with_debug_instructions, raw_msg=True)
 
@@ -1402,7 +1402,7 @@ def app_remove(operation_logger, app, purge=False, force_workdir=None):
     from yunohost.hook import hook_callback, hook_exec, hook_remove
     from yunohost.permission import (
         permission_delete,
-        permission_sync_to_user,
+        _sync_permissions_with_ldap,
         user_permission_list,
     )
     from yunohost.utils.legacy import _patch_legacy_helpers
@@ -1488,7 +1488,7 @@ def app_remove(operation_logger, app, purge=False, force_workdir=None):
     else:
         logger.warning(m18n.n("app_not_properly_removed", app=app))
 
-    permission_sync_to_user()
+    _sync_permissions_with_ldap()
     _assert_system_is_sane_for_app(manifest, "post")
 
 
@@ -1584,7 +1584,7 @@ def app_register_url(app, domain, path):
         path -- The path to be registered (e.g. /coffee)
     """
     from yunohost.permission import (
-        permission_sync_to_user,
+        _sync_permissions_with_ldap,
         permission_url,
         user_permission_update,
     )
@@ -1615,7 +1615,7 @@ def app_register_url(app, domain, path):
     # the tile using the permission helpers.
     permission_url(app + ".main", url="/", sync_perm=False)
     user_permission_update(app + ".main", show_tile=True, sync_perm=False)
-    permission_sync_to_user()
+    _sync_permissions_with_ldap()
 
 
 def app_ssowatconf():

diff --git a/src/backup.py b/src/backup.py
@@ -968,9 +968,9 @@ def clean(self):
         End a restore operations by cleaning the working directory and
         regenerate ssowat conf (if some apps were restored)
         """
-        from .permission import permission_sync_to_user
+        from .permission import _sync_permissions_with_ldap
 
-        permission_sync_to_user()
+        _sync_permissions_with_ldap()
 
         if os.path.ismount(self.work_dir):
             ret = subprocess.call(["umount", self.work_dir])
@@ -1224,7 +1224,7 @@ def _restore_system(self):
         from yunohost.permission import (
             permission_create,
             permission_delete,
-            permission_sync_to_user,
+            _sync_permissions_with_ldap,
             user_permission_list,
         )
 
@@ -1310,7 +1310,7 @@ def _restore_system(self):
                     sync_perm=False,
                 )
 
-        permission_sync_to_user()
+        _sync_permissions_with_ldap()
 
     def _restore_apps(self):
         """Restore all apps targeted"""
@@ -1342,7 +1342,7 @@ def _restore_app(self, app_instance_name):
         app_instance_name -- (string) The app name to restore (no app with this
                              name should be already install)
         """
-        from yunohost.permission import permission_create, permission_sync_to_user
+        from yunohost.permission import permission_create, _sync_permissions_with_ldap
         from yunohost.user import user_group_list
         from yunohost.utils.legacy import _patch_legacy_helpers
 
@@ -1435,7 +1435,7 @@ def copytree(src, dst, symlinks=False, ignore=None):
                     sync_perm=False,
                 )
 
-            permission_sync_to_user()
+            _sync_permissions_with_ldap()
 
             os.remove(f"{app_settings_new_path}/permissions.yml")
 

diff --git a/src/migrations/0028_delete_legacy_xmpp_permission.py b/src/migrations/0028_delete_legacy_xmpp_permission.py
@@ -41,12 +41,13 @@ class MyMigration(Migration):
 
     @Migration.ldap_migration
     def run(self, *args):
-        from yunohost.permission import permission_delete, user_permission_list
+        #from yunohost.permission import permission_delete, user_permission_list
 
         self.ldap_migration_started = True
 
-        if "xmpp.main" in user_permission_list()["permissions"]:
-            permission_delete("xmpp.main", force=True)
+        # FIXME : xmpp will be implicitly deleted after perm refactor ?
+        #if "xmpp.main" in user_permission_list()["permissions"]:
+        #    permission_delete("xmpp.main", force=True)
 
     def run_after_system_restore(self):
         self.run()
diff --git a/...igrations/0032_rework_permission_infos.py → ...igrations/0033_rework_permission_infos.py b/...igrations/0032_rework_permission_infos.py → ...igrations/0033_rework_permission_infos.py
@@ -2,7 +2,7 @@
 
 from yunohost.tools import Migration
 from yunohost.regenconf import regen_conf
-from yunohost.permission import permission_sync_to_user
+from yunohost.permission import _sync_permissions_with_ldap
 from yunohost.app import app_setting
 
 logger = getLogger("yunohost.migration")
@@ -30,7 +30,7 @@ def run(self, *args):
         for app, permissions in permissions_per_app.items():
             app_setting(app, "_permissions", permissions)
 
-        permission_sync_to_user()
+        _sync_permissions_with_ldap()
 
     def run_after_system_restore(self):
         self.run()