Misc fixes @_@³

YunoHost · Dec 1, 2024 · 85e679b · 85e679b
1 parent 15479c5
commit 85e679b
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 66 deletions.
diff --git a/src/migrations/0032_rework_permission_infos.py b/src/migrations/0032_rework_permission_infos.py
@@ -22,7 +22,7 @@ class MyMigration(Migration):
     @Migration.ldap_migration
     def run(self, *args):
 
-        regen_conf(["slapd"])
+        regen_conf(["slapd"], force=True)
 
         self.ldap_migration_started = True
 

diff --git a/src/permission.py b/src/permission.py
@@ -266,12 +266,16 @@ def user_permission_update(
     # Commit the new allowed group list
     operation_logger.start()
 
-    new_permission = _update_ldap_group_permission(
+    _update_app_permission_setting(
         permission=permission,
-        allowed=new_allowed_groups,
         label=label,
         show_tile=show_tile,
         protected=protected,
+    )
+
+    new_permission = _update_ldap_group_permission(
+        permission=permission,
+        allowed=new_allowed_groups,
         sync_perm=sync_perm,
     )
 
@@ -385,6 +389,7 @@ def permission_create(
 
     from yunohost.utils.ldap import _get_ldap_interface
     from yunohost.user import user_group_list
+    from yunohost.app import _is_installed
 
     ldap = _get_ldap_interface()
 
@@ -433,19 +438,24 @@ def permission_create(
         )
 
     try:
-        permission_url(
-            permission,
-            url=url,
-            add_url=additional_urls,
-            auth_header=auth_header,
-            sync_perm=False,
-        )
+        if _is_installed(app):
+            permission_url(
+                permission,
+                url=url,
+                add_url=additional_urls,
+                auth_header=auth_header,
+                sync_perm=False,
+            )
+
+            _update_app_permission_setting(
+                permission=permission,
+                show_tile=show_tile,
+                protected=protected,
+            )
 
         new_permission = _update_ldap_group_permission(
             permission=permission,
             allowed=allowed,
-            show_tile=show_tile,
-            protected=protected,
             sync_perm=sync_perm,
         )
 
@@ -680,63 +690,31 @@ def permission_sync_to_user():
     os.system("nscd --invalidate=group")
 
 
-def _update_ldap_group_permission(
-    permission, allowed, label=None, show_tile=None, protected=None, sync_perm=True
-):
+def _update_app_permission_setting(permission, label=None, show_tile=None, protected=None):
     """
-    Internal function that will rewrite user permission
-
-    permission      -- Name of the permission (e.g. mail or nextcloud or wordpress.editors)
-    allowed         -- (optional) A list of group/user to allow for the permission
     label           -- (optional) Define a name for the permission. This label will be shown on the SSO and in the admin
     show_tile       -- (optional) Define if a tile will be shown in the SSO
     protected       -- (optional) Define if the permission can be added/removed to the visitor group
-
-
-    Assumptions made, that should be checked before calling this function:
-    - the permission does currently exists ...
-    - the 'allowed' list argument is *different* from the current
-      permission state ... otherwise ldap will miserably fail in such
-      case...
-    - the 'allowed' list contains *existing* groups.
     """
 
     from yunohost.app import app_setting
-    from yunohost.hook import hook_callback
-    from yunohost.utils.ldap import _get_ldap_interface
-
-    ldap = _get_ldap_interface()
 
     app, sub_permission = permission.split(".")
-    existing_permission = user_permission_info(permission)
-
-    update_ldap = {}
     update_settings = {}
 
-    if allowed is not None:
-        allowed = [allowed] if not isinstance(allowed, list) else allowed
-        # Guarantee uniqueness of values in allowed, which would otherwise make ldap.update angry.
-        allowed = set(allowed)
-        update_ldap["groupPermission"] = [
-            "cn=" + g + ",ou=groups,dc=yunohost,dc=org" for g in allowed
-        ]
+    if app in SYSTEM_PERMS:
+        logger.warning(f"Can't change label / show_tile / protected for system permission {permission}")
+        return
 
     if label is not None:
-        if app in SYSTEM_PERMS:
-            logger.warning(f"Can't change 'label' for system permission {permission}")
-        else:
-            update_settings["label"] = str(label)
+        update_settings["label"] = str(label)
 
     if protected is not None:
-        if app in SYSTEM_PERMS:
-            logger.warning(f"Can't change 'protected' for system permission {permission}")
-        else:
-            update_settings["protected"] = protected
+        update_settings["protected"] = protected
 
     if show_tile is not None:
-        if app in SYSTEM_PERMS:
-            logger.warning(f"Can't change 'show_tile' for system permission {permission}")
-        elif show_tile is True:
+        existing_permission = user_permission_info(permission)
+        if show_tile is True:
             if not existing_permission["url"]:
                 logger.warning(
                     m18n.n(
@@ -751,23 +729,53 @@ def _update_ldap_group_permission(
                 )
                 update_settings["show_tile"] = False
 
-    if app not in SYSTEM_PERMS:
+    if "label" in update_settings and sub_permission == "main":
+        label = update_settings.pop("label")
+        app_setting(app, "label", label)
 
-        if "label" in update_settings and sub_permission == "main":
-            label = update_settings.pop("label")
-            app_setting(app, "label", label)
+    perm_settings = app_setting(app, "_permissions") or {}
+    if sub_permission not in perm_settings:
+        perm_settings[sub_permission] = {}
+    perm_settings[sub_permission].update(update_settings)
+    app_setting(app, "_permissions", perm_settings)
 
-        perm_settings = app_setting(app, "_permissions") or {}
-        if sub_permission not in perm_settings:
-            perm_settings[sub_permission] = {}
-        perm_settings[sub_permission].update(update_settings)
-        app_setting(app, "_permissions", perm_settings)
 
-    if update_ldap:
-        try:
-            ldap.update(f"cn={permission},ou=permission", update_ldap)
-        except Exception as e:
-            raise YunohostError("permission_update_failed", permission=permission, error=e)
+def _update_ldap_group_permission(permission, allowed, sync_perm=True):
+    """
+    Internal function that will rewrite user permission
+
+    permission      -- Name of the permission (e.g. mail or nextcloud or wordpress.editors)
+    allowed         -- (optional) A list of group/user to allow for the permission
+
+    Assumptions made, that should be checked before calling this function:
+    - the permission does currently exists ...
+    - the 'allowed' list argument is *different* from the current
+      permission state ... otherwise ldap will miserably fail in such
+      case...
+    - the 'allowed' list contains *existing* groups.
+    """
+
+    from yunohost.hook import hook_callback
+    from yunohost.utils.ldap import _get_ldap_interface
+
+    ldap = _get_ldap_interface()
+    app, sub_permission = permission.split(".")
+    update_ldap = {}
+
+    existing_permission = user_permission_info(permission)
+
+    assert isinstance(allowed, list) or isinstance(allowed, str)
+    allowed = [allowed] if not isinstance(allowed, list) else allowed
+    # Guarantee uniqueness of values in allowed, which would otherwise make ldap.update angry.
+    allowed = set(allowed)
+    update_ldap["groupPermission"] = [
+        "cn=" + g + ",ou=groups,dc=yunohost,dc=org" for g in allowed
+    ]
+
+    try:
+        ldap.update(f"cn={permission},ou=permission", update_ldap)
+    except Exception as e:
+        raise YunohostError("permission_update_failed", permission=permission, error=e)
 
     # Trigger permission sync if asked