From 19884bad97646dd318f3bf781e1bbf509ec65ac2 Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Wed, 1 Mar 2023 19:40:29 +0100 Subject: [PATCH 01/12] enh migrate from 'sql query' to 'cli tool' --- conf/plugin_authldap_single.json | 10 ++++++++++ scripts/install | 15 ++++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 conf/plugin_authldap_single.json diff --git a/conf/plugin_authldap_single.json b/conf/plugin_authldap_single.json new file mode 100644 index 0000000..58da926 --- /dev/null +++ b/conf/plugin_authldap_single.json @@ -0,0 +1,10 @@ +{ + "Enabled": "1", + "URI": "ldap://localhost/ou=users,dc=yunohost,dc=org", + "Filter": "(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s))(permission=cn=wordpress.admin,ou=permission,dc=yunohost,dc=org))", + "NameAttr": "givenName", + "SecName": "sn", + "UidAttr": "uid", + "MailAttr": "mail", + "DefaultRole": "subscriber" +} \ No newline at end of file diff --git a/scripts/install b/scripts/install index 12f3567..e29cac0 100644 --- a/scripts/install +++ b/scripts/install 
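Review bot: The new `Filter` hardcodes `cn=wordpress.admin`, whereas the SQL it replaces substituted `__APP__.admin` with `$app` (visible in the `conf/sql/*.sql` lines deleted later in this series), so an instance installed under any other app id would match no admin permission and nobody could log in as administrator. Keeping the placeholder, `(permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org)`, and running `ynh_replace_string --match_string="__APP__" --replace_string="$app"` on the file before the `option update` preserves the old behaviour. The `%1$s` in the filter is the login value typed by the user; it is worth confirming that the authLDAP plugin escapes it before substitution, since this file cannot. The file also ends without a trailing newline.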
@@ -225,12 +225,12 @@ then ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql plugin_network="--network" else - db_prefix="wp_" - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql + #db_prefix="wp_" + #ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql + #ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql + #ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql + #ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql plugin_network="" fi @@ -240,6 +240,11 @@ fi ynh_script_progression --message="Activating plugins..." --weight=4 $wpcli_alias plugin activate authldap $plugin_network +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json +# to display the list of all the possibles options, from your server: +# $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq + + # Do not activate http-authentication, this plugin is sometimes unstable $wpcli_alias plugin activate companion-auto-update $plugin_network $wpcli_alias plugin activate wp-fail2ban-redux $plugin_network From 2f4dbd6eec44353b0bd8728fadc119fde43a31d0 Mon Sep 17 00:00:00 2001 
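Review bot: The single-site branch keeps the old `db_prefix`/`ynh_replace_string`/`ynh_mysql_connect_as` lines as commented-out code instead of deleting them, while the multisite branch above still runs its SQL path, so the two branches now look alike but behave differently and the `#` block documents nothing. Delete the five commented lines and leave only `plugin_network=""`; git history already keeps the old query. The enclosing `if`/`else` opens before this hunk.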
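Review bot: The new `option update` line reads `../conf/plugin_authldap.json`, but the file this patch adds is `conf/plugin_authldap_single.json`, so the redirect fails on a fresh install; the line should be `$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json`. The example in the comment also hardcodes `php8.0` and `/var/www/wordpress` while the script derives both from `$phpversion` and `$final_path`, so it will go stale; `# $ $wpcli_alias option get authLDAPOptions --format=json | jq` stays accurate and uses the same `--format=json` form the script itself relies on. The two empty `+` lines after the comment add nothing.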
From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Wed, 1 Mar 2023 19:48:31 +0100 Subject: [PATCH 02/12] typo --- scripts/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index e29cac0..a480b2b 100644 --- a/scripts/install +++ b/scripts/install @@ -240,7 +240,7 @@ fi ynh_script_progression --message="Activating plugins..." --weight=4 $wpcli_alias plugin activate authldap $plugin_network -$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json # to display the list of all the possibles options, from your server: # $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq From 5a27b787b2ad225bf562c61fde7819f9ffc0361e Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Thu, 2 Mar 2023 00:27:47 +0100 Subject: [PATCH 03/12] enh use ldap permission from yunohost instead of wordpress --- conf/plugin_authldap_single.json | 18 +++++++++++++++--- scripts/install | 27 ++++++++++++++++++++++++++- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/conf/plugin_authldap_single.json b/conf/plugin_authldap_single.json index 58da926..f92d6da 100644 --- a/conf/plugin_authldap_single.json +++ b/conf/plugin_authldap_single.json 
@@ -1,10 +1,22 @@
 {
 "Enabled": "1",
 "URI": "ldap://localhost/ou=users,dc=yunohost,dc=org",
- "Filter": "(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s))(permission=cn=wordpress.admin,ou=permission,dc=yunohost,dc=org))",
+ "Filter": "(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s)))",
 "NameAttr": "givenName",
 "SecName": "sn",
 "UidAttr": "uid",
 "MailAttr": "mail",
- "DefaultRole": "subscriber"
-}
\ No newline at end of file
+ "Groups": {
+ "administrator": "__APP__.admin",
+ "editor": "",
+ "author": "",
+ "contributor": "",
+ "subscriber": "__APP__.main"
+ },
+ "GroupAttr": "cn",
+ "GroupFilter": "(&(objectClass=posixGroup)(memberUid=%s))",
+ "GroupEnable": "1",
+ "GroupOverUser": "1",
+ "Version": 1,
+ "GroupBase": "ou=permission,dc=yunohost,dc=org"
+}
diff --git a/scripts/install b/scripts/install
index a480b2b..9e43560 100644
--- a/scripts/install
+++ b/scripts/install
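Review bot: `GroupEnable` and `GroupOverUser` are written as the strings `"1"` while the serialized option this file replaces stored those flags as PHP booleans (`b:0` in `conf/sql/single.sql`, deleted later in this series) and `Version` is kept numeric, so the stored type of the same keys now differs between old and new installs; PHP truthiness probably hides it, but `true`/`false` would match the plugin's own storage and should be checked against what authLDAP reads back. The new `Filter` no longer limits binds to members of the admin permission, so every `posixAccount` can authenticate and the `Groups` mapping plus the `DefaultRole` set by the install script become the only thing deciding what a user gets; since JSON cannot carry a comment, the install script should say so beside its `option update` line. `GroupOverUser: "1"` presumably lets the LDAP mapping overwrite a role changed inside WordPress, which would answer the "not sure about which has priority" FIXME in the DISCLAIMER once confirmed.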
@@ -240,9 +240,30 @@ fi ynh_script_progression --message="Activating plugins..." --weight=4 $wpcli_alias plugin activate authldap $plugin_network +# configure the plugin from a json config file +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap_single.json $wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json -# to display the list of all the possibles options, from your server: + +# Set "default user role" as 'subscriber' if no LDAP group found. (Same settings as previous "permission managment" system) +# Setting not included in the "upgrade script" if the setting has been manually changed by an admin in the app. So it is not overwritten by a package upgrade +# TODO: could be asked while installing the package the default setting +$wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber" +# To display the list of all the possibles options for this plugin, from your server, enter: # $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq +# ^ you might need to download it from the projet + + +#$wpcli_alias option pluck authLDAPOptions DefaultRole --format=json | jq --raw-output +#is_empty=$($wpcli_alias option pluck authLDAPOptions DefaultRole --format=json | jq --raw-output) +#if [[ -z "$is_empty" ]]; then +# # $var is empty, do what you want +# $wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber" +#else +# $wpcli_alias option patch update authLDAPOptions DefaultRole "subscriber" +#fi + + + # Do not activate http-authentication, this plugin is sometimes unstable 
@@ -301,7 +322,11 @@ then fi # Only the admin can access the admin panel of the app +# - "admin" has full rights in the app +# - "main" can login and do almost nothing +# See https://wordpress.org/documentation/article/roles-and-capabilities/ ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress +ynh_permission_update --permission="main" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=all_users #================================================= # RELOAD NGINX From d7eb3017f4486b3ea3715ef45d2425113c45e3f5 Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Thu, 2 Mar 2023 21:42:24 +0100 Subject: [PATCH 04/12] fix perm again --- scripts/install | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 9e43560..9ce1a72 100644 --- a/scripts/install +++ b/scripts/install @@ -325,8 +325,10 @@ fi # - "admin" has full rights in the app # - "main" can login and do almost nothing # See https://wordpress.org/documentation/article/roles-and-capabilities/ -ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress -ynh_permission_update --permission="main" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=all_users +ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --label="$app - admin" +# Add "label" for user panel +#ynh_permission_update --permission="main" --label="$app - subscriber" + #================================================= # RELOAD NGINX From 64f3f05d96824be3c33946aad46ea481dc0876b4 Mon Sep 17 00:00:00 2001 
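Review bot: `ynh_permission_update --permission="main" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=all_users` rewrites the app's main permission: its URL becomes the login page instead of the site root, and `--allowed=all_users` (which, as far as I recall, sets the allowed list rather than appending to it) would drop the `visitors` entry the script adds to `main` in public mode, visible as context in a later hunk of this series. If the goal is only to give every user the default role, `main` needs no change: the `__APP__.main` entry in the JSON `Groups` mapping already does that. The enclosing block continues past this hunk.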
From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Thu, 2 Mar 2023 23:14:38 +0100 Subject: [PATCH 05/12] add tile in user portal for admin permission --- scripts/install | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 9ce1a72..a934357 100644 --- a/scripts/install +++ b/scripts/install @@ -325,7 +325,8 @@ fi # - "admin" has full rights in the app # - "main" can login and do almost nothing # See https://wordpress.org/documentation/article/roles-and-capabilities/ -ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --label="$app - admin" +ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true +#ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --label="$app - admin" --show_tile=true # Add "label" for user panel #ynh_permission_update --permission="main" --label="$app - subscriber" From 01de87030461a429ac94c167feb2e7fb944688fd Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Wed, 15 Mar 2023 20:26:02 +0100 Subject: [PATCH 06/12] add documentation --- scripts/install | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/scripts/install b/scripts/install index a934357..f85aa49 100644 --- a/scripts/install +++ b/scripts/install 
@@ -183,6 +183,9 @@ done #================================================= ynh_script_progression --message="Installing WordPress plugins..." --weight=20 +# documentation for tool "wp-cli" +# install: https://make.wordpress.org/cli/handbook/guides/installing/ +# use: https://developer.wordpress.org/cli/commands/option/ ynh_exec_warn_less wget --no-verbose https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar --output-document=$final_path/wp-cli.phar wpcli_alias="php$phpversion $final_path/wp-cli.phar --allow-root --path=$final_path" 
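Review bot: The new comment explains where wp-cli comes from but not that the `wget` it sits above fetches the current `wp-cli.phar` from the `gh-pages` branch unpinned and without checksum verification, so each install executes whatever that branch serves at that moment, as root via `--allow-root`. Pin a release and verify it: wp-cli publishes a `.sha512` beside each release phar, so download the versioned phar and its `.sha512` and run `sha512sum -c` before the first use, or at least store the expected hash in the package (a placeholder such as `EXPECTED_SHA512=<fill-in>` until it is recorded) and compare. If staying unpinned is deliberate, say so in the comment so maintainers read it as a supply-chain decision rather than an oversight.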
@@ -243,28 +246,18 @@ $wpcli_alias plugin activate authldap $plugin_network # configure the plugin from a json config file ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap_single.json $wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json - -# Set "default user role" as 'subscriber' if no LDAP group found. (Same settings as previous "permission managment" system) -# Setting not included in the "upgrade script" if the setting has been manually changed by an admin in the app. So it is not overwritten by a package upgrade -# TODO: could be asked while installing the package the default setting -$wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber" # To display the list of all the possibles options for this plugin, from your server, enter: # $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq # ^ you might need to download it from the projet -#$wpcli_alias option pluck authLDAPOptions DefaultRole --format=json | jq --raw-output -#is_empty=$($wpcli_alias option pluck authLDAPOptions DefaultRole --format=json | jq --raw-output) -#if [[ -z "$is_empty" ]]; then -# # $var is empty, do what you want -# $wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber" -#else -# $wpcli_alias option patch update authLDAPOptions DefaultRole "subscriber" -#fi - - - - +# Set "default user role" as 'subscriber' if no permision (aka LDAP group) found for the user. (Same settings as previous "permission managment" system. So it should no break stuff...) +# +# This setting is not included in the "plugin_authldap_single.json script" so the json file can be used for "install" and "upgrade" +# - Install => Set "default user role" choosen by the packager +# - Upgrade => Do not modify the default setting as the Wordpress administrator could have changed the defaut role for its use case. 
+# TODO: could be asked to the admin while installing the app and set it up here somehow? +$wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber" # Do not activate http-authentication, this plugin is sometimes unstable $wpcli_alias plugin activate companion-auto-update $plugin_network @@ -326,7 +319,6 @@ fi # - "main" can login and do almost nothing # See https://wordpress.org/documentation/article/roles-and-capabilities/ ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true -#ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --label="$app - admin" --show_tile=true # Add "label" for user panel #ynh_permission_update --permission="main" --label="$app - subscriber" From 2c0cff6f6481df2c98566d96988ca2bf3bc3332f Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Wed, 15 Mar 2023 22:06:20 +0100 Subject: [PATCH 07/12] edit user documentation --- doc/DISCLAIMER.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 5e65adb..646993a 100644 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md 
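Review bot: The new comment says `DefaultRole` is kept out of the JSON so the upgrade can reuse the file "without modifying the default setting", but `wp option update --format=json` replaces the whole `authLDAPOptions` value rather than merging into it (`option patch` is the merging form), so an upgrade that runs that line removes the `DefaultRole` inserted here along with any key the administrator changed; the upgrade side lives in the `scripts/upgrade` hunks of patches 08, 09 and 10 below, which share this issue. Either keep `DefaultRole` in the JSON and drop the `patch insert`, or read it back before the update and restore it after, e.g. `default_role=$($wpcli_alias option pluck authLDAPOptions DefaultRole 2>/dev/null || echo subscriber)` before `option update` and `$wpcli_alias option patch insert authLDAPOptions DefaultRole "$default_role"` after it. As far as I recall `option patch insert` errors when the key already exists, which is harmless right after a full `update` but would break if this block is ever re-run on a populated option; `option patch update` does not have that constraint.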
@@ -4,15 +4,21 @@ Use the admin panel of your WordPress to configure this app. ## YunoHost specific features - * Integration with YunoHost users and SSO: - * private mode: Blog only accessible by YunoHost users - * public mode: Visible by anyone, YunoHost users automatically connected - * Automatic update of wordpress core, plugins and themes. - * Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance. +* Integration with SSO does not work (automatic login of the user if previously logged on the YunoHost web portal) + * private mode: Blog only accessible by YunoHost users + * public mode: Visible by anyone +* Allow one user to be the administrator (set at the installation) +* Integration with [YunoHost permission](https://yunohost.org/groups_and_permissions): + * Users rights should be managed from the "Managing groups" to give these rights: + * `admin`: has full rights + * `main`: can access with the "default right" (is `subscriber` right now for the package) + * Complete list: https://wordpress.org/documentation/article/roles-and-capabilities/#summary-of-roles +* ~~Automatic update of wordpress core, plugins and themes.~~ +* Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance. #### Multi-users support -Supported, with LDAP and SSO. +Supported, with LDAP ~~and SSO~~. ## Limitations From af61c43d73a448b85ebeae90d9fe3122b675d9cc Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Wed, 15 Mar 2023 22:10:56 +0100 Subject: [PATCH 08/12] edit upgrade script too --- scripts/upgrade | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index a0499ee..d26684c 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -281,6 +281,9 @@ update_plugin () { } update_plugin authldap $wpcli_alias plugin activate authldap $plugin_network +# re-apply the default LDAP configuration, hoping that admininstrator did not change these settings. +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json + update_plugin companion-auto-update $wpcli_alias plugin activate companion-auto-update $plugin_network From b09f447bf4adf5a6d884f90944ee32345ec37856 Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Sat, 25 Mar 2023 18:36:07 +0100 Subject: [PATCH 09/12] edit upgrade script too : title in webui and json conf file --- scripts/upgrade | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index d26684c..b7fd401 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -179,7 +179,11 @@ fi if ! ynh_permission_exists --permission="admin"; then # Create the required permissions - ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress + ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true +else + # Add "label" for user panel + ynh_permission_update --permission="admin" --show_tile=true +fi fi #================================================= 
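Review bot: The `else` branch's comment `# Add "label" for user panel` does not describe `ynh_permission_update --permission="admin" --show_tile=true`, which only turns on the portal tile and sets no label. Replace it with `# Existing install: show the admin tile in the user portal (no label is set)`. The outer `if … then` opens before this hunk.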
@@ -282,7 +286,8 @@ update_plugin () { update_plugin authldap $wpcli_alias plugin activate authldap $plugin_network # re-apply the default LDAP configuration, hoping that admininstrator did not change these settings. -$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap_single.json +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json update_plugin companion-auto-update $wpcli_alias plugin activate companion-auto-update $plugin_network From 8776676aab31d07044b51868c2460eceebb5d907 Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Sat, 25 Mar 2023 18:45:17 +0100 Subject: [PATCH 10/12] clean and add doc for auth ldap conf file --- ...hldap_single.json => plugin_authldap.json} | 0 conf/sql/multisite.sql | 1 - conf/sql/single.sql | 1 - scripts/install | 21 ++++++------------- scripts/upgrade | 16 ++------------ 5 files changed, 8 insertions(+), 31 deletions(-) rename conf/{plugin_authldap_single.json => plugin_authldap.json} (100%) delete mode 100644 conf/sql/multisite.sql delete mode 100644 conf/sql/single.sql diff --git a/conf/plugin_authldap_single.json b/conf/plugin_authldap.json similarity index 100% rename from conf/plugin_authldap_single.json rename to conf/plugin_authldap.json diff --git a/conf/sql/multisite.sql b/conf/sql/multisite.sql deleted file mode 100644 index 0968968..0000000 --- a/conf/sql/multisite.sql +++ /dev/null 
@@ -1 +0,0 @@ -REPLACE INTO __DB_PREFIX__sitemeta VALUES(NULL,1,'authLDAPOptions','a:22:{s:7:"Enabled";s:1:"1";s:7:"CachePW";b:0;s:3:"URI";s:44:"ldap://localhost/ou=users,dc=yunohost,dc=org";s:12:"URISeparator";s:1:" ";s:6:"Filter";s:__LENGTH__:"(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s))(permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org))";s:8:"NameAttr";s:9:"givenName";s:7:"SecName";s:2:"sn";s:7:"UidAttr";s:3:"uid";s:8:"MailAttr";s:4:"mail";s:7:"WebAttr";s:0:"";s:6:"Groups";a:5:{s:13:"administrator";s:0:"";s:6:"editor";s:0:"";s:6:"author";s:0:"";s:11:"contributor";s:0:"";s:10:"subscriber";s:0:"";}s:5:"Debug";b:0;s:9:"GroupAttr";s:0:"";s:11:"GroupFilter";s:0:"";s:11:"DefaultRole";s:10:"subscriber";s:11:"GroupEnable";b:0;s:13:"GroupOverUser";b:0;s:7:"Version";i:1;s:26:"DoNotOverwriteNonLdapUsers";b:0;s:8:"StartTLS";b:0;s:14:"GroupSeparator";s:0:"";s:9:"GroupBase";s:0:"";}'); diff --git a/conf/sql/single.sql b/conf/sql/single.sql deleted file mode 100644 index 3d9887d..0000000 --- a/conf/sql/single.sql +++ /dev/null @@ -1 +0,0 @@ -REPLACE INTO __DB_PREFIX__options VALUES(NULL,'authLDAPOptions','a:22:{s:7:"Enabled";s:1:"1";s:7:"CachePW";b:0;s:3:"URI";s:44:"ldap://localhost/ou=users,dc=yunohost,dc=org";s:12:"URISeparator";s:1:" ";s:6:"Filter";s:__LENGTH__:"(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s))(permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org))";s:8:"NameAttr";s:9:"givenName";s:7:"SecName";s:2:"sn";s:7:"UidAttr";s:3:"uid";s:8:"MailAttr";s:4:"mail";s:7:"WebAttr";s:0:"";s:6:"Groups";a:5:{s:13:"administrator";s:0:"";s:6:"editor";s:0:"";s:6:"author";s:0:"";s:11:"contributor";s:0:"";s:10:"subscriber";s:0:"";}s:5:"Debug";b:0;s:9:"GroupAttr";s:0:"";s:11:"GroupFilter";s:0:"";s:11:"DefaultRole";s:10:"subscriber";s:11:"GroupEnable";b:0;s:13:"GroupOverUser";b:0;s:7:"Version";i:1;s:26:"DoNotOverwriteNonLdapUsers";b:0;s:8:"StartTLS";b:0;s:14:"GroupSeparator";s:0:"";s:9:"GroupBase";s:0:"";}','yes'); 
diff --git a/scripts/install b/scripts/install index f85aa49..6d73f00 100644 --- a/scripts/install +++ b/scripts/install @@ -220,20 +220,8 @@ then # Activate multisite in wordpress config ynh_replace_string --match_string="//--MULTISITE2--define" --replace_string="define" --target_file=$final_path/wp-config.php - db_prefix="wp_" - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/multisite.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql plugin_network="--network" else - #db_prefix="wp_" - #ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql - #ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql - #ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql - - #ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql plugin_network="" fi 
@@ -244,16 +232,19 @@ ynh_script_progression --message="Activating plugins..." --weight=4 $wpcli_alias plugin activate authldap $plugin_network # configure the plugin from a json config file -ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap_single.json -$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json # To display the list of all the possibles options for this plugin, from your server, enter: # $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq # ^ you might need to download it from the projet +# Sources for writing the json file and permission management +# - https://moulinette.readthedocs.io/en/latest/ldap.html +# - https://github.com/YunoHost-Apps/nextcloud_ynh/blob/master/conf/config.json # Set "default user role" as 'subscriber' if no permision (aka LDAP group) found for the user. (Same settings as previous "permission managment" system. So it should no break stuff...) # -# This setting is not included in the "plugin_authldap_single.json script" so the json file can be used for "install" and "upgrade" +# This setting is not included in the "plugin_authldap.json script" so the json file can be used for "install" and "upgrade" # - Install => Set "default user role" choosen by the packager # - Upgrade => Do not modify the default setting as the Wordpress administrator could have changed the defaut role for its use case. # TODO: could be asked to the admin while installing the app and set it up here somehow? diff --git a/scripts/upgrade b/scripts/upgrade index b7fd401..f5e509b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -250,21 +250,9 @@ then db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed "s/.*'\(.*\)'.*/\1/" ) - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/multisite.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/multisite.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql plugin_network="--network" else multisite=0 - db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed "s/.*'\(.*\)'.*/\1/" ) - - ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql - ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql - - ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql plugin_network="" if ynh_permission_has_user --permission="main" --user="visitor" then 
@@ -286,8 +274,8 @@ update_plugin () { update_plugin authldap $wpcli_alias plugin activate authldap $plugin_network # re-apply the default LDAP configuration, hoping that admininstrator did not change these settings. -ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap_single.json -$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap_single.json +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json +$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json update_plugin companion-auto-update $wpcli_alias plugin activate companion-auto-update $plugin_network From 4304cd51d362f1515139b05b41e8afe95007f5cc Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Sat, 25 Mar 2023 20:16:12 +0100 Subject: [PATCH 11/12] Add "editor" permission so YNH admin can delegate power over the "editorial content" of wordpress to a bunch of selected users/groups --- doc/DISCLAIMER.md | 13 ++++++++----- scripts/install | 7 +++---- scripts/upgrade | 5 +++++ 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 646993a..36c672b 100644 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md 
@@ -5,14 +5,17 @@ Use the admin panel of your WordPress to configure this app. ## YunoHost specific features * Integration with SSO does not work (automatic login of the user if previously logged on the YunoHost web portal) - * private mode: Blog only accessible by YunoHost users - * public mode: Visible by anyone + * **private mode:** Blog only accessible by YunoHost users + * **public mode:** Visible by anyone * Allow one user to be the administrator (set at the installation) * Integration with [YunoHost permission](https://yunohost.org/groups_and_permissions): - * Users rights should be managed from the "Managing groups" to give these rights: - * `admin`: has full rights + * Users rights should be managed from the [Managing groups](https://yunohost.org/en/groups_and_permissions) to give these rights: + * `admin`: can do everything, has "super powers" + * `editor`: can edit all the posts and pages but cannot edit the Worpdress configuration (plugins, user rights, etc) * `main`: can access with the "default right" (is `subscriber` right now for the package) - * Complete list: https://wordpress.org/documentation/article/roles-and-capabilities/#summary-of-roles + * Complete list: https://wordpress.org/documentation/article/roles-and-capabilities/#summary-of-roles + * ⚠️ Permissions defined in YunoHost take precedence over those setted in Wordpress ⚠️ + * FIXME: not sure about which has priority, need testing * ~~Automatic update of wordpress core, plugins and themes.~~ * Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance. diff --git a/scripts/install b/scripts/install index 6d73f00..513d04a 100644 --- a/scripts/install +++ b/scripts/install 
@@ -305,14 +305,13 @@ then ynh_permission_update --permission="main" --add="visitors" fi -# Only the admin can access the admin panel of the app +# Only these "permissions or groups" can access the admin panel of Wordpress to manage it # - "admin" has full rights in the app +# - "editor" can edit all the posts and pages # - "main" can login and do almost nothing # See https://wordpress.org/documentation/article/roles-and-capabilities/ ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true -# Add "label" for user panel -#ynh_permission_update --permission="main" --label="$app - subscriber" - +ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true #================================================= # RELOAD NGINX diff --git a/scripts/upgrade b/scripts/upgrade index f5e509b..9d61983 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -184,6 +184,11 @@ else # Add "label" for user panel ynh_permission_update --permission="admin" --show_tile=true fi + +# If missing, create "editor permission" +if ! ynh_permission_exists --permission="editor"; then + ynh_script_progression --message="Creating the missing 'editor permission'..." + ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true fi #================================================= From cdb0f9445b70724f1912a8339c647d89ef4a0e6d Mon Sep 17 00:00:00 2001 From: Gofannon <17145502+Gofannon@users.noreply.github.com> Date: Tue, 28 Mar 2023 23:20:46 +0200 Subject: [PATCH 12/12] fix missing "editor perm" in conf file --- conf/plugin_authldap.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/plugin_authldap.json b/conf/plugin_authldap.json index f92d6da..558da7f 100644 --- a/conf/plugin_authldap.json +++ b/conf/plugin_authldap.json 
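Review bot: `ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true` passes no `--allowed`, so the permission starts empty and the `__APP__.editor` group maps to nobody until an administrator assigns users; deny-by-default is the right choice, but the comment block above only describes what `editor` can do, not that it has to be granted by hand, and the same applies to the `scripts/upgrade` hunk in this patch. Add `# Nobody is allowed by default; grant it from the YunoHost groups panel` above the call. Note that at this commit the JSON still has `"editor": ""`, so the permission exists but grants no WordPress role until the mapping added in patch 12.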
@@ -8,7 +8,7 @@
 "MailAttr": "mail",
 "Groups": {
 "administrator": "__APP__.admin",
- "editor": "",
+ "editor": "__APP__.editor",
 "author": "",
 "contributor": "",
 "subscriber": "__APP__.main"