Permissions ldap

conf/plugin_authldap.json

@@ -0,0 +1,22 @@
+{
+    "Enabled": "1",
+    "URI": "ldap://localhost/ou=users,dc=yunohost,dc=org",
+    "Filter": "(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s)))",
+    "NameAttr": "givenName",
+    "SecName": "sn",
+    "UidAttr": "uid",
+    "MailAttr": "mail",
+    "Groups": {
+      "administrator": "__APP__.admin",
+      "editor": "__APP__.editor",
+      "author": "",
+      "contributor": "",
+      "subscriber": "__APP__.main"
+    },
+    "GroupAttr": "cn",
+    "GroupFilter": "(&(objectClass=posixGroup)(memberUid=%s))",
+    "GroupEnable": "1",
+    "GroupOverUser": "1",
+    "Version": 1,
+    "GroupBase": "ou=permission,dc=yunohost,dc=org"
+}

doc/DISCLAIMER.md

@@ -4,15 +4,24 @@ Use the admin panel of your WordPress to configure this app.
 
 ## YunoHost specific features
 
- * Integration with YunoHost users and SSO:
-   * private mode: Blog only accessible by YunoHost users
-   * public mode: Visible by anyone, YunoHost users automatically connected
- * Automatic update of wordpress core, plugins and themes.
- * Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance.
+* Integration with SSO does not work (automatic login of the user if previously logged on the YunoHost web portal)
+  * **private mode:** Blog only accessible by YunoHost users
+  * **public mode:** Visible by anyone
+* Allow one user to be the administrator (set at the installation)
+* Integration with [YunoHost permission](https://yunohost.org/groups_and_permissions):
+  * Users rights should be managed from the [Managing groups](https://yunohost.org/en/groups_and_permissions) to give these rights:
+    * `admin`: can do everything, has "super powers"
+    * `editor`: can edit all the posts and pages but cannot edit the Worpdress configuration (plugins, user rights, etc)
+    * `main`: can access with the "default right" (is `subscriber` right now for the package)
+  * Complete list: https://wordpress.org/documentation/article/roles-and-capabilities/#summary-of-roles
+  * ⚠️ Permissions defined in YunoHost take precedence over those setted in Wordpress ⚠️
+    * FIXME: not sure about which has priority, need testing
+* ~~Automatic update of wordpress core, plugins and themes.~~
+* Allow to set up a [multisite](https://codex.wordpress.org/Glossary#Multisite) instance.
 
 #### Multi-users support
 
-Supported, with LDAP and SSO.
+Supported, with LDAP ~~and SSO~~.
 
 ## Limitations
 

scripts/install

@@ -183,6 +183,9 @@ done
 #=================================================
 ynh_script_progression --message="Installing WordPress plugins..." --weight=20
 
+# documentation for tool "wp-cli"
+#   install: https://make.wordpress.org/cli/handbook/guides/installing/
+#   use: https://developer.wordpress.org/cli/commands/option/
 ynh_exec_warn_less wget --no-verbose https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar --output-document=$final_path/wp-cli.phar
 wpcli_alias="php$phpversion $final_path/wp-cli.phar --allow-root --path=$final_path"
 
@@ -217,20 +220,8 @@ then
 	# Activate multisite in wordpress config
 	ynh_replace_string --match_string="//--MULTISITE2--define" --replace_string="define" --target_file=$final_path/wp-config.php
 
-	db_prefix="wp_"
-	ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/multisite.sql
-	ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/multisite.sql
-	ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/multisite.sql
-
-	ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql
 	plugin_network="--network"
 else
-	db_prefix="wp_"
-	ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql
-	ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql
-	ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql
-
-	ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql
 	plugin_network=""
 fi
 
@@ -240,6 +231,25 @@ fi
 ynh_script_progression --message="Activating plugins..." --weight=4
 
 $wpcli_alias plugin activate authldap $plugin_network
+# configure the plugin from a json config file
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json
+$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json
+# To display the list of all the possibles options for this plugin, from your server, enter:
+#   $ php8.0 ./wp-cli.phar --path=/var/www/wordpress --allow-root option get authLDAPOptions --json | jq
+#              ^ you might need to download it from the projet
+
+# Sources for writing the json file and permission management
+# - https://moulinette.readthedocs.io/en/latest/ldap.html
+# - https://github.com/YunoHost-Apps/nextcloud_ynh/blob/master/conf/config.json
+
+# Set "default user role" as 'subscriber' if no permision (aka LDAP group) found for the user. (Same settings as previous "permission managment" system. So it should no break stuff...)
+#
+# This setting is not included in the "plugin_authldap.json script" so the json file can be used for "install" and "upgrade"
+# - Install => Set "default user role" choosen by the packager 
+# - Upgrade => Do not modify the default setting as the Wordpress administrator could have changed the defaut role for its use case.
+# TODO: could be asked to the admin while installing the app and set it up here somehow?
+$wpcli_alias option patch insert authLDAPOptions DefaultRole "subscriber"
+
 # Do not activate http-authentication, this plugin is sometimes unstable
 $wpcli_alias plugin activate companion-auto-update $plugin_network
 $wpcli_alias plugin activate wp-fail2ban-redux $plugin_network
@@ -295,8 +305,13 @@ then
 	ynh_permission_update --permission="main" --add="visitors"
 fi
 
-# Only the admin can access the admin panel of the app
-ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress
+# Only these "permissions or groups" can access the admin panel of Wordpress to manage it
+# - "admin" has full rights in the app
+# - "editor" can edit all the posts and pages
+# - "main" can login and do almost nothing
+# See https://wordpress.org/documentation/article/roles-and-capabilities/
+ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true
+ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true
 
 #=================================================
 # RELOAD NGINX

scripts/upgrade

@@ -179,7 +179,16 @@ fi
 
 if ! ynh_permission_exists --permission="admin"; then
 	# Create the required permissions
-	ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress
+	ynh_permission_create --permission="admin" --url="/wp-login.php" --additional_urls="/wp-admin.php" --allowed=$admin_wordpress --show_tile=true
+else
+	# Add "label" for user panel
+	ynh_permission_update --permission="admin" --show_tile=true
+fi
+
+# If missing, create "editor permission"
+if ! ynh_permission_exists --permission="editor"; then
+	ynh_script_progression --message="Creating the missing 'editor permission'..."
+	ynh_permission_create --permission="editor" --url="/wp-login.php" --additional_urls="/wp-admin.php" --show_tile=true
 fi
 
 #=================================================
@@ -246,21 +255,9 @@ then
 
 	db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed "s/.*'\(.*\)'.*/\1/" )
 
-	ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/multisite.sql
-	ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/multisite.sql
-	ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/multisite.sql
-
-	ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/multisite.sql
 	plugin_network="--network"
 else
 	multisite=0
-	db_prefix=$(grep '^$table_prefix' "$final_path/wp-config.php" | sed "s/.*'\(.*\)'.*/\1/" )
-
-	ynh_replace_string --match_string="__DB_PREFIX__" --replace_string="$db_prefix" --target_file=../conf/sql/single.sql
-	ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/sql/single.sql
-	ynh_replace_string --match_string="__LENGTH__" --replace_string="$((${#app} + 108))" --target_file=../conf/sql/single.sql
-
-	ynh_mysql_connect_as --user=$db_name --password=$db_pwd --database=$db_name < ../conf/sql/single.sql
 	plugin_network=""
 	if ynh_permission_has_user --permission="main" --user="visitor"
 	then
@@ -281,6 +278,10 @@ update_plugin () {
 }
 update_plugin authldap
 $wpcli_alias plugin activate authldap $plugin_network
+# re-apply the default LDAP configuration, hoping that admininstrator did not change these settings.
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../conf/plugin_authldap.json
+$wpcli_alias option update authLDAPOptions --format=json < ../conf/plugin_authldap.json
+
 update_plugin companion-auto-update
 $wpcli_alias plugin activate companion-auto-update $plugin_network