Installing an app creates the permission `app.main` with `all_users` allowed by default.

If you wish to make the application publicly available, instead of the old `unprotected_urls` mechanism, you should give access to the special group `visitors`:

```bash
ynh_permission_update --permission "main" --add visitors
```

If you wish to create a custom permission for your app (e.g. to restrict access to an admin interface) you may use the following helpers:

```bash
ynh_permission_create --permission "admin" --url "/admin" --allowed "$admin_user" --label "Label for your permission"
```
You don't need to take care of removing permissions or backing up/restoring them as it is handled by the core of YunoHost.
When migrating/fixing an app still using the legacy permission system, it should be understood that the accesses are now to be managed by features from the core, outside of the application scripts!
Application scripts are only expected to:

`visitors`) or private (`all_users`) or only accessible to specific groups/users;

Application scripts should absolutely NOT mess with any already-existing app accesses (including unprotected/skipped_uris settings) in any other case, as it would reset any admin-defined access rule!

When migrating away from the legacy permission, you should:

`$is_public`-like or `$admin_user`-like setting, except for any manifest question meant to either initialize the app as public/private or specific permissions;

It should boil down to:

```bash
# Only runs when the app still carries legacy permission settings
if ynh_legacy_permissions_exists; then
    ynh_legacy_permissions_delete_all
    ynh_app_setting_delete --app="$app" --key=is_public
    # Create the permission using the new framework (if your app has relevant additional permissions)
    ynh_permission_create --permission="admin" --url="/admin" --allowed="$admin"
fi
```

`yunohost app addaccess` and similar actions that are now obsolete and deprecated.

`'(&(objectClass=posixAccount)(permission=cn=YOUR_APP.main,ou=permission,dc=yunohost,dc=org))'` to allow users who have this permission. (A complete documentation of LDAP here if you want to understand how it works with YunoHost)

`show_tile` which may be `True` or `False`. A single app may have multiple tiles in the SSO. The url of each tile corresponds to the `url` parameter of the permission.

`ynh_permission_update`, it's still possible to add/remove the visitor group of this permission.

`skipped_uris`)

| | with auth header | no auth header |
|---|---|---|
| public | unprotected_uris | skipped_uris |
| private | protected_uris | N/A |

| | with auth header | no auth header |
|---|---|---|
| public | auth_header=True, visitor group allowed | auth_header=False, visitor group allowed |
| private | auth_header=True, visitor group not allowed | auth_header=False, visitor group not allowed |

All of these features are manageable with the following helpers:
ynh_permission_create
ynh_permission_url
ynh_permission_update
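
The LDAP filter quoted earlier on this page only selects accounts that hold the permission; an app that authenticates against LDAP usually also has to match the login it was given. The following is an added example (not code from YunoHost or from this page) that rebuilds the page's filter for a given app and combines it with a login test, escaping the login as RFC 4515 requires. It assumes accounts are looked up by the `uid` attribute and that app ids and permission names contain only letters, digits, `_` and `-`.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX in a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumption: app ids and permission names use a conservative character set,
# so they can be placed in the permission DN without any DN escaping.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")

BASE_DN = "ou=permission,dc=yunohost,dc=org"  # taken from the filter on this page


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def permission_filter(app: str, permission: str = "main") -> str:
    """Filter matching every account that holds <app>.<permission>."""
    for name in (app, permission):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unexpected character in {name!r}")
    dn = f"cn={app}.{permission},{BASE_DN}"
    return f"(&(objectClass=posixAccount)(permission={dn}))"


def login_filter(app: str, login: str, permission: str = "main") -> str:
    """Filter for one login: the uid must match AND hold the permission.

    Assumption: the app looks accounts up by the `uid` attribute.
    """
    if not login:
        raise ValueError("empty login")
    base = permission_filter(app, permission)
    # Add the uid test inside the existing (& ...) so both conditions apply.
    return f"{base[:-1]}(uid={escape_filter_value(login)}))"


if __name__ == "__main__":
    # Constructed sample values.
    print(permission_filter("YOUR_APP"))
    print(login_filter("wiki", "alice"))
    print(login_filter("wiki", "a*(b)"))
```
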
If you have any questions, please contact the app team.