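#!/bin/sh
# Post-install script to enable permissioning for thttpd, since TWiki is set up
# for apache by default. Also fixes up directory permissioning for thttpd.
# This was written for TWiki 4.0.5. Configuration variables at the top.
# Callum Gibson - December 2006.
#
# Usage: run as root from the top level of the TWiki installation.
# Exit status: 0 on success, 1 when a precondition or a step fails, 2 when
# bin/.protected already exists (ownership and modes are re-applied first).

# The user the webserver runs as
WEBUSER=www

# The group allowed to access/write TWiki topic files.
TWIKIGROUP=twiki

# The owner and group for the TWiki installation
CODEOWNER=root

########################################
# No configuration necessary below here.
########################################

# Print a message on stderr and abort with status 1.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# The web user must be a member of the TWiki group. Match the group as a whole
# space-delimited word in `id -Gn` output: a regex word-boundary grep would
# also accept e.g. "twiki-admin", and `groups USER` output can include the
# user name itself on some systems.
user_groups=$(id -Gn "$WEBUSER") || user_groups=
case " $user_groups " in
    *" $TWIKIGROUP "*)
        ;;
    *)
        die "The user '$WEBUSER' doesn't seem to be in the group '$TWIKIGROUP'"
        ;;
esac

# Arbitrary check to see if we're in the right place, and that we really have
# root privileges (effective uid 0, not merely an account named "root").
if [ ! -f TWikiHistory.html ] || [ "$(id -u)" -ne 0 ]; then
    die "Please run this script from the top level of your TWiki installation as root."
fi

# A further check - we're going to grunge around in bin so we only really
# care about that one.
if [ ! -d bin ] || [ ! -x bin/view ]; then
    die "This doesn't seem to be a real TWiki installation."
fi

# Set up LocalSite.cfg from the shipped template if it is not there yet.
if [ ! -f lib/LocalSite.cfg ]; then
    cp lib/LocalSite.cfg.txt lib/LocalSite.cfg \
        || die "Could not create lib/LocalSite.cfg from lib/LocalSite.cfg.txt"
fi

# Fix up ownership. Every step below is checked: a half-applied permission
# scheme on a web application should stop the script, not pass silently.
# NOTE(review): data and pub belong to the web user, so on a re-run their
# contents are web-user-controlled; the recursive chown/chmod calls rely on the
# platform tools not following symlinks met during traversal - confirm for the
# target OS.
chown -R "$CODEOWNER:$TWIKIGROUP" lib bin templates \
    || die "chown of lib, bin and templates failed"
chown -R "$WEBUSER:$TWIKIGROUP" data pub \
    || die "chown of data and pub failed"

# add global read, remove global write access
chmod -R a+rX,o-w . || die "chmod of the installation tree failed"

# But now remove it from the main code
chmod 750 lib templates || die "chmod of lib and templates failed"
# but allow LocalSite.cfg to be edited with configure
chmod g+w lib/LocalSite.cfg || die "chmod of lib/LocalSite.cfg failed"

# data should be accessible only by twiki group - you can't get to it directly
chmod -R ug+w,o-rwx data || die "chmod of data failed"

# remove execute from non-cgis which we need to serve up.
# (-exec ... + instead of -print0 | xargs -0: POSIX, and chmod is never run
# without operands when pub holds no regular files.)
find pub -type f -exec chmod a-x {} + || die "chmod a-x under pub failed"

# Pub the same as data, but all can read (so attachments and pictures
# can be seen)
chmod -R ug+w,o-w,o+rX pub || die "chmod of pub failed"

# On a re-run the recursive a+rX above also reaches a password file already
# copied into bin/.protected. When it is hard-linked to data/.htpasswd the
# data step removes "other" access again (same inode); do it explicitly so a
# copy that was never linked does not stay world-readable.
if [ -f bin/.protected/.htpasswd ]; then
    chmod o-rwx bin/.protected/.htpasswd \
        || die "chmod of bin/.protected/.htpasswd failed"
fi

# Setup restricted cgis via htpasswd.
cd bin || die "Cannot change directory to bin"
if [ -d .protected ]; then
    echo "The post-install script may have already been run; .protected exists!" >&2
    echo "I've done all other permissioning, but I'm going to stop here." >&2
    exit 2
fi
mkdir .protected || die "Cannot create bin/.protected"
# Give the new directory the ownership and mode a re-run would apply to it
# anyway, rather than whatever root's umask and primary group produce: not
# writable by the TWiki group, since it will hold the password file and the
# authenticated CGIs.
chown "$CODEOWNER:$TWIKIGROUP" .protected || die "chown of bin/.protected failed"
chmod 755 .protected || die "chmod of bin/.protected failed"

# If this was a perl script, I'd grok these out of the supplied .htpasswd.txt
# file for apache. This hard-coded list will have to suffice for now.
authfiles="attach edit manage rename save upload logon rdiffauth viewauth"

# Move each authenticated CGI into .protected and leave a symlink behind so
# existing URLs keep working. $authfiles is split on whitespace on purpose.
for f in $authfiles; do
    if [ ! -f "$f" ]; then
        # The list is hard-coded for 4.0.5; do not leave a dangling symlink
        # for a CGI this installation does not ship.
        echo "Warning: bin/$f not found; skipping." >&2
        continue
    fi
    mv "$f" .protected/ || die "Cannot move bin/$f into bin/.protected"
    ln -s ".protected/$f" "$f" || die "Cannot create symlink bin/$f"
done

# The protected CGIs need access to these config files.
cd .protected || die "Cannot change directory to bin/.protected"
for cfg in setlib.cfg LocalLib.cfg; do
    # Linked even when the target is missing, as before: the link resolves
    # once the file is created in bin.
    ln -s "../$cfg" "$cfg" || echo "Warning: could not link bin/.protected/$cfg" >&2
done

echo ''
echo 'You will need to copy your existing .htpasswd from the old TWiki installation'
echo 'into .../twiki/bin/.protected by hand (or create one there with the htpasswd'
echo 'program that comes with thttpd) and then make a hard link to'
echo '.../twiki/data/.htpasswd by doing the following from the twiki top:'
echo '# ln bin/.protected/.htpasswd data/.htpasswd'
echo ''
echo 'All done.'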

