diff --git a/actions/users b/actions/users
index 3d96c0f08..a4f93bc72 100755
--- a/actions/users
+++ b/actions/users
@@ -72,6 +72,9 @@ def parse_arguments():
subparser.add_argument(
'username', help='LDAP user to retrieve the groups for')
+ subparser = subparsers.add_parser(
+ 'get-all-groups', help='Get a list of all the LDAP groups in the system')
+
subparser = subparsers.add_parser(
'add-user-to-group', help='Add an LDAP user to an LDAP group')
subparser.add_argument('username', help='LDAP user to add to group')
@@ -343,6 +346,17 @@ def subcommand_remove_user_from_group(arguments):
flush_cache()
+def subcommand_get_all_groups(_):
+ """Get all user groups"""
+ get_groups = "getent group".split()
+ cut_names = "cut -d: -f1".split()
+ groups = subprocess.Popen(get_groups, stdout=subprocess.PIPE, shell=False)
+ trimmed_groups = subprocess.Popen(cut_names, stdin=groups.stdout,
+ stdout=subprocess.PIPE, shell=False)
+ groups.stdout.close()
+ print(trimmed_groups.communicate()[0].decode())
+
+
def flush_cache():
"""Flush nscd cache."""
_run(['nscd', '--invalidate=passwd'])
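Review bot: `getent group` in `subcommand_get_all_groups` enumerates every group NSS knows about, so local system groups from /etc/group come back alongside the LDAP ones, while the docstring and the `get-all-groups` help text promise LDAP groups only. Neither child's exit status is checked and the `getent` process is never waited on, so a failed lookup would likely surface as an empty list rather than an error the caller can see. If all NSS groups is the intent, the standard library does this without the two-process pipeline: `print('\n'.join(g.gr_name for g in grp.getgrall()))` with `import grp`, and a docstring that says "all groups visible through NSS". If only LDAP groups are wanted, restrict the source (for example `getent -s ldap group`, assuming that service name matches nsswitch.conf) and check the return code.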
diff --git a/data/etc/apache2/conf-available/tt-rss-plinth.conf b/data/etc/apache2/conf-available/tt-rss-plinth.conf
index e3f9e288e..9e8c6e375 100644
--- a/data/etc/apache2/conf-available/tt-rss-plinth.conf
+++ b/data/etc/apache2/conf-available/tt-rss-plinth.conf
@@ -7,10 +7,13 @@ Alias /tt-rss-app /usr/share/tt-rss/www
Include includes/freedombox-single-sign-on.conf
+
+ TKTAuthToken "newsfeed" "admin"
+
Include includes/freedombox-auth-ldap.conf
Require valid-user
- # TODO Restrict access to `news` group
+ # TODO Restrict access to `newsfeed` group
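Review bot: `Require valid-user` after the LDAP include still admits any authenticated account, so the `newsfeed` restriction introduced by `TKTAuthToken "newsfeed" "admin"` appears to hold only on the single-sign-on path; the TODO on the last line says as much. The enclosing container directives are not visible in this hunk, so this is inferred from the order of the lines. If both paths can be reached, the LDAP one needs a matching group requirement, e.g. `Require ldap-group <NEWSFEED_GROUP_DN_PLACEHOLDER>`, before membership of `newsfeed` can be relied on as an access control.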
diff --git a/plinth/modules/ttrss/__init__.py b/plinth/modules/ttrss/__init__.py
index f7f53fd01..bb1e90a20 100644
--- a/plinth/modules/ttrss/__init__.py
+++ b/plinth/modules/ttrss/__init__.py
@@ -28,6 +28,7 @@ from plinth import cfg
from plinth import frontpage
from plinth import service as service_module
from plinth.menu import main_menu
+from plinth.modules.users import add_group
from .manifest import clients
@@ -94,6 +95,7 @@ def setup(helper, old_version=None):
is_enabled=is_enabled, enable=enable, disable=disable)
helper.call('post', service.notify_enabled, None, True)
helper.call('post', add_shortcut)
+ add_group('newsfeed')
def add_shortcut():
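Review bot: `add_group('newsfeed')` is called directly while the neighbouring steps are registered through `helper.call('post', ...)`, so it is not ordered or reported with the rest of the post phase. Following the pattern of `helper.call('post', service.notify_enabled, None, True)`, this would read `helper.call('post', add_group, 'newsfeed')`. The semantics of `helper.call` are not visible here and `setup()` starts outside the hunk, so confirm the direct call is not deliberate. A short comment such as `# Group checked by TKTAuthToken in tt-rss-plinth.conf` would also tie the name to the Apache configuration that depends on it.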
diff --git a/plinth/modules/users/__init__.py b/plinth/modules/users/__init__.py
index 12ef76d84..212b53786 100644
--- a/plinth/modules/users/__init__.py
+++ b/plinth/modules/users/__init__.py
@@ -24,6 +24,7 @@ import subprocess
from plinth import action_utils
from plinth import actions
+from plinth.errors import ActionError
from plinth.menu import main_menu
@@ -94,3 +95,12 @@ def add_group(group):
def remove_group(group):
"""Remove an LDAP group."""
actions.superuser_run('users', options=['remove-group', group])
+
+
+def get_all_groups():
+ """Retrieve the set of all LDAP groups in the system"""
+ try:
+ groups = actions.superuser_run('users', options=['get-all-groups'])
+ return set(groups.strip().split())
+ except ActionError:
+ return {}
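Review bot: the `except ActionError` branch of `get_all_groups` returns `{}`, which is an empty dict, while the docstring and the success path promise a set; use `return set()`. The failure is also swallowed silently, so a broken `get-all-groups` action looks the same as a system with no groups, and callers that build permission choices from the result will quietly offer none. Logging the error before returning the empty set (for example with the module's logger, if one exists outside this hunk) would make that case diagnosable.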
diff --git a/plinth/modules/users/forms.py b/plinth/modules/users/forms.py
index c877f1a09..e9dd953df 100644
--- a/plinth/modules/users/forms.py
+++ b/plinth/modules/users/forms.py
@@ -29,13 +29,22 @@ from plinth import actions
from plinth.errors import ActionError
from plinth.modules import first_boot
from plinth.modules.security import set_restricted_access
+from plinth.modules.users import get_all_groups
from plinth.utils import is_user_admin
from plinth import module_loader
-GROUP_CHOICES = (
- ('admin', _('admin')),
- ('wiki', _('wiki')),
-)
+PLINTH_APP_GROUPS = {
+ 'admin',
+ 'newsfeed',
+ }
+
+
+def get_group_choices():
+ groups = PLINTH_APP_GROUPS.intersection(get_all_groups())
+ return ((group, _(group)) for group in groups)
+
+
+GROUP_CHOICES = get_group_choices()
class ValidNewUsernameCheckMixin(object):
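Review bot: `get_group_choices()` returns a generator expression and `GROUP_CHOICES` binds it at import time, so the choices can be consumed only once and any second consumer sees an empty sequence. Computing them at import also runs the superuser `get-all-groups` action while the module loads and misses groups created afterwards, such as `newsfeed` added by the ttrss setup. Return a concrete sequence, `return [(group, _(group)) for group in sorted(groups)]`, and call `get_group_choices()` from the form's `__init__` rather than binding a module constant. `wiki` is dropped from the allowed set relative to the removed `GROUP_CHOICES`; confirm that existing users in that group are not stripped of it when their account is edited.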