GUI: Fix permission reset

npbackup/configuration.py

@@ -534,24 +534,43 @@ def inject_permissions_into_full_config(full_config: dict) -> Tuple[bool, dict]:
                 f"{object_type}.{object_name}.manager_password"
             )
             permissions = full_config.g(f"{object_type}.{object_name}.permissions")
-            update_manager_password = full_config.g(
-                f"{object_type}.{object_name}.update_manager_password"
+            new_manager_password = full_config.g(
+                f"{object_type}.{object_name}.new_manager_password"
             )
-            if update_manager_password and manager_password:
+            # Getting current manager password is only needed in CLI mode, to avoid overwriting existing manager password
+            current_manager_password = full_config.g(
+                f"{object_type}.{object_name}.current_manager_password"
+            )
+            new_permissions = full_config.g(
+                f"{object_type}.{object_name}.new_permissions"
+            )
+
+            if new_manager_password and current_manager_password == manager_password:
+                full_config.s(
+                    f"{object_type}.{object_name}.repo_uri",
+                    (repo_uri, new_permissions, new_manager_password),
+                )
+                full_config.s(f"{object_type}.{object_name}.is_protected", True)
+                logger.info(f"New permissions set for {object_type} {object_name}")
+            elif new_manager_password:
+                logger.critical(
+                    f"Cannot set new permissions for {object_type} {object_name} without current manager password"
+                )
+            elif manager_password:
                 full_config.s(
                     f"{object_type}.{object_name}.repo_uri",
                     (repo_uri, permissions, manager_password),
                 )
                 full_config.s(f"{object_type}.{object_name}.is_protected", True)
-            elif manager_password:
-                full_config.s(f"{object_type}.{object_name}.is_protected", True)
                 logger.debug(f"Permissions exist for {object_type} {object_name}")
             else:
                 full_config.s(f"{object_type}.{object_name}.is_protected", False)
 
-            full_config.d(
-                f"{object_type}.{object_name}.update_manager_password"
-            )  # Don't keep decrypted manager password
+            # Don't keep decrypted manager password and permissions bare in config file
+            # They should be injected in repo_uri tuple
+            full_config.d(f"{object_type}.{object_name}.new_manager_password")
+            full_config.d(f"{object_type}.{object_name}.current_manager_password")
+            full_config.d(f"{object_type}.{object_name}.new_permissions")
             full_config.d(f"{object_type}.{object_name}.permissions")
             full_config.d(f"{object_type}.{object_name}.manager_password")
     return full_config

npbackup/gui/config.py

@@ -109,6 +109,7 @@ def config_gui(full_config: dict, config_file: str):
             "restore": _t("config_gui.restore_perms"),
             "restore_only": _t("config_gui.restore_only_perms"),
             "full": _t("config_gui.full_perms"),
+            None: _t("config_gui.full_perms"),
         },
     }
 
@@ -315,13 +316,15 @@ def config_gui(full_config: dict, config_file: str):
                 "prometheus.http_username",
                 "prometheus.http_password",
                 "prometheus.no_cert_verify",
-                "update_manager_password",
+                "current_manager_password",
             ) or key.startswith("prometheus.additional_labels"):
                 return
-            if key == "permissions":
+            # Note that keys with "new" must be processed after "current" keys
+            # This will happen automatically since adding new values are at the end of the config
+            if key in ("permissions", "new_permissions"):
                 window["current_permissions"].Update(combo_boxes["permissions"][value])
                 return
-            if key == "manager_password":
+            if key in ("manager_password", "new_manager_password"):
                 if value:
                     window["manager_password_set"].Update(_t("generic.yes"))
                     window["--SET-PERMISSIONS--"].Update(button_color="green")
@@ -902,13 +905,16 @@ def config_gui(full_config: dict, config_file: str):
                 permission = get_key_from_value(
                     combo_boxes["permissions"], values["permissions"]
                 )
-                full_config.s(f"{object_type}.{object_name}.permissions", permission)
                 full_config.s(
-                    f"{object_type}.{object_name}.manager_password",
+                    f"{object_type}.{object_name}.new_permissions", permission
+                )
+                full_config.s(
+                    f"{object_type}.{object_name}.new_manager_password",
                     values["-MANAGER-PASSWORD-"],
                 )
                 full_config.s(
-                    f"{object_type}.{object_name}.update_manager_password", True
+                    f"{object_type}.{object_name}.current_manager_password",
+                    full_config.g(f"{object_type}.{object_name}.manager_password"),
                 )
                 break
         window.close()
@@ -2307,7 +2313,7 @@ Google Cloud storage: GOOGLE_PROJECT_ID  GOOGLE_APPLICATION_CREDENTIALS\n\
                 full_config, object_name
             )
             if not manager_password or ask_manager_password(manager_password):
-                # We need to update full_config with current GUI values before using modifying it
+                # We need to update full_config with current GUI values before using or modifying it
                 full_config = update_config_dict(
                     full_config, current_object_type, current_object_name, values
                 )