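<?php
include("defs.php3");

#
# Standard Testbed Header
#
PAGEHEADER("New Users Approved");

#
# Only known and logged in users can be verified.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);

#
# Every uid/pid/gid parsed out of the request must match this pattern
# before it is used. These values are taken from the *names* of POST
# variables, so the client controls them completely, and further down
# they are interpolated into SQL string literals, the command line given
# to SUEXEC, mail headers and HTML output. The pattern admits no quote,
# backslash, whitespace, CR/LF, angle bracket or shell metacharacter,
# and no leading "-" (which a command could read as an option). \z is
# used instead of $ so a trailing newline is not accepted.
#
# NOTE(review): the allowed alphabet is an assumption; align it with the
# rules enforced where uids, pids and gids are created.
#
$idpattern = '/^[A-Za-z0-9][A-Za-z0-9_.-]*\z/';

#
# Walk the list of post variables, looking for the special post format.
# See approveuser_form.php3:
#
#             uid     menu     project/group
#	name=stoller$$approval-testbed/testbed value=approve,deny,nuke,postpone
#	name=stoller$$trust-testbed/testbed value=user,local_root,group_root
#
# The values listed are the ones this script accepts; anything else ends
# in TBERROR.
#
while (list ($header, $value) = each ($HTTP_POST_VARS)) {
    #echo "$header: $value<br>\n";

    $approval_string = strstr($header, "\$\$approval-");
    if (! $approval_string) {
	continue;
    }

    $user     = substr($header, 0, strpos($header, "\$\$", 0));
    $projgrp  = substr($approval_string, strlen("\$\$approval-"));
    $project  = substr($projgrp, 0, strpos($projgrp, "/", 0));
    $group    = substr($projgrp, strpos($projgrp, "/", 0) + 1);
    $approval = $value;

    if (!$user || strcmp($user, "") == 0) {
	TBERROR("Parse error finding user in approveuser.php3", 1);
    }
    if (!$project || strcmp($project, "") == 0) {
	TBERROR("Parse error finding project in approveuser.php3", 1);
    }
    if (!$group || strcmp($group, "") == 0) {
	TBERROR("Parse error finding group in approveuser.php3", 1);
    }
    if (!$approval || strcmp($approval, "") == 0) {
	TBERROR("Parse error finding approval in approveuser.php3", 1);
    }

    #
    # Reject ids containing anything outside the allowed alphabet. The
    # offending value is deliberately left out of the message. Like the
    # checks above, this relies on TBERROR(..., 1) not returning.
    #
    if (! preg_match($idpattern, $user)) {
	TBERROR("Illegal characters in user in approveuser.php3", 1);
    }
    if (! preg_match($idpattern, $project)) {
	TBERROR("Illegal characters in project in approveuser.php3", 1);
    }
    if (! preg_match($idpattern, $group)) {
	TBERROR("Illegal characters in group in approveuser.php3", 1);
    }

    #
    # There should be a corresponding trust variable in the POST vars.
    # Look it up in the POST array itself rather than through a variable
    # variable, so the value can only come from the same POST body as the
    # approval entry and does not depend on request variables being
    # registered as globals.
    #
    $foo      = "$user\$\$trust-$project/$group";
    $newtrust = isset($HTTP_POST_VARS[$foo]) ? $HTTP_POST_VARS[$foo] : "";
    if (!$newtrust || strcmp($newtrust, "") == 0) {
	TBERROR("Parse error finding trust in approveuser.php3", 1);
    }
    #echo "User $user, Project $project,
    #      Group $group, Approval $approval, Trust $newtrust<br>\n";
    
    #
    # Only these three trust values are accepted.
    # NOTE(review): the rejected value is passed to TBERROR as received
    # from the client; confirm TBERROR escapes it before rendering.
    #
    if (strcmp($newtrust, "user") &&
	strcmp($newtrust, "local_root") &&
	strcmp($newtrust, "group_root")) {
	TBERROR("Invalid trust $newtrust for user $user approveuser.php3.", 1);
    }

    #
    # Get the current status for the user, which we might need to change
    # anyway, and to verify that the user is a valid user. We also need
    # the email address to let user know what happened.
    #
    # We change the status only if this person is joining his first project.
    # In this case, the status will be either "newuser" or "unapproved",
    # and we will change it to "unverified" or "active", respectively.
    # If the status is "active", we leave it alone. 
    #
    $query_result =
        DBQueryFatal("SELECT status,usr_email,usr_name from users where ".
		     "uid='$user'");
    if (mysql_num_rows($query_result) == 0) {
	TBERROR("Unknown user $user", 1);
    }
    $row = mysql_fetch_row($query_result);
    $curstatus  = $row[0];
    $user_email = $row[1];
    $user_name  = $row[2];
    #echo "Status = $curstatus, Email = $user_email<br>\n";

    #
    # We need to check that the current uid has the necessary trust level
    # to add this user to the project/group. Also, only project leaders
    # can add someone as group_root. This should probably be encoded in
    # the permission stuff.
    #
    if (! TBProjAccessCheck($uid, $project, $group, $TB_PROJECT_ADDUSER)) {
	USERERROR("You are not allowed to approve users in ".
		  "$project/$group!", 1);
    }
    TBProjLeader($project, $projleader);
    if (strcmp($uid, $projleader) &&
	strcmp($newtrust, "group_root") == 0) {
	USERERROR("You do not have permission to add new users with group ".
		  "root status!", 1);
    }
    
    TBUserInfo($uid, $uid_name, $uid_email);

    #
    # If already in the group skip.
    #
    # NOTE(review): only $isapproved is examined; the return value of
    # TBGroupMember is ignored. If it distinguishes "no membership record
    # at all" from "record exists but not yet approved", then a user who
    # never applied to $project/$group still reaches the approve and nuke
    # branches below (status change, account creation, account deletion).
    # Confirm, and skip such users here if so.
    #
    TBGroupMember($user, $project, $group, $isapproved);
    if ($isapproved) {
	continue;
    }

    #
    # Lets get group leader email, just in case the person doing the approval
    # is not the head of the project or group. This is polite to do.
    #
    $query_result =
	DBQueryFatal("SELECT usr_email,usr_name from users as u ".
		     "left join groups as g on g.leader=u.uid ".
		     "where g.pid='$project' and g.gid='$group'");
    if (mysql_num_rows($query_result) == 0) {
	TBERROR("Retrieving user info for project $project leader", 1);
    }
    $row = mysql_fetch_row($query_result);
    $phead_email = $row[0];
    $phead_name  = $row[1];
   
    #
    # Well, looks like everything is okay. Change the project membership
    # value appropriately.
    #
    if (strcmp($approval, "postpone") == 0) {
	echo "<p><h3>
                  Membership status for user $user was postponed for
                  later decision.
              </h3>\n";
        continue;
    }
    if (strcmp($approval, "deny") == 0) {
        #
        # Must delete the group_membership record since we require that the 
        # user reapply once denied. Send the luser email to let him know.
        #
        $query_result =
	    DBQueryFatal("delete from group_membership ".
			 "where uid='$user' and pid='$project' and ".
			 "      gid='$group'");

        #
        # NOTE(review): here and in the approval mail below, names and
        # addresses read from the users table are placed into the
        # recipient and header arguments unmodified; confirm they are
        # stored without CR/LF.
        #
        mail("$user_name '$user' <$user_email>",
             "TESTBED: Project '$project' Membership Denied",
	     "\n".
             "This message is to notify you that you have been denied\n".
	     "membership in project $project\n".
             "\n\n".
             "Thanks,\n".
             "Testbed Ops\n".
             "Utah Network Testbed\n",
             "From: $uid_name <$uid_email>\n".
             "Cc:  $phead_name <$phead_email>\n".
             "Bcc: $TBMAIL_APPROVAL\n".
             "Errors-To: $TBMAIL_WWW");

	echo "<h3><p>
                  User $user was denied membership in project $project.
                  The user will need to reapply again if this was in error.
              </h3>\n";

	continue;
    }
    if (strcmp($approval, "nuke") == 0) {
        #
        # Must delete the group_membership record since we require that the 
        # user reapply once denied. No email is sent on this path.
        #
        $query_result =
	    DBQueryFatal("delete from group_membership ".
			 "where uid='$user' and pid='$project' and ".
			 "      gid='$group'");

	#
	# See if user is in any other projects (even unapproved).
	#
        $query_result =
	    DBQueryFatal("select * from group_membership where uid='$user'");

	#
	# If yes, then we cannot safely delete the user account.
	#
	if (mysql_num_rows($query_result)) {
	    echo "<h3><p>
                  User $user was denied membership in project $project.<br>
                  Since the user is a member (or requesting membership)
		  in other projects, the account cannot be safely removed.
              </h3>\n";
	    
	    continue;
	}

	#
	# No other project membership. If the user is unapproved/newuser, 
	# it means he was never approved in any project, and so will
	# likely not be missed. He will be unapproved if he did his
	# verification.
	#
	if (strcmp($curstatus, "newuser") &&
	    strcmp($curstatus, "unapproved")) {
	    echo "<h3><p>
                  User $user was denied membership in project $project.<br>
                  Since the user has been approved by, or was active in other
		  projects in the past, the account cannot be safely removed.
              </h3>\n";
	    continue;
	}
	
	$query_result = DBQueryFatal("delete FROM users where uid='$user'");
	
	echo "<h3><p>
                  User $user was denied membership in project $project.<br>
		  The account has also been terminated with prejudice!
              </h3>\n";

	continue;
    }
    if (strcmp($approval, "approve") == 0) {
        #
        # Change the trust value in group_membership accordingly.
        #
        $query_result =
	    DBQueryFatal("UPDATE group_membership ".
			 "set trust='$newtrust',date_approved=now() ".
			 "WHERE uid='$user' and pid='$project' and ".
			 "      gid='$group'");

	#
	# Messy. If this is a new user joining a subgroup, and that new user
	# is not already in the project, we need to add a second record to
	# the project membership. 
	#
	# NOTE(review): the statement below is an UPDATE, so it only changes
	# a project-level row that already exists; it does not insert one.
	# Confirm that row is created when the user applies.
	#
	if (strcmp($project, $group)) {
	    TBGroupMember($user, $project, $project, $isapproved);

	    if (! $isapproved) {
		$query_result =
		    DBQueryFatal("UPDATE group_membership ".
				 "set trust='$newtrust',date_approved=now() ".
				 "WHERE uid='$user' and pid='$project' and ".
				 "      gid='$project'");
	    }
	}

        #
        # Change the status if necessary. This only happens for new
	# users being added to their first project. After this, the status is
        # going to be "active", and we just leave it that way.
	#
        if (strcmp($curstatus, "active")) {
	    if (strcmp($curstatus, "newuser") == 0) {
		$newstatus = "unverified";
            }
	    elseif (strcmp($curstatus, "unapproved") == 0) {
		$newstatus = "active";
	    }
	    else {
	        TBERROR("Invalid $user status $curstatus in approveuser.php3",
                         1);
	    }
	    $query_result =
		DBQueryFatal("UPDATE users set status='$newstatus' ".
			     "WHERE uid='$user'");
	}

        mail("$user_name '$user' <$user_email>",
             "TESTBED: Project '$project' Membership Approval",
	     "\n".
	     "This message is to notify you that you have been approved\n".
	     "as a member of project $project with $newtrust permissions.\n".
             "\n\n".
             "Thanks,\n".
             "Testbed Ops\n".
             "Utah Network Testbed\n",
             "From: $uid_name <$uid_email>\n".
             "Cc:  $phead_name <$phead_email>\n".
             "Bcc: $TBMAIL_APPROVAL\n".
             "Errors-To: $TBMAIL_WWW");

	#
        # Create user account on control node. $user is placed on the
        # command line as-is; the id pattern check at the top of the loop
        # is what keeps it to a single harmless argument.
        #
	SUEXEC($uid, "flux", "mkacct-ctrl $user", 0);

	echo "<h3><p>
                  User $user was granted membership in project $project
                  with $newtrust permissions.
              </h3>\n";

	continue;
    }
    #
    # NOTE(review): $approval is the raw POST value; confirm TBERROR
    # escapes it before rendering.
    #
    TBERROR("Invalid approval value $approval in approveuser.php3.", 1);
}

#
# Standard Testbed Footer
# 
PAGEFOOTER();
?>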