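<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2003, 2005, 2006 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");

#
# This page is a generic toggle page, like adminmode.php3, but more
# generalized. There are a set of things you can toggle, and each of
# those items has a permission check and a set (pair) of valid values.
#
# Usage: toggle.php?type=swappable&value=1&pid=foo&eid=bar
# (type & value are required, others are optional and vary by type)
#
# NOTE(review): every toggle below changes server state on a plain GET
# with no per-session anti-CSRF token. Closing that needs a POST form and
# a token helper that this file does not show, so it is only noted here.
#

#
# No PAGEHEADER since we spit out a Location header later. See below.
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid, CHECKLOGIN_USERSTATUS|CHECKLOGIN_WEBONLY);
$isadmin = ISADMIN($uid);

# List of valid toggles
$toggles = array("adminon", "webfreeze", "cvsweb", "lockdown",
                 "cvsrepo_public");

# List of valid values for each toggle. These are strings because every
# $_GET value arrives as a string and the check below is strict (===).
# The previous loose in_array() against array(0,1) accepted any string
# that merely compared equal to 0 or 1, and $value is interpolated into
# SQL below, so the whitelist must be exact.
$values  = array("adminon"        => array("0", "1"),
                 "webfreeze"      => array("0", "1"),
                 "cvsweb"         => array("0", "1"),
                 "lockdown"       => array("0", "1"),
                 "cvsrepo_public" => array("0", "1"));

# List of valid extra variables for each toggle, and mandatory flag.
$optargs = array("adminon"        => array(),
                 "webfreeze"      => array("target_uid" => 1),
                 "cvsweb"         => array("target_uid" => 1),
                 "lockdown"       => array("pid" => 1, "eid" => 1),
                 "cvsrepo_public" => array("pid" => 1));

# Mandatory page arguments. Check presence (and that they are scalars,
# not type[]=... arrays) before reading them so no notice is raised.
# PAGEARGERROR() and USERERROR() are relied on to end the request, as
# the rest of this page's control flow already assumes.
if (!isset($_GET['type'], $_GET['value']) ||
    !is_string($_GET['type']) || !is_string($_GET['value'])) {
    PAGEARGERROR();
}
$type  = $_GET['type'];
$value = $_GET['value'];

if (!in_array($type, $toggles, true)) {
    PAGEARGERROR("There is no toggle for $type!");
}
if (!in_array($value, $values[$type], true)) {
    PAGEARGERROR("The value '$value' is illegal for the $type toggle!");
}

# Check optional args and bind them locally ($target_uid, $pid, $eid are
# the names the toggle branches below read). foreach replaces each(),
# which was removed in PHP 8. An argument supplied as an array is treated
# as missing.
foreach ($optargs[$type] as $arg => $required) {
    if (!isset($_GET[$arg]) || !is_string($_GET[$arg])) {
        if ($required) {
            PAGEARGERROR("Toggle '$type' requires argument '$arg'");
        }
        unset($$arg);
    }
    else {
        # addslashes() is the escaping the DBQueryFatal() calls here rely
        # on; each value is additionally checked (TBCurrentUser,
        # TBValidExperiment, TBvalid_pid/TBValidProject) before it is
        # used in a query.
        $$arg = addslashes($_GET[$arg]);
    }
}

#
# Permissions checks, and do the toggle...
#
if ($type === "adminon") {
    # Must hold the admin capability (CHECKLOGIN_ISADMIN), not merely be
    # in admin mode (ISADMIN): this is the toggle that turns admin mode on.
    if (!($CHECKLOGIN_STATUS & CHECKLOGIN_ISADMIN)) {
        USERERROR("You do not have permission to toggle $type!", 1);
    }
    SETADMINMODE($uid, $value);
}
elseif ($type === "webfreeze") {
    # Unlike cvsweb/lockdown below, this checks the admin capability bit
    # rather than ISADMIN(), so admin mode does not have to be on first.
    if (!($CHECKLOGIN_STATUS & CHECKLOGIN_ISADMIN)) {
        USERERROR("You do not have permission to toggle $type!", 1);
    }
    if (!TBCurrentUser($target_uid)) {
        PAGEARGERROR("Target user '$target_uid' is not a valid user!");
    }
    DBQueryFatal("update users set weblogin_frozen='$value' ".
                 "where uid='$target_uid'");
}
elseif ($type === "cvsweb") {
    # must be admin (admin mode on)
    if (!$isadmin) {
        USERERROR("You do not have permission to toggle $type!", 1);
    }
    if (!TBCurrentUser($target_uid)) {
        PAGEARGERROR("Target user '$target_uid' is not a valid user!");
    }
    DBQueryFatal("update users set cvsweb='$value' ".
                 "where uid='$target_uid'");
}
elseif ($type === "lockdown") {
    # must be admin (admin mode on)
    if (!$isadmin) {
        USERERROR("You do not have permission to toggle $type!", 1);
    }
    if (!TBValidExperiment($pid, $eid)) {
        PAGEARGERROR("Experiment $pid/$eid is not a valid experiment!");
    }
    DBQueryFatal("update experiments set lockdown='$value' ".
                 "where pid='$pid' and eid='$eid'");
}
elseif ($type === "cvsrepo_public") {
    # Must validate the pid since we allow non-admins to do this, and
    # because $pid is also passed on a command line to SUEXEC below.
    if (!TBvalid_pid($pid)) {
        PAGEARGERROR("Invalid characters in $pid");
    }
    if (!TBValidProject($pid)) {
        PAGEARGERROR("Project $pid is not a valid project!");
    }
    # Must be admin or project/group root.
    if (!$isadmin &&
        !TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
        USERERROR("You do not have permission to toggle $type!", 1);
    }
    DBQueryFatal("update projects set cvsrepo_public='$value' ".
                 "where pid='$pid'");
    SUEXEC($uid, $pid, "webcvsrepo_ctrl $pid", SUEXEC_ACTION_DIE);
}
else {
    USERERROR("Nobody has permission to toggle $type!", 1);
}

#
# Spit out a redirect. The Referer is read from $_SERVER rather than the
# register_globals-era $HTTP_REFERER (which no longer exists, and which a
# request parameter could override), and it is honoured only when it is
# one of our own pages: it must start with $TBBASE and must not be this
# script. Otherwise fall back to the page for the object that was toggled.
# This assumes $TBBASE is the absolute site URL used for the Location
# targets below; if it is not, the fallback branch is simply always taken.
#
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($referer !== '' &&
    strpos($referer, "$TBBASE/") === 0 &&
    strpos($referer, $_SERVER['SCRIPT_NAME']) === false) {
    header("Location: $referer");
}
else {
    if (isset($target_uid)) {
        header("Location: $TBBASE/showuser.php3?target_uid=$target_uid");
    } elseif (isset($pid) && isset($eid)) {
        header("Location: $TBBASE/showexp.php3?pid=$pid&eid=$eid");
    } else {
        header("Location: $TBBASE/showuser.php3");
    }
}
# No closing ?> tag: any stray whitespace after it would be sent as body
# output and could interfere with the Location header above.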