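<?php
include("defs.php3");

#
# Standard Testbed Header
#
PAGEHEADER("New Users Approved");

#
# Only known and logged in users can be verified.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);

#
# Walk the list of post variables, looking for the special post format.
# See approveuser_form.php3:
#
#             uid     menu     project/group
#	name=stoller$$approval-testbed/testbed value=approved,denied,postpone
#	name=stoller$$trust-testbed/testbed value=user,local_root
#
# The values this script actually accepts are approve, deny, nuke and
# postpone for the approval menu, and user, local_root and group_root for
# the trust menu; anything else is reported through TBERROR.
#
# The uid, project and group are parsed out of the POST variable *name*,
# so all three are request-controlled and are validated before use.
#
while (list ($header, $value) = each ($HTTP_POST_VARS)) {
    #echo "$header: $value<br>\n";

    # Only the "<uid>$$approval-<project>/<group>" variables drive the loop;
    # the matching trust variable is looked up by name further down.
    $approval_string = strstr($header, "\$\$approval-");
    if (! $approval_string) {
        continue;
    }

    $user     = substr($header, 0, strpos($header, "\$\$", 0));
    $projgrp  = substr($approval_string, strlen("\$\$approval-"));
    $project  = substr($projgrp, 0, strpos($projgrp, "/", 0));
    $group    = substr($projgrp, strpos($projgrp, "/", 0) + 1);
    $approval = $value;

    if (!$user || strcmp($user, "") == 0) {
        TBERROR("Parse error finding user in approveuser.php3", 1);
    }
    if (!$project || strcmp($project, "") == 0) {
        TBERROR("Parse error finding project in approveuser.php3", 1);
    }
    if (!$group || strcmp($group, "") == 0) {
        TBERROR("Parse error finding group in approveuser.php3", 1);
    }
    if (!$approval || strcmp($approval, "") == 0) {
        TBERROR("Parse error finding approval in approveuser.php3", 1);
    }

    #
    # SECURITY: $user, $project and $group were cut out of a POST variable
    # name, so they are entirely request-controlled, yet below they are
    # interpolated into SQL statements, HTML output, mail text and the
    # mkacct-ctrl command line. Refuse anything outside a conservative
    # identifier alphabet before any of those sinks is reached.
    # NOTE(review): the allowed alphabet is an assumption; confirm it against
    # the uid/pid/gid rules enforced when accounts and projects are created.
    #
    $token_pattern = '/\A[a-zA-Z0-9][-a-zA-Z0-9_]*\z/';
    if (! preg_match($token_pattern, $user) ||
        ! preg_match($token_pattern, $project) ||
        ! preg_match($token_pattern, $group)) {
        # The raw values are deliberately left out of the message.
        TBERROR("Illegal characters in user/project/group in ".
                "approveuser.php3", 1);
        # In case TBERROR returns, never fall through with unvalidated names.
        continue;
    }

    #
    # There should be a corresponding trust variable in the POST vars.
    # Read it from the POST array rather than through a variable-variable
    # ($$name): that way the trust level can only come from the same POST
    # body as the approval, and the script does not depend on request
    # variables being registered as globals.
    #
    $trust_key = "$user\$\$trust-$project/$group";
    $newtrust  = "";
    if (isset($HTTP_POST_VARS[$trust_key])) {
        $newtrust = $HTTP_POST_VARS[$trust_key];
    }
    if (!$newtrust || strcmp($newtrust, "") == 0) {
        TBERROR("Parse error finding trust in approveuser.php3", 1);
    }
    #echo "User $user, Project $project,
    #      Group $group, Approval $approval, Trust $newtrust<br>\n";

    # Trust is an allowlist of exactly three values; strcmp() returns
    # non-zero on mismatch, so all three mismatching means "invalid".
    if (strcmp($newtrust, "user") &&
        strcmp($newtrust, "local_root") &&
        strcmp($newtrust, "group_root")) {
        TBERROR("Invalid trust $newtrust for user $user approveuser.php3.", 1);
    }

    #
    # Get the current status for the user, which we might need to change
    # anyway, and to verify that the user is a valid user. We also need
    # the email address to let user know what happened.
    #
    # We change the status only if this person is joining his first project.
    # In this case, the status will be either "newuser" or "unapproved",
    # and we will change it to "unverified" or "active", respectively.
    # If the status is "active", we leave it alone. 
    #
    $query_result =
        DBQueryFatal("SELECT status,usr_email,usr_name from users where ".
                     "uid='$user'");
    if (mysql_num_rows($query_result) == 0) {
        TBERROR("Unknown user $user", 1);
    }
    $row = mysql_fetch_row($query_result);
    $curstatus  = $row[0];
    $user_email = $row[1];
    $user_name  = $row[2];
    #echo "Status = $curstatus, Email = $user_email<br>\n";

    #
    # We need to check that the current uid has the necessary trust level
    # to add this user to the project/group. Also, only project leaders
    # can add someone as group_root. This should probably be encoded in
    # the permission stuff.
    #
    if (! TBProjAccessCheck($uid, $project, $group, $TB_PROJECT_ADDUSER)) {
        USERERROR("You are not allowed to approve users in ".
                  "$project/$group!", 1);
    }
    TBProjLeader($project, $projleader);
    if (strcmp($uid, $projleader) &&
        strcmp($newtrust, "group_root") == 0) {
        USERERROR("You do not have permission to add new users with group ".
                  "root status!", 1);
    }
    
    TBUserInfo($uid, $uid_name, $uid_email);

    #
    # If already in the group skip.
    #
    TBGroupMember($user, $project, $group, $isapproved);
    if ($isapproved) {
        continue;
    }

    #
    # Lets get group leader email, just in case the person doing the approval
    # is not the head of the project or group. This is polite to do.
    #
    $query_result =
        DBQueryFatal("SELECT usr_email,usr_name from users as u ".
                     "left join groups as g on g.leader=u.uid ".
                     "where g.pid='$project' and g.gid='$group'");
    if (mysql_num_rows($query_result) == 0) {
        TBERROR("Retrieving user info for project $project leader", 1);
    }
    $row = mysql_fetch_row($query_result);
    $phead_email = $row[0];
    $phead_name  = $row[1];

    #
    # NOTE(review): the names and addresses used in the To:/From:/Cc: mail
    # headers below are read back from the users table. If those columns
    # can hold CR/LF they should be stripped before being placed in a
    # header; confirm what registration allows.
    #

    #
    # Well, looks like everything is okay. Change the project membership
    # value appropriately.
    #
    if (strcmp($approval, "postpone") == 0) {
        echo "<p><h3>
                  Membership status for user $user was postponed for
                  later decision.
              </h3>\n";
        continue;
    }
    if (strcmp($approval, "deny") == 0) {
        #
        # Must delete the group_membership record since we require that the 
        # user reapply once denied. Send the luser email to let him know.
        #
        $query_result =
            DBQueryFatal("delete from group_membership ".
                         "where uid='$user' and pid='$project' and ".
                         "      gid='$group'");

        mail("$user_name '$user' <$user_email>",
             "TESTBED: Project '$project' Membership Denied",
             "\n".
             "This message is to notify you that you have been denied\n".
             "membership in project $project\n".
             "\n\n".
             "Thanks,\n".
             "Testbed Ops\n".
             "Utah Network Testbed\n",
             "From: $uid_name <$uid_email>\n".
             "Cc:  $phead_name <$phead_email>\n".
             "Bcc: $TBMAIL_AUDIT\n".
             "Errors-To: $TBMAIL_WWW");

        echo "<h3><p>
                  User $user was denied membership in project $project.
                  The user will need to reapply again if this was in error.
              </h3>\n";

        continue;
    }
    if (strcmp($approval, "nuke") == 0) {
        #
        # Delete the group_membership record, as for "deny". No mail is
        # sent in this branch; instead the account itself is removed below
        # when that is safe to do.
        #
        $query_result =
            DBQueryFatal("delete from group_membership ".
                         "where uid='$user' and pid='$project' and ".
                         "      gid='$group'");

        #
        # See if user is in any other projects (even unapproved).
        #
        $query_result =
            DBQueryFatal("select * from group_membership where uid='$user'");

        #
        # If yes, then we cannot safely delete the user account.
        #
        if (mysql_num_rows($query_result)) {
            echo "<h3><p>
                  User $user was denied membership in project $project.<br>
                  Since the user is a member (or requesting membership)
		  in other projects, the account cannot be safely removed.
              </h3>\n";
            
            continue;
        }

        #
        # No other project membership. If the user is unapproved/newuser, 
        # it means he was never approved in any project, and so will
        # likely not be missed. He will be unapproved if he did his
        # verification.
        #
        if (strcmp($curstatus, "newuser") &&
            strcmp($curstatus, "unapproved")) {
            echo "<h3><p>
                  User $user was denied membership in project $project.<br>
                  Since the user has been approved by, or was active in other
		  projects in the past, the account cannot be safely removed.
              </h3>\n";
            continue;
        }
        
        $query_result = DBQueryFatal("delete FROM users where uid='$user'");
        
        echo "<h3><p>
                  User $user was denied membership in project $project.<br>
		  The account has also been terminated with prejudice!
              </h3>\n";

        continue;
    }
    if (strcmp($approval, "approve") == 0) {
        #
        # Change the trust value in group_membership accordingly.
        #
        $query_result =
            DBQueryFatal("UPDATE group_membership ".
                         "set trust='$newtrust',date_approved=now() ".
                         "WHERE uid='$user' and pid='$project' and ".
                         "      gid='$group'");

        #
        # Messy. If this is a new user joining a subgroup, and that new user
        # is not already in the project, we need to add a second record to
        # the project membership. 
        # NOTE(review): this is an UPDATE, so it only has an effect if a
        # project-level row for the user already exists - confirm.
        #
        if (strcmp($project, $group)) {
            TBGroupMember($user, $project, $project, $isapproved);

            if (! $isapproved) {
                $query_result =
                    DBQueryFatal("UPDATE group_membership ".
                                 "set trust='$newtrust',date_approved=now() ".
                                 "WHERE uid='$user' and pid='$project' and ".
                                 "      gid='$project'");
            }
        }

        #
        # Change the status if necessary. This only happens for new
        # users being added to their first project. After this, the status is
        # going to be "active", and we just leave it that way.
        #
        if (strcmp($curstatus, "active")) {
            if (strcmp($curstatus, "newuser") == 0) {
                $newstatus = "unverified";
            }
            elseif (strcmp($curstatus, "unapproved") == 0) {
                $newstatus = "active";
            }
            else {
                TBERROR("Invalid $user status $curstatus in approveuser.php3",
                         1);
            }
            $query_result =
                DBQueryFatal("UPDATE users set status='$newstatus' ".
                             "WHERE uid='$user'");
        }

        mail("$user_name '$user' <$user_email>",
             "TESTBED: Project '$project' Membership Approval",
             "\n".
             "This message is to notify you that you have been approved\n".
             "as a member of project $project with $newtrust permissions.\n".
             "\n\n".
             "Thanks,\n".
             "Testbed Ops\n".
             "Utah Network Testbed\n",
             "From: $uid_name <$uid_email>\n".
             "Cc:  $phead_name <$phead_email>\n".
             "Bcc: $TBMAIL_AUDIT\n".
             "Errors-To: $TBMAIL_WWW");

        #
        # Create user account on control node. $user passed the identifier
        # check above, so it cannot add shell syntax or a leading option
        # dash to the command string.
        #
        SUEXEC($uid, "flux", "mkacct-ctrl $user", 0);

        echo "<h3><p>
                  User $user was granted membership in project $project
                  with $newtrust permissions.
              </h3>\n";

        continue;
    }
    # NOTE(review): $approval is raw request data; whether it is safe in this
    # message depends on how TBERROR renders it - confirm.
    TBERROR("Invalid approval value $approval in approveuser.php3.", 1);
}

#
# Standard Testbed Footer
# 
PAGEFOOTER();
?>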