
approveuser.php3 9.74 KB
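<?php
include("defs.php3");

#
# approveuser.php3: apply the membership decisions posted from
# approveuser_form.php3. For every "approval" field in the POST data the
# page checks that the logged-in user may act on that project/group, then
# postpones, denies, nukes or approves the request and reports the result.
#
# TBERROR() and USERERROR() are called with 1 as their last argument and the
# code after each call assumes they do not return. Presumably that argument
# makes them fatal; confirm in defs.php3.
#

#
# Standard Testbed Header
#
PAGEHEADER("New Users Approved");

#
# Only known and logged in users can be verified.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);

#
# NOTE(review): this page changes membership, trust and account state from
# a plain POST. No anti-forgery token is checked in this file; confirm
# whether LOGGEDINORDIE() or the form page covers cross-site requests.
#

#
# Identifiers parsed out of POST field names are client-controlled and are
# later interpolated into SQL, HTML, mail text and a command line, so only
# a conservative character set is accepted.
# NOTE(review): the set below is an assumption; align it with the testbed's
# own rules for uid/pid/gid.
#
$idpattern = '/^[-_a-zA-Z0-9]+$/D';

#
# Walk the list of post variables, looking for the special post format.
# See approveuser_form.php3. Values listed are the ones accepted below:
#
#             uid     menu     project/group
#	name=stoller$$approval-testbed/testbed value=approve,deny,nuke,postpone
#	name=stoller$$trust-testbed/testbed value=user,local_root,group_root
#
while (list ($header, $value) = each ($HTTP_POST_VARS)) {
    $approval_string = strstr($header, "\$\$approval-");
    if (! $approval_string) {
        continue;
    }

    $user     = substr($header, 0, strpos($header, "\$\$", 0));
    $projgrp  = substr($approval_string, strlen("\$\$approval-"));
    $project  = substr($projgrp, 0, strpos($projgrp, "/", 0));
    $group    = substr($projgrp, strpos($projgrp, "/", 0) + 1);
    $approval = $value;

    if (!$user || strcmp($user, "") == 0) {
        TBERROR("Parse error finding user in approveuser.php3", 1);
    }
    if (!$project || strcmp($project, "") == 0) {
        TBERROR("Parse error finding project in approveuser.php3", 1);
    }
    if (!$group || strcmp($group, "") == 0) {
        TBERROR("Parse error finding group in approveuser.php3", 1);
    }
    if (!$approval || strcmp($approval, "") == 0) {
        TBERROR("Parse error finding approval in approveuser.php3", 1);
    }

    #
    # Reject anything outside the allowed character set before the values
    # reach a query, the page, a mail subject or the account script. The
    # raw values are deliberately left out of the error text.
    #
    if (! preg_match($idpattern, $user) ||
        ! preg_match($idpattern, $project) ||
        ! preg_match($idpattern, $group)) {
        TBERROR("Parse error: illegal characters in user, project or ".
                "group in approveuser.php3", 1);
    }

    #
    # There should be a corresponding trust variable in the POST vars.
    # Read it from the POST array itself rather than through a variable
    # variable, so the lookup does not depend on request data having been
    # imported into the global scope and cannot pick up a same-named value
    # from another request source.
    #
    $foo      = "$user\$\$trust-$project/$group";
    $newtrust = isset($HTTP_POST_VARS[$foo]) ? $HTTP_POST_VARS[$foo] : "";
    if (!$newtrust || strcmp($newtrust, "") == 0) {
        TBERROR("Parse error finding trust in approveuser.php3", 1);
    }

    #
    # Trust must be one of the three known levels. After this check the
    # value is safe to place in the UPDATE statements below.
    # NOTE(review): $newtrust is still raw client input in this message;
    # whether TBERROR() escapes its text is not visible in this file.
    #
    if (strcmp($newtrust, "user") &&
        strcmp($newtrust, "local_root") &&
        strcmp($newtrust, "group_root")) {
        TBERROR("Invalid trust $newtrust for user $user approveuser.php3.", 1);
    }

    #
    # Get the current status for the user, which we might need to change
    # anyway, and to verify that the user is a valid user. We also need
    # the email address to let user know what happened.
    #
    # We change the status only if this person is joining his first project.
    # In this case, the status will be either "newuser" or "unapproved",
    # and we will change it to "unverified" or "active", respectively.
    # If the status is "active", we leave it alone.
    #
    $query_result =
        DBQueryFatal("SELECT status,usr_email,usr_name from users where ".
                     "uid='$user'");
    if (mysql_num_rows($query_result) == 0) {
        TBERROR("Unknown user $user", 1);
    }
    $row = mysql_fetch_row($query_result);
    $curstatus  = $row[0];
    # Strip CR/LF so a stored name or address cannot start a new header
    # line in the mail() calls below.
    $user_email = preg_replace('/[\r\n]+/', ' ', $row[1]);
    $user_name  = preg_replace('/[\r\n]+/', ' ', $row[2]);

    #
    # We need to check that the current uid has the necessary trust level
    # to add this user to the project/group. Also, only project leaders
    # can add someone as group_root. This should probably be encoded in
    # the permission stuff.
    #
    if (! TBProjAccessCheck($uid, $project, $group, $TB_PROJECT_ADDUSER)) {
        USERERROR("You are not allowed to approve users in ".
                  "$project/$group!", 1);
    }
    TBProjLeader($project, $projleader);
    if (strcmp($uid, $projleader) &&
        strcmp($newtrust, "group_root") == 0) {
        USERERROR("You do not have permission to add new users with group ".
                  "root status!", 1);
    }

    # Name and address of the approver; used in the From: header below, so
    # they get the same CR/LF stripping as the other header values.
    TBUserInfo($uid, $uid_name, $uid_email);
    $uid_name  = preg_replace('/[\r\n]+/', ' ', $uid_name);
    $uid_email = preg_replace('/[\r\n]+/', ' ', $uid_email);

    #
    # If already in the group skip.
    #
    TBGroupMember($user, $project, $group, $isapproved);
    if ($isapproved) {
        continue;
    }

    #
    # Lets get group leader email, just in case the person doing the approval
    # is not the head of the project or group. This is polite to do.
    #
    $query_result =
        DBQueryFatal("SELECT usr_email,usr_name from users as u ".
                     "left join groups as g on g.leader=u.uid ".
                     "where g.pid='$project' and g.gid='$group'");
    if (mysql_num_rows($query_result) == 0) {
        TBERROR("Retrieving user info for project $project leader", 1);
    }
    $row = mysql_fetch_row($query_result);
    $phead_email = preg_replace('/[\r\n]+/', ' ', $row[0]);
    $phead_name  = preg_replace('/[\r\n]+/', ' ', $row[1]);

    #
    # Well, looks like everything is okay. Change the project membership
    # value appropriately.
    #
    if (strcmp($approval, "postpone") == 0) {
        echo "<p><h3>
                  Membership status for user $user was postponed for
                  later decision.
              </h3>\n";
        continue;
    }
    if (strcmp($approval, "deny") == 0) {
        #
        # Must delete the group_membership record since we require that the
        # user reapply once denied. Send the luser email to let him know.
        #
        $query_result =
            DBQueryFatal("delete from group_membership ".
                         "where uid='$user' and pid='$project' and ".
                         "      gid='$group'");

        mail("$user_name '$user' <$user_email>",
             "TESTBED: Project '$project' Membership Denied",
             "\n".
             "This message is to notify you that you have been denied\n".
             "membership in project $project\n".
             "\n\n".
             "Thanks,\n".
             "Testbed Ops\n".
             "Utah Network Testbed\n",
             "From: $uid_name <$uid_email>\n".
             "Cc:  $phead_name <$phead_email>\n".
             "Bcc: $TBMAIL_AUDIT\n".
             "Errors-To: $TBMAIL_WWW");

        echo "<h3><p>
                  User $user was denied membership in project $project.
                  The user will need to reapply again if this was in error.
              </h3>\n";

        continue;
    }
    if (strcmp($approval, "nuke") == 0) {
        #
        # Must delete the group_membership record since we require that the
        # user reapply once denied. No mail is sent on this path.
        #
        $query_result =
            DBQueryFatal("delete from group_membership ".
                         "where uid='$user' and pid='$project' and ".
                         "      gid='$group'");

        #
        # See if user is in any other projects (even unapproved).
        #
        $query_result =
            DBQueryFatal("select * from group_membership where uid='$user'");

        #
        # If yes, then we cannot safely delete the user account.
        #
        if (mysql_num_rows($query_result)) {
            echo "<h3><p>
                  User $user was denied membership in project $project.<br>
                  Since the user is a member (or requesting membership)
		  in other projects, the account cannot be safely removed.
              </h3>\n";

            continue;
        }

        #
        # No other project membership. If the user is unapproved/newuser,
        # it means he was never approved in any project, and so will
        # likely not be missed. He will be unapproved if he did his
        # verification.
        #
        if (strcmp($curstatus, "newuser") &&
            strcmp($curstatus, "unapproved")) {
            echo "<h3><p>
                  User $user was denied membership in project $project.<br>
                  Since the user has been approved by, or was active in other
		  projects in the past, the account cannot be safely removed.
              </h3>\n";
            continue;
        }

        # Irreversible: removes the account row itself.
        $query_result = DBQueryFatal("delete FROM users where uid='$user'");

        echo "<h3><p>
                  User $user was denied membership in project $project.<br>
		  The account has also been terminated with prejudice!
              </h3>\n";

        continue;
    }
    if (strcmp($approval, "approve") == 0) {
        #
        # Change the trust value in group_membership accordingly.
        #
        $query_result =
            DBQueryFatal("UPDATE group_membership ".
                         "set trust='$newtrust',date_approved=now() ".
                         "WHERE uid='$user' and pid='$project' and ".
                         "      gid='$group'");

        #
        # Messy. If this is a new user joining a subgroup, and that new user
        # is not already approved in the project itself, set the same trust
        # on the project-level record (gid equal to pid) as well.
        # NOTE(review): this is an UPDATE, so it only has an effect if that
        # row already exists; presumably the join form creates it. Confirm.
        #
        if (strcmp($project, $group)) {
            TBGroupMember($user, $project, $project, $isapproved);

            if (! $isapproved) {
                $query_result =
                    DBQueryFatal("UPDATE group_membership ".
                                 "set trust='$newtrust',date_approved=now() ".
                                 "WHERE uid='$user' and pid='$project' and ".
                                 "      gid='$project'");
            }
        }

        #
        # Change the status if necessary. This only happens for new
        # users being added to their first project. After this, the status is
        # going to be "active", and we just leave it that way.
        #
        if (strcmp($curstatus, "active")) {
            if (strcmp($curstatus, "newuser") == 0) {
                $newstatus = "unverified";
            }
            elseif (strcmp($curstatus, "unapproved") == 0) {
                $newstatus = "active";
            }
            else {
                TBERROR("Invalid $user status $curstatus in approveuser.php3",
                         1);
            }
            $query_result =
                DBQueryFatal("UPDATE users set status='$newstatus' ".
                             "WHERE uid='$user'");
        }

        mail("$user_name '$user' <$user_email>",
             "TESTBED: Project '$project' Membership Approval",
             "\n".
             "This message is to notify you that you have been approved\n".
             "as a member of project $project with $newtrust permissions.\n".
             "\n\n".
             "Thanks,\n".
             "Testbed Ops\n".
             "Utah Network Testbed\n",
             "From: $uid_name <$uid_email>\n".
             "Cc:  $phead_name <$phead_email>\n".
             "Bcc: $TBMAIL_AUDIT\n".
             "Errors-To: $TBMAIL_WWW");

        #
        # Create user account on control node. $user is placed in the
        # command string as-is; the character-set check at the top of the
        # loop is what keeps shell metacharacters out of it.
        # NOTE(review): how SUEXEC() runs the string is not visible here.
        #
        SUEXEC($uid, "flux", "mkacct-ctrl $user", 0);

        echo "<h3><p>
                  User $user was granted membership in project $project
                  with $newtrust permissions.
              </h3>\n";

        continue;
    }
    TBERROR("Invalid approval value $approval in approveuser.php3.", 1);
}

#
# Standard Testbed Footer
#
PAGEFOOTER();
?>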