From b5db9b004c76401ce275242dca0eb1c3379155a8 Mon Sep 17 00:00:00 2001
From: Leigh B Stoller <stoller@flux.utah.edu>
Date: Tue, 26 Dec 2017 13:08:32 -0700
Subject: [PATCH] Lets be a little smarter with users who are not members of
 any projects with sufficient permission to do anything useful (including geni
 users). Head them off at the pass and explain in simple (short), direct
 (short) clear (short) text why they can't do what they want to do.

---
 www/aptui/create-dataset.php |  5 ++++-
 www/aptui/geni-login.ajax    |  4 +---
 www/aptui/instantiate.php    |  3 +++
 www/aptui/manage_profile.php |  3 +++
 www/aptui/quickvm_sup.php    | 41 ++++++++++++++++++++++++++++++++++--
 www/aptui/reserve.php        |  3 +++
 www/tbauth.php3              | 37 ++++++++++++++++++++++++++++++--
 7 files changed, 88 insertions(+), 8 deletions(-)

diff --git a/www/aptui/create-dataset.php b/www/aptui/create-dataset.php
index 70c13d928..8d5aa899b 100644
--- a/www/aptui/create-dataset.php
+++ b/www/aptui/create-dataset.php
@@ -1,6 +1,6 @@
 <?php
 #
-# Copyright (c) 2000-2016 University of Utah and the Flux Group.
+# Copyright (c) 2000-2017 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -35,6 +35,9 @@ $page_title = "Create Dataset";
 #
 RedirectSecure();
 $this_user = CheckLoginOrRedirect();
+if (NOPROJECTMEMBERSHIP()) {
+    return NoProjectMembershipError($this_user);
+}
 $this_idx  = $this_user->uid_idx();
 
 #
diff --git a/www/aptui/geni-login.ajax b/www/aptui/geni-login.ajax
index 40cbf69ca..b3f9516f5 100644
--- a/www/aptui/geni-login.ajax
+++ b/www/aptui/geni-login.ajax
@@ -392,9 +392,7 @@ function Do_VerifySpeaksfor()
         $blob["url"]   = "showuser.php3";
     }
     else {
-        $blob["url"]   = ($this_user->webonly() ||
-                          !Instance::UserHasInstances($this_user)
-                          ? "instantiate.php" : "landing.php");
+        $blob["url"]   = "landing.php";
     }
     session_destroy();
     SPITAJAX_RESPONSE($blob);
diff --git a/www/aptui/instantiate.php b/www/aptui/instantiate.php
index 259cb9b49..6d6a8fe64 100644
--- a/www/aptui/instantiate.php
+++ b/www/aptui/instantiate.php
@@ -43,6 +43,9 @@ RedirectSecure();
 $this_user = CheckLogin($check_status);
 if (isset($this_user)) {
     CheckLoginOrDie(CHECKLOGIN_NONLOCAL|CHECKLOGIN_WEBONLY);
+    if (NOPROJECTMEMBERSHIP()) {
+        return NoProjectMembershipError($this_user);
+    }
 }
 else {
     RedirectLoginPage();
diff --git a/www/aptui/manage_profile.php b/www/aptui/manage_profile.php
index 5e8386c58..b146bab66 100644
--- a/www/aptui/manage_profile.php
+++ b/www/aptui/manage_profile.php
@@ -40,6 +40,9 @@ $notifyclone = 0;
 RedirectSecure();
 $this_user = CheckLoginOrRedirect();
 $this_idx  = $this_user->uid_idx();
+if ((!isset($action) || $action == "create") && NOPROJECTMEMBERSHIP()) {
+    return NoProjectMembershipError($this_user);
+}
 
 #
 # Verify page arguments.
diff --git a/www/aptui/quickvm_sup.php b/www/aptui/quickvm_sup.php
index 478553fba..2cd7973c2 100644
--- a/www/aptui/quickvm_sup.php
+++ b/www/aptui/quickvm_sup.php
@@ -49,7 +49,7 @@ if (isset($_SERVER['SERVER_NAME'])) {
 #
 # Redefine this so APT errors are styled properly. Called by PAGEERROR();.
 #
-$PAGEERROR_HANDLER = function($msg, $status_code = 0) {
+$PAGEERROR_HANDLER = function($msg = null, $status_code = 0) {
     global $drewheader, $ISCLOUD, $ISPNET, $ISEMULAB, $ISAPT, $ISPOWDER;
     global $spatrequired, $TBMAINSITE, $PORTAL_HELPFORUM;
 
@@ -57,7 +57,9 @@ $PAGEERROR_HANDLER = function($msg, $status_code = 0) {
 	SPITHEADER();
     }
     echo "<br>";
-    echo $msg;
+    if ($msg) {
+        echo $msg;
+    }
     echo "<script type='text/javascript'>\n";
     echo "    window.ISEMULAB  = " . ($ISEMULAB ? "1" : "0") . ";\n";
     echo "    window.ISCLOUD   = " . ($ISCLOUD  ? "1" : "0") . ";\n";
@@ -624,6 +626,41 @@ function SPITUSERERROR($msg)
     PAGEERROR($msg, 0);
 }
 
+function NoProjectMembershipError($this_user)
+{
+    global $drewheader, $PAGEERROR_HANDLER;
+    
+    if (! $drewheader) {
+	SPITHEADER();
+    }
+    echo "<br>";
+    echo "<p class=lead>";
+    echo "Oops, you are not a member of any projects in which you have ".
+        "permission to access this page! ";
+    echo "</p>";
+    echo "<p>";
+    if ($this_user->IsNonLocal()) {
+        echo
+            "Typically this is because you are not a member of any projects ".
+            "at your home portal (say, the Geni Portal). You must log into ".
+            "your home portal and request membership in a project, or start ".
+            "your own project. Once your membership or project is approved ".
+            "at your home portal, you can come back here and log back in.";
+    }
+    else {
+        echo
+            "Typically this is because you are not yet an approved member of ".
+            "any projects with sufficient privileges. If you are still ".
+            "awaiting approval or need your privileges adjusted, please ".
+            "contact your project leader. If you are waiting for a new ".
+            "project to be approved, please be patient, it can take a week ".
+            "to approve a new project request.";
+    }
+    echo "</p>";
+    echo "<br>";
+    $PAGEERROR_HANDLER();
+}
+
 #
 # Does not return; page exits.
 #
diff --git a/www/aptui/reserve.php b/www/aptui/reserve.php
index 9fd202f98..2722f8d0d 100644
--- a/www/aptui/reserve.php
+++ b/www/aptui/reserve.php
@@ -35,6 +35,9 @@ $page_title = "Reservations";
 #
 RedirectSecure();
 $this_user = CheckLoginOrRedirect();
+if (NOPROJECTMEMBERSHIP()) {
+    return NoProjectMembershipError($this_user);
+}
 $isadmin   = (ISADMIN() ? 1 : 0);
 $isfadmin  = (ISFOREIGN_ADMIN() ? 1 : 0);
 
diff --git a/www/tbauth.php3 b/www/tbauth.php3
index 0bce4cd03..0cf3b2571 100644
--- a/www/tbauth.php3
+++ b/www/tbauth.php3
@@ -70,6 +70,7 @@ define("CHECKLOGIN_OPSGUY",		0x0400000);  # Member of emulab-ops.
 define("CHECKLOGIN_ISFOREIGN_ADMIN",	0x0800000);  # Admin of another Emulab.
 define("CHECKLOGIN_NONLOCAL",		0x1000000);
 define("CHECKLOGIN_INACTIVE",		0x2000000);
+define("CHECKLOGIN_NOPROJECTS",		0x4000000);
 
 #
 # Constants for tracking possible login attacks.
@@ -291,6 +292,7 @@ function LoginStatus() {
     $workbench = 0;
     $frozen    = 0;
     $nonlocal  = 0;
+    $pcount    = 0;
     
     while ($row = mysql_fetch_array($query_result)) {
 	$expired = $row[0];
@@ -299,9 +301,17 @@ function LoginStatus() {
 	$status  = $row[3];
 	$admin   = $row[4];
 	$cvsweb  = $row[5];
+        $trust   = $row[6];
 
-	if (! strcmp($row[6], "project_root") ||
-	    ! strcmp($row[6], "group_root")) {
+        #
+        # Count up number of projects where user has local_root or better.
+        # These are projects where user has viable permission to do things,
+        # like create experiments.
+        #
+        if ($trust != "none" && $trust != "user") {
+            $pcount++;
+        }
+	if ($trust == "project_root" || $trust == "group_root") {
 	    $trusted = 1;
 	}
 	$adminon  = $row[7];
@@ -470,6 +480,21 @@ function LoginStatus() {
 	$CHECKLOGIN_STATUS |= CHECKLOGIN_ISFOREIGN_ADMIN;
     if ($nonlocal)
 	$CHECKLOGIN_STATUS |= CHECKLOGIN_NONLOCAL;
+    #
+    # A local user that has no privs in at least one project, or a nonlocal
+    # user where webonly=1 (which means they have project membership at
+    # their home portal). 
+    #
+    if ($nonlocal) {
+        if ($webonly) {
+            $CHECKLOGIN_STATUS |= CHECKLOGIN_NOPROJECTS;
+        }
+    }
+    else {
+        if (!$pcount) {
+            $CHECKLOGIN_STATUS |= CHECKLOGIN_NOPROJECTS;
+        }
+    }
 
     #
     # Set the magic enviroment variable, if appropriate, for the sake of
@@ -741,6 +766,14 @@ function WIKIONLY() {
 	    (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_WIKIONLY));
 }
 
+function NOPROJECTMEMBERSHIP() {
+    global $CHECKLOGIN_STATUS;
+
+    return (($CHECKLOGIN_STATUS &
+	     (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_NOPROJECTS)) ==
+	    (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_NOPROJECTS));
+}
+
 # Is this user a real administrator (ignore onoff bit).
 function ISADMINISTRATOR() {
     global $CHECKLOGIN_STATUS;
-- 
GitLab