Commit c6291e10 authored by Russ Fish's avatar Russ Fish

Fix the approveproject:Destroy option.

approveproject.php3 - Take the user out of project group first,
    then 'nuke' the user, similar to how approveproject:Nuke does it,
    before removing the destroyed project.
tbsetup/rmuser.in - Allow removing an unapproved project leader when nuking.
tbsetup/rmgroup.in - There are no /etc/group entries for an unapproved project group.
db/Group.pm.in - More exclude_leader fixes to Group->MemberList.
parent 2e79857b
...@@ -385,7 +385,9 @@ sub EditGroup($$$$) ...@@ -385,7 +385,9 @@ sub EditGroup($$$$)
# page first. # page first.
# #
my @curmembers; my @curmembers;
if ($group->MemberList(\@curmembers, $MEMBERLIST_FLAGS_GETTRUST)) { if ($group->MemberList(\@curmembers,
$MEMBERLIST_FLAGS_GETTRUST |
$MEMBERLIST_FLAGS_EXCLUDE_LEADER)) {
$$usrerr_ref = "Error: Could not get member list for $group"; $$usrerr_ref = "Error: Could not get member list for $group";
return undef; return undef;
} }
...@@ -1117,8 +1119,6 @@ sub LeaderMailList($) ...@@ -1117,8 +1119,6 @@ sub LeaderMailList($)
sub MemberList($$;$$) sub MemberList($$;$$)
{ {
my ($self, $prval, $flags, $desired_trust) = @_; my ($self, $prval, $flags, $desired_trust) = @_;
my $leader = $self->GetLeader();
my $leader_idx = $leader->uid_idx();
# Must be a real reference. # Must be a real reference.
return -1 return -1
...@@ -1135,6 +1135,13 @@ sub MemberList($$;$$) ...@@ -1135,6 +1135,13 @@ sub MemberList($$;$$)
my $exclude_leader = ($flags & $MEMBERLIST_FLAGS_EXCLUDE_LEADER ? 1 : 0); my $exclude_leader = ($flags & $MEMBERLIST_FLAGS_EXCLUDE_LEADER ? 1 : 0);
my $trust_clause; my $trust_clause;
my $leader = $self->GetLeader();
my $leader_idx;
# There will be no leader during approveproject/Destroy.
if (defined($leader)) {
$leader_idx = $leader->uid_idx();
}
if (defined($desired_trust)) { if (defined($desired_trust)) {
$trust_clause = "and trust='$desired_trust'" $trust_clause = "and trust='$desired_trust'"
} }
...@@ -1156,7 +1163,7 @@ sub MemberList($$;$$) ...@@ -1156,7 +1163,7 @@ sub MemberList($$;$$)
while (my ($uid_idx, $uid, $trust) = $query_result->fetchrow_array()) { while (my ($uid_idx, $uid, $trust) = $query_result->fetchrow_array()) {
if ($exclude_leader && $leader_idx == $uid_idx) { if ($exclude_leader && defined($leader) && $leader_idx == $uid_idx) {
next; next;
} }
...@@ -1222,7 +1229,7 @@ sub NonMemberList($$;$) ...@@ -1222,7 +1229,7 @@ sub NonMemberList($$;$)
my $user = User->Lookup($uid_idx); my $user = User->Lookup($uid_idx);
if (!defined($user)) { if (!defined($user)) {
print "Group::Memberlist: Could not map $uid_idx to object\n"; print "Group::NonMemberList: Could not map $uid_idx to object\n";
return undef; return undef;
} }
push(@result, $user); push(@result, $user);
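Review bot: With `$MEMBERLIST_FLAGS_EXCLUDE_LEADER` set and `GetLeader()` returning undef, the loop guard in the -1156 hunk now quietly returns every member, so a caller that relies on the exclusion (EditGroup in the first hunk now does) cannot tell "no leader" from a failed leader lookup. The page does not show how `GetLeader()` can fail, so this may be harmless, but the fail-open behaviour deserves a comment at the guard, for example `# No leader (approveproject/Destroy): nothing to exclude, all members are returned.` Testing `defined($leader_idx)` in the loop rather than `defined($leader)` would also check the value that is actually compared. MemberList's body continues outside these hunks.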
......
...@@ -192,59 +192,62 @@ foreach my $uid (@userlist) { ...@@ -192,59 +192,62 @@ foreach my $uid (@userlist) {
$EUID = 0; $EUID = 0;
} }
# # If the group isn't in /etc/group yet, it wasn't approved and created.
# Now remove the group from the group file on both plastic and paper. if (system("grep -q '^${unix_gid}:' /etc/group")) {
# #
print "Removing group $unix_name ($unix_gid) on local node.\n"; # Now remove the group from the group file on both plastic and paper.
#
print "Removing group $unix_name ($unix_gid) on local node.\n";
if (system("$GROUPDEL $unix_name")) { if (system("$GROUPDEL $unix_name")) {
if (($? >> 8) != 65) { if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from local node!"); fatal("Could not remove group $unix_name from local node!");
}
} }
}
if ($MAILMANSUPPORT && !$ELABINELAB) { if ($MAILMANSUPPORT && !$ELABINELAB) {
my $listname = ($pid eq $gid ? "${pid}-users" : "${pid}-${gid}-users"); my $listname = ($pid eq $gid ? "${pid}-users" : "${pid}-${gid}-users");
# For perl
$EUID = $UID;
system("$DELMMLIST -a $listname") == 0 or
fatal("$DELMMLIST -a $listname failed!");
$EUID = 0;
}
if ($OPSDBSUPPORT && !$ELABINELAB) { # For perl
# For perl $EUID = $UID;
$EUID = $UID; system("$DELMMLIST -a $listname") == 0 or
system("$OPSDBCONTROL delgroup $pid $gid") == 0 or fatal("$DELMMLIST -a $listname failed!");
fatal("$OPSDBCONTROL delgroup $pid $gid failed!"); $EUID = 0;
$EUID = 0; }
}
# if ($OPSDBSUPPORT && !$ELABINELAB) {
# Be real root for ssh. # For perl
# $EUID = $UID;
$UID = 0; system("$OPSDBCONTROL delgroup $pid $gid") == 0 or
fatal("$OPSDBCONTROL delgroup $pid $gid failed!");
$EUID = 0;
}
if ($CONTROL ne $BOSSNODE) { #
print "Removing group $unix_name ($unix_gid) on $CONTROL.\n"; # Be real root for ssh.
#
$UID = 0;
if (system("$SSH -host $CONTROL $GROUPDEL $unix_name")) { if ($CONTROL ne $BOSSNODE) {
if (($? >> 8) != 65) { print "Removing group $unix_name ($unix_gid) on $CONTROL.\n";
fatal("Could not remove group $unix_name from $CONTROL!");
if (system("$SSH -host $CONTROL $GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from $CONTROL!");
}
} }
} }
}
# #
# Remove group on the tip servers. # Remove group on the tip servers.
# #
foreach my $tipserver ( TBTipServers() ) { foreach my $tipserver ( TBTipServers() ) {
print "Removing group $unix_name ($unix_gid) on $tipserver.\n"; print "Removing group $unix_name ($unix_gid) on $tipserver.\n";
if (system("$SSH -host $tipserver $GROUPDEL $unix_name")) { if (system("$SSH -host $tipserver $GROUPDEL $unix_name")) {
if (($? >> 8) != 65) { if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from $tipserver!"); fatal("Could not remove group $unix_name from $tipserver!");
}
} }
} }
} }
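Review bot: The new guard `if (system("grep -q '^${unix_gid}:' /etc/group"))` looks wrong on two counts: /etc/group lines begin with the group name rather than the numeric gid, and system() returns non-zero when grep finds nothing, so the block runs when there is no match, the opposite of what the comment above it describes. As written the pattern would rarely match, so the removal steps probably still run for an unapproved group. A lookup by name that does not go through a shell, e.g. `if (defined(getgrnam($unix_name))) {`, states the intent directly and avoids handing an interpolated string to /bin/sh while `$EUID` is 0. Indentation is lost on this page, so it is only inferred that the guard also wraps the mailing-list, opsdb and remote groupdel steps; if it does, confirm that those should be skipped for a group that was never approved.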
......
...@@ -161,22 +161,23 @@ if (@explist) { ...@@ -161,22 +161,23 @@ if (@explist) {
# Must not be the head of the project being removed from, or any projects # Must not be the head of the project being removed from, or any projects
# if being completely removed. # if being completely removed.
# #
if (defined($project)) { if (!$nuke) {
if ($target_user->SameUser($project->GetLeader())) { if (defined($project)) {
fatal("$target_user is the leader of project $project!"); if ($target_user->SameUser($project->GetLeader())) {
} fatal("$target_user is the leader of project $project!");
} }
else {
my @leaderlist;
if ($target_user->ProjectLeaderList(\@leaderlist) != 0) {
fatal("Could not get project leader list for $target_user");
} }
if (@leaderlist) { else {
fatal("$target_user is still heading up projects!"); my @leaderlist;
if ($target_user->ProjectLeaderList(\@leaderlist) != 0) {
fatal("Could not get project leader list for $target_user");
}
if (@leaderlist) {
fatal("$target_user is still heading up projects!");
}
} }
} }
# #
# If nuke mode is also specified, then the account is being nuked from # If nuke mode is also specified, then the account is being nuked from
# web page because of a project join denial. Check to make sure user # web page because of a project join denial. Check to make sure user
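Review bot: Wrapping both branches in `if (!$nuke)` skips every leader check whenever nuke mode is set, which is broader than the commit message's "unapproved project leader". A nuke without a project no longer consults `ProjectLeaderList`, and a nuke with a project never checks that the project is in fact unapproved. Unless the nuke-mode checks that follow (they continue outside this hunk) already cover this, consider limiting the bypass to the project branch, `if (!$nuke && $target_user->SameUser($project->GetLeader())) {`, and leaving the `else` branch unconditional. A comment naming the caller that is expected to pass nuke for a project leader would make the exception easier to audit.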
......
...@@ -24,6 +24,10 @@ $optargs = OptionalPageArguments("head_uid", PAGEARG_STRING, ...@@ -24,6 +24,10 @@ $optargs = OptionalPageArguments("head_uid", PAGEARG_STRING,
"user_interface", PAGEARG_STRING, "user_interface", PAGEARG_STRING,
"message", PAGEARG_ANYTHING, "message", PAGEARG_ANYTHING,
"silent", PAGEARG_BOOLEAN); "silent", PAGEARG_BOOLEAN);
$sendemail = 1;
if (isset($silent) && $silent) {
$sendemail = 0;
}
# #
# Of course verify that this uid has admin privs! # Of course verify that this uid has admin privs!
...@@ -139,13 +143,80 @@ elseif (strcmp($approval, "moreinfo") == 0) { ...@@ -139,13 +143,80 @@ elseif (strcmp($approval, "moreinfo") == 0) {
} }
elseif ((strcmp($approval, "deny") == 0) || elseif ((strcmp($approval, "deny") == 0) ||
(strcmp($approval, "destroy") == 0)) { (strcmp($approval, "destroy") == 0)) {
SUEXEC($uid, $TBADMINGROUP, "webrmproj $pid", 1);
#
# If the "destroy" option was given, kill the users account.
#
if (strcmp($approval, "destroy") == 0) {
#
# Take the user out of the project group first.
#
SUEXEC($uid, $TBADMINGROUP, "webmodgroups -r $pid:$pid $headuid", 1);
#
# See if user is in any other projects (even unapproved).
#
$project_list = $leader->ProjectMembershipList();
$sendemail = 1; #
if (isset($silent) && $silent) { # If yes, then we cannot safely delete the user account.
$sendemail = 0; #
if (count($project_list)) {
echo "<p>
User $headuid was <b>denied</b> starting project $pid.
<br>
Since the user is a member (or requesting membership)
in other projects, the account cannot be safely removed.
<br>\n";
}
else {
#
# No other project membership. If the user is unapproved/newuser,
# it means he was never approved in any project, and so will
# likely not be missed. He will be unapproved if he did his
# verification.
#
if (strcmp($curstatus, "newuser") &&
strcmp($curstatus, "unapproved")) {
echo "<p>
User $headuid was <b>denied</b> starting project $pid.
<br>
Since the user has been approved by, or was active in other
projects in the past, the account cannot be safely removed.
\n";
}
else {
SUEXEC($uid, $TBADMINGROUP, "webrmuser -n -p $pid $headuid", 1);
if ($sendemail) {
TBMAIL("$headname '$headuid' <$headuid_email>",
"Account '$headuid' Terminated",
"\n".
"This message is to notify you that your account has \n".
"been terminated because your project $pid was denied.\n".
"\n\n".
"Thanks,\n".
"Testbed Operations\n",
"From: $TBMAIL_APPROVAL\n".
"Bcc: $TBMAIL_APPROVAL\n".
"Errors-To: $TBMAIL_WWW");
}
echo "<h3><p>
User $headuid was <b>denied</b> starting project $pid.
<br>
The account has also been <b>terminated</b>!
</h3>\n";
}
}
} }
else {
echo "<h3><p>
Project $pid (User: $headuid) has been denied.
</h3>\n";
}
SUEXEC($uid, $TBADMINGROUP, "webrmproj $pid", 1);
if ($sendemail) { if ($sendemail) {
TBMAIL("$headname '$headuid' <$headuid_email>", TBMAIL("$headname '$headuid' <$headuid_email>",
"Project '$pid' Denied", "Project '$pid' Denied",
...@@ -161,30 +232,6 @@ elseif ((strcmp($approval, "deny") == 0) || ...@@ -161,30 +232,6 @@ elseif ((strcmp($approval, "deny") == 0) ||
"Errors-To: $TBMAIL_WWW"); "Errors-To: $TBMAIL_WWW");
} }
#
# Well, if the "destroy" option was given, kill the users account.
#
if ($approval == "destroy") {
SUEXEC($uid, $TBADMINGROUP, "webrmuser $headuid", 1);
if ($sendemail) {
TBMAIL("$headname '$headuid' <$headuid_email>",
"Account '$headuid' Terminated",
"\n".
"This message is to notify you that your account has \n".
"been terminated because your project $pid was denied.\n".
"\n\n".
"Thanks,\n".
"Testbed Operations\n",
"From: $TBMAIL_APPROVAL\n".
"Bcc: $TBMAIL_APPROVAL\n".
"Errors-To: $TBMAIL_WWW");
}
}
echo "<h3><p>
Project $pid (User: $headuid) has been denied.
</h3>\n";
} }
elseif (strcmp($approval, "approve") == 0) { elseif (strcmp($approval, "approve") == 0) {
$optargs = ""; $optargs = "";
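Review bot: The new SUEXEC calls build their command lines by interpolation (`"webmodgroups -r $pid:$pid $headuid"` and `"webrmuser -n -p $pid $headuid"`), and nothing in these hunks shows where `$pid` and `$headuid` are validated. If the page-argument checks outside the hunk do not already restrict both to a safe character set, wrap each value with `escapeshellarg()` before it reaches the command string. The same values are echoed unescaped into the new HTML status messages, where `htmlspecialchars()` is the matching precaution. The enclosing `elseif` chain starts and ends outside the visible hunks.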
......