
Commit f25e624f authored by Leigh B. Stoller's avatar Leigh B. Stoller

Rework the user approval stuff completely. Now works for users joining

multiple projects.
parent 109d85a2
<html>
<head>
<title>New User Approval</title>
<link rel='stylesheet' href='tbstyle.css' type='text/css'>
</head>
<body>
<?php
include("defs.php3");
#
# Only known and logged in users can be verified.
#
$auth_usr = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$auth_usr=$Vals[1];
addslashes($auth_usr);
}
else {
unset($auth_usr);
}
LOGGEDINORDIE($auth_usr);
echo "
<h1>Approve new users in your Project</h1>
Use this page to approve new members of your Project. Once approved,
they will be able to log into machines in your Project's experiments.</p>
<p> If you desire, you may set their trust/privilege levels to give them
more or less access to your nodes:
<ul>
<li>User - Can log into machines in your experiments.
<li>Root - Granted root access on your project's machines;
can create new experiments.
</ul></p></h3>\n";
$query="SELECT pid FROM proj_memb WHERE uid='$auth_usr' and trust='group_root'";
$result = mysql_db_query("tbdb", $query);
$select = "SELECT";
while ($row = mysql_fetch_row($result)) {
$pid = $row[0];
if ($select == "SELECT") {
$select .= " DISTINCT uid FROM proj_memb WHERE pid='$pid'";
} else {
$select .= " OR pid='$pid'";
}
}
if ($select=="SELECT") {
echo "<h3>You do not have Project Root permissions in any Project</h3>";
echo "</body></html>\n";
exit;
}
$selected = mysql_db_query("tbdb", $select);
$find = "SELECT";
while ($row = mysql_fetch_row($selected)) {
$uid = $row[0];
if ($find == "SELECT") {
$find .= " DISTINCT uid,usr_name,usr_email,usr_title,usr_affil,usr_addr,usr_addr2,usr_city,usr_state,usr_zip,usr_phone FROM users WHERE (status='newuser' OR status='unapproved') AND (uid='$uid'";
} else {
$find .= " OR uid='$uid'";
}
}
$find .= ")";
$found = mysql_db_query("tbdb", $find);
if ( mysql_num_rows($found) == 0 ) {
echo "<h3>You have no new project members who need approval</h3>\n";
} else {
echo "<table width=\"100%\" border=2 cellpadding=0 cellspacing=2 align='center'>
<tr>
<td rowspan=2>Action</td>
<td rowspan=2>Trust Level</td>
<td rowspan=2>User</td>
<td>Name</td>
<td>Title</td>
<td>Affil.</td>
<td>E-mail</td>
<td>Phone</td>
</tr><tr>
<td>Addr</td>
<td>Addr2</td>
<td>City</td>
<td>State</td>
<td>Zip</td>
</tr>
<form action='approved.php3?$auth_usr' method='post'>\n";
while ($row = mysql_fetch_row($found)) {
$uid = $row[0];
$name= $row[1];
$email=$row[2];
$title=$row[3];
$affil=$row[4];
$addr= $row[5];
$addr2=$row[6];
$city= $row[7];
$state=$row[8];
$zip= $row[9];
$phone=$row[10];
echo "
<tr><td colspan=8>&nbsp;</td></tr>
<tr><td rowspan=2><select name=\"$uid\">
<option value='approve'>Approve</option>
<option value='deny'>Deny</option>
<option value='later'>Postpone</option></select></td>
<td rowspan=2><select name=\"$uid-trust\">
<option value='user'>User</option>
<option value='local_root'>Root</option>";
echo "</select></td>
<td rowspan=2>&nbsp;$uid&nbsp;</td><td>&nbsp;$name&nbsp;</td><td>&nbsp;$title&nbsp;</td><td>&nbsp;$affil&nbsp;</td><td>&nbsp;$email&nbsp;</td><td>&nbsp;$phone&nbsp;</td></tr>
<tr><td>&nbsp;$addr&nbsp;</td><td>&nbsp;$addr2&nbsp;</td><td>&nbsp;city&nbsp;</td><td>&nbsp;$state&nbsp;</td><td>&nbsp;$zip&nbsp;</td>
</tr>\n";
}
echo "
<tr><td align=center colspan=8><b><input type='submit' value='Submit' name='OK'></td></tr>
</form>
</table>\n";
}
echo "
</body>
</html>";
?>
<html>
<head>
<title>New Users Approved</title>
<link rel='stylesheet' href='tbstyle.css' type='text/css'>
</head>
<body>
<?php
include("defs.php3");
#
# Only known and logged in users can be verified.
#
$auth_usr = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$auth_usr=$Vals[1];
addslashes($auth_usr);
}
else {
unset($auth_usr);
}
LOGGEDINORDIE($auth_usr);
echo "
<h1>Approving new users...</h1>
";
$query="SELECT pid FROM proj_memb WHERE uid='$auth_usr' and trust='group_root'";
$result = mysql_db_query("tbdb", $query);
$select = "SELECT";
$project[0]="";
$n=0;
while ($row = mysql_fetch_row($result)) {
$pid = $row[0];
$project[$n]=$pid;
$n = $n + 1;
if ($select == "SELECT") {
$select .= " DISTINCT uid FROM proj_memb WHERE pid='$pid'";
} else {
$select .= " OR pid='$pid'";
}
}
$selected = mysql_db_query("tbdb", $select);
$find = "SELECT";
while ($row = mysql_fetch_row($selected)) {
$uid = $row[0];
if ($find == "SELECT") {
$find .= " DISTINCT uid,status,usr_email FROM users WHERE (status='newuser' OR status='unapproved') AND (uid='$uid'";
} else {
$find .= " OR uid='$uid'";
}
}
$find .= ")";
$found = mysql_db_query("tbdb", $find);
while ($row = mysql_fetch_row($found)) {
$uid = $row[0];
$status=$row[1];
$email=$row[2];
$cmd = "select pid from proj_memb where uid='$uid' and trust='none' and (";
$cmd .= "pid='$project[0]'";
$n=1;
while ( isset($project[$n]) ) { $cmd .= " or pid='$project[$n]'"; $n++; }
$cmd .=")";
$result = mysql_db_query("tbdb",$cmd);
$row=mysql_fetch_row($result);
$pid=$row[0];
if (isset($$uid)) {
if ( $$uid == "approve") {
$trust=${"$uid-trust"};
if ($status=="newuser") {
$newstatus='unverified';
} else { #Status is 'unapproved'
$newstatus='active';
}
$cmd = "update users set status='$newstatus' where uid='$uid'";
$cmd .= "and status='$status'";
$result = mysql_db_query("tbdb",$cmd);
$cmd = "update proj_memb set trust='$trust' where uid='$uid'";
$cmd .= "and trust='none' and pid='$pid'";
$result = mysql_db_query("tbdb",$cmd);
mail("$email","TESTBED: Project Membership Approval",
"\nThis message is to notify you that you have been approved ".
"as a member of \nthe $pid project with $trust permissions.\n".
"\nYour status as a Testbed user is now $newstatus.".
"\n\nThanks,\nTestbed Ops\nUtah Network Testbed\n",
"From: Testbed Ops <testbed-ops@flux.cs.utah.edu>\n".
"Cc: Testbed WWW <testbed-www@flux.cs.utah.edu>\n".
"Errors-To: Testbed WWW <testbed-www@flux.cs.utah.edu>");
echo "<h3><p>User $uid was changed to status $newstatus and ";
echo "granted $trust permissions for project $pid.</p></h3>\n";
} elseif ( $$uid == "deny") {
# Delete all rows from proj_memb that are for that person, no privs
# and one of the projects that the user is a leader of
$cmd = "delete from proj_memb where uid='$uid' and trust='none' and (";
$cmd .= "pid='$project[0]'";
$n=1;
while ( isset($project[$n]) ) { $cmd .= " or pid='$project[$n]'"; $n++; }
$cmd .=")";
$result = mysql_db_query("tbdb",$cmd);
mail("$email","TESTBED: Project Membership Denied",
"\nThis message is to notify you that you have been denied ".
"as a member of \nthe $pid project\n".
"\nYour status as a Testbed user is still $status.".
"\n\nThanks,\nTestbed Ops\nUtah Network Testbed\n",
"From: Testbed Ops <testbed-ops@flux.cs.utah.edu>\n".
"Cc: Testbed WWW <testbed-www@flux.cs.utah.edu>\n".
"Errors-To: Testbed WWW <testbed-www@flux.cs.utah.edu>");
echo "<h3><p>User $uid was denied membership in your project.</p>
</h3>\n";
} else {
echo "<h3><p>User $uid was postponed for later decision.</p></h3>\n";
}
}
}
echo "
</body>
</html>";
?>
<html>
<head>
<title>New Users Approved</title>
<link rel='stylesheet' href='tbstyle.css' type='text/css'>
</head>
<body>
<?php
include("defs.php3");
#
# Only known and logged in users can be verified.
#
$uid = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$uid=$Vals[1];
addslashes($uid);
}
else {
unset($uid);
}
LOGGEDINORDIE($uid);
echo "<center><h1>
Project Membership Results
</h1></center>";
#
# Walk the list of post variables, looking for the special post format.
# See approveuser_form.php3:
#
# uid menu project
# name=stoller$$approval-testbed value=approved,denied,postpone
# name=stoller$$trust-testbed value=user,local_root
#
while (list ($header, $value) = each ($HTTP_POST_VARS)) {
#echo "$header: $value<br>\n";
$approval_string = strstr($header, "\$\$approval-");
if (! $approval_string) {
continue;
}
$user = substr($header, 0, strpos($header, "\$\$", 0));
$project = substr($approval_string, strlen("\$\$approval-"));
$approval = $value;
if (!$user || strcmp($user, "") == 0) {
TBERROR("Parse error finding user in approveuser.php3", 1);
}
if (!$project || strcmp($project, "") == 0) {
TBERROR("Parse error finding project in approveuser.php3", 1);
}
if (!$approval || strcmp($approval, "") == 0) {
TBERROR("Parse error finding approval in approveuser.php3", 1);
}
#
# There should be a corresponding trust variable in the POST vars.
# Note that we construct the variable name and indirect to it.
#
$foo = "$user\$\$trust-$project";
$newtrust = $$foo;
if (!$newtrust || strcmp($newtrust, "") == 0) {
TBERROR("Parse error finding trust in approveuser.php3", 1);
}
#echo "User $user,
# Project $project, Approval $approval, Trust $newtrust<br>\n";
if (strcmp($newtrust, "user") && strcmp($newtrust, "local_root")) {
TBERROR("Invalid trust $newtrust for user $user approveuser.php3.", 1);
}
#
# Get the current status for the user, which we might need to change
# anyway, and to verify that the user is a valid user. We also need
# the email address to let user know what happened.
#
# We change the status only if this person is joining his first project.
# In this case, the status will be either "newuser" or "unapproved",
# and we will change it to "unapproved" or "active", respectively.
# If the status is "active", we leave it alone.
#
$query_result = mysql_db_query($TBDBNAME,
"SELECT status,usr_email from users where uid='$user'");
if (! $query_result) {
TBERROR("Database Error restrieving user status for $user", 1);
}
if (mysql_num_rows($query_result) == 0) {
TBERROR("Unknown user $user", 1);
}
$row = mysql_fetch_row($query_result);
$curstatus = $row[0];
$user_email = $row[1];
#echo "Status = $curstatus, Email = $user_email<br>\n";
#
# We need to check that the current uid has the necessary trust level
# to add this user to the project.
#
$query_result = mysql_db_query($TBDBNAME,
"SELECT trust from proj_memb where uid='$uid' and pid='$project'");
if (! $query_result) {
TBERROR("Database Error retrieving trust for $uid in $project", 1);
}
if (mysql_num_rows($query_result) == 0) {
USERERROR("You are not allowed to add users to project $project.", 1);
}
$row = mysql_fetch_row($query_result);
$uidtrust = $row[0];
if (strcmp($uidtrust, "group_root")) {
USERERROR("You are not allowed to add users to project $project.", 1);
}
#
# Then we check that that user being added really wanted to be in that
# project, and is not already there with a valid trust value.
#
$query_result = mysql_db_query($TBDBNAME,
"SELECT trust from proj_memb where uid='$user' and pid='$project'");
if (! $query_result) {
TBERROR("Database Error retrieving trust for $user in $project", 1);
}
if (mysql_num_rows($query_result) == 0) {
USERERROR("User $user is not a member of project $project.", 1);
}
$row = mysql_fetch_row($query_result);
$usertrust = $row[0];
if (strcmp($usertrust, "none")) {
USERERROR("User $user is already a member of project $project.", 1);
}
#
# Well, looks like everything is okay. Change the project membership
# value appropriately.
#
if (strcmp($approval, "postpone") == 0) {
echo "<p><h3>
Membership status for user $user was postponed for
later decision.
</h3>\n";
continue;
}
if (strcmp($approval, "deny") == 0) {
#
# Must delete the proj_memb record since we require that the user
# reapply once denied. Send the luser email to let him know.
#
$query_result = mysql_db_query($TBDBNAME,
"delete from proj_memb where uid='$user' and pid='$project'");
if (! $query_result) {
TBERROR("Database Error removing $user from project membership ".
"after being denied.", 1);
}
mail("$user_email",
"TESTBED: Project Membership Denied",
"\n".
"This message is to notify you that you have been denied\n".
"membership in project $project\n".
"\n\n".
"Thanks,\n".
"Testbed Ops\n".
"Utah Network Testbed\n",
"From: $TBMAIL_CONTROL\n".
"Cc: $TBMAIL_CONTROL\n".
"Errors-To: $TBMAIL_WWW");
echo "<h3><p>
User $user was denied membership in project $project.
The user will need to reapply again if this was in error.
</h3>\n";
continue;
}
if (strcmp($approval, "approve") == 0) {
#
# Change the trust value in proj_memb accordingly.
#
$query_result = mysql_db_query($TBDBNAME,
"UPDATE proj_memb set trust='$newtrust' ".
"WHERE uid='$user' and pid='$project'");
if (! $query_result) {
TBERROR("Database Error adding $user to project $project.", 1);
}
#
# Change the status if necessary. This only happens for new
# users being added to their first project. After this, the status is
# going to be "active", and we just leave it that way.
#
if (strcmp($curstatus, "active")) {
if (strcmp($curstatus, "newuser") == 0) {
$newstatus = "unverified";
}
elseif (strcmp($curstatus, "unapproved") == 0) {
$newstatus = "active";
}
else {
TBERROR("Invalid $user status $curstatus in approveuser.php3",
1);
}
$query_result = mysql_db_query($TBDBNAME,
"UPDATE users set status='$newstatus' WHERE uid='$user'");
if (! $query_result) {
TBERROR("Database Error changing $user status to $newstatus.",
1);
}
}
mail("$user_email",
"TESTBED: Project Membership Approval",
"\n".
"This message is to notify you that you have been approved\n".
"as a member of project $project with $newtrust permissions.\n".
"\n\n".
"Thanks,\n".
"Testbed Ops\n".
"Utah Network Testbed\n",
"From: $TBMAIL_CONTROL\n".
"Cc: $TBMAIL_CONTROL\n".
"Errors-To: $TBMAIL_WWW");
echo "<h3><p>
User $user was granted membership in project $project
with $newtrust permissions.
</h3>\n";
continue;
}
TBERROR("Invalid approval value $approval in approveuser.php3.", 1);
}
?>
</body>
</html>
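Review bot: `$user` and `$project` are cut out of the POST field names in the `while` loop and then interpolated unescaped into every query that follows (the `SELECT status,usr_email` lookup, both trust checks, the `delete from proj_memb` and the two `UPDATE`s), so a crafted field name can alter those statements, including the authorization check itself. Validate both right after parsing and before the first query, for example `if (!ereg("^[[:alnum:]]+$", $user) || !ereg("^[[:alnum:]]+$", $project)) { TBERROR("Invalid user or project in approveuser.php3", 1); }`, widening the project pattern only to the characters project ids are actually allowed to contain. The trust value is read through `$$foo`, which only works when request variables are registered as globals and so is not tied to the POST body; `$newtrust = $HTTP_POST_VARS[$foo];` reads it from the same array the loop walks. The same two names are echoed into the result page and the error text, so the validation also covers that output. `addslashes($uid);` near the top discards its return value; it is harmless here only because the `ereg` capture is limited to alphanumerics.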
<html>
<head>
<title>New User Approval</title>
<link rel='stylesheet' href='tbstyle.css' type='text/css'>
</head>
<body>
<?php
include("defs.php3");
#
# Only known and logged in users can be verified.
#
$auth_usr = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$auth_usr=$Vals[1];
addslashes($auth_usr);
}
else {
unset($auth_usr);
}
LOGGEDINORDIE($auth_usr);
echo "
<h1>Approve new users in your Project</h1>
Use this page to approve new members of your Project. Once
approved, they will be able to log into machines in your Project's
experiments.
<p> If you desire, you may set their trust/privilege
levels to give them more or less access to your nodes:
<ul>
<li>Deny - Deny access to your project.
<li>User - Can log into machines in your experiments.
<li>Root - Granted root access on your project's machines;
can create new experiments.
</ul>\n";
#
# Find all of the groups that this person has group_root in, and then in
# all of those groups, all of the people who are awaiting to be approved
# (status = none).
#
# First off, just determine if this person has group_root anywhere.
#
$query_result = mysql_db_query($TBDBNAME,
"SELECT pid FROM proj_memb WHERE uid='$auth_usr' ".
"and trust='group_root'");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error getting project info for $auth_usr: $err\n", 1);
}
if (mysql_num_rows($query_result) == 0) {
USERERROR("You do not have Project Root permissions in any Project.", 1);
}
#
# Okay, so this operation sucks out the right people by joining the
# proj_memb table with itself. Kinda obtuse if you are not a natural
# DB guy. Sorry. Well, obtuse to me.
#
$query_result = mysql_db_query($TBDBNAME,
"SELECT proj_memb.* ".
"FROM proj_memb LEFT JOIN proj_memb as authed ".
"ON proj_memb.pid=authed.pid and proj_memb.uid!='$auth_usr' ".
"and proj_memb.trust='none' ".
"WHERE authed.uid='$auth_usr' and authed.trust='group_root'");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error getting approvable users for $auth_usr: $err\n",
1);
}
if (mysql_num_rows($query_result) == 0) {
USERERROR("You have no new project members who need approval.", 1);
}
#
# Now build a table with a bunch of selections. The thing to note about the
# form inside this table is that the selection fields are constructed with
# name= on the fly, from the uid of the user to be approved. In other words:
#
# uid menu project
# name=stoller$$approval-testbed value=approved,denied,postpone
# name=stoller$$trust-testbed value=user,local_root
#
# so that we can go through the entire list of post variables, looking
# for these. The alternative is to work backwards, and I don't like that.
#
echo "<table width=\"100%\" border=2 cellpadding=0 cellspacing=2
align='center'>\n";
echo "<tr>
<td rowspan=2>User</td>
<td rowspan=2>Project</td>
<td rowspan=2>Action</td>
<td rowspan=2>Trust</td>
<td>Name</td>
<td>Title</td>
<td>Affil</td>
<td>E-mail</td>
<td>Phone</td>
</tr>
<tr>
<td>Addr</td>
<td>Addr2</td>
<td>City</td>
<td>State</td>
<td>Zip</td>
</tr>\n";
echo "<form action='approveuser.php3?$auth_usr' method='post'>\n";
while ($usersrow = mysql_fetch_array($query_result)) {
$newuid = $usersrow[uid];
$pid = $usersrow[pid];
$userinfo_result = mysql_db_query($TBDBNAME,
"SELECT * from users where uid=\"$newuid\"");
$row = mysql_fetch_array($userinfo_result);
$name = $row[usr_name];
$email = $row[usr_email];
$title = $row[usr_title];
$affil = $row[usr_affil];
$addr = $row[usr_addr];
$addr2 = $row[usr_addr2];
$city = $row[usr_city];
$state = $row[usr_state];
$zip = $row[usr_zip];
$phone = $row[usr_phone];
echo "<tr>
<td colspan=9> </td>
</tr>
<tr>
<td rowspan=2>$newuid</td>
<td rowspan=2>$pid</td>
<td rowspan=2>
<select name=\"$newuid\$\$approval-$pid\">
<option value='approve'>Approve</option>
<option value='deny'>Deny</option>
<option value='postpone'>Postpone</option>
</select>
</td>
<td rowspan=2>
<select name=\"$newuid\$\$trust-$pid\">
<option value='user'>User</option>
<option value='local_root'>Root</option>
</select>
</td>\n";
echo " <td>&nbsp;$name&nbsp;</td>
<td>&nbsp;$title&nbsp;</td>
<td>&nbsp;$affil&nbsp;</td>
<td>&nbsp;$email&nbsp;</td>
<td>&nbsp;$phone&nbsp;</td>
</tr>\n";
echo "<tr>
<td>&nbsp;$addr&nbsp;</td>
<td>&nbsp;$addr2&nbsp;</td>
<td>&nbsp;$city&nbsp;</td>
<td>&nbsp;$state&nbsp;</td>
<td>&nbsp;$zip&nbsp;</td>
</tr>\n";
}
echo "<tr>
<td align=center colspan=9>
<b><input type='submit' value='Submit' name='OK'></td>
</tr>
</form>
</table>
</body>
</html>\n";
?>
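Review bot: The row loop echoes `$name`, `$title`, `$affil`, `$email`, `$phone` and the address fields from the `users` table straight into table cells, and puts `$newuid` and `$pid` inside the `name=` attributes of the two selects, without HTML escaping. These values presumably come from the applicant's own sign-up form, and the page is rendered for a project leader holding `group_root`, so markup in any of them would run in the approver's session. Escape at assignment, e.g. `$name = htmlspecialchars($row[usr_name]);` and likewise for the other fields, and for `$newuid`/`$pid` before they are written into the attribute. The per-user `SELECT * from users` result is also used without checking that the query succeeded or returned a row. The header comment says the pending members have `(status = none)`, but the query filters on `trust='none'`; the comment should read `(trust = none)`.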
......@@ -90,9 +90,10 @@ if (isset($uid)) {
if ($status == "active") {
if ($trust == "group_root") {
# Only group leaders can do these options
echo "<A href='approval.php3?$uid'>New User Approval</A>\n";