1. 09 Dec, 2002 10 commits
    • Leigh B. Stoller's avatar
      New set of pages for dealing with users requesting widearea accounts. · ad90fb6f
      Leigh B. Stoller authored
      A user can request a local account on the machine he/she has dedicated
      to netbed. In fact, multiple people can request local accounts. They
      just need to fill in the form, supplying the usual personal data we
      require, and then some info about the node. This includes the IP and
      the CDKey as verification (we now save the original CDKey in the DB
      forever), as well as info about the node (location, processor type,
      connection type). They must fill out the node info for the first
      account request. Otherwise, it can be ignored (that is, if an entry is
      already in widearea_nodeinfo, we do not require those fields).
      Once submitted, the user has to go through the usual verification
      step.
      
      To approve the user, admin people get a new link on the menu to
      approve widearea accounts. That page looks a lot like the normal
      join project approval page, only is tailored slightly for widearea
      accounts instead of projects.
      
      Once approved, widearea users get a webonly account. Note that it can
      be a normal account, say if the user is also in a normal project, or
      if we just want to give out an account on ops/boss to this person.
      Just need to clear the webonly flag in the DB, and the account will be
      built as normal, except they are put in the "guest" group on boss/ops
      if not a member of any projects.
      
      There are two new tables. widearea_accounts and widearea_nodeinfo. The
      accounts table maps uid's to specific nodes they get an account on
      (see changes in tmcd). The mapping also includes a trust value (user
      or root, although it should be rare to give out root access) for the
      account.
      ad90fb6f
    • Leigh B. Stoller's avatar
      Minor fix to the key deletion code. · 6215bf59
      Leigh B. Stoller authored
      6215bf59
    • Leigh B. Stoller's avatar
      When requesting a CD Key, stash the initial unlock key away forever in · 9c9526cb
      Leigh B. Stoller authored
      a new slot so that we remember it. The user needs to enter that key in
      the local account request page. This is how we enforce some semblance
      of security; the user has to know the IP of the node, and the CDKey.
      Also works to weed out the bozos who like to fill in random web
      forms.
      9c9526cb
    • Leigh B. Stoller's avatar
      Webonly users get a different menu; all they can do is edit their · c39b2cba
      Leigh B. Stoller authored
      personal info. Of course, they can still load the other pages if they
      now the page names, but since they won't be a member of any projects
      they will not have permission to actully do anything or look at
      anything.
      c39b2cba
    • Leigh B. Stoller's avatar
    • Leigh B. Stoller's avatar
      Add webonly status bit to user flags. Also add utility function to · 10753676
      Leigh B. Stoller authored
      determine if user has a real account.
      10753676
    • Leigh B. Stoller's avatar
      Wrap up mkacct calls with a function call, like ADDPUBKEY. Checks to · 356a9fc0
      Leigh B. Stoller authored
      see if user actually has an account (by checking user status user
      table). Avoids trying to run suexec as a user that does not actuall
      exist on boss cause they do not have an account (since we allow users
      to edit personal info before being approved and getting an account).
      For addpubkey, we have to run the program as someone, so when the user
      does not have an account, run it as nobody.
      356a9fc0
    • Leigh B. Stoller's avatar
    • Leigh B. Stoller's avatar
      Ease up permissions check since it always does the right thing; just · ed27821c
      Leigh B. Stoller authored
      force audit mode when a non-admin mucks with another persons account.
      Add check for "webonly" accounts and treat like other users that do
      not get an account on boss/ops.
      Check for users without any project membership, and create account
      with the guest group. This won't actually happen, but I made this
      change in case we decide to give widearea owners a real account.
      I think setgroups should get an equiv change at some point.
      ed27821c
    • Leigh B. Stoller's avatar
  2. 07 Dec, 2002 1 commit
  3. 06 Dec, 2002 13 commits
  4. 05 Dec, 2002 5 commits
  5. 04 Dec, 2002 1 commit
  6. 03 Dec, 2002 2 commits
  7. 02 Dec, 2002 7 commits
  8. 27 Nov, 2002 1 commit