1. 13 Mar, 2003 1 commit
    • c6129ad7
      Chad Barb authored
      More rework on the groups system.
      
      * BESTOWGROUPROOT permission added to dbdefs.
      
      * Permissions criteria for group operations changed in dbdefs
        (consult code for full explanation.)
      
      * Approveuser and Editgroup now check for BESTOWGROUPROOT
        permissions before allowing changes to group_root.
      
      * approveuser_form and editgroup_form do not show "Group Root"
        as an option unless you are allowed to set it (or it is already set.)
      
      * editgroup does not UPDATE rows where trust has not been changed.
      
      * showgroup does a correct check to see whether to show the
        "group options" subpage.
  2. 12 Mar, 2003 9 commits
    • 6052927b
      Chad Barb authored
      Approveuser now does not allow non-project-owners to approve people as
      group_root into the default group.
      
      Modified editgroup form to show only valid trust options for "add users"
      table.
    • 24940013
      Chad Barb authored
      * Altered consistency checks to treat any root as equivalent
        (so, if you're project_root in the default group, but group_root in
         a group, that won't be a problem)
      
      * Moved consistency checks, which were done in two different places, into
        dbdefs TBCheckGroupTrustConsistency()
      
      * Added preemptive checks, so if 'user' or '*_root' are not valid
        trusts, they aren't displayed as options in editgroup_form and
        approveuser_form (using above function)
      
      * In approveuser, a new approval may now be sent to group_root.
    • Add a few more permission bits to jailconfig: · 53e95db5
      Leigh B. Stoller authored
      INADDRANY: When 1, jail is allowed to bind to INADDR_ANY. When packet
                 comes in, the pchlookup checks the prison IPs.
      
      ROUTING:   Jail gets access to its routing table. This presently implies
                 that the jail gets its own private routing table via new
                 jail options.
      
      DEVMEM:    Jail gets a real /dev/mem and /dev/kmem instead of a
                 symlink to /dev/null. This pretty much bypasses security so
                 it's not something to do on widearea nodes, but on local
                 nodes that's fine.
    • fa716ae9
      Chad Barb authored
      Added TB_PROJECT_GROUPGRABUSERS to Perl side, for consistency.
    • bb14f708
      Chad Barb authored
      Split notion of "EDITGROUP" permission into two:
      "EDITGROUP" and "GROUPGRABUSERS".
      
      "EDITGROUP" is easier to obtain;
                  it is now given to group_root for the group.
      "GROUPGRABUSERS" is how "EDITGROUP" _used_ to be:
                       only given to default-group_root or project_root.
      
      The ability to add users to a group who have not requested membership
      now requires "GROUPGRABUSERS".
      
      Removing or editing members still requires only EDITGROUP.
      
      So, the upshot is, now group_root users can edit and remove members from
      their own groups.
      But they still can't 'grab' users who haven't asked to join the group.
      (which would enable them to mount arbitrary users' home dirs as
       root, which would be a Bad Thing.)
    • f79eade8
      Chad Barb authored
      Fixed missing '?' in GID link when showing group.
    • 4f39d4e1
      Chad Barb authored
      Changed link from now-defunct addusr.php to joingroup.php
  3. 11 Mar, 2003 8 commits
  4. 10 Mar, 2003 11 commits
  5. 08 Mar, 2003 1 commit
  6. 07 Mar, 2003 10 commits