GitLab

More rework on the groups system.

* BESTOWGROUPROOT permission added to dbdefs.

* Permissions criteria for group operations changed in dbdefs
  (consult code for full explanation.)

* Approveuser and Editgroup now check for BESTOWGROUPROOT
  permissions before allowing changes to group_root.

* approveuser_form and editgroup_form do not show "Group Root"
  as an option unless you are allowed to set it (or it is already set.)

* editgroup does not UPDATE rows where trust has not been changed.

* showgroup does a correct check to see whether to show the
  "group options" subpage.

Approveuser now does not allow non-project-owners to approve people as
group_root into the default group.

Modified editgroup form to show only valid trust options for "add users"
table.

* Altered consistency checks to treat any root as equivalent
  (so, if you're project_root in the default group, but group_root in
   a group, that won't be a problem)

* Moved consistency checks, which were done in two different places into
  dbdefs TBCheckGroupTrustConsistency()

* Added preemptive checks, so if 'user' or '*_root' are not valid
  trusts, they aren't displayed as options in editgroup_form and
  approveuser_form (using above function)

* In approveuser, a new approval may now be sent to group_root.

Split notion of "EDITGROUP" permission into two:
"EDITGROUP" and "GROUPGRABUSERS".

"EDITGROUP" is easier to obtain;
            it is now given to group_root for the group.
"GROUPGRABUSERS" is how "EDITGROUP" _used_ to be:
                 only given to default-group_root or project_root.

The ability to add users to a group who have not requested membership
now requires "GROUPGRABUSERS".

Removing or editing members still requires only EDITGROUP.

So, the upshot is, now group_root users can edit and remove members from
their own groups.
But they still can't 'grab' users who haven't asked to join the group.
(which would enable them to mount arbitrary users' home dirs as
 root, which would be a Bad Thing.)

Fixed missing '?' in GID link when showing group.

Changed link from now-defunct addusr.php to joingroup.php

Errant '?' removed.

there are no osid/images to list.

sense to comment the hell out of these files than to have
descriptions elsewhere (setup.txt)

Also, I want people to use these rather than the defaults, because the
defaults actually have some Utah-specific stuff, like $TBMAINSITE=1,
and enabling SFS and NSE support.

Added XML view to updown (pass "output=xml" as a CGI var.)

Added Thumbnail-on-demand to showexp

a certain person who shall remain nameless unhappy!

using the new assign, and captures Leigh's linkdelays work.

De-"new!"-ification.
Added a "COOL" menu option, which puts up a gold star, without
lying. (e.g., for Join Netbed)

Fixed problem in project approval page (unclosed "<p>" tag again)
and shrunk big thumbnail a bit in showexp.

Added PC Usage reporting to thumbnail view
Added "Sort-by" to thumbnail view
Changed "Show" so link is not presented to Show mode user is already on.
Changed "Show/View/Sort by" links to not change color after visited.

Better headers on shownode page,
also added "Project" prefix to header on showproject and
"Experiment" prefix to header on showexp.

(Showing empty td's for pid="emulab-ops")

Added "brief thumbnails" view for Jay.

Added thumbnail (2x as large as the one which shows up in the list) to showexp page.
Added heading to vis(shownsfile), showexp and showproj pages, to more readily identify what you're looking at.
Added links from thumbnails to vis(shownsfile) page.
Added submenu hackiness to menu.php3 to allow embedding of things into left panel below submenu.
Removed "red letter" legend and PC  summary from bottom of thumbnail view.

Stored in $TB/www/thumbs/,
with filenames generated by hashing random data with experiment name.
(Stored in vis_experiments table in db.)

vis prerender step setgid tbvis.

Now NS47-friendly, for the Luddites among us.

Added "Created by:" to thumbnail view

2 columns instead of 3; also improved style a bit.
Still a ways to go.

Added "thumbnail view" to Experiment List page.
Added thumbnail rendering to renderer.

Note that thumbnail view is not available when viewing the idle list.

Also, loading thumbnails for "all" as admin takes a while!

message screws up the redirect!

Note: Need to remove the silly "please be patient" messages. I've been
removing those and adding redirects since these messges are never seen
(the page is not drawn until the closing </table> is sent over). I
have a little javascript thing that throws up a be patient box, that
disappears when the page is finished. Need to get that installed some
day. Worked fine on opera and explorer, but on netscape it looked
totally stupid. Netscape, what else is new.

  leader wants to be in the subgroup, he has to do it via the editgroup
  page. This required minor changes in editgroup pages, since I was special
  casing the project leader to not allow removal/addition.

* Allow mere users to be the head of a group. This was previously not
  allowed, and is totally wrong since the entire group trust mechanism
  is based on giving subgroup members *more* privs then they have in
  the default (project) group.

* Change permission check in the showgroup page to allow non group members
  to look at the group if they have group_root or better in the default
  group. I noticed that once I took myself out of a group, I could no longer
  look at the group even though I had group_root in the project.

  Also change so that the edit/del menu does not appear unless the user
  has permission to do those things.

* Change consistency check when adding a group member. New test is simpler
  and makes sure that the user does not have root privs in the project and
  user privs in the subgroup. The reverse is of course okay, and the expected
  manner in which groups should be used.

* newgroup page now spits out a redirect to showgroup page, rather then
  printing the group info itself. Avoids duplication and gets rid of the
  form post from the history. Ditto for editgroup page.

before allowing a project to be approved. (In approveproject_form,
this meant removing the automatic transition from 'newuser' to
'unverified')

Since this check is done in two places, once in the form, and once in
the page that does the work, it's possible for this to get out of
sync.

Fixed problem with idle experiment table (it was due to an unclosed <p> tag.) While I was here, did a touch of sprucing.

previously to perl generated email).