Lets be a little smarter with users who are not members of any projects

with sufficient permission to do anything useful (including geni users). Head them off at the pass and explain in simple (short), direct (short) clear (short) text why they can't do what they want to do.

Lets be a little smarter with users who are not members of any projects
with sufficient permission to do anything useful (including geni users). Head them off at the pass and explain in simple (short), direct (short) clear (short) text why they can't do what they want to do.
b5db9b00 · Leigh Stoller · 6cc159aa · b5db9b00 · b5db9b00 · b5db9b00
Commit b5db9b00 authored Dec 26, 2017 by Leigh Stoller
7 changed files
--- a/www/aptui/create-dataset.php
+++ b/www/aptui/create-dataset.php
 <?php
 #
-# Copyright (c) 2000-2016 University of Utah and the Flux Group.
+# Copyright (c) 2000-2017 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -35,6 +35,9 @@ $page_title = "Create Dataset";
 #
 RedirectSecure();
 $this_user = CheckLoginOrRedirect();
+if (NOPROJECTMEMBERSHIP()) {
+    return NoProjectMembershipError($this_user);
+}
 $this_idx  = $this_user->uid_idx();

 #

--- a/www/aptui/geni-login.ajax
+++ b/www/aptui/geni-login.ajax
@@ -392,9 +392,7 @@ function Do_VerifySpeaksfor()
        $blob["url"]   = "showuser.php3";
    }
    else {
-        $blob["url"]   = ($this_user->webonly() ||
-                          !Instance::UserHasInstances($this_user)
-                          ? "instantiate.php" : "landing.php");
+        $blob["url"]   = "landing.php";
    }
    session_destroy();
    SPITAJAX_RESPONSE($blob);

--- a/www/aptui/instantiate.php
+++ b/www/aptui/instantiate.php
@@ -43,6 +43,9 @@ RedirectSecure();
 $this_user = CheckLogin($check_status);
 if (isset($this_user)) {
    CheckLoginOrDie(CHECKLOGIN_NONLOCAL|CHECKLOGIN_WEBONLY);
+    if (NOPROJECTMEMBERSHIP()) {
+        return NoProjectMembershipError($this_user);
+    }
 }
 else {
    RedirectLoginPage();

--- a/www/aptui/manage_profile.php
+++ b/www/aptui/manage_profile.php
@@ -40,6 +40,9 @@ $notifyclone = 0;
 RedirectSecure();
 $this_user = CheckLoginOrRedirect();
 $this_idx  = $this_user->uid_idx();
+if ((!isset($action) || $action == "create") && NOPROJECTMEMBERSHIP()) {
+    return NoProjectMembershipError($this_user);
+}

 #
 # Verify page arguments.

--- a/www/aptui/quickvm_sup.php
+++ b/www/aptui/quickvm_sup.php
@@ -49,7 +49,7 @@ if (isset($_SERVER['SERVER_NAME'])) {
 #
 # Redefine this so APT errors are styled properly. Called by PAGEERROR();.
 #
-$PAGEERROR_HANDLER = function($msg, $status_code = 0) {
+$PAGEERROR_HANDLER = function($msg = null, $status_code = 0) {
    global $drewheader, $ISCLOUD, $ISPNET, $ISEMULAB, $ISAPT, $ISPOWDER;
    global $spatrequired, $TBMAINSITE, $PORTAL_HELPFORUM;

@@ -57,7 +57,9 @@ $PAGEERROR_HANDLER = function($msg, $status_code = 0) {
 	SPITHEADER();
    }
    echo "<br>";
-    echo $msg;
+    if ($msg) {
+        echo $msg;
+    }
    echo "<script type='text/javascript'>\n";
    echo "    window.ISEMULAB  = " . ($ISEMULAB ? "1" : "0") . ";\n";
    echo "    window.ISCLOUD   = " . ($ISCLOUD  ? "1" : "0") . ";\n";
@@ -624,6 +626,41 @@ function SPITUSERERROR($msg)
    PAGEERROR($msg, 0);
 }

+function NoProjectMembershipError($this_user)
+{
+    global $drewheader, $PAGEERROR_HANDLER;
+    
+    if (! $drewheader) {
+	SPITHEADER();
+    }
+    echo "<br>";
+    echo "<p class=lead>";
+    echo "Oops, you are not a member of any projects in which you have ".
+        "permission to access this page! ";
+    echo "</p>";
+    echo "<p>";
+    if ($this_user->IsNonLocal()) {
+        echo
+            "Typically this is because you are not a member of any projects ".
+            "at your home portal (say, the Geni Portal). You must log into ".
+            "your home portal and request membership in a project, or start ".
+            "your own project. Once your membership or project is approved ".
+            "at your home portal, you can come back here and log back in.";
+    }
+    else {
+        echo
+            "Typically this is because you are not yet an approved member of ".
+            "any projects with sufficient privileges. If you are still ".
+            "awaiting approval or need your privileges adjusted, please ".
+            "contact your project leader. If you are waiting for a new ".
+            "project to be approved, please be patient, it can take a week ".
+            "to approve a new project request.";
+    }
+    echo "</p>";
+    echo "<br>";
+    $PAGEERROR_HANDLER();
+}
+
 #
 # Does not return; page exits.
 #

--- a/www/aptui/reserve.php
+++ b/www/aptui/reserve.php
@@ -35,6 +35,9 @@ $page_title = "Reservations";
 #
 RedirectSecure();
 $this_user = CheckLoginOrRedirect();
+if (NOPROJECTMEMBERSHIP()) {
+    return NoProjectMembershipError($this_user);
+}
 $isadmin   = (ISADMIN() ? 1 : 0);
 $isfadmin  = (ISFOREIGN_ADMIN() ? 1 : 0);


--- a/www/tbauth.php3
+++ b/www/tbauth.php3
@@ -70,6 +70,7 @@ define("CHECKLOGIN_OPSGUY",		0x0400000);  # Member of emulab-ops.
 define("CHECKLOGIN_ISFOREIGN_ADMIN",	0x0800000);  # Admin of another Emulab.
 define("CHECKLOGIN_NONLOCAL",		0x1000000);
 define("CHECKLOGIN_INACTIVE",		0x2000000);
+define("CHECKLOGIN_NOPROJECTS",		0x4000000);

 #
 # Constants for tracking possible login attacks.
@@ -291,6 +292,7 @@ function LoginStatus() {
    $workbench = 0;
    $frozen    = 0;
    $nonlocal  = 0;
+    $pcount    = 0;
    
    while ($row = mysql_fetch_array($query_result)) {
 	$expired = $row[0];
@@ -299,9 +301,17 @@ function LoginStatus() {
 	$status  = $row[3];
 	$admin   = $row[4];
 	$cvsweb  = $row[5];
+        $trust   = $row[6];

-	if (! strcmp($row[6], "project_root") ||
-	    ! strcmp($row[6], "group_root")) {
+        #
+        # Count up number of projects where user has local_root or better.
+        # These are projects where user has viable permission to do things,
+        # like create experiments.
+        #
+        if ($trust != "none" && $trust != "user") {
+            $pcount++;
+        }
+	if ($trust == "project_root" || $trust == "group_root") {
 	    $trusted = 1;
 	}
 	$adminon  = $row[7];
@@ -470,6 +480,21 @@ function LoginStatus() {
 	$CHECKLOGIN_STATUS |= CHECKLOGIN_ISFOREIGN_ADMIN;
    if ($nonlocal)
 	$CHECKLOGIN_STATUS |= CHECKLOGIN_NONLOCAL;
+    #
+    # A local user that has no privs in at least one project, or a nonlocal
+    # user where webonly=1 (which means they have project membership at
+    # their home portal). 
+    #
+    if ($nonlocal) {
+        if ($webonly) {
+            $CHECKLOGIN_STATUS |= CHECKLOGIN_NOPROJECTS;
+        }
+    }
+    else {
+        if (!$pcount) {
+            $CHECKLOGIN_STATUS |= CHECKLOGIN_NOPROJECTS;
+        }
+    }

    #
    # Set the magic enviroment variable, if appropriate, for the sake of
@@ -741,6 +766,14 @@ function WIKIONLY() {
 	    (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_WIKIONLY));
 }

+function NOPROJECTMEMBERSHIP() {
+    global $CHECKLOGIN_STATUS;
+
+    return (($CHECKLOGIN_STATUS &
+	     (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_NOPROJECTS)) ==
+	    (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_NOPROJECTS));
+}
+
 # Is this user a real administrator (ignore onoff bit).
 function ISADMINISTRATOR() {
    global $CHECKLOGIN_STATUS;