Commit bb14f708 authored by Chad Barb's avatar Chad Barb

Split notion of "EDITGROUP" permission into two:

"EDITGROUP" and "GROUPGRABUSERS".

"EDITGROUP" is easier to obtain;
            it is now given to group_root for the group.
"GROUPGRABUSERS" is how "EDITGROUP" _used_ to be:
                 only given to default-group_root or project_root.

The ability to add users to a group who have not requested membership
now requires "GROUPGRABUSERS".

Removing or editing members still requires only EDITGROUP.

So, the upshot is that group_root users can now edit and remove members of
their own groups, but they still can't 'grab' users who haven't asked to
join the group (which would enable them to mount arbitrary users' home dirs
as root, which would be a Bad Thing).
parent 1a87467f
......@@ -85,15 +85,16 @@ $TB_EXPT_MAX = $TB_EXPT_UPDATEACCOUNTS;
$TB_PROJECT_READINFO = 1;
$TB_PROJECT_MAKEGROUP = 2;
$TB_PROJECT_EDITGROUP = 3;
$TB_PROJECT_DELGROUP = 4;
$TB_PROJECT_LEADGROUP = 5;
$TB_PROJECT_ADDUSER = 6;
$TB_PROJECT_DELUSER = 7;
$TB_PROJECT_MAKEOSID = 8;
$TB_PROJECT_DELOSID = 9;
$TB_PROJECT_MAKEIMAGEID = 10;
$TB_PROJECT_DELIMAGEID = 11;
$TB_PROJECT_CREATEEXPT = 12;
$TB_PROJECT_GROUPGRABUSERS = 4;
$TB_PROJECT_DELGROUP = 5;
$TB_PROJECT_LEADGROUP = 6;
$TB_PROJECT_ADDUSER = 7;
$TB_PROJECT_DELUSER = 8;
$TB_PROJECT_MAKEOSID = 9;
$TB_PROJECT_DELOSID = 10;
$TB_PROJECT_MAKEIMAGEID = 11;
$TB_PROJECT_DELIMAGEID = 12;
$TB_PROJECT_CREATEEXPT = 13;
$TB_PROJECT_MIN = $TB_PROJECT_READINFO;
$TB_PROJECT_MAX = $TB_PROJECT_CREATEEXPT;
......@@ -239,6 +240,7 @@ function TBProjAccessCheck($uid, $pid, $gid, $access_type)
global $TB_PROJECT_READINFO;
global $TB_PROJECT_MAKEGROUP;
global $TB_PROJECT_EDITGROUP;
global $TB_PROJECT_GROUPGRABUSERS;
global $TB_PROJECT_DELGROUP;
global $TB_PROJECT_LEADGROUP;
global $TB_PROJECT_ADDUSER;
......@@ -304,11 +306,19 @@ function TBProjAccessCheck($uid, $pid, $gid, $access_type)
$mintrust = $TBDB_TRUST_PROJROOT;
}
else {
# Editing a group requires privs in the project, not group!
$gid = $pid;
$mintrust = $TBDB_TRUST_GROUPROOT;
}
}
elseif ($access_type == $TB_PROJECT_GROUPGRABUSERS) {
if (strcmp($gid, $pid) == 0) {
$mintrust = $TBDB_TRUST_PROJROOT;
}
else {
# Grabbing users requires privs in the project, not group!
$gid = $pid;
$mintrust = $TBDB_TRUST_GROUPROOT;
}
}
elseif ($access_type == $TB_PROJECT_DELUSER) {
$mintrust = $TBDB_TRUST_PROJROOT;
}
......
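Review bot: Inserting `$TB_PROJECT_GROUPGRABUSERS = 4` in the first hunk renumbers every access type from `$TB_PROJECT_DELGROUP` through `$TB_PROJECT_CREATEEXPT`, so any copy of these values kept outside this file (none is visible on this page) would now be checked as a different permission by `TBProjAccessCheck`. Appending the new type keeps the existing numbers stable: `$TB_PROJECT_GROUPGRABUSERS = 13;` together with `$TB_PROJECT_MAX = $TB_PROJECT_GROUPGRABUSERS;`. If the renumbering is kept, a comment above the list saying that the values must match every other definition of these constants would help the next person who adds one. The body of `TBProjAccessCheck` starts and ends outside the hunks shown.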
......@@ -46,6 +46,14 @@ if (! TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_EDITGROUP)) {
"project $pid!", 1);
}
#
# See if user is allowed to add non-members to group.
#
$grabusers = 0;
if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_GROUPGRABUSERS)) {
$grabusers = 1;
}
#
# Grab the current user list for the group. The group leader cannot be
# removed! Do not include members that have not been approved to main
......@@ -169,32 +177,34 @@ if (mysql_num_rows($curmembers_result)) {
# Go through the list of non members. For each one, check to see if
# the checkbox for that person was checked. If so, add the person
# to the group membership, with the trust level specified.
#
if (!$defaultgroup && mysql_num_rows($nonmembers_result)) {
# Only do this if user has permission to grab users.
#
if ($grabusers && !$defaultgroup && mysql_num_rows($nonmembers_result)) {
while ($row = mysql_fetch_array($nonmembers_result)) {
$user = $row[0];
$foo = "add_$user";
if (isset($$foo)) {
#
# There should be a corresponding trust variable in the POST vars.
# Note that we construct the variable name and indirect to it.
#
$bar = "$user\$\$trust";
#
# There should be a corresponding trust variable in the POST vars.
# Note that we construct the variable name and indirect to it.
#
$bar = "$user\$\$trust";
$newtrust = $$bar;
if (!$newtrust || strcmp($newtrust, "") == 0) {
TBERROR("Error finding trust for $user in editgroup.php3",
1);
}
if (strcmp($newtrust, "user") &&
strcmp($newtrust, "local_root") &&
strcmp($newtrust, "group_root")) {
TBERROR("Invalid trust $newtrust for $user in editgroup.php3.",
1);
}
TBCheckTrustConsistency($user, $pid, $gid, $newtrust);
}
}
......@@ -243,21 +253,22 @@ if (mysql_num_rows($curmembers_result)) {
# the checkbox for that person was checked. If so, add the person
# to the group membership, with the trust level specified.
#
if (!$defaultgroup && mysql_num_rows($nonmembers_result)) {
mysql_data_seek($nonmembers_result, 0);
if ($grabusers && !$defaultgroup && mysql_num_rows($nonmembers_result)) {
mysql_data_seek($nonmembers_result, 0);
while ($row = mysql_fetch_array($nonmembers_result)) {
$user = $row[0];
$foo = "add_$user";
if (isset($$foo)) {
#
# There should be a corresponding trust variable in the POST vars.
# Note that we construct the variable name and indirect to it.
#
$bar = "$user\$\$trust";
#
# There should be a corresponding trust variable in the POST vars.
# Note that we construct the variable name and indirect to it.
#
$bar = "$user\$\$trust";
$newtrust = $$bar;
DBQueryFatal("insert into group_membership ".
"(uid, pid, gid, trust, ".
" date_applied,date_approved) ".
......
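Review bot: A POST that carries `add_<user>` fields from a caller who fails the `$TB_PROJECT_GROUPGRABUSERS` check is dropped silently, because both non-member loops are simply skipped when `$grabusers` is 0 while the rest of the page goes on to apply the member edits. Refusing the request in that case, the way the trust validation already does with `TBERROR`, would make an attempted grab by a subgroup's group_root visible instead of half-applying the form. The second loop re-reads `$$bar` for the insert, whose statement continues outside the visible hunk, so it appears to depend on the first loop having validated the same rows.

```php
if ($grabusers && !$defaultgroup && mysql_num_rows($nonmembers_result)) {
    # … unchanged: validate add_$user and its trust value for each non-member …
}
elseif (!$grabusers && mysql_num_rows($nonmembers_result)) {
    # Caller may not add non-members: refuse the request if it tries to.
    while ($row = mysql_fetch_array($nonmembers_result)) {
        $user = $row[0];
        $foo  = "add_$user";
        if (isset($$foo)) {
            TBERROR("Attempt to add $user without GROUPGRABUSERS ".
                    "in editgroup.php3", 1);
        }
    }
}
```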
......@@ -46,6 +46,14 @@ if (! TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_EDITGROUP)) {
"project $pid!", 1);
}
#
# See if user is allowed to add non-members to group.
#
$grabusers = 0;
if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_GROUPGRABUSERS)) {
$grabusers = 1;
}
#
# Grab the user list for the group. Provide a button selection of people
# that can be removed. The group leader cannot be removed!
......@@ -84,7 +92,7 @@ echo "<br><center>
</center>\n";
if (mysql_num_rows($curmembers_result) ||
mysql_num_rows($nonmembers_result)) {
($grabusers && mysql_num_rows($nonmembers_result))) {
echo "<br>
<form action='editgroup.php3?pid=$pid&gid=$gid' method=post>
<table align=center border=1>\n";
......@@ -156,7 +164,7 @@ if (mysql_num_rows($curmembers_result)) {
echo "</tr>\n";
}
if (mysql_num_rows($nonmembers_result)) {
if ($grabusers && mysql_num_rows($nonmembers_result)) {
echo "<tr><td align=center colspan=2 nowrap=1>
<br>
<font size=+1><b>Add Group Members</b></font>[<b>1</b>].
......@@ -188,7 +196,7 @@ if (mysql_num_rows($nonmembers_result)) {
}
if (mysql_num_rows($curmembers_result) ||
mysql_num_rows($nonmembers_result)) {
($grabusers && mysql_num_rows($nonmembers_result))) {
echo "<tr>
<td align=center colspan=2>
<b><input type=submit value=Submit></b>
......
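Review bot: Nothing in this file records that the `$grabusers` test is cosmetic here: it only decides whether the "Add Group Members" rows and the Submit button are rendered, and the enforcement lives in the form handler the page posts to. A comment above `$grabusers = 0;` would make that explicit, e.g. `# Display only: editgroup.php3 repeats the GROUPGRABUSERS check before adding anyone.` The four-line computation is also a copy of the one in the handler section and reads more directly as `$grabusers = TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_GROUPGRABUSERS) ? 1 : 0;`.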