Commit c6291e10 authored by Russ Fish's avatar Russ Fish

Fix the approveproject:Destroy option.

approveproject.php3 - Take the user out of project group first,
    then 'nuke' the user, similar to how approveproject:Nuke does it,
    before removing the destroyed project.
tbsetup/rmuser.in - Allow removing an unapproved project leader when nuking.
tbsetup/rmgroup.in - There are no /etc/group entries for an unapproved project group.
db/Group.pm.in - More exclude_leader fixes to Group->MemberList.
parent 2e79857b
......@@ -385,7 +385,9 @@ sub EditGroup($$$$)
# page first.
#
my @curmembers;
if ($group->MemberList(\@curmembers, $MEMBERLIST_FLAGS_GETTRUST)) {
if ($group->MemberList(\@curmembers,
$MEMBERLIST_FLAGS_GETTRUST |
$MEMBERLIST_FLAGS_EXCLUDE_LEADER)) {
$$usrerr_ref = "Error: Could not get member list for $group";
return undef;
}
......@@ -1117,8 +1119,6 @@ sub LeaderMailList($)
sub MemberList($$;$$)
{
my ($self, $prval, $flags, $desired_trust) = @_;
my $leader = $self->GetLeader();
my $leader_idx = $leader->uid_idx();
# Must be a real reference.
return -1
......@@ -1135,6 +1135,13 @@ sub MemberList($$;$$)
my $exclude_leader = ($flags & $MEMBERLIST_FLAGS_EXCLUDE_LEADER ? 1 : 0);
my $trust_clause;
my $leader = $self->GetLeader();
my $leader_idx;
# There will be no leader during approveproject/Destroy.
if (defined($leader)) {
$leader_idx = $leader->uid_idx();
}
if (defined($desired_trust)) {
$trust_clause = "and trust='$desired_trust'"
}
......@@ -1156,7 +1163,7 @@ sub MemberList($$;$$)
while (my ($uid_idx, $uid, $trust) = $query_result->fetchrow_array()) {
if ($exclude_leader && $leader_idx == $uid_idx) {
if ($exclude_leader && defined($leader) && $leader_idx == $uid_idx) {
next;
}
......@@ -1222,7 +1229,7 @@ sub NonMemberList($$;$)
my $user = User->Lookup($uid_idx);
if (!defined($user)) {
print "Group::Memberlist: Could not map $uid_idx to object\n";
print "Group::NonMemberList: Could not map $uid_idx to object\n";
return undef;
}
push(@result, $user);
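Review bot: In MemberList, `$desired_trust` is interpolated straight into the SQL fragment `"and trust='$desired_trust'"`, which sits just below the new leader lookup and is left untouched by this change. If any caller can pass a value other than one of the fixed trust names, that string reaches the query unescaped; the callers are not visible here, so the value may already be constrained. I would check it against the known trust values before building the clause, or pass it through the database layer's quoting routine, and record the assumption with a comment such as `# $desired_trust must be a fixed trust name; it is interpolated into SQL below`. The body of MemberList starts and ends outside these hunks.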
......
......@@ -192,59 +192,62 @@ foreach my $uid (@userlist) {
$EUID = 0;
}
#
# Now remove the group from the group file on both plastic and paper.
#
print "Removing group $unix_name ($unix_gid) on local node.\n";
# If the group isn't in /etc/group yet, it wasn't approved and created.
if (system("grep -q '^${unix_gid}:' /etc/group")) {
#
# Now remove the group from the group file on both plastic and paper.
#
print "Removing group $unix_name ($unix_gid) on local node.\n";
if (system("$GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from local node!");
if (system("$GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from local node!");
}
}
}
if ($MAILMANSUPPORT && !$ELABINELAB) {
my $listname = ($pid eq $gid ? "${pid}-users" : "${pid}-${gid}-users");
# For perl
$EUID = $UID;
system("$DELMMLIST -a $listname") == 0 or
fatal("$DELMMLIST -a $listname failed!");
$EUID = 0;
}
if ($MAILMANSUPPORT && !$ELABINELAB) {
my $listname = ($pid eq $gid ? "${pid}-users" : "${pid}-${gid}-users");
if ($OPSDBSUPPORT && !$ELABINELAB) {
# For perl
$EUID = $UID;
system("$OPSDBCONTROL delgroup $pid $gid") == 0 or
fatal("$OPSDBCONTROL delgroup $pid $gid failed!");
$EUID = 0;
}
# For perl
$EUID = $UID;
system("$DELMMLIST -a $listname") == 0 or
fatal("$DELMMLIST -a $listname failed!");
$EUID = 0;
}
#
# Be real root for ssh.
#
$UID = 0;
if ($OPSDBSUPPORT && !$ELABINELAB) {
# For perl
$EUID = $UID;
system("$OPSDBCONTROL delgroup $pid $gid") == 0 or
fatal("$OPSDBCONTROL delgroup $pid $gid failed!");
$EUID = 0;
}
if ($CONTROL ne $BOSSNODE) {
print "Removing group $unix_name ($unix_gid) on $CONTROL.\n";
#
# Be real root for ssh.
#
$UID = 0;
if (system("$SSH -host $CONTROL $GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from $CONTROL!");
if ($CONTROL ne $BOSSNODE) {
print "Removing group $unix_name ($unix_gid) on $CONTROL.\n";
if (system("$SSH -host $CONTROL $GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from $CONTROL!");
}
}
}
}
#
# Remove group on the tip servers.
#
foreach my $tipserver ( TBTipServers() ) {
print "Removing group $unix_name ($unix_gid) on $tipserver.\n";
#
# Remove group on the tip servers.
#
foreach my $tipserver ( TBTipServers() ) {
print "Removing group $unix_name ($unix_gid) on $tipserver.\n";
if (system("$SSH -host $tipserver $GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from $tipserver!");
if (system("$SSH -host $tipserver $GROUPDEL $unix_name")) {
if (($? >> 8) != 65) {
fatal("Could not remove group $unix_name from $tipserver!");
}
}
}
}
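Review bot: The new guard `if (system("grep -q '^${unix_gid}:' /etc/group"))` looks wrong on two counts. system() returns non-zero when grep finds nothing, so the removal block runs exactly when the entry is absent, and /etc/group lines begin with the group name rather than the gid, so a pattern anchored on the gid is unlikely to match at all. The net effect appears to be that the block always runs, as it did before this change, and still relies on the tolerated exit status 65 from `$GROUPDEL`. A lookup that does not go through the shell states the intent directly, for example `if (defined(getgrnam($unix_name))) {`. That also removes one place where a value is pasted into a shell command string in a script that switches `$EUID` and `$UID` to root.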
......
......@@ -161,22 +161,23 @@ if (@explist) {
# Must not be the head of the project being removed from, or any projects
# if being completely removed.
#
if (defined($project)) {
if ($target_user->SameUser($project->GetLeader())) {
fatal("$target_user is the leader of project $project!");
}
}
else {
my @leaderlist;
if ($target_user->ProjectLeaderList(\@leaderlist) != 0) {
fatal("Could not get project leader list for $target_user");
if (!$nuke) {
if (defined($project)) {
if ($target_user->SameUser($project->GetLeader())) {
fatal("$target_user is the leader of project $project!");
}
}
if (@leaderlist) {
fatal("$target_user is still heading up projects!");
else {
my @leaderlist;
if ($target_user->ProjectLeaderList(\@leaderlist) != 0) {
fatal("Could not get project leader list for $target_user");
}
if (@leaderlist) {
fatal("$target_user is still heading up projects!");
}
}
}
#
# If nuke mode is also specified, then the account is being nuked from
# web page because of a project join denial. Check to make sure user
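Review bot: Wrapping both leader checks in `if (!$nuke)` skips them for every nuke request, not only for the unapproved project leader that the commit message describes. With the nuke flag set and no project given, the `ProjectLeaderList` check no longer runs, so a user who still heads other projects could get past this point. The comment that follows suggests further nuke-mode checks, but they lie outside the hunk. I would keep the project-less branch unconditional, for instance `if (!$nuke || !defined($project)) {`, and in the nuke path confirm that the named project is still unapproved before skipping the leader test.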
......
......@@ -24,6 +24,10 @@ $optargs = OptionalPageArguments("head_uid", PAGEARG_STRING,
"user_interface", PAGEARG_STRING,
"message", PAGEARG_ANYTHING,
"silent", PAGEARG_BOOLEAN);
$sendemail = 1;
if (isset($silent) && $silent) {
$sendemail = 0;
}
#
# Of course verify that this uid has admin privs!
......@@ -139,13 +143,80 @@ elseif (strcmp($approval, "moreinfo") == 0) {
}
elseif ((strcmp($approval, "deny") == 0) ||
(strcmp($approval, "destroy") == 0)) {
SUEXEC($uid, $TBADMINGROUP, "webrmproj $pid", 1);
#
# If the "destroy" option was given, kill the users account.
#
if (strcmp($approval, "destroy") == 0) {
#
# Take the user out of the project group first.
#
SUEXEC($uid, $TBADMINGROUP, "webmodgroups -r $pid:$pid $headuid", 1);
#
# See if user is in any other projects (even unapproved).
#
$project_list = $leader->ProjectMembershipList();
$sendemail = 1;
if (isset($silent) && $silent) {
$sendemail = 0;
#
# If yes, then we cannot safely delete the user account.
#
if (count($project_list)) {
echo "<p>
User $headuid was <b>denied</b> starting project $pid.
<br>
Since the user is a member (or requesting membership)
in other projects, the account cannot be safely removed.
<br>\n";
}
else {
#
# No other project membership. If the user is unapproved/newuser,
# it means he was never approved in any project, and so will
# likely not be missed. He will be unapproved if he did his
# verification.
#
if (strcmp($curstatus, "newuser") &&
strcmp($curstatus, "unapproved")) {
echo "<p>
User $headuid was <b>denied</b> starting project $pid.
<br>
Since the user has been approved by, or was active in other
projects in the past, the account cannot be safely removed.
\n";
}
else {
SUEXEC($uid, $TBADMINGROUP, "webrmuser -n -p $pid $headuid", 1);
if ($sendemail) {
TBMAIL("$headname '$headuid' <$headuid_email>",
"Account '$headuid' Terminated",
"\n".
"This message is to notify you that your account has \n".
"been terminated because your project $pid was denied.\n".
"\n\n".
"Thanks,\n".
"Testbed Operations\n",
"From: $TBMAIL_APPROVAL\n".
"Bcc: $TBMAIL_APPROVAL\n".
"Errors-To: $TBMAIL_WWW");
}
echo "<h3><p>
User $headuid was <b>denied</b> starting project $pid.
<br>
The account has also been <b>terminated</b>!
</h3>\n";
}
}
}
else {
echo "<h3><p>
Project $pid (User: $headuid) has been denied.
</h3>\n";
}
SUEXEC($uid, $TBADMINGROUP, "webrmproj $pid", 1);
if ($sendemail) {
TBMAIL("$headname '$headuid' <$headuid_email>",
"Project '$pid' Denied",
......@@ -161,30 +232,6 @@ elseif ((strcmp($approval, "deny") == 0) ||
"Errors-To: $TBMAIL_WWW");
}
#
# Well, if the "destroy" option was given, kill the users account.
#
if ($approval == "destroy") {
SUEXEC($uid, $TBADMINGROUP, "webrmuser $headuid", 1);
if ($sendemail) {
TBMAIL("$headname '$headuid' <$headuid_email>",
"Account '$headuid' Terminated",
"\n".
"This message is to notify you that your account has \n".
"been terminated because your project $pid was denied.\n".
"\n\n".
"Thanks,\n".
"Testbed Operations\n",
"From: $TBMAIL_APPROVAL\n".
"Bcc: $TBMAIL_APPROVAL\n".
"Errors-To: $TBMAIL_WWW");
}
}
echo "<h3><p>
Project $pid (User: $headuid) has been denied.
</h3>\n";
}
elseif (strcmp($approval, "approve") == 0) {
$optargs = "";
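Review bot: The two new privileged calls build their command lines by interpolation, `"webmodgroups -r $pid:$pid $headuid"` and `"webrmuser -n -p $pid $headuid"`, and nothing in this hunk shows `$pid` or `$headuid` being checked against the expected identifier format. If SUEXEC hands the string to a shell, each argument should go through `escapeshellarg()`, or a comment should state where both values were validated. The same values are echoed into the HTML result messages without `htmlspecialchars()`. Account removal is now gated only by the `$curstatus` and `ProjectMembershipList()` tests on this page, so a short comment naming them as the safety checks for `webrmuser -n` would help the next maintainer.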
......