Commit 24940013 authored by Chad Barb's avatar Chad Barb

* Altered consistency checks to treat any root as equivalent
  (so, if you're project_root in the default group, but group_root in
   a group, that won't be a problem)

* Moved consistency checks, which were done in two different places, into
  dbdefs TBCheckGroupTrustConsistency()

* Added preemptive checks, so if 'user' or '*_root' are not valid
  trusts, they aren't displayed as options in editgroup_form and
  approveuser_form (using above function)

* In approveuser, a new approval may now be sent to group_root.
parent 53e95db5
......@@ -96,12 +96,6 @@ while (list ($header, $value) = each ($HTTP_POST_VARS)) {
USERERROR("You are not allowed to approve users in ".
"$project/$group!", 1);
}
TBProjLeader($project, $projleader);
if (strcmp($uid, $projleader) &&
strcmp($newtrust, "group_root") == 0) {
USERERROR("You do not have permission to add new users with group ".
"root status!", 1);
}
#
# Check if already approved in the project/group. If already an
......@@ -230,63 +224,12 @@ while (list ($user, $value) = each ($projectchecks)) {
$projtrust[$pid] = $trust;
}
$pidlist[$pid] = $pid;
# Check vs. the database
TBCheckGroupTrustConsistency($user, $pid, $gid, $trust, 1);
}
reset($value);
while (list ($pid, $foo) = each ($pidlist)) {
# Skip if no subgroups were being approved.
if (! isset($grouptrust[$pid]))
continue;
#
# This does a consistency check against subgroups in the DB.
# If we are approving to any subgroups in the form submittal,
# make sure that the user is not in any other subgroups of the
# project with a different trust level.
#
$query_result =
DBQueryFatal("select trust from group_membership ".
"where uid='$user' and pid='$pid' ".
" and pid!=gid and trust!='none' ".
" and trust!='$grouptrust[$pid]'");
if (mysql_num_rows($query_result)) {
USERERROR("User $user may not have different trust levels in ".
"different subgroups of $pid!", 1);
}
#
# This does a level check between the subgroups and the project.
# Do not allow a higher trust level in the default group than in
# the subgroups.
#
if (isset($projtrust[$pid]))
$ptrust = TBTrustConvert($projtrust[$pid]);
else
$ptrust = TBProjTrust($user, $pid);
$bad = 0;
$query_result =
DBQueryFatal("select trust from group_membership ".
"where uid='$user' and trust!='none' ".
" and pid='$pid' and gid!=pid");
while ($row = mysql_fetch_array($query_result)) {
if ($ptrust > TBTrustConvert($row[0])) {
$bad = 1;
break;
}
}
#echo "F $user $bad $ptrust $pid $grouptrust[$pid]<br>\n";
if ($bad ||
$ptrust > TBTrustConvert($grouptrust[$pid])) {
USERERROR("User $user may not have a higher trust level in ".
"the default group of $pid, than in a subgroup!", 1);
}
}
}
reset($HTTP_POST_VARS);
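Review bot: With the project-leader test dropped from the first hunk (the `TBProjLeader($project, $projleader)` / `strcmp($newtrust, "group_root")` block), the only gate left on who may grant group_root in this handler is the generic "not allowed to approve users" check above it, whose condition lies outside the hunk. `TBCheckGroupTrustConsistency($user, $pid, $gid, $trust, 1)` only verifies that the target's trust levels agree across groups; it never looks at the approver, so it does not replace that authorization test. If letting any approver hand out group_root is intended, as the commit message suggests, say so next to the call, e.g. `# Any approver may grant group_root; the check below is consistency only, not authorization.`; otherwise keep a server-side comparison of the approver's own trust against `$newtrust`. The approval form section drops `$isleader` in the same way, so neither the form nor the handler restricts the option any more.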
......
......@@ -164,17 +164,6 @@ while ($usersrow = mysql_fetch_array($query_result)) {
$date_applied = "--";
}
#
# Only project leaders get to add someone as group root.
#
TBProjLeader($pid, $projleader);
if (strcmp($auth_usr, $projleader) == 0) {
$isleader = 1;
}
else {
$isleader = 0;
}
$userinfo_result =
DBQueryFatal("SELECT * from users where uid='$newuid'");
......@@ -207,12 +196,15 @@ while ($usersrow = mysql_fetch_array($query_result)) {
</select>
</td>
<td rowspan=2>
<select name=\"$newuid\$\$trust-$pid/$gid\">
<option value='user'>User </option>
<option value='local_root'>Local Root </option>\n";
if ($isleader) {
echo " <option value='group_root'>Group Root </option>\n";
<select name=\"$newuid\$\$trust-$pid/$gid\">\n";
if (TBCheckGroupTrustConsistency($newuid, $pid, $gid, "user", 0)) {
echo "<option value='user'>User </option>\n";
}
if (TBCheckGroupTrustConsistency($newuid, $pid, $gid, "local_root", 0)) {
# local_root means any root is valid.
echo "<option value='local_root'>Local Root </option>\n";
echo "<option value='group_root'>Group Root </option>\n";
}
echo " </select>
</td>\n";
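Review bot: When neither `TBCheckGroupTrustConsistency()` call returns 1, the `<select>` is emitted with no `<option>` at all, which looks possible when the user's existing subgroup memberships already mix root and non-root trust. The row then submits no trust value, and what the approval handler does with a missing value is not visible here. Consider skipping the row with a message or emitting a placeholder in that case, and record the condition with a comment such as `# Both checks can fail if existing memberships are already inconsistent.` The enclosing while loop starts and ends outside the hunk.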
......
......@@ -329,6 +329,105 @@ function TBProjAccessCheck($uid, $pid, $gid, $access_type)
return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust);
}
#
# Checks proposed Group trust change for consistency.
#
# Usage: TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, $fail)
# returns 1 if proposed change is valid
# returns 0 if proposed change is invalid and $fail == 0
# does not return if proposed change is invalid and $fail == 1.
#
function TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, $fail)
{
global $TBDB_TRUST_USER;
#
# set $newtrustisroot to 1 if attempting to set a rootful trust,
# 0 otherwise.
#
$newtrustisroot = TBTrustConvert($newtrust) > $TBDB_TRUST_USER ? 1 : 0;
#
# If changing subgroup trust level, then compare levels.
# A user may not have root privs in the project and user privs
# in the subgroup; it makes no sense to do that and can violate trust.
#
if (strcmp($pid, $gid)) {
#
# Setting non-default "sub"group.
# Verify that if user has root in project,
# we are setting a rootful trust for him in
# the subgroup as well.
#
$projtrustisroot = TBProjTrust($user, $pid) > $TBDB_TRUST_USER ? 1 : 0;
if ($projtrustisroot > $newtrustisroot) {
if (!$fail) { return 0; }
TBERROR("User $user may not have a root trust level in ".
"the default group of $pid, ".
"yet be non-root in subgroup $gid!", 1);
}
}
else {
#
# Setting default group.
# Don't verify anything (yet.)
#
$projtrustisroot = $newtrustisroot;
}
#
# Get all the subgroups not equal to the subgroup being changed.
#
$query_result =
DBQueryFatal("select trust,gid from group_membership ".
"where uid='$user' and pid='$pid' and trust!='none' ".
" and gid!=pid and gid!='$gid'");
while ($row = mysql_fetch_array($query_result)) {
$grptrust = $row[0];
$ogid = $row[1];
#
# Get what the user's trust level is in the
# current subgroup we're looking at.
#
$grptrustisroot =
TBTrustConvert( $grptrust ) > $TBDB_TRUST_USER ? 1 : 0;
#
# If user's trust level is higher in the default group than in the
# subgroup we are looking at, this is wrong.
#
if ($projtrustisroot > $grptrustisroot) {
if (!$fail) { return 0; }
TBERROR("User $user may not have a root trust level in ".
"the default group of $pid, ".
"yet be non-root in subgroup $ogid!", 1);
}
if (strcmp($pid, $gid)) {
#
# Iff we're modifying a subgroup,
# Make sure that the trust we're setting is as
# rootful as the trust we already have set in
# every other subgroup.
#
if ($newtrustisroot != $grptrustisroot) {
if (!$fail) { return 0; }
TBERROR("User $user may not mix root and ".
"non-root trust levels in ".
"different subgroups of $pid!", 1);
}
}
}
return 1;
}
# Usage: TBExptGroup($pid, $eid, &$gid)
# returns 0 if expt doesn't exist.
# returns 1 if expt exists.
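Review bot: `$user`, `$pid` and `$gid` are interpolated directly into the `select trust,gid from group_membership` string, and after this commit the function is reached from both form pages and both submit handlers, where `$user` appears to come from the POSTed form. Whether every caller validates those values first is not visible in this diff, so the function should not depend on it: escape them before building the query, or state the contract in the header comment, e.g. `# Callers must pass validated $user, $pid and $gid; they are interpolated into SQL.` Separately, the checks this replaces reported failures with `USERERROR` while this one uses `TBERROR`; if that is the internal-error path, a rejected form submission will be reported as a system fault.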
......
......@@ -78,56 +78,6 @@ $nonmembers_result =
"where m.pid='$pid' and m.gid=m.pid and a.uid is NULL ".
" and m.trust!='none'");
function TBCheckTrustConsistency($user, $pid, $gid, $newtrust)
{
global $TBDB_TRUST_USER;
#
# If changing default group trust level, then compare levels.
# A user may not have root privs in the project and user privs
# in the group; make no sense to do that and can violate trust.
#
if (strcmp($pid, $gid)) {
$projtrust = TBProjTrust($user, $pid);
if (TBTrustConvert($newtrust) == $TBDB_TRUST_USER &&
$projtrust > $TBDB_TRUST_USER) {
USERERROR("User $user may not have a higher trust level in ".
"the default group of $pid, than in subgroup $gid!", 1);
}
}
else
$projtrust = TBTrustConvert($newtrust);
#
# Get all the subgroups not equal to the subgroup being changed.
#
$query_result =
DBQueryFatal("select trust,gid from group_membership ".
"where uid='$user' and pid='$pid' and trust!='none' ".
" and gid!=pid and gid!='$gid'");
while ($row = mysql_fetch_array($query_result)) {
$grptrust = $row[0];
$ogid = $row[1];
if ($projtrust > TBTrustConvert($grptrust)) {
USERERROR("User $user may not have a higher trust level in ".
"the default group of $pid, than in subgroup $ogid!", 1);
}
if (strcmp($pid, $gid)) {
#
# Check to make sure new trust is same as all other subgroup trust.
#
if (strcmp($newtrust, $grptrust)) {
USERERROR("User $user may not have different trust levels in ".
"different subgroups of $pid!", 1);
}
}
}
return 1;
}
#
# First pass does checks. Second pass does the real thing.
......@@ -169,7 +119,7 @@ if (mysql_num_rows($curmembers_result)) {
TBERROR("Invalid trust $newtrust for $user in editgroup.php3.", 1);
}
TBCheckTrustConsistency($user, $pid, $gid, $newtrust);
TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, 1);
}
}
......
......@@ -146,20 +146,22 @@ if (mysql_num_rows($curmembers_result)) {
#
# We want to have the current trust value selected in the menu.
#
echo "<option value='user' " .
((strcmp($trust, "user") == 0) ? "selected" : "") .
">User </option>\n";
echo "<option value='local_root' " .
((strcmp($trust, "local_root") == 0) ? "selected" : "") .
">Local Root </option>\n";
if (TBCheckGroupTrustConsistency($user, $pid, $gid, "user", 0)) {
echo "<option value='user' " .
((strcmp($trust, "user") == 0) ? "selected" : "") .
">User </option>\n";
}
if (TBCheckGroupTrustConsistency($user, $pid, $gid, "local_root", 0)) {
echo "<option value='local_root' " .
((strcmp($trust, "local_root") == 0) ? "selected" : "") .
">Local Root </option>\n";
echo "<option value='group_root' " .
((strcmp($trust, "group_root") == 0) ? "selected" : "") .
">Group Root </option>\n";
echo "<option value='group_root' " .
((strcmp($trust, "group_root") == 0) ? "selected" : "") .
">Group Root </option>\n";
}
echo " </select>
</td>\n";
</td>\n";
}
echo "</tr>\n";
}
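Review bot: If the member's current `$trust` is a value the consistency check now hides (for example `user` while the member is root in the project's default group), no option carries `selected`, and a browser will preselect the first remaining entry, `local_root`. Submitting the form untouched would then raise that member's trust without the editor choosing it; whether such rows exist depends on data not visible here. Always emit the current value as the selected option, or add a placeholder such as `<option value='' selected>(choose)</option>` that the handler rejects. The enclosing loop and the opening `<select>` are outside the hunk.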
......