Commit c6129ad7 authored by Chad Barb's avatar Chad Barb

More rework on the groups system.

* BESTOWGROUPROOT permission added to dbdefs.

* Permissions criteria for group operations changed in dbdefs
  (consult code for full explanation.)

* Approveuser and Editgroup now check for BESTOWGROUPROOT
  permissions before allowing changes to group_root.

* approveuser_form and editgroup_form do not show "Group Root"
  as an option unless you are allowed to set it (or it is already set.)

* editgroup does not UPDATE rows where trust has not been changed.

* showgroup does a correct check to see whether to show the
  "group options" subpage.
parent 6052927b
......@@ -89,20 +89,20 @@ while (list ($header, $value) = each ($HTTP_POST_VARS)) {
#
# Check that the current uid has the necessary trust level
# to approver users in the project/group. Also, only project leaders
# can add someone as group_root. This should probably be encoded in
# the permission stuff.
# can add someone to the default group as group_root.
#
if (! TBProjAccessCheck($uid, $project, $group, $TB_PROJECT_ADDUSER)) {
USERERROR("You are not allowed to approve users in ".
"$project/$group!", 1);
}
TBProjLeader($project, $projleader);
if (strcmp($uid, $projleader) &&
strcmp($newtrust, "group_root") == 0 &&
if (strcmp($newtrust, "group_root") == 0 &&
strcmp($group, $project) == 0) {
USERERROR("You do not have permission to add new users with group ".
"root status to the default group!", 1);
if (! TBProjAccessCheck($uid, $project, $group,
$TB_PROJECT_BESTOWGROUPROOT)) {
USERERROR("You do not have permission to add new users with group ".
"root trust to the default group!", 1);
}
}
#
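Review bot: The new BESTOWGROUPROOT check is still wrapped in `strcmp($group, $project) == 0`, so approving a user as group_root in a non-default group is decided by `$TB_PROJECT_ADDUSER` alone. The dbdefs change in this commit gives TBProjAccessCheck its own default/non-default rules for BESTOWGROUPROOT, and the approval form asks it for every group, so the handler should ask it unconditionally as well: `if (strcmp($newtrust, "group_root") == 0 && !TBProjAccessCheck($uid, $project, $group, $TB_PROJECT_BESTOWGROUPROOT)) {`, with a message that no longer mentions only the default group. Outside the default group the two permissions appear to require the same trust today, so this mainly keeps the handler from drifting if the policy in dbdefs changes later. The comment block above the check also still describes only the default-group restriction.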
......
......@@ -203,7 +203,10 @@ while ($usersrow = mysql_fetch_array($query_result)) {
if (TBCheckGroupTrustConsistency($newuid, $pid, $gid, "local_root", 0)) {
# local_root means any root is valid.
echo "<option value='local_root'>Local Root </option>\n";
echo "<option value='group_root'>Group Root </option>\n";
if (TBProjAccessCheck($auth_usr, $pid, $gid,
$TB_PROJECT_BESTOWGROUPROOT)) {
echo "<option value='group_root'>Group Root </option>\n";
}
}
echo " </select>
</td>\n";
......
......@@ -86,15 +86,16 @@ $TB_PROJECT_READINFO = 1;
$TB_PROJECT_MAKEGROUP = 2;
$TB_PROJECT_EDITGROUP = 3;
$TB_PROJECT_GROUPGRABUSERS = 4;
$TB_PROJECT_DELGROUP = 5;
$TB_PROJECT_LEADGROUP = 6;
$TB_PROJECT_ADDUSER = 7;
$TB_PROJECT_DELUSER = 8;
$TB_PROJECT_MAKEOSID = 9;
$TB_PROJECT_DELOSID = 10;
$TB_PROJECT_MAKEIMAGEID = 11;
$TB_PROJECT_DELIMAGEID = 12;
$TB_PROJECT_CREATEEXPT = 13;
$TB_PROJECT_BESTOWGROUPROOT = 5;
$TB_PROJECT_DELGROUP = 6;
$TB_PROJECT_LEADGROUP = 7;
$TB_PROJECT_ADDUSER = 8;
$TB_PROJECT_DELUSER = 9;
$TB_PROJECT_MAKEOSID = 10;
$TB_PROJECT_DELOSID = 11;
$TB_PROJECT_MAKEIMAGEID = 12;
$TB_PROJECT_DELIMAGEID = 13;
$TB_PROJECT_CREATEEXPT = 14;
$TB_PROJECT_MIN = $TB_PROJECT_READINFO;
$TB_PROJECT_MAX = $TB_PROJECT_CREATEEXPT;
......@@ -241,6 +242,7 @@ function TBProjAccessCheck($uid, $pid, $gid, $access_type)
global $TB_PROJECT_MAKEGROUP;
global $TB_PROJECT_EDITGROUP;
global $TB_PROJECT_GROUPGRABUSERS;
global $TB_PROJECT_BESTOWGROUPROOT;
global $TB_PROJECT_DELGROUP;
global $TB_PROJECT_LEADGROUP;
global $TB_PROJECT_ADDUSER;
......@@ -295,29 +297,59 @@ function TBProjAccessCheck($uid, $pid, $gid, $access_type)
$access_type == $TB_PROJECT_CREATEEXPT) {
$mintrust = $TBDB_TRUST_LOCALROOT;
}
elseif ($access_type == $TB_PROJECT_ADDUSER) {
elseif ($access_type == $TB_PROJECT_ADDUSER ||
$access_type == $TB_PROJECT_EDITGROUP) {
#
# Allow delegation of approving users to group_root in main group.
# If user is project_root or group_root in default group,
# allow them to add/edit/remove users in any group.
#
if (TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
return 1;
}
#
# Otherwise, editing a group requires group_root
# in that group.
#
$mintrust = $TBDB_TRUST_GROUPROOT;
}
elseif ($access_type == $TB_PROJECT_EDITGROUP) {
if (strcmp($gid, $pid) == 0) {
$mintrust = $TBDB_TRUST_PROJROOT;
elseif ($access_type == $TB_PROJECT_BESTOWGROUPROOT) {
#
# If user is project_root,
# allow them to bestow group_root in any group.
#
if (TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_PROJROOT)) {
return 1;
}
if (strcmp($gid, $pid) == 0) {
#
# Only project_root can bestow group_root in default group, and
# we already established that they're not project_root, so fail.
#
return 0;
}
else {
#
# Non-default group.
# group_root in default group may bestow group_root.
#
if (TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
return 1;
}
#
# group_root in the group in question may also bestow group_root.
#
$mintrust = $TBDB_TRUST_GROUPROOT;
}
}
elseif ($access_type == $TB_PROJECT_GROUPGRABUSERS) {
if (strcmp($gid, $pid) == 0) {
$mintrust = $TBDB_TRUST_PROJROOT;
}
else {
# Grabbing users requires privs in the project, not group!
$gid = $pid;
$mintrust = $TBDB_TRUST_GROUPROOT;
}
#
# Only project_root or group_root in default group
# may grab (involuntarily add) users into groups.
#
$gid = $pid;
$mintrust = $TBDB_TRUST_GROUPROOT;
}
elseif ($access_type == $TB_PROJECT_DELUSER) {
$mintrust = $TBDB_TRUST_PROJROOT;
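Review bot: Folding `$TB_PROJECT_EDITGROUP` into the ADDUSER branch drops the old rule that editing the default group needs project_root: with the early `return 1`, group_root in the default group now passes EDITGROUP for every group, the default group included. editgroup.php3 in this commit gates only a change to group_root, so such a user could apparently lower another member's trust in the default group; the commit does not say whether that is intended. If it is not, restore a separate `elseif ($access_type == $TB_PROJECT_EDITGROUP && strcmp($gid, $pid) == 0)` case that sets `$mintrust = $TBDB_TRUST_PROJROOT` ahead of the merged branch; if it is, say so in the branch comment, which now also covers ADDUSER while speaking only of "editing a group". TBProjAccessCheck begins and ends outside these hunks, so how `$mintrust` is finally applied is not visible here.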
......
......@@ -54,13 +54,21 @@ if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_GROUPGRABUSERS)) {
$grabusers = 1;
}
#
# See if user is allowed to bestow group_root upon members of group.
#
$bestowgrouproot = 0;
if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_BESTOWGROUPROOT)) {
$bestowgrouproot = 1;
}
#
# Grab the current user list for the group. The group leader cannot be
# removed! Do not include members that have not been approved to main
# group either! This will force them to go through the approval page first.
#
$curmembers_result =
DBQueryFatal("select distinct m.uid from group_membership as m ".
DBQueryFatal("select distinct m.uid, m.trust from group_membership as m ".
"left join groups as g on g.pid=m.pid and g.gid=m.gid ".
"where m.pid='$pid' and m.gid='$gid' and ".
" m.uid!=g.leader and m.trust!='none'");
......@@ -92,6 +100,7 @@ $nonmembers_result =
if (mysql_num_rows($curmembers_result)) {
while ($row = mysql_fetch_array($curmembers_result)) {
$user = $row[0];
$oldtrust = $row[1];
$foo = "change_$user";
#
......@@ -119,6 +128,18 @@ if (mysql_num_rows($curmembers_result)) {
TBERROR("Invalid trust $newtrust for $user in editgroup.php3.", 1);
}
#
# If the user is attempting to bestow group_root on a user who
# did not previously have group_root, check to see if the operation is
# permitted.
#
if (strcmp($newtrust, $oldtrust) &&
!strcmp($newtrust, "group_root") &&
!$bestowgrouproot) {
USERERROR("You do not have permission to bestow group root".
"trust to users in $pid/$gid!", 1 );
}
TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, 1);
}
}
......@@ -154,6 +175,12 @@ if ($grabusers && !$defaultgroup && mysql_num_rows($nonmembers_result)) {
TBERROR("Invalid trust $newtrust for $user in editgroup.php3.",
1);
}
if (!strcmp($newtrust, "group_root")
&& !$bestowgrouproot) {
USERERROR("You do not have permission to bestow group root".
"trust to users in $pid/$gid!", 1 );
}
TBCheckTrustConsistency($user, $pid, $gid, $newtrust);
}
......@@ -177,6 +204,7 @@ if (mysql_num_rows($curmembers_result)) {
while ($row = mysql_fetch_array($curmembers_result)) {
$user = $row[0];
$oldtrust = $row[1];
$foo = "change_$user";
if (!$defaultgroup && !isset($$foo)) {
......@@ -193,8 +221,10 @@ if (mysql_num_rows($curmembers_result)) {
$foo = "$user\$\$trust";
$newtrust = $$foo;
DBQueryFatal("update group_membership set trust='$newtrust' ".
"where pid='$pid' and gid='$gid' and uid='$user'");
if (strcmp($oldtrust,$newtrust)) {
DBQueryFatal("update group_membership set trust='$newtrust' ".
"where pid='$pid' and gid='$gid' and uid='$user'");
}
}
}
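Review bot: Both new denial messages join `"...bestow group root"` and `"trust to users in $pid/$gid!"` without a space, so the user is shown "group roottrust"; this happens in the current-member check and again in the non-member check. Add the space to the first fragment in both places: `USERERROR("You do not have permission to bestow group root ".`. Since the same test now appears twice, a one-line comment on the non-member copy explaining why it has no `$oldtrust` comparison would help the next reader, for example `# Non-members have no previous trust, so any group_root request needs permission.`. The enclosing loops start outside the hunks shown.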
......
......@@ -54,6 +54,14 @@ if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_GROUPGRABUSERS)) {
$grabusers = 1;
}
#
# See if user is allowed to bestow group_root upon members of group.
#
$bestowgrouproot = 0;
if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_BESTOWGROUPROOT)) {
$bestowgrouproot = 1;
}
#
# Grab the user list for the group. Provide a button selection of people
# that can be removed. The group leader cannot be removed!
......@@ -155,10 +163,16 @@ if (mysql_num_rows($curmembers_result)) {
echo "<option value='local_root' " .
((strcmp($trust, "local_root") == 0) ? "selected" : "") .
">Local Root </option>\n";
echo "<option value='group_root' " .
((strcmp($trust, "group_root") == 0) ? "selected" : "") .
">Group Root </option>\n";
#
# If group_root is already selected, or we have permission to set it,
# show it. Otherwise do not.
#
if (strcmp($trust, "group_root") == 0 || $bestowgrouproot) {
echo "<option value='group_root' " .
((strcmp($trust, "group_root") == 0) ? "selected" : "") .
">Group Root </option>\n";
}
}
echo " </select>
</td>\n";
......@@ -197,10 +211,12 @@ if ($grabusers && mysql_num_rows($nonmembers_result)) {
echo "<option value='local_root' " .
((strcmp($trust, "local_root") == 0) ? "selected" : "") .
">Local Root</option>\n";
echo "<option value='group_root' " .
((strcmp($trust, "group_root") == 0) ? "selected" : "") .
">Group Root</option>\n";
if ($bestowgrouproot) {
echo "<option value='group_root' " .
((strcmp($trust, "group_root") == 0) ? "selected" : "") .
">Group Root</option>\n";
}
}
echo " </select>
</td>\n";
......
......@@ -73,7 +73,8 @@ if ($isadmin || TBProjAccessCheck($uid, $pid, $pid, $TB_PROJECT_DELUSER)) {
# This menu only makes sense for people with privs to use them.
#
if (TBProjAccessCheck($uid, $pid, $gid, $TB_PROJECT_EDITGROUP) ||
TBProjAccessCheck($uid, $pid, $pid, $TB_PROJECT_DELGROUP)) {
(strcmp($gid, $pid) &&
TBProjAccessCheck($uid, $pid, $pid, $TB_PROJECT_DELGROUP))) {
SUBPAGESTART();
SUBMENUSTART("Group Options");
......