Tighten up permissions granted to geni users coming from the GPO Portal.
We now ask the portal for the user's project membership list, and if the user is not a member of any (unexpired) projects, we do not allow them to create experiments (or much of anything else) in the Cloud Portal. I did this by setting the local holding project trust to "user" and setting the webonly bit in the users table. The user can use the picker to see public profiles, but the create button tells them no dice, go join a project at the GPO portal. We make the project check each time the user logs in via the trusted signer.
Showing with 223 additions and 25 deletions