Commit 4350e303 authored by Leigh B Stoller's avatar Leigh B Stoller

Fix up permission checking for Termination; allow project leaders

to terminate experiments.
parent 08ae0d32
......@@ -508,6 +508,21 @@ class Instance
}
return 0;
}
function CanTerminate($user) {
global $TBDB_TRUST_GROUPROOT;
if ($this->creator_idx() == $user->uid_idx()) {
return 1;
}
# Otherwise a project membership test.
$project = Project::Lookup($this->pid_idx());
if (!$project) {
return 0;
}
$uid = $user->uid();
$pid = $project->pid();
return TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
}
function CanDoSSH($user) {
if ($this->creator_idx() == $user->uid_idx()) {
return 1;
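Review bot: `CanTerminate` has no comment saying who passes, and its last line is the entire authorization decision for anyone who is not the creator. As written, `TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)` appears to accept any user whose trust in the project's default group is at least group root, which may be wider than the "project leaders" named in the commit title. That threshold is worth stating so a later reader does not have to infer it. I would add above the function `# Creator, or at least group-root trust in the project's default group. Admins are not considered here; callers must check that separately.` The second sentence matters because nothing in the method consults an admin flag.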
......
......@@ -273,7 +273,10 @@ $(function ()
lockdown_override});
xmlthing.done(callback);
});
// Disable terminate button if not allowed.
if (!window.APT_OPTIONS.canterminate) {
DisableButton("terminate");
}
// lockout change event handler.
$('#lockout_checkbox').change(function() {
DoLockout($(this).is(":checked"));
......@@ -639,9 +642,9 @@ $(function ()
if (button == "terminate") {
button = "#terminate_button";
// When admin lockdown is set, we never enable this button.
if (admin_lockdown) {
if (admin_lockdown || !window.APT_OPTIONS.canterminate) {
enable = 0;
}
}
}
else if (button == "extend")
button = "#extend_button";
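Review bot: The comment kept above the changed condition, `// When admin lockdown is set, we never enable this button.`, now describes only half of the test, since `!window.APT_OPTIONS.canterminate` also forces `enable = 0`. I would reword it to `// Never enable this button under admin lockdown or when the user lacks terminate permission.` The comment in the first hunk could also say that this flag only drives the UI and that the server-side terminate handler makes the actual decision, so nobody later treats the disabled button as the access control. The enclosing function starts and ends outside both hunks.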
......
......@@ -215,9 +215,14 @@ function Do_TerminateInstance()
{
global $instance, $creator, $this_user, $ajax_args;
if (StatusSetupAjax(1)) {
# Check for read permission, and then check for Terminate permission.
if (StatusSetupAjax(0)) {
return;
}
if (!$instance->CanTerminate($this_user)) {
SPITAJAX_ERROR(1, "Not enough permission to terminate");
return;
}
$uuid = $instance->uuid();
if ($instance->admin_lockdown()) {
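Review bot: The new `CanTerminate` gate in `Do_TerminateInstance` has no administrator exception, while the page script that sets `$canterminate` ORs the same call with `ISADMIN()`. From the visible `CanTerminate` body, only the creator or a sufficiently trusted project member passes, so unless `TBGrpTrust` itself grants admins trust, an admin who is neither would see an enabled Terminate button and then get "Not enough permission to terminate". If admins are meant to keep this ability, the check could read `if (!ISADMIN() && !$instance->CanTerminate($this_user)) {`, which keeps the handler and the `$canterminate` hunk in agreement. If they are not, the `ISADMIN()` term should be dropped from the `$canterminate` hunk instead. The function body continues past the end of the hunk.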
......
<?php
#
# Copyright (c) 2000-2017 University of Utah and the Flux Group.
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -140,6 +140,9 @@ if ($profile = Profile::Lookup($instance->profile_id(),
$canclone = ((isset($this_user) &&
$profile->CanClone($this_user)) ||
ISADMIN() ? 1 : 0);
$canterminate = ((isset($this_user) &&
$instance->CanTerminate($this_user)) ||
ISADMIN() ? 1 : 0);
$public_url = ($instance->public_url() ?
"'" . $instance->public_url() . "'" : "null");
$isscript = ($profile->script() && $profile->script() != "" ? 1 : 0);
......@@ -150,6 +153,7 @@ else {
$profile_public = "false";
$cansnap = 0;
$canclone = 0;
$canterminate = 0;
$public_url = "null";
$isscript = 0;
......@@ -253,6 +257,7 @@ echo " window.APT_OPTIONS.isfadmin = $isfadmin;\n";
echo " window.APT_OPTIONS.isstud = $isstud;\n";
echo " window.APT_OPTIONS.cansnap = $cansnap;\n";
echo " window.APT_OPTIONS.canclone = $canclone;\n";
echo " window.APT_OPTIONS.canterminate = $canterminate;\n";
echo " window.APT_OPTIONS.wholedisk = $wholedisk;\n";
echo " window.APT_OPTIONS.snapping = $snapping;\n";
echo " window.APT_OPTIONS.hidelinktest = false;\n";
......