function AccessCheck($user, $access_type)
{
global $TB_NODEACCESS_READINFO;
global $TB_NODEACCESS_MODIFYINFO;
global $TB_NODEACCESS_LOADIMAGE;
global $TB_NODEACCESS_REBOOT;
global $TB_NODEACCESS_POWERCYCLE;
global $TB_NODEACCESS_MIN;
global $TB_NODEACCESS_MAX;
global $TBDB_TRUST_USER;
global $TBDB_TRUST_GROUPROOT;
global $TBDB_TRUST_LOCALROOT;
global $TBOPSPID;
global $CHECKLOGIN_USER;
$mintrust = $TBDB_TRUST_USER;
if ($access_type < $TB_NODEACCESS_MIN || $access_type > $TB_NODEACCESS_MAX) {
TBERROR("Invalid access type: {$access_type}!", 1);
}
$uid = $user->uid();
if (!($experiment = $this->Reservation())) {
#
# If the current user is in the emulab-ops project and has
# sufficient privs, then he can muck with free nodes as if he
# were an admin type.
#
if ($uid == $CHECKLOGIN_USER->uid() && OPSGUY()) {
return TBMinTrust(TBGrpTrust($uid, $TBOPSPID, $TBOPSPID), $TBDB_TRUST_LOCALROOT);
}
return 0;
}
$pid = $experiment->pid();
$gid = $experiment->gid();
$eid = $experiment->eid();
if ($access_type == $TB_NODEACCESS_READINFO) {
$mintrust = $TBDB_TRUST_USER;
} else {
$mintrust = $TBDB_TRUST_LOCALROOT;
}
return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) || TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
}
function AccessCheck($user, $access_type)
{
global $TB_IMAGEID_READINFO;
global $TB_IMAGEID_MODIFYINFO;
global $TB_IMAGEID_DESTROY;
global $TB_IMAGEID_ACCESS;
global $TB_IMAGEID_EXPORT;
global $TB_IMAGEID_MIN;
global $TB_IMAGEID_MAX;
global $TBDB_TRUST_USER;
global $TBDB_TRUST_GROUPROOT;
global $TBDB_TRUST_LOCALROOT;
$mintrust = $TB_IMAGEID_READINFO;
if ($access_type < $TB_IMAGEID_MIN || $access_type > $TB_IMAGEID_MAX) {
TBERROR("Invalid access type {$access_type}!", 1);
}
#
# Admins do whatever they want!
#
if (ISADMIN()) {
return 1;
}
$shared = $this->shared();
$global = $this->isglobal();
$imageid = $this->imageid();
$pid = $this->pid();
$gid = $this->gid();
$uid = $user->uid();
$uid_idx = $user->uid_idx();
$pid_idx = $user->uid_idx();
$gid_idx = $user->uid_idx();
#
# Global ImageIDs can be read by anyone but written with permission.
#
if ($global) {
if ($access_type == $TB_IMAGEID_READINFO) {
return 1;
}
}
#
# Otherwise must have proper trust in the project.
#
if ($access_type == $TB_IMAGEID_READINFO) {
$mintrust = $TBDB_TRUST_USER;
#
# Shared imageids are readable by anyone in the project.
#
if ($shared) {
$gid = $pid;
}
} else {
$mintrust = $TBDB_TRUST_LOCALROOT;
}
if (TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) || TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
return 1;
}
# No point in looking further; never allowed.
if ($access_type == $TB_IMAGEID_EXPORT) {
return 0;
}
#
# Look in the image permissions. First look for a user permission,
# then look for a group permission.
#
$query_result = DBQueryFatal("select allow_write from image_permissions " . "where imageid='{$imageid}' and " . " permission_type='user' and " . " permission_idx='{$uid_idx}'");
if (mysql_num_rows($query_result)) {
$row = mysql_fetch_array($query_result);
# Only allowed to read.
if ($access_type == $TB_IMAGEID_READINFO || $access_type == $TB_IMAGEID_ACCESS) {
return 1;
}
}
$trust_none = TBDB_TRUSTSTRING_NONE;
$query_result = DBQueryFatal("select allow_write from group_membership as g " . "left join image_permissions as p on " . " p.permission_type='group' and " . " p.permission_idx=g.gid_idx " . "where g.uid_idx='{$uid_idx}' and " . " p.imageid='{$imageid}' and " . " trust!='{$trust_none}'");
if (mysql_num_rows($query_result)) {
# Only allowed to read.
if ($access_type == $TB_IMAGEID_READINFO || $access_type == $TB_IMAGEID_ACCESS) {
return 1;
}
}
return 0;
}
function AccessCheck($user, $access_type)
{
global $TB_PROJECT_READINFO;
global $TB_PROJECT_MAKEGROUP;
global $TB_PROJECT_EDITGROUP;
global $TB_PROJECT_GROUPGRABUSERS;
global $TB_PROJECT_BESTOWGROUPROOT;
global $TB_PROJECT_DELGROUP;
global $TB_PROJECT_LEADGROUP;
global $TB_PROJECT_ADDUSER;
global $TB_PROJECT_DELUSER;
global $TB_PROJECT_MAKEOSID;
global $TB_PROJECT_DELOSID;
global $TB_PROJECT_MAKEIMAGEID;
global $TB_PROJECT_DELIMAGEID;
global $TB_PROJECT_CREATEEXPT;
global $TB_PROJECT_MIN;
global $TB_PROJECT_MAX;
global $TBDB_TRUST_USER;
global $TBDB_TRUST_LOCALROOT;
global $TBDB_TRUST_GROUPROOT;
global $TBDB_TRUST_PROJROOT;
# Min declaration.
$mintrust = $TB_PROJECT_READINFO;
$pid = $this->pid();
$gid = $this->gid();
$uid = $user->uid();
if ($access_type < $TB_PROJECT_MIN || $access_type > $TB_PROJECT_MAX) {
TBERROR("Invalid access type: {$access_type}!", 1);
}
#
# Admins do whatever they want!
#
if (ISADMIN()) {
return 1;
}
if ($access_type == $TB_PROJECT_READINFO) {
$mintrust = $TBDB_TRUST_USER;
} elseif ($access_type == $TB_PROJECT_MAKEGROUP || $access_type == $TB_PROJECT_DELGROUP) {
$mintrust = $TBDB_TRUST_GROUPROOT;
} elseif ($access_type == $TB_PROJECT_LEADGROUP) {
#
# Allow mere user (in default group) to lead a subgroup.
#
$mintrust = $TBDB_TRUST_USER;
} elseif ($access_type == $TB_PROJECT_MAKEOSID || $access_type == $TB_PROJECT_MAKEIMAGEID || $access_type == $TB_PROJECT_CREATEEXPT) {
$mintrust = $TBDB_TRUST_LOCALROOT;
} elseif ($access_type == $TB_PROJECT_ADDUSER || $access_type == $TB_PROJECT_EDITGROUP) {
#
# If user is project_root or group_root in default group,
# allow them to add/edit/remove users in any group.
#
if (TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
return 1;
}
#
# Otherwise, editing a group requires group_root
# in that group.
#
$mintrust = $TBDB_TRUST_GROUPROOT;
} elseif ($access_type == $TB_PROJECT_BESTOWGROUPROOT) {
#
# If user is project_root,
# allow them to bestow group_root in any group.
#
if (TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_PROJROOT)) {
return 1;
}
if ($gid == $pid) {
#
# Only project_root can bestow group_root in default group,
# and we already established that they are not project_root,
# so fail.
#
return 0;
} else {
#
# Non-default group.
# group_root in default group may bestow group_root.
#
if (TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
return 1;
}
#
# group_root in the group in question may also bestow
# group_root.
#
$mintrust = $TBDB_TRUST_GROUPROOT;
}
} elseif ($access_type == $TB_PROJECT_GROUPGRABUSERS) {
#
# Only project_root or group_root in default group
# may grab (involuntarily add) users into groups.
#
$gid = $pid;
$mintrust = $TBDB_TRUST_GROUPROOT;
} elseif ($access_type == $TB_PROJECT_DELUSER) {
$mintrust = $TBDB_TRUST_PROJROOT;
} else {
TBERROR("Unexpected access type: {$access_type}!", 1);
}
return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust);
}
function AccessCheck($user, $access_type)
{
global $TB_EXPT_READINFO;
global $TB_EXPT_MODIFY;
global $TB_EXPT_DESTROY;
global $TB_EXPT_UPDATE;
global $TB_EXPT_MIN;
global $TB_EXPT_MAX;
global $TBDB_TRUST_USER;
global $TBDB_TRUST_LOCALROOT;
global $TBDB_TRUST_GROUPROOT;
global $TBDB_TRUST_PROJROOT;
$mintrust = $TB_EXPT_READINFO;
if ($access_type < $TB_EXPT_MIN || $access_type > $TB_EXPT_MAX) {
TBERROR("Invalid access type: {$access_type}!", 1);
}
#
# Admins do whatever they want!
#
if (ISADMIN()) {
return 1;
}
if ($access_type == $TB_EXPT_READINFO) {
$mintrust = $TBDB_TRUST_USER;
} else {
$mintrust = $TBDB_TRUST_LOCALROOT;
}
$uid = $user->uid();
$pid = $this->pid();
$gid = $this->gid();
$uid = $user->uid();
#
# Either proper permission in the group, or group_root in the project.
# This lets group_roots muck with other peoples experiments, including
# those in groups they do not belong to.
#
return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) || TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
}
$zapurl = CreateURL("showimageid", $image);
if ($type == "imagedoesxen") {
$image->DoesXen($value);
} else {
$image->SetGlobal($value);
}
} elseif ($type == "cvsrepo_public") {
# Must validate the pid since we allow non-admins to do this.
if (!TBvalid_pid($pid)) {
PAGEARGERROR("Invalid characters in {$pid}");
}
if (!($project = Project::Lookup($pid))) {
PAGEARGERROR("Project {$pid} is not a valid project!");
}
# Must be admin or project/group root.
if (!$isadmin && !TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
USERERROR("You do not have permission to toggle {$type}!", 1);
}
$zapurl = CreateURL("showproject", $project);
$project->SetCVSRepoPublic($value);
$unix_pid = $project->unix_gid();
SUEXEC($uid, $unix_pid, "webcvsrepo_ctrl {$pid}", SUEXEC_ACTION_DIE);
} elseif ($type == "workbench") {
# Must validate the pid since we allow non-admins to do this.
if (!TBvalid_pid($pid)) {
PAGEARGERROR("Invalid characters in {$pid}");
}
if (!($project = Project::Lookup($pid))) {
PAGEARGERROR("Project {$pid} is not a valid project!");
}
# Must be admin
