Example #1
#
# Decide whether $user may edit the publication record $row.
#
# Grants, in order: any caller flagged $isadmin; the record owner while the
# row's editable_owner flag is set; otherwise whatever TBMinTrust() returns
# for the user's trust in the record's project, measured against
# $TBDB_TRUST_LOCALROOT. Returns false when there is no user, the row names
# no project, or the project lookup fails.
#
# $isadmin is accepted as given and short-circuits every other check, so
# callers must derive it from the authenticated session, never from
# request data.
#
function MayEditPub($user, $isadmin, $row)
{
    global $TBDB_TRUST_LOCALROOT;

    # Admin flag wins before the user object is even looked at.
    if ($isadmin) {
        return true;
    }
    # Without a user object nothing below can grant access.
    if (!$user) {
        return false;
    }

    # Ownership alone is not enough: the row must also be owner-editable.
    $isOwner = ($user->uid_idx() == $row['owner']);
    if ($isOwner && $row['editable_owner']) {
        return true;
    }

    # Fall back to project trust; an empty or unknown project denies.
    $projectId = $row['project'];
    $project = ($projectId == '') ? null : Project::LookupByPid($projectId);
    if (!$project) {
        return false;
    }

    return TBMinTrust($project->UserTrust($user), $TBDB_TRUST_LOCALROOT);
}
Example #2
 #
 # Decide whether $user may perform $access_type on this node.
 #
 # Free node (no reservation): allowed only when $user is the logged-in
 # user ($CHECKLOGIN_USER), OPSGUY() is true, and TBMinTrust() accepts the
 # user's trust in $TBOPSPID at $TBDB_TRUST_LOCALROOT; otherwise 0.
 # Reserved node: READINFO needs $TBDB_TRUST_USER in the experiment's
 # group, every other type needs $TBDB_TRUST_LOCALROOT; independently,
 # $TBDB_TRUST_GROUPROOT in the project (gid == pid) passes any type.
 #
 # This method contains no ISADMIN() shortcut.
 # NOTE(review): the code after the range check assumes TBERROR(..., 1)
 # does not return -- confirm.
 #
 function AccessCheck($user, $access_type)
 {
     global $TB_NODEACCESS_READINFO, $TB_NODEACCESS_MODIFYINFO, $TB_NODEACCESS_LOADIMAGE;
     global $TB_NODEACCESS_REBOOT, $TB_NODEACCESS_POWERCYCLE;
     global $TB_NODEACCESS_MIN, $TB_NODEACCESS_MAX;
     global $TBDB_TRUST_USER, $TBDB_TRUST_GROUPROOT, $TBDB_TRUST_LOCALROOT;
     global $TBOPSPID, $CHECKLOGIN_USER;

     # Reject access types outside the declared range.
     $outOfRange = $access_type < $TB_NODEACCESS_MIN || $access_type > $TB_NODEACCESS_MAX;
     if ($outOfRange) {
         TBERROR("Invalid access type: {$access_type}!", 1);
     }

     $uid = $user->uid();
     $reservation = $this->Reservation();
     if (!$reservation) {
         #
         # Free node: only the logged-in user, and only if OPSGUY() says
         # so, is checked against the emulab-ops project. OPSGUY() is not
         # called at all when $user is someone other than the caller.
         #
         $isOpsCaller = $uid == $CHECKLOGIN_USER->uid() && OPSGUY();
         if (!$isOpsCaller) {
             return 0;
         }
         return TBMinTrust(TBGrpTrust($uid, $TBOPSPID, $TBOPSPID), $TBDB_TRUST_LOCALROOT);
     }

     $pid = $reservation->pid();
     $gid = $reservation->gid();
     # Fetched as in the original; the value is not used below.
     $eid = $reservation->eid();

     # Reading info needs plain user trust; everything else needs local_root.
     $mintrust = ($access_type == $TB_NODEACCESS_READINFO)
         ? $TBDB_TRUST_USER
         : $TBDB_TRUST_LOCALROOT;

     # Group-level trust is tried first; the project-wide group_root test
     # runs only if that fails and does not depend on $access_type.
     if (TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust)) {
         return true;
     }
     return (bool) TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
 }
Example #3
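 #
 # Decide whether $user may perform $access_type on this image.
 #
 # Returns 1 (allowed) or 0 (denied). Order of checks:
 #   1. ISADMIN() allows everything.
 #   2. A global image allows READINFO to anyone.
 #   3. Project trust: READINFO needs $TBDB_TRUST_USER (measured in the
 #      project group when the image is shared, else in the image's
 #      group); other types need $TBDB_TRUST_LOCALROOT. Independently,
 #      $TBDB_TRUST_GROUPROOT in the project passes any type.
 #   4. EXPORT is never granted past this point.
 #   5. A matching image_permissions row (for the user, or for a group the
 #      user belongs to with trust other than TBDB_TRUSTSTRING_NONE)
 #      grants READINFO and ACCESS only. allow_write is selected by the
 #      queries but never consulted.
 #
 # NOTE(review): ISADMIN() takes no argument, so it is not evaluated
 # against $user -- confirm callers only pass the logged-in user.
 # NOTE(review): the code after the range check assumes TBERROR(..., 1)
 # does not return -- confirm.
 # NOTE(review): mysql_num_rows() belongs to the mysql extension removed
 # in PHP 7.0; this runs only on a legacy runtime or behind a shim.
 #
 function AccessCheck($user, $access_type)
 {
     global $TB_IMAGEID_READINFO, $TB_IMAGEID_ACCESS, $TB_IMAGEID_EXPORT;
     global $TB_IMAGEID_MIN, $TB_IMAGEID_MAX;
     global $TBDB_TRUST_USER, $TBDB_TRUST_GROUPROOT, $TBDB_TRUST_LOCALROOT;

     if ($access_type < $TB_IMAGEID_MIN || $access_type > $TB_IMAGEID_MAX) {
         TBERROR("Invalid access type {$access_type}!", 1);
     }
     #
     # Admins do whatever they want!
     #
     if (ISADMIN()) {
         return 1;
     }
     $shared = $this->shared();
     $global = $this->isglobal();
     $imageid = $this->imageid();
     $pid = $this->pid();
     $gid = $this->gid();
     $uid = $user->uid();
     $uid_idx = $user->uid_idx();
     #
     # Global ImageIDs can be read by anyone but written with permission.
     #
     if ($global && $access_type == $TB_IMAGEID_READINFO) {
         return 1;
     }
     #
     # Otherwise must have proper trust in the project.
     #
     if ($access_type == $TB_IMAGEID_READINFO) {
         $mintrust = $TBDB_TRUST_USER;
         #
         # Shared imageids are readable by anyone in the project.
         #
         if ($shared) {
             $gid = $pid;
         }
     } else {
         $mintrust = $TBDB_TRUST_LOCALROOT;
     }
     if (TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) || TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
         return 1;
     }
     # No point in looking further; never allowed.
     if ($access_type == $TB_IMAGEID_EXPORT) {
         return 0;
     }
     #
     # Permission rows only ever grant READINFO and ACCESS, so deny every
     # other type here instead of running queries whose result would be
     # ignored.
     #
     if ($access_type != $TB_IMAGEID_READINFO && $access_type != $TB_IMAGEID_ACCESS) {
         return 0;
     }
     #
     # Look in the image permissions. First look for a user permission,
     # then look for a group permission.
     #
     # $imageid and $uid_idx are interpolated straight into the SQL text.
     # They come from object accessors here, not from request data.
     # NOTE(review): confirm both are validated where the objects are
     # loaded, or escape/bind them before building the query.
     #
     $query_result = DBQueryFatal("select allow_write from image_permissions " . "where imageid='{$imageid}' and " . "      permission_type='user' and " . "      permission_idx='{$uid_idx}'");
     if (mysql_num_rows($query_result)) {
         # Only allowed to read.
         return 1;
     }
     $trust_none = TBDB_TRUSTSTRING_NONE;
     $query_result = DBQueryFatal("select allow_write from group_membership as g " . "left join image_permissions as p on " . "     p.permission_type='group' and " . "     p.permission_idx=g.gid_idx " . "where g.uid_idx='{$uid_idx}' and " . "      p.imageid='{$imageid}' and " . "      trust!='{$trust_none}'");
     if (mysql_num_rows($query_result)) {
         # Only allowed to read.
         return 1;
     }
     return 0;
 }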
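 #
 # Decide whether $user may perform $access_type on this experiment.
 #
 # ISADMIN() allows everything. Otherwise READINFO needs $TBDB_TRUST_USER
 # in the experiment's group and every other type needs
 # $TBDB_TRUST_LOCALROOT there; independently, $TBDB_TRUST_GROUPROOT in
 # the project passes any type.
 #
 # NOTE(review): ISADMIN() takes no argument, so it is not evaluated
 # against $user -- confirm callers only pass the logged-in user.
 # NOTE(review): the code after the range check assumes TBERROR(..., 1)
 # does not return -- confirm.
 #
 function AccessCheck($user, $access_type)
 {
     global $TB_EXPT_READINFO, $TB_EXPT_MIN, $TB_EXPT_MAX;
     global $TBDB_TRUST_USER, $TBDB_TRUST_LOCALROOT, $TBDB_TRUST_GROUPROOT;

     if ($access_type < $TB_EXPT_MIN || $access_type > $TB_EXPT_MAX) {
         TBERROR("Invalid access type: {$access_type}!", 1);
     }
     #
     # Admins do whatever they want!
     #
     if (ISADMIN()) {
         return 1;
     }
     # Reading info needs plain user trust; everything else needs local_root.
     if ($access_type == $TB_EXPT_READINFO) {
         $mintrust = $TBDB_TRUST_USER;
     } else {
         $mintrust = $TBDB_TRUST_LOCALROOT;
     }
     $uid = $user->uid();
     $pid = $this->pid();
     $gid = $this->gid();
     #
     # Either proper permission in the group, or group_root in the project.
     # This lets group_roots muck with other peoples experiments, including
     # those in groups they do not belong to. The group_root test does not
     # look at $access_type, so it covers modifying access types as well
     # as READINFO.
     #
     return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) || TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
 }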
Example #5
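 #
 # Decide whether $user may perform $access_type on this OSID.
 #
 # Returns 1 (allowed) or 0 (denied). Order of checks:
 #   1. ISADMIN() allows everything.
 #   2. A shared OSID allows READINFO to anyone and refuses every other
 #      type outright.
 #   3. Project trust via Project::UserTrust(): READINFO needs
 #      $TBDB_TRUST_USER, other types need $TBDB_TRUST_LOCALROOT.
 #   4. If ezid() is false, stop and deny.
 #   5. A matching image_permissions row (for the user, or for a group the
 #      user belongs to with trust other than TBDB_TRUSTSTRING_NONE)
 #      grants READINFO only. allow_write is selected by the queries but
 #      never consulted.
 #
 # NOTE(review): ISADMIN() takes no argument, so it is not evaluated
 # against $user -- confirm callers only pass the logged-in user.
 # NOTE(review): the code after each TBERROR(..., 1) call assumes it does
 # not return -- confirm; otherwise $project would be used while unset.
 # NOTE(review): mysql_num_rows() belongs to the mysql extension removed
 # in PHP 7.0; this runs only on a legacy runtime or behind a shim.
 #
 function AccessCheck($user, $access_type)
 {
     global $TB_OSID_READINFO, $TB_OSID_MIN, $TB_OSID_MAX;
     global $TBDB_TRUST_USER, $TBDB_TRUST_LOCALROOT;

     if ($access_type < $TB_OSID_MIN || $access_type > $TB_OSID_MAX) {
         TBERROR("Invalid access type {$access_type}!", 1);
     }
     #
     # Admins do whatever they want!
     #
     if (ISADMIN()) {
         return 1;
     }
     #
     # No GIDs yet.
     #
     $pid = $this->pid();
     $shared = $this->shared();
     #
     # Shared OSIDs can be read by anyone; nothing else is allowed on them.
     #
     if ($shared) {
         if ($access_type == $TB_OSID_READINFO) {
             return 1;
         }
         return 0;
     }
     #
     # Otherwise must have proper trust in the project.
     #
     if ($access_type == $TB_OSID_READINFO) {
         $mintrust = $TBDB_TRUST_USER;
     } else {
         $mintrust = $TBDB_TRUST_LOCALROOT;
     }
     #
     # Need the project object to complete this test.
     #
     if (!($project = Project::Lookup($pid))) {
         TBERROR("Could not map project {$pid} to its object", 1);
     }
     if (TBMinTrust($project->UserTrust($user), $mintrust)) {
         return 1;
     } elseif (!$this->ezid()) {
         return 0;
     }
     #
     # Permission rows only ever grant READINFO, so deny every other type
     # here instead of running queries whose result would be ignored.
     #
     if ($access_type != $TB_OSID_READINFO) {
         return 0;
     }
     #
     # If this is an ez image, look in the image permissions.
     # First look for a user permission, then look for a group permission.
     #
     # $osid and $uid_idx are interpolated straight into the SQL text.
     # They come from object accessors here, not from request data.
     # NOTE(review): confirm both are validated where the objects are
     # loaded, or escape/bind them before building the query.
     #
     $osid = $this->osid();
     $uid_idx = $user->uid_idx();
     $trust_none = TBDB_TRUSTSTRING_NONE;
     $query_result = DBQueryFatal("select allow_write from image_permissions " . "where imageid='{$osid}' and " . "      permission_type='user' and " . "      permission_idx='{$uid_idx}'");
     if (mysql_num_rows($query_result)) {
         # Only allowed to read.
         return 1;
     }
     $query_result = DBQueryFatal("select allow_write from group_membership as g " . "left join image_permissions as p on " . "     p.permission_type='group' and " . "     p.permission_idx=g.gid_idx " . "where g.uid_idx='{$uid_idx}' and " . "      p.imageid='{$osid}' and " . "      trust!='{$trust_none}'");
     if (mysql_num_rows($query_result)) {
         # Only allowed to read.
         return 1;
     }
     return 0;
 }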
Example #6
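 #
 # Report whether $user has a group_membership row for this group.
 #
 # Returns 1 when a row exists and 0 when none does. $approved is an
 # out-parameter: 0 when there is no row, otherwise the result of
 # TBMinTrust() on the stored trust against $TBDB_TRUST_USER.
 #
 # The return value is 1 for any existing row, whatever its trust, so a
 # caller making an access decision must test $approved and not just the
 # return value.
 #
 # NOTE(review): $uid_idx and $gid_idx are interpolated straight into the
 # SQL text. They come from object accessors, not request data -- confirm
 # they are validated where the objects are loaded, or escape/bind them.
 #
 function IsMember($user, &$approved)
 {
     global $TBDB_TRUST_USER;
     $uid_idx = $user->uid_idx();
     $gid_idx = $this->gid_idx();
     $query_result = DBQueryFatal("select trust from group_membership " . "where uid_idx='{$uid_idx}' and gid_idx='{$gid_idx}'");
     if (mysql_num_rows($query_result) == 0) {
         # No membership row at all: not a member, not approved.
         $approved = 0;
         return 0;
     }
     $row = mysql_fetch_row($query_result);
     $trust = $row[0];
     # Membership and approval are reported separately.
     $approved = TBMinTrust($trust, $TBDB_TRUST_USER);
     return 1;
 }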
Example #7
    $zapurl = CreateURL("showimageid", $image);
    if ($type == "imagedoesxen") {
        $image->DoesXen($value);
    } else {
        $image->SetGlobal($value);
    }
} elseif ($type == "cvsrepo_public") {
    # Must validate the pid since we allow non-admins to do this.
    if (!TBvalid_pid($pid)) {
        PAGEARGERROR("Invalid characters in {$pid}");
    }
    if (!($project = Project::Lookup($pid))) {
        PAGEARGERROR("Project {$pid} is not a valid project!");
    }
    # Must be admin or project/group root.
    if (!$isadmin && !TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
        USERERROR("You do not have permission to toggle {$type}!", 1);
    }
    $zapurl = CreateURL("showproject", $project);
    $project->SetCVSRepoPublic($value);
    $unix_pid = $project->unix_gid();
    SUEXEC($uid, $unix_pid, "webcvsrepo_ctrl {$pid}", SUEXEC_ACTION_DIE);
} elseif ($type == "workbench") {
    # Must validate the pid since we allow non-admins to do this.
    if (!TBvalid_pid($pid)) {
        PAGEARGERROR("Invalid characters in {$pid}");
    }
    if (!($project = Project::Lookup($pid))) {
        PAGEARGERROR("Project {$pid} is not a valid project!");
    }
    # Must be admin