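#
# Decide whether $user may perform $access_type on this node.
#
# $user        - object providing uid(); the account being checked.
# $access_type - one of the TB_NODEACCESS_* values; it must lie within
#                $TB_NODEACCESS_MIN .. $TB_NODEACCESS_MAX.
#
# Returns a true value when access is granted and a false value (0 or
# false) when it is denied.
#
# Rules, in order:
#   - Free node (no reservation): only an emulab-ops member with at least
#     local_root trust in $TBOPSPID is allowed; everyone else gets 0.
#   - Reserved node: READINFO needs user trust in the experiment's group,
#     every other access type needs local_root there. group_root in the
#     project's default group (gid == pid) is accepted for any access type.
#
# NOTE(review): there is no ISADMIN() shortcut in this method; presumably
# callers deal with admins before calling - confirm.
#
function AccessCheck($user, $access_type) {
    global $TB_NODEACCESS_READINFO;
    global $TB_NODEACCESS_MIN;
    global $TB_NODEACCESS_MAX;
    global $TBDB_TRUST_USER;
    global $TBDB_TRUST_GROUPROOT;
    global $TBDB_TRUST_LOCALROOT;
    global $TBOPSPID;
    global $CHECKLOGIN_USER;

    if ($access_type < $TB_NODEACCESS_MIN ||
        $access_type > $TB_NODEACCESS_MAX) {
        TBERROR("Invalid access type: {$access_type}!", 1);
        # TBERROR is called with a second argument of 1 and presumably
        # aborts the request (confirm). Deny explicitly so the check stays
        # fail-closed even if it ever returns.
        return 0;
    }

    $uid = $user->uid();

    if (!($experiment = $this->Reservation())) {
        #
        # If the current user is in the emulab-ops project and has
        # sufficient privs, then he can muck with free nodes as if he
        # were an admin type.
        #
        # The uid comparison restricts this path to the logged-in account;
        # OPSGUY() presumably reports on that same account (confirm).
        #
        if ($uid == $CHECKLOGIN_USER->uid() && OPSGUY()) {
            return TBMinTrust(TBGrpTrust($uid, $TBOPSPID, $TBOPSPID),
                              $TBDB_TRUST_LOCALROOT);
        }
        # Free node and not an ops user: deny.
        return 0;
    }

    $pid = $experiment->pid();
    $gid = $experiment->gid();

    # Reading needs plain membership; anything that changes the node
    # (modify, load image, reboot, power cycle) needs local_root.
    if ($access_type == $TB_NODEACCESS_READINFO) {
        $mintrust = $TBDB_TRUST_USER;
    }
    else {
        $mintrust = $TBDB_TRUST_LOCALROOT;
    }

    return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) ||
        TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
}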
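#
# Decide whether $user may perform $access_type on this image.
#
# $user        - object providing uid() and uid_idx(); the account being
#                checked.
# $access_type - one of the TB_IMAGEID_* values; it must lie within
#                $TB_IMAGEID_MIN .. $TB_IMAGEID_MAX.
#
# Returns 1 when access is granted and 0 when it is denied.
#
# Order of evaluation:
#   1. Admins (ISADMIN()) are always allowed.
#   2. Global images are readable (READINFO) by anyone.
#   3. Project trust: READINFO needs user trust, everything else needs
#      local_root, in the image's group; group_root in the project's
#      default group (gid == pid) is accepted for any access type.
#   4. Explicit rows in image_permissions (per user, then per group) grant
#      READINFO and ACCESS only.
#
function AccessCheck($user, $access_type) {
    global $TB_IMAGEID_READINFO;
    global $TB_IMAGEID_ACCESS;
    global $TB_IMAGEID_MIN;
    global $TB_IMAGEID_MAX;
    global $TBDB_TRUST_USER;
    global $TBDB_TRUST_GROUPROOT;
    global $TBDB_TRUST_LOCALROOT;

    if ($access_type < $TB_IMAGEID_MIN ||
        $access_type > $TB_IMAGEID_MAX) {
        TBERROR("Invalid access type {$access_type}!", 1);
        # TBERROR is called with a second argument of 1 and presumably
        # aborts the request (confirm). Deny explicitly so the check stays
        # fail-closed even if it ever returns.
        return 0;
    }

    #
    # Admins do whatever they want!
    #
    if (ISADMIN()) {
        return 1;
    }

    $shared  = $this->shared();
    $global  = $this->isglobal();
    $imageid = $this->imageid();
    $pid     = $this->pid();
    $gid     = $this->gid();
    $uid     = $user->uid();
    $uid_idx = $user->uid_idx();

    #
    # Global ImageIDs can be read by anyone but written with permission.
    #
    if ($global && $access_type == $TB_IMAGEID_READINFO) {
        return 1;
    }

    #
    # Otherwise must have proper trust in the project.
    #
    if ($access_type == $TB_IMAGEID_READINFO) {
        $mintrust = $TBDB_TRUST_USER;
        #
        # Shared imageids are readable by anyone in the project, so the
        # check is made against the default group instead.
        #
        if ($shared) {
            $gid = $pid;
        }
    }
    else {
        $mintrust = $TBDB_TRUST_LOCALROOT;
    }
    if (TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) ||
        TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) {
        return 1;
    }

    #
    # Explicit image permissions only ever grant READINFO or ACCESS
    # (allow_write is selected below but never consulted), so every other
    # request, EXPORT included, is denied without querying the database.
    #
    if ($access_type != $TB_IMAGEID_READINFO &&
        $access_type != $TB_IMAGEID_ACCESS) {
        return 0;
    }

    #
    # Look in the image permissions. First look for a user permission,
    # then look for a group permission.
    #
    # $imageid and $uid_idx are interpolated directly into the SQL text.
    # They come from accessors on this object and on $user, not from
    # request parameters visible here.
    # NOTE(review): confirm both are always database-derived identifiers;
    # if either can carry caller-supplied text it must be escaped first.
    #
    $query_result =
        DBQueryFatal("select allow_write from image_permissions " .
                     "where imageid='{$imageid}' and " .
                     " permission_type='user' and " .
                     " permission_idx='{$uid_idx}'");
    if (mysql_num_rows($query_result)) {
        return 1;
    }

    #
    # Group permission: any group the user belongs to with a trust value
    # other than TBDB_TRUSTSTRING_NONE. The where clause on p.imageid
    # discards rows with no matching permission, so the left join behaves
    # like an inner join here.
    #
    $trust_none = TBDB_TRUSTSTRING_NONE;
    $query_result =
        DBQueryFatal("select allow_write from group_membership as g " .
                     "left join image_permissions as p on " .
                     " p.permission_type='group' and " .
                     " p.permission_idx=g.gid_idx " .
                     "where g.uid_idx='{$uid_idx}' and " .
                     " p.imageid='{$imageid}' and " .
                     " trust!='{$trust_none}'");
    if (mysql_num_rows($query_result)) {
        return 1;
    }
    return 0;
}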
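#
# Decide whether $user may perform $access_type on this project/group.
#
# $user        - object providing uid(); the account being checked.
# $access_type - one of the TB_PROJECT_* values; it must lie within
#                $TB_PROJECT_MIN .. $TB_PROJECT_MAX.
#
# Returns a true value when access is granted and a false value (0 or
# false) when it is denied. Admins (ISADMIN()) are always allowed.
#
# Each access type maps to a minimum trust level that the user must hold
# in this object's group ($pid/$gid). Several types also accept a role in
# the project's default group (gid == pid); see the branches below.
#
function AccessCheck($user, $access_type) {
    global $TB_PROJECT_READINFO;
    global $TB_PROJECT_MAKEGROUP;
    global $TB_PROJECT_EDITGROUP;
    global $TB_PROJECT_GROUPGRABUSERS;
    global $TB_PROJECT_BESTOWGROUPROOT;
    global $TB_PROJECT_DELGROUP;
    global $TB_PROJECT_LEADGROUP;
    global $TB_PROJECT_ADDUSER;
    global $TB_PROJECT_DELUSER;
    global $TB_PROJECT_MAKEOSID;
    global $TB_PROJECT_DELOSID;       # no branch below handles this type
    global $TB_PROJECT_MAKEIMAGEID;
    global $TB_PROJECT_DELIMAGEID;    # no branch below handles this type
    global $TB_PROJECT_CREATEEXPT;
    global $TB_PROJECT_MIN;
    global $TB_PROJECT_MAX;
    global $TBDB_TRUST_USER;
    global $TBDB_TRUST_LOCALROOT;
    global $TBDB_TRUST_GROUPROOT;
    global $TBDB_TRUST_PROJROOT;

    $pid = $this->pid();
    $gid = $this->gid();
    $uid = $user->uid();

    if ($access_type < $TB_PROJECT_MIN ||
        $access_type > $TB_PROJECT_MAX) {
        TBERROR("Invalid access type: {$access_type}!", 1);
        # TBERROR is called with a second argument of 1 and presumably
        # aborts the request (confirm). Deny explicitly so the check stays
        # fail-closed even if it ever returns.
        return 0;
    }

    #
    # Admins do whatever they want!
    #
    if (ISADMIN()) {
        return 1;
    }

    if ($access_type == $TB_PROJECT_READINFO) {
        $mintrust = $TBDB_TRUST_USER;
    }
    elseif ($access_type == $TB_PROJECT_MAKEGROUP ||
            $access_type == $TB_PROJECT_DELGROUP) {
        $mintrust = $TBDB_TRUST_GROUPROOT;
    }
    elseif ($access_type == $TB_PROJECT_LEADGROUP) {
        #
        # Allow mere user (in default group) to lead a subgroup.
        #
        $mintrust = $TBDB_TRUST_USER;
    }
    elseif ($access_type == $TB_PROJECT_MAKEOSID ||
            $access_type == $TB_PROJECT_MAKEIMAGEID ||
            $access_type == $TB_PROJECT_CREATEEXPT) {
        $mintrust = $TBDB_TRUST_LOCALROOT;
    }
    elseif ($access_type == $TB_PROJECT_ADDUSER ||
            $access_type == $TB_PROJECT_EDITGROUP) {
        #
        # If user is project_root or group_root in default group,
        # allow them to add/edit users in any group. (Removing users is
        # the separate DELUSER type below and needs project_root.)
        #
        if (TBMinTrust(TBGrpTrust($uid, $pid, $pid),
                       $TBDB_TRUST_GROUPROOT)) {
            return 1;
        }
        #
        # Otherwise, editing a group requires group_root
        # in that group.
        #
        $mintrust = $TBDB_TRUST_GROUPROOT;
    }
    elseif ($access_type == $TB_PROJECT_BESTOWGROUPROOT) {
        #
        # If user is project_root,
        # allow them to bestow group_root in any group.
        #
        if (TBMinTrust(TBGrpTrust($uid, $pid, $pid),
                       $TBDB_TRUST_PROJROOT)) {
            return 1;
        }
        #
        # Only project_root can bestow group_root in default group,
        # and we already established that they are not project_root,
        # so fail.
        #
        if ($gid == $pid) {
            return 0;
        }
        #
        # Non-default group.
        # group_root in default group may bestow group_root.
        #
        if (TBMinTrust(TBGrpTrust($uid, $pid, $pid),
                       $TBDB_TRUST_GROUPROOT)) {
            return 1;
        }
        #
        # group_root in the group in question may also bestow
        # group_root.
        #
        $mintrust = $TBDB_TRUST_GROUPROOT;
    }
    elseif ($access_type == $TB_PROJECT_GROUPGRABUSERS) {
        #
        # Only project_root or group_root in default group
        # may grab (involuntarily add) users into groups.
        #
        $gid      = $pid;
        $mintrust = $TBDB_TRUST_GROUPROOT;
    }
    elseif ($access_type == $TB_PROJECT_DELUSER) {
        $mintrust = $TBDB_TRUST_PROJROOT;
    }
    else {
        #
        # NOTE(review): $TB_PROJECT_DELOSID and $TB_PROJECT_DELIMAGEID have
        # no branch above, so if they lie inside MIN..MAX they end up here
        # for non-admins - confirm that is intended.
        #
        TBERROR("Unexpected access type: {$access_type}!", 1);
        # No minimum trust was chosen for this type; deny rather than fall
        # through to the trust comparison.
        return 0;
    }

    return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust);
}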
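#
# Decide whether $user may perform $access_type on this experiment.
#
# $user        - object providing uid(); the account being checked.
# $access_type - one of the TB_EXPT_* values; it must lie within
#                $TB_EXPT_MIN .. $TB_EXPT_MAX.
#
# Returns a true value when access is granted and a false value (0 or
# false) when it is denied. Admins (ISADMIN()) are always allowed.
#
function AccessCheck($user, $access_type) {
    global $TB_EXPT_READINFO;
    global $TB_EXPT_MIN;
    global $TB_EXPT_MAX;
    global $TBDB_TRUST_USER;
    global $TBDB_TRUST_LOCALROOT;
    global $TBDB_TRUST_GROUPROOT;

    if ($access_type < $TB_EXPT_MIN ||
        $access_type > $TB_EXPT_MAX) {
        TBERROR("Invalid access type: {$access_type}!", 1);
        # TBERROR is called with a second argument of 1 and presumably
        # aborts the request (confirm). Deny explicitly so the check stays
        # fail-closed even if it ever returns.
        return 0;
    }

    #
    # Admins do whatever they want!
    #
    if (ISADMIN()) {
        return 1;
    }

    # Reading needs plain membership; modify, destroy and update all need
    # local_root.
    if ($access_type == $TB_EXPT_READINFO) {
        $mintrust = $TBDB_TRUST_USER;
    }
    else {
        $mintrust = $TBDB_TRUST_LOCALROOT;
    }

    $uid = $user->uid();
    $pid = $this->pid();
    $gid = $this->gid();

    #
    # Either proper permission in the group, or group_root in the project.
    # The second clause means a group_root of the default group can act on
    # other people's experiments, including those in groups they do not
    # belong to.
    #
    return TBMinTrust(TBGrpTrust($uid, $pid, $gid), $mintrust) ||
        TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT);
}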
$zapurl = CreateURL("showimageid", $image); if ($type == "imagedoesxen") { $image->DoesXen($value); } else { $image->SetGlobal($value); } } elseif ($type == "cvsrepo_public") { # Must validate the pid since we allow non-admins to do this. if (!TBvalid_pid($pid)) { PAGEARGERROR("Invalid characters in {$pid}"); } if (!($project = Project::Lookup($pid))) { PAGEARGERROR("Project {$pid} is not a valid project!"); } # Must be admin or project/group root. if (!$isadmin && !TBMinTrust(TBGrpTrust($uid, $pid, $pid), $TBDB_TRUST_GROUPROOT)) { USERERROR("You do not have permission to toggle {$type}!", 1); } $zapurl = CreateURL("showproject", $project); $project->SetCVSRepoPublic($value); $unix_pid = $project->unix_gid(); SUEXEC($uid, $unix_pid, "webcvsrepo_ctrl {$pid}", SUEXEC_ACTION_DIE); } elseif ($type == "workbench") { # Must validate the pid since we allow non-admins to do this. if (!TBvalid_pid($pid)) { PAGEARGERROR("Invalid characters in {$pid}"); } if (!($project = Project::Lookup($pid))) { PAGEARGERROR("Project {$pid} is not a valid project!"); } # Must be admin