PI become another PI 2

Author: simonLeary42

resources/lib/UnityLDAP.php

@@ -252,6 +252,22 @@ public function getNonDisabledPIGroupGIDsWithMemberUID(string $uid): array
         );
     }
 
+    /** @return string[] */
+    public function getPIGroupGIDsWithOwnerMail(string $mail): array
+    {
+        $users_attributes = $this->userOU->getChildrenArrayStrict(
+            attributes: ["uid"],
+            recursive: false,
+            filter: sprintf("(mail=%s)", ldap_escape($mail, flags: LDAP_ESCAPE_FILTER)),
+        );
+        $uids = array_map(fn($x) => $x["uid"][0], $users_attributes);
+        $gids = array_map(UnityGroup::ownerUID2GID(...), $uids);
+        $entries = array_map($this->getPIGroupEntry(...), $gids);
+        $entries_that_exist = array_filter($entries, fn($x) => $x->exists());
+        $gids_that_exist = array_map(fn($x) => $x->getAttribute("cn")[0], $entries_that_exist);
+        return $gids_that_exist;
+    }
+
     /** @return string[] */
     public function getAllNonDisabledPIGroupOwnerUIDs(): array
     {

resources/lib/utils.php

@@ -87,7 +87,7 @@ function _json_encode(mixed $value, int $flags = 0, int $depth = 512): string
  * @param int<1,max> $depth
  * @throws Exception
  */
-function _json_decode(string $x, ?bool $associative, int $depth = 512, int $flags = 0): mixed
+function _json_decode(string $x, ?bool $associative = null, int $depth = 512, int $flags = 0): mixed
 {
     $output = json_decode($x, $associative, $depth, $flags);
     if ($output === null) {

test/functional/PageLoadTest.php

@@ -83,4 +83,38 @@ public function testLoadPageNonexistentUser($path)
         $output = http_get($path, ignore_die: true);
         $this->assertMatchesRegularExpression("/panel\/new_account\.php/", $output);
     }
+
+    public function testLoadPIPageForAnotherGroup()
+    {
+        $this->switchUser("CourseTeacher");
+        $output = http_get(__DIR__ . "/../../webroot/panel/pi.php", [
+            "gid" => "pi_cs123_org1_test",
+        ]);
+        $this->assertMatchesRegularExpression("/My Users/", $output);
+    }
+
+    public function testLoadPIPageForAnotherGroupForbidden()
+    {
+        global $USER;
+        $this->switchUser("EmptyPIGroupOwner");
+        $gid = $USER->getPIGroup()->gid;
+        $this->switchUser("Blank");
+        $output = http_get(
+            __DIR__ . "/../../webroot/panel/pi.php",
+            ["gid" => $gid],
+            ignore_die: true,
+        );
+        $this->assertMatchesRegularExpression("/not allowed/", $output);
+    }
+
+    public function testLoadPIPageForNonexistentGroup()
+    {
+        $this->switchUser("CourseTeacher");
+        $output = http_get(
+            __DIR__ . "/../../webroot/panel/pi.php",
+            ["gid" => "foobar"],
+            ignore_die: true,
+        );
+        $this->assertMatchesRegularExpression("/This group does not exist/", $output);
+    }
 }

test/functional/WorkerUnityCourseTest.php

@@ -6,14 +6,14 @@ public function testCreateCourse()
     {
         global $LDAP;
         $this->switchUser("Admin");
-        $pi_group_entry = $LDAP->getPIGroupEntry("pi_cs123_org1_test");
-        $owner_user_entry = $LDAP->getUserEntry("cs123_org1_test");
+        $pi_group_entry = $LDAP->getPIGroupEntry("pi_cs124_org1_test");
+        $owner_user_entry = $LDAP->getUserEntry("cs124_org1_test");
         $this->assertFalse($pi_group_entry->exists());
         $this->assertFalse($owner_user_entry->exists());
         $stdin_file = writeLinesToTmpFile([
-            "cs123",
+            "cs124",
             "Fall 2025",
-            "cs123_org1_test",
+            "cs124_org1_test",
             "user1_org1_test",
         ]);
         $stdin_file_path = getPathFromFileHandle($stdin_file);
@@ -26,21 +26,18 @@ public function testCreateCourse()
             // our LDAP conn doesn't know about changes from subprocess
             unset($GLOBALS["ldapconn"]);
             $this->switchUser("Admin");
-            $pi_group_entry = $LDAP->getPIGroupEntry("pi_cs123_org1_test");
-            $owner_user_entry = $LDAP->getUserEntry("cs123_org1_test");
+            $pi_group_entry = $LDAP->getPIGroupEntry("pi_cs124_org1_test");
+            $owner_user_entry = $LDAP->getUserEntry("cs124_org1_test");
             $this->assertTrue($pi_group_entry->exists());
             $this->assertTrue($owner_user_entry->exists());
-            $this->assertEquals(
-                "user1+cs123_org1_test@org1.test",
-                $owner_user_entry->getAttribute("mail")[0],
-            );
+            $this->assertEquals("user1@org1.test", $owner_user_entry->getAttribute("mail")[0]);
             $this->assertEqualsCanonicalizing(
-                ["cs123_org1_test", "user1_org1_test"],
+                ["cs124_org1_test", "user1_org1_test"],
                 $pi_group_entry->getAttribute("memberuid"),
             );
         } finally {
-            ensurePIGroupDoesNotExist("pi_cs123_org1_test");
-            ensureUserDoesNotExist("cs123_org1_test");
+            ensurePIGroupDoesNotExist("pi_cs124_org1_test");
+            ensureUserDoesNotExist("cs124_org1_test");
             unlink($stdin_file_path);
         }
     }

tools/docker-dev/identity/bootstrap.ldif

@@ -1200,6 +1200,7 @@ memberuid: user1299_org1_test
 memberuid: user1300_org1_test
 memberuid: user1301_org1_test
 memberuid: user1304_org1_test
+memberuid: cs123_org1_test
 
 dn: cn=user15_org3_test,ou=groups,dc=unityhpc,dc=test
 cn: user15_org3_test
@@ -37345,3 +37346,34 @@ sn: Price
 gecos: Melissa Price
 uid: user2005_org1_test
 uidnumber: 33130
+
+dn: cn=cs123_org1_test,ou=groups,dc=unityhpc,dc=test
+objectClass: posixGroup
+objectClass: top
+gidNumber: 20005
+cn: cs123_org1_test
+
+dn: cn=cs123_org1_test,ou=users,dc=unityhpc,dc=test
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+objectClass: ldapPublicKey
+uid: cs123_org1_test
+givenName: cs123
+sn: Fall 2025
+gecos: cs123 Fall 2025
+mail: user1@org1.test
+o: org1_test
+homeDirectory: /home/cs123_org1_test
+loginShell: /bin/bash
+uidNumber: 20005
+gidNumber: 20005
+cn: cs123_org1_test
+
+dn: cn=pi_cs123_org1_test,ou=pi_groups,dc=unityhpc,dc=test
+objectClass: posixGroup
+objectClass: top
+gidNumber: 20007
+cn: pi_cs123_org1_test
+memberUid: cs123_org1_test
+memberUid: user1_org1_test

webroot/css/navbar.css

@@ -26,6 +26,7 @@ nav.mainNav a {
   text-decoration: none;
   cursor: pointer;
   transition: background 0.1s;
+  overflow: hidden;
 }
 
 nav.mainNav a:hover {

webroot/panel/pi.php

@@ -4,11 +4,24 @@
 
 use UnityWebPortal\lib\UnityUser;
 use UnityWebPortal\lib\UnityHTTPD;
+use UnityWebPortal\lib\UnityGroup;
 
-$group = $USER->getPIGroup();
-
-if (!$USER->isPI()) {
-    UnityHTTPD::forbidden("not a PI", "You are not a PI.");
+if (($gid = $_GET["gid"] ?? null) !== null) {
+    $group = new UnityGroup($gid, $LDAP, $SQL, $MAILER, $WEBHOOK);
+    if (!$group->exists()) {
+        UnityHTTPD::badRequest("no such group: '$gid'", "This group does not exist.");
+    }
+    if ($group->getOwner()->getMail() !== $USER->getMail()) {
+        UnityHTTPD::forbidden(
+            "user '$USER->uid' is not allowed to manage PI group '$gid'",
+            "You are not allowed to manage this PI group."
+        );
+    }
+} else {
+    $group = $USER->getPIGroup();
+    if (!$USER->isPI()) {
+        UnityHTTPD::forbidden("not a PI", "You are not a PI.");
+    }
 }
 
 $getUserFromPost = function () {
@@ -57,6 +70,18 @@
 <hr>
 
 <?php
+foreach ($LDAP->getPIGroupGIDsWithOwnerMail($USER->getMail()) as $gid) {
+    if ($gid === $group->gid) {
+        continue;
+    }
+    echo "
+        <form method='GET' action=''>
+            <input type='hidden' value'$gid'>
+            <input type='submit' value\"Manage Group '$gid'\">
+        </form>
+    ";
+}
+
 $requests = $group->getRequests();
 $assocs = $group->getGroupMembers();
 
@@ -122,8 +147,9 @@
         <tbody>
 ";
 
+$owner_uid = $group->getOwner()->uid;
 foreach ($assocs as $assoc) {
-    if ($assoc->uid == $USER->uid) {
+    if ($assoc->uid == $owner_uid) {
         continue;
     }
 

workers/unity-course.php

@@ -13,12 +13,6 @@ function cn2org($cn)
     return $matches[1];
 }
 
-function insert_plus_address($email, $plus)
-{
-    $parts = explode("@", $email, 2);
-    return $parts[0] . "+" . $plus . "@" . $parts[1];
-}
-
 // if array is length 1 then replace it with its one element
 function flatten_attributes(array $attributes): array
 {
@@ -30,16 +24,14 @@ function flatten_attributes(array $attributes): array
 $cn = strtolower(
     trim(readline("Please enter the cn to be used for the course (example: cs123_umass_edu): ")),
 );
-$operator_uid = trim(
-    readline(
-        "Enter the UID of the Unity team member responsible for the course (example: simonleary_umass_edu): ",
-    ),
+$teacher_uid = trim(
+    readline("Enter the UID of the user teaching the course (example: simonleary_umass_edu): "),
 );
 $org_gid = cn2org($cn);
 
-$operator = new UnityUser($operator_uid, $LDAP, $SQL, $MAILER, $WEBHOOK);
-if (!$operator->exists()) {
-    _die("no such user: '$operator_uid'", 1);
+$teacher = new UnityUser($teacher_uid, $LDAP, $SQL, $MAILER, $WEBHOOK);
+if (!$teacher->exists()) {
+    _die("no such user: '$teacher_uid'", 1);
 }
 
 $course_user = new UnityUser($cn, $LDAP, $SQL, $MAILER, $WEBHOOK);
@@ -51,7 +43,7 @@ function flatten_attributes(array $attributes): array
 if (!$org->exists()) {
     print "WARNING: creating new org '$org_gid'...\n";
 }
-$mail = insert_plus_address($operator->getMail(), $cn);
+$mail = $teacher->getMail();
 $course_user->init($givenName, $sn, $mail, $org_gid);
 
 $course_pi_group = $course_user->getPIGroup();
@@ -73,6 +65,6 @@ function flatten_attributes(array $attributes): array
     JSON_PRETTY_PRINT,
 );
 
-$course_pi_group->newUserRequest($operator, false);
-$course_pi_group->approveUser($operator);
+$course_pi_group->newUserRequest($teacher, false);
+$course_pi_group->approveUser($teacher);