enforce qualified user group

Author: simonLeary42

LDAP.md

@@ -1,5 +1,8 @@
 Terminology:
 
 - **qualified user**: a user who is currently a PI or a member of at least one PI group
-- **native user**: a user who's entries exist in the OUs given in `config.ini`
-  - it is up to the administrator to ensure that no non-native entries exist in these OUs
+- **unqualified user**: inverse of qualified
+- **native user**: a user created by this account portal
+- **non-native user**: inverse of native
+  - users created for administrative purposes should not be mixed with native users in the LDAP OUs given in `config.ini` or else this account portal may get confused
+- **ghost user**: a user who is effectively deleted

phpstan.neon

@@ -4,6 +4,8 @@ parameters:
     - resources
     - webroot
     - test
+  excludePaths:
+    - test/Template.php
   ignoreErrors:
     # $this, $data comes from UnityMailer
     - messages:
@@ -21,6 +23,7 @@ parameters:
         - '#Negated boolean expression is always false\.#'
       paths:
         - test/functional/PiRemoveUserTest.php
+        - test/functional/LeaveGroupTest.php
     - messages:
         - '#If condition is always false\.#'
       paths:

resources/init.php

@@ -72,6 +72,8 @@
     $_SESSION["is_pi"] = $USER->isPI();
 
     $SQL->addLog("user_login", $OPERATOR->uid);
+
+    $USER->updateIsQualified(); // in case manual changes have been made to PI groups
 }
 
 $LOC_HEADER = __DIR__ . "/templates/header.php";

resources/lib/PosixGroup.php

@@ -68,4 +68,9 @@ public function memberUIDExists(string $uid): bool
     {
         return in_array($uid, $this->getMemberUIDs());
     }
+
+    public function overwriteMemberUIDs(array $uids): void
+    {
+        $this->entry->setAttribute("memberuid", $uids);
+    }
 }

resources/lib/UnityGroup.php

@@ -81,7 +81,7 @@ public function approveGroup(bool $send_mail = true): void
             $this->MAILER->sendMail($this->getOwner()->getMail(), "group_created");
         }
         // having your own group makes you qualified
-        $this->getOwner()->setFlag(UserFlag::QUALIFIED, true);
+        $this->getOwner()->updateIsQualified($send_mail);
     }
 
     /**
@@ -188,13 +188,7 @@ public function approveUser(UnityUser $new_user, bool $send_mail = true): void
                 "org" => $new_user->getOrg(),
             ]);
         }
-        // being in a group makes you qualified
-        $new_user->setFlag(
-            UserFlag::QUALIFIED,
-            true,
-            doSendMail: $send_mail,
-            doSendMailAdmin: false,
-        );
+        $new_user->updateIsQualified($send_mail); // being in a group makes you qualified
     }
 
     public function denyUser(UnityUser $new_user, bool $send_mail = true): void
@@ -245,6 +239,8 @@ public function removeUser(UnityUser $new_user, bool $send_mail = true): void
                 "org" => $new_user->getOrg(),
             ]);
         }
+        // if user is no longer in any PI group, disqualify them
+        $new_user->updateIsQualified($send_mail);
     }
 
     public function newUserRequest(UnityUser $new_user, bool $send_mail = true): void

resources/lib/UnityUser.php

@@ -417,4 +417,14 @@ public function isInGroup(string $uid, UnityGroup $group): bool
     {
         return in_array($uid, $group->getMemberUIDs());
     }
+
+    public function updateIsQualified(bool $send_mail = true)
+    {
+        $this->setFlag(
+            UserFlag::QUALIFIED,
+            count($this->getPIGroupGIDs()) !== 0,
+            doSendMail: $send_mail,
+            doSendMailAdmin: false,
+        );
+    }
 }

resources/mail/user_flag_added.php

@@ -1,9 +1,13 @@
 <?php use UnityWebPortal\lib\UserFlag; ?>
 <?php switch ($data["flag"]):
 case UserFlag::QUALIFIED: ?>
-<?php $this->Subject = "User Activated"; ?>
+<?php $this->Subject = "User Qualified"; ?>
 <p>Hello,</p>
-<p>Your account on the UnityHPC Platform has been activated. Your account details are below:</p>
+<p>
+    Your account on the UnityHPC Platform has been qualified.
+    You should now be able to access UnityHPC Platform services.
+    Your account details are below:
+</p>
 <p>
 <strong>Username</strong> <?php echo $data["user"]; ?>
 <br>

resources/mail/user_flag_removed.php

@@ -1,9 +1,13 @@
 <?php use UnityWebPortal\lib\UserFlag; ?>
 <?php switch ($data["flag"]):
 case UserFlag::QUALIFIED: ?>
-<?php $this->Subject = "User Deactivated"; ?>
+<?php $this->Subject = "User Disqualified"; ?>
 <p>Hello,</p>
-<p>Your account on the UnityHPC Platform has been deactivated.</p>
+<p>
+    Your account on the UnityHPC Platform has been disqualified.
+    You should no longer be able to access UnityHPC Platform services.
+</p>
+<p>In order to be qualified, you must be a PI or be a member of at least one PI group.</p>
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
 <?php break; ?>
 

resources/mail/user_flag_removed_admin.php

@@ -1,9 +1,9 @@
 <?php use UnityWebPortal\lib\UserFlag; ?>
 <?php switch ($data["flag"]):
 case UserFlag::QUALIFIED: ?>
-<?php $this->Subject = "User Dequalified"; ?>
+<?php $this->Subject = "User Disqualified"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been dequalified. </p>
+<p>User "<?php echo $data["user"] ?>" has been disqualified. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>

test/Template.php

@@ -0,0 +1,18 @@
+<?php
+
+use PHPUnit\Framework\Attributes\DataProvider;
+use TRegx\PhpUnit\DataProviders\DataProvider as TRegxDataProvider;
+
+class FoobarTest extends UnityWebPortalTestCase
+{
+    public static function provider(): TRegxDataProvider
+    {
+        return TRegxDataProvider::list("foo", "bar");
+    }
+
+    #[DataProvider("provider")]
+    public function testFoobar(string $x)
+    {
+        $this->assertTrue(true);
+    }
+}