enforce qualified user group

[simonLeary42]

Any user who is not a PI or is not a member of at least one PI group should be disqualified and denied access to services.

• Added hooks to update a user's qualified status in all situations where it may change
• Added worker script to check all PI groups and update the qualified status of all users simultaneously

Added tests:

• user leaves group voluntarily in groups.php
• user becomes a PI
• user is removed from group by PI in pi.php
• user is removed from group by admin in pi-mgmt.php
• user is added/removed to/from group by admin by manually editing LDAP entries
  • qualified status updated when new worker script runs
  • qualified status updated the next time the user logs in

#520 allows PI groups to be disbanded and reinstated, and includes more tests that users are qualified and disqualified accordingly, but those tests are currently commented out because they rely on functionality implemented in this PR.

[Copilot]

Pull request overview

This pull request implements automated enforcement of the "qualified user" status based on PI group membership. The PR ensures that users are automatically qualified when they join a PI group and disqualified when they leave all PI groups.

Changes:

• Added a worker script to sync the qualified users group with PI group memberships
• Updated user qualification logic to automatically check group membership when users join/leave groups
• Improved email templates and documentation terminology to use "disqualified" consistently

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
workers/update-qualified-users-group.php	New worker script to synchronize qualified user group membership based on PI group memberships
test/functional/WorkerUpdateQualifiedUsersGroupTest.php	Tests for the new worker script verifying qualification and disqualification logic
test/functional/PiRemoveUserTest.php	Extended tests to verify qualified status changes when users are removed from PI groups by both PIs and admins
test/functional/PIBecomeApproveTest.php	Added assertion to verify users are disqualified when their PI group is deleted
test/functional/LeaveGroupTest.php	New tests verifying users are disqualified when leaving groups and on login after manual LDAP changes
test/Template.php	Template file for data provider pattern tests
resources/lib/UnityUser.php	Added updateIsQualified() method to centralize qualification status updates
resources/lib/UnityGroup.php	Updated group approval/removal methods to use new updateIsQualified() method
resources/lib/PosixGroup.php	Added overwriteMemberUIDs() method for bulk member updates
resources/init.php	Added automatic qualification check on user login to handle manual LDAP changes
resources/mail/*.php	Updated email templates to use "disqualified" terminology consistently
test/phpunit-bootstrap.php	Updated ensurePIGroupDoesNotExist() to properly disqualify removed members
tools/docker-dev/identity/bootstrap.ldif	Removed ghost users and other non-qualified users from the qualified users group
phpstan.neon	Added exclusions for Template.php and new test methods using dynamic invocation
LDAP.md	Clarified terminology definitions for qualified/unqualified and native/non-native users

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bryank-cs]

Why remove seemingly random accounts from this list?

[bryank-cs]

Oh, are these supposed to be the "unqualified" or whatever other status?

[simonLeary42]

Yes, those accounts were removed by the update-qualified-users-group.php worker

[simonLeary42]

#348