diff --git a/html/inc/submit_util.inc b/html/inc/submit_util.inc
index 2cba300adb..c30fb770c7 100644
--- a/html/inc/submit_util.inc
+++ b/html/inc/submit_util.inc
@@ -54,23 +54,41 @@ function job_file_name($md5) {
 return "jf_$md5";
 }
 
-// does user have submit permissions?
+// can user upload files?
 //
-function submit_permissions($user) {
- return BoincUserSubmit::lookup_userid($user->id);
+function has_file_access($user) {
+ $us = BoincUserSubmit::lookup_userid($user->id);
+ if (!$us) return false;
+ return true;
 }
 
-// does user have submit permissions for given app?
+// can user submit to given app?
 //
-function submit_permissions_app($user, $app) {
- return BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id");
+function has_submit_access($user, $app_id) {
+ $us = BoincUserSubmit::lookup_userid($user->id);
+ if (!$us) return false;
+ if ($us->submit_all) return true;
+ $usa = BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app_id");
+ if (!$usa) return false;
+ return true;
+}
+
+// can user administer given app (or all apps if zero)?
+//
+function has_admin_access($user, $app_id) {
+ $us = BoincUserSubmit::lookup_userid($user->id);
+ if (!$us) return false;
+ if ($us->admin_all) return true;
+ $usa = BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app_id");
+ if (!$usa) return false;
+ return $usa->manage;
 }
 
 // check whether user has permissions for a remote job submission
 // or job file request.
 // $r is a request message that includes an 'authenticator' field
 // $app is the app being submitted to (or null if file op)
-// returns [user, UserSubmit], or give XML error
+// returns user, or give XML error and quit
 //
 function check_remote_submit_permissions($r, $app) {
 $auth = (string)$r->authenticator;
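Review bot: has_admin_access tests `$us->admin_all`, but the same commit's handle_admin in submit.php (and the check_admin_access it deletes) read `$user_submit->manage_all` on the same user_submit row; if the column is really manage_all, `admin_all` is an undefined property that evaluates falsy and every project-wide admin without a per-app row is locked out — fail-closed, but broken. Pick one name and use it in both places, most likely `if ($us->manage_all) return true;` here. Separately, has_submit_access and has_admin_access interpolate `$app_id` straight into the lookup's WHERE clause; the callers visible in this diff pass ints, but handle_show_all's `$appid` is produced outside any hunk, so coerce at the boundary with `$app_id = (int)$app_id;` as the first line of each helper. The has_admin_access comment says zero means "all apps", yet with app_id 0 the code falls through to a per-app lookup; say instead `// can user administer given app? app_id 0 matches only users with the all-apps flag`.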
@@ -84,21 +102,25 @@ function check_remote_submit_permissions($r, $app) {
 log_write("bad authenticator");
 xml_error(-1, "bad authenticator");
 }
- $user_submit = submit_permissions($user);
- if (!$user_submit) {
- log_write("no submit access");
- xml_error(-1, "no submit access");
- }
- if ($app && !$user_submit->submit_all) {
- $usa = submit_permissions_app($user, $app);
- if (!$usa) {
- log_write("no app submit access");
- xml_error(-1, "no app submit access");
+
+ // check access
+ //
+ if ($app) {
+ if (!has_submit_access($user, $app->id)) {
+ log_write("no submit access");
+ xml_error(-1, "no submit access");
+ }
+ } else {
+ if (!has_file_access($user)) {
+ log_write("no file access");
+ xml_error(-1, "no file access");
 }
 }
- return array($user, $user_submit);
+ return $user;
 }
 
+// remove all of user's permissions
+//
 function delete_remote_submit_user($user) {
 BoincUserSubmit::delete_user($user->id);
 BoincUserSubmitApp::delete_user($user->id);
@@ -165,7 +187,7 @@ function wus_nsent($wus) {
 }
 
 // get the physical names of a result's output files.
-/
+//
 function get_outfile_phys_names($result) {
 $names = [];
 $xml = "".$result->xml_doc_out."";
diff --git a/html/user/buda.php b/html/user/buda.php
index 7a8048844c..480542b725 100644
--- a/html/user/buda.php
+++ b/html/user/buda.php
@@ -86,7 +86,7 @@ function show_app($dir) {
 }
 end_table();
 echo "
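Review bot: The header comment on check_remote_submit_permissions still says `$app` is null "if file op", but after this change the null path (the has_file_access branch) is also what query_batches, query_batch, query_batch2, query_job, abort_batch, abort_jobs, retire_batch and set_expire_time pass through, so the doc understates what a bare user_submit row now authorises. Reword it to `// $app is the app being submitted to, or null for requests not tied to an app (file ops, batch/job queries and control)` so the next reader does not assume those RPCs are per-app gated. The function's opening lines are in the previous hunk.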

"; - show_button("buda.php?action=variant_form&app=$dir", 'Add variant'); + show_button_small("buda.php?action=variant_form&app=$dir", 'Add variant'); echo "

"; show_button_small( "buda.php?action=app_delete&app=$dir", "Delete science app '$dir'" @@ -289,7 +289,8 @@ function app_delete() { function app_form() { page_head('Create Docker app'); - form_start(); + form_start('buda.php'); + form_input_hidden('action', 'app_action'); form_input_text('Name', 'name'); form_submit('OK'); form_end(); @@ -321,7 +322,17 @@ function view_file() { echo "\n"; } +// check access. +// Anyone with submit access to BUDA can add/delete apps and variants. +// Might want to refine this at some point + $user = get_logged_in_user(); +$buda_app = BoincApp::lookup("name='buda'"); +if (!$buda_app) error_page('no buda app'); +if (!has_submit_access($user, $buda_app->id)) { + error_page('no access'); +} + $action = get_str('action', true); switch ($action) { case 'app_form': diff --git a/html/user/buda_submit.php b/html/user/buda_submit.php index 0dd7ca190e..307c4d6d11 100644 --- a/html/user/buda_submit.php +++ b/html/user/buda_submit.php @@ -140,13 +140,14 @@ function parse_batch_dir($batch_dir, $variant_desc) { return $batch_desc; } -function create_batch($user, $njobs, $boinc_app, $app, $variant) { +function create_batch($user, $njobs, $app, $variant) { + global $buda_app; $now = time(); $batch_name = sprintf('buda_%d_%d', $user->id, $now); $description = "$app ($variant)"; $batch_id = BoincBatch::insert(sprintf( "(user_id, create_time, logical_start_time, logical_end_time, est_completion_time, njobs, fraction_done, nerror_jobs, state, completion_time, credit_estimate, credit_canonical, credit_total, name, app_id, project_state, description, expire_time) values (%d, %d, 0, 0, 0, %d, 0, 0, %d, 0, 0, 0, 0, '%s', %d, 0, '%s', 0)", - $user->id, $now, $njobs, BATCH_STATE_INIT, $batch_name, $boinc_app->id, + $user->id, $now, $njobs, BATCH_STATE_INIT, $batch_name, $buda_app->id, $description )); return BoincBatch::lookup_id($batch_id); 
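Review bot: The new gate at the bottom of buda.php uses has_submit_access for every action, including `app_delete` and the variant add/delete paths, so anyone permitted to submit BUDA jobs can delete science apps that other submitters depend on; the comment acknowledges this, but now that has_admin_access exists a second check is cheap. Gate the destructive cases with it, e.g. `if ($action == 'app_delete' && !has_admin_access($user, $buda_app->id)) error_page('no access');`, and do the same for the variant-deletion case whose name is in the switch below, outside this hunk. Keeping the gate above `switch ($action)` as done here is right; it is the only guard the page has.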
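Review bot: create_batch drops its `$boinc_app` parameter in favour of `global $buda_app`, which hides the dependency on script-level state that is only assigned at the bottom of buda_submit.php and makes the function untestable in isolation; the old explicit parameter was the cleaner shape. If the global stays, guard it before the insert with `if (!$buda_app) error_page('no buda app');`, since sprintf's `%d` would otherwise turn a null `$buda_app->id` into app_id 0 and the batch would be filed under a nonexistent app.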
@@ -178,8 +179,10 @@ function stage_input_files($batch_dir, $batch_desc, $batch_id) { } function create_jobs( - $variant_desc, $batch_desc, $batch_id, $boinc_app, $batch_dir_name + $variant_desc, $batch_desc, $batch_id, $batch_dir_name ) { + global $buda_app; + // get list of names of app files // $app_file_names = $variant_desc->dockerfile_phys; @@ -203,7 +206,7 @@ function create_jobs( } $cmd = sprintf( 'cd ../..; bin/create_work --appname %s --batch %d --stdin --command_line "--dockerfile %s --verbose" --wu_template %s --result_template %s', - $boinc_app->name, $batch_id, $variant_desc->dockerfile, + $buda_app->name, $batch_id, $variant_desc->dockerfile, "buda_batches/$batch_dir_name/template_in", "buda_batches/$batch_dir_name/template_out" ); @@ -298,10 +301,6 @@ function create_templates($variant_desc, $batch_dir) { } function handle_submit($user) { - $boinc_app = BoincApp::lookup("name='buda'"); - if (!$boinc_app) { - error_page("No buda app found"); - } $app = get_str('app'); if (!is_valid_filename($app)) die('bad arg'); $variant = get_str('variant'); @@ -324,7 +323,7 @@ function handle_submit($user) { create_templates($variant_desc, $batch_dir); $batch = create_batch( - $user, count($batch_desc->jobs), $boinc_app, $app, $variant + $user, count($batch_desc->jobs), $app, $variant ); // stage input files and record the physical names @@ -332,7 +331,7 @@ function handle_submit($user) { stage_input_files($batch_dir, $batch_desc, $batch->id); create_jobs( - $variant_desc, $batch_desc, $batch->id, $boinc_app, $batch_dir_name + $variant_desc, $batch_desc, $batch->id, $batch_dir_name ); // mark batch as in progress @@ -347,6 +346,11 @@ function handle_submit($user) { } $user = get_logged_in_user(); +$buda_app = BoincApp::lookup("name='buda'"); +if (!$buda_app) error_page('no buda app'); +if (!has_submit_access($user, $buda_app->id)) { + error_page('no access'); +} $action = get_str('action', true); if ($action == 'submit') { handle_submit($user); 
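Review bot: The create_work command built with sprintf still splices `$variant_desc->dockerfile` and `$batch_dir_name` into a shell string with no escaping; this hunk only swaps `$boinc_app->name` for `$buda_app->name`. The Dockerfile name presumably originates from the variant description that users with BUDA submit access create through buda.php's variant form, so unless it is validated with is_valid_filename at that point a name containing a quote or `;` breaks out of `--command_line "..."` and runs as the web server user. Build the inner argument separately and quote it: `$cl = sprintf('--dockerfile %s --verbose', $variant_desc->dockerfile);` and then `--command_line %s` with `escapeshellarg($cl)`, applying escapeshellarg to the two template paths as well. create_jobs's body continues beyond the hunk.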
diff --git a/html/user/submit.php b/html/user/submit.php index 75ee59f5c1..7371423361 100644 --- a/html/user/submit.php +++ b/html/user/submit.php @@ -58,6 +58,7 @@ function show_all_link($batches, $state, $limit, $user, $app) { } function show_in_progress($batches, $limit, $user, $app) { + echo "

Batches in progress

\n"; $first = true; $n = 0; foreach ($batches as $batch) { @@ -66,7 +67,6 @@ function show_in_progress($batches, $limit, $user, $app) { $n++; if ($first) { $first = false; - echo "

Batches in progress

\n"; if ($limit) { show_all_link($batches, BATCH_STATE_IN_PROGRESS, $limit, $user, $app); } @@ -95,7 +95,7 @@ function show_in_progress($batches, $limit, $user, $app) { ); } if ($first) { - echo "

No in-progress batches.\n"; + echo "

None.\n"; } else { end_table(); } @@ -273,20 +273,11 @@ function handle_toggle_loc($user) { handle_main($user); } -function check_admin_access($user, $app_id) { +// show links for everything the user has admin access to +// +function handle_admin($user) { $user_submit = BoincUserSubmit::lookup_userid($user->id); - if (!$user_submit) error_page("no access"); - if ($app_id) { - if (!$user_submit->manage_all) { - $usa = BoincUserSubmitApp::lookup("user_id = $user->id and app_id=$app_id"); - if (!$usa) error_page("no access"); - } - } else { - if (!$user_submit->manage_all) error_page("no access"); - } -} - -function handle_admin() { + if (!$user_submit) error_page('no access'); page_head("Administer job submission"); if ($user_submit->manage_all) { echo "

  • All applications
    @@ -326,9 +317,11 @@ function handle_admin() { function handle_admin_app($user) { $app_id = get_int("app_id"); - check_admin_access($user, $app_id); $app = BoincApp::lookup_id($app_id); if (!$app) error_page("no such app"); + if (!has_admin_access($user, $app_id)) { + error_page('no access'); + } page_head("Administer batches for $app->user_friendly_name"); $batches = BoincBatch::enum("app_id = $app_id order by id desc"); @@ -745,7 +738,9 @@ function handle_show_all($user) { } else { // admin looking at batches // - check_admin_access($user, $appid); + if (!has_admin_access($user, $appid)) { + error_page('no access'); + } if ($appid) { $app = BoincApp::lookup_id($appid); if (!$app) error_page("no such app"); diff --git a/html/user/submit_rpc_handler.php b/html/user/submit_rpc_handler.php index 15962ec6af..b9c3f9f34e 100644 --- a/html/user/submit_rpc_handler.php +++ b/html/user/submit_rpc_handler.php @@ -111,13 +111,16 @@ function read_input_template($app, $r) { } } -function check_max_jobs_in_progress($r, $user_submit) { - if (!$user_submit->max_jobs_in_progress) return; +// if this batch would exceed user job limit, error out +// +function check_max_jobs_in_progress($r, $user) { + $us = BoincUserSubmit::lookup_userid($user->id); + if (!$us->max_jobs_in_progress) return; $query = "select count(*) as total from DBNAME.result, DBNAME.batch where batch.user_id=$userid and result.batch = batch.id and result.server_state<".RESULT_SERVER_STATE_OVER; $db = BoincDb::get(); $n = $db->get_int($query, 'total'); if ($n === false) return; - if ($n + count($r->batch->job) > $user_submit->max_jobs_in_progress) { + if ($n + count($r->batch->job) > $us->max_jobs_in_progress) { log_write("limit on jobs in progress exceeded"); xml_error(-1, "limit on jobs in progress exceeded"); } 
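Review bot: handle_admin_app now resolves `BoincApp::lookup_id($app_id)` and emits "no such app" before it evaluates has_admin_access, whereas the deleted check_admin_access ran first; a user with no admin rights can now probe which app ids exist from the differing error text. Move the `has_admin_access` check above the lookup, or use the same "no access" message for both outcomes. handle_admin_app's body continues past the hunk.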
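Review bot: The new `check_max_jobs_in_progress($r, $user)` still builds its query with `batch.user_id=$userid`, and `$userid` is not defined anywhere in the function (the parameter is `$user`, and no `global` is declared), so the SQL is malformed, `get_int` returns false, and the `if ($n === false) return;` line silently skips the check — the per-user jobs-in-progress cap is never enforced. Use `batch.user_id=$user->id` and fail closed on a query error: `if ($n === false) { log_write("can't count jobs in progress"); xml_error(-1, "can't count jobs in progress"); }`. No hunk in this diff touches the call site; if submit_batch still passes the old `$user_submit`, which it no longer receives from check_remote_submit_permissions, the `lookup_userid($user->id)` here will run on a null — confirm the caller now passes `$user`.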
@@ -126,7 +129,7 @@ function check_max_jobs_in_progress($r, $user_submit) { function estimate_batch($r) { xml_start_tag("estimate_batch"); $app = get_submit_app((string)($r->batch->app_name)); - list($user, $user_submit) = check_remote_submit_permissions($r, $app); + $user = check_remote_submit_permissions($r, $app); $template = read_input_template($app, $r); $e = est_elapsed_time($r, $template); @@ -462,7 +465,7 @@ function make_batch_name($user, $app) { function submit_batch($r) { xml_start_tag("submit_batch"); $app = get_submit_app((string)($r->batch->app_name)); - list($user, $user_submit) = check_remote_submit_permissions($r, $app); + $user = check_remote_submit_permissions($r, $app); $jobs = xml_get_jobs($r); $template = read_input_template($app, $r); if ($template) { @@ -568,7 +571,7 @@ function submit_batch($r) { function create_batch($r) { xml_start_tag("create_batch"); $app = get_submit_app((string)($r->app_name)); - list($user, $user_submit) = check_remote_submit_permissions($r, $app); + $user = check_remote_submit_permissions($r, $app); $now = time(); $batch_name = (string)($r->batch_name); if (!$batch_name) { @@ -614,7 +617,7 @@ function print_batch_params($batch, $get_cpu_time) { function query_batches($r) { xml_start_tag("query_batches"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batches = BoincBatch::enum("user_id = $user->id"); $get_cpu_time = (int)($r->get_cpu_time); foreach ($batches as $batch) { @@ -716,7 +719,7 @@ function get_batch($r) { function query_batch($r) { xml_start_tag("query_batch"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner of batch"); 
@@ -758,7 +761,7 @@ function results_sent($wu) { // function query_batch2($r) { xml_start_tag("query_batch2"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batch_names = $r->batch_name; $batches = array(); foreach ($batch_names as $b) { @@ -817,7 +820,7 @@ function query_batch2($r) { function query_job($r) { xml_start_tag("query_job"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $job_id = (int)($r->job_id); $wu = BoincWorkunit::lookup_id($job_id); if (!$wu) { @@ -860,7 +863,7 @@ function query_job($r) { // function query_completed_job($r) { xml_start_tag("query_completed_job"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $job_name = (string)($r->job_name); $job_name = BoincDb::escape_string($job_name); $wu = BoincWorkunit::lookup("name='$job_name'"); @@ -909,7 +912,7 @@ function query_completed_job($r) { function handle_abort_batch($r) { xml_start_tag("abort_batch"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner"); @@ -925,7 +928,7 @@ function handle_abort_batch($r) { // function handle_abort_jobs($r) { xml_start_tag("abort_jobs"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batch = null; foreach ($r->job_name as $job_name) { $job_name = BoincDb::escape_string($job_name); 
@@ -955,7 +958,7 @@ function handle_abort_jobs($r) { function handle_retire_batch($r) { xml_start_tag("retire_batch"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner of batch"); @@ -969,7 +972,7 @@ function handle_retire_batch($r) { function handle_set_expire_time($r) { xml_start_tag("set_expire_time"); - list($user, $user_submit) = check_remote_submit_permissions($r, null); + $user = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner of batch"); @@ -996,7 +999,7 @@ function get_templates($r) { $app = BoincApp::lookup_id($wu->appid); } - list($user, $user_submit) = check_remote_submit_permissions($r, $app); + $user = check_remote_submit_permissions($r, $app); $in = file_get_contents(project_dir() . "/templates/".$app->name."_in"); $out = file_get_contents(project_dir() . "/templates/".$app->name."_out"); if ($in === false || $out === false) {