From 8986b75ea855f9129cb8d76349e9a16ceb2a51c6 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 09:42:54 -0500
Subject: [PATCH 1/9] refactor session

---
 resources/init.php                 | 24 ++++++++-------------
 resources/templates/header.php     | 34 ++++++------------------------
 resources/templates/home.php       |  2 +-
 test/functional/ViewAsUserTest.php |  1 -
 4 files changed, 17 insertions(+), 44 deletions(-)

diff --git a/resources/init.php b/resources/init.php
index b3fce862c..3db152f47 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -63,27 +63,21 @@
 // so we use session cache to remember if they have logged in recently and then pretend
 // they're logged in even if they aren't
 if (isset($_SERVER["REMOTE_USER"])) {
-    // Check if SSO is enabled on this page
+    $_SESSION["navbar_show_logged_in_pages"] = true;
     $SSO = UnitySSO::getSSO();
-    $_SESSION["SSO"] = $SSO;
-
-    $OPERATOR = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
-    $_SESSION["is_admin"] = $OPERATOR->getFlag(UserFlag::ADMIN);
-
     $_SESSION["OPERATOR"] = $SSO["user"];
     $_SESSION["OPERATOR_IP"] = $_SERVER["REMOTE_ADDR"];
-
-    if (isset($_SESSION["viewUser"]) && $_SESSION["is_admin"]) {
+    if (
+        isset($_SESSION["viewUser"]) &&
+        $LDAP->userFlagGroups["admin"]->memberUIDExists($SSO["user"])
+    ) {
         $USER = new UnityUser($_SESSION["viewUser"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     } else {
-        $USER = $OPERATOR;
+        $USER = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     }
-
-    $_SESSION["user_exists"] = $USER->exists();
-    $_SESSION["is_pi"] = $USER->isPI();
-
-    $SQL->addLog("user_login", $OPERATOR->uid);
-
+    $_SESSION["navbar_show_admin_pages"] = true;
+    $_SESSION["navbar_show_pi_pages"] = true;
+    $SQL->addLog("user_login", $SSO["user"]);
     $USER->updateIsQualified(); // in case manual changes have been made to PI groups
 
     if ($USER->getFlag(UserFlag::LOCKED)) {
diff --git a/resources/templates/header.php b/resources/templates/header.php
index 1426d15c8..ef442790a 100644
--- a/resources/templates/header.php
+++ b/resources/templates/header.php
@@ -5,10 +5,7 @@
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
     // another page should have already validated and we can't validate the same token twice
     // UnityHTTPD::validatePostCSRFToken();
-    if (
-        ($_SESSION["is_admin"] ?? false) == true
-        && ($_POST["form_type"] ?? null) == "clearView"
-    ) {
+    if (($_POST["form_type"] ?? null) == "clearView") {
         unset($_SESSION["viewUser"]);
         UnityHTTPD::redirect(getURL("admin/user-mgmt.php"));
     }
@@ -21,13 +18,8 @@
     UnityHTTPD::redirect();
 }
 
-if (isset($SSO)) {
-    if (
-        !$_SESSION["user_exists"]
-        && !str_ends_with($_SERVER['PHP_SELF'], "/panel/new_account.php")
-    ) {
-        UnityHTTPD::redirect(getURL("panel/new_account.php"));
-    }
+if (isset($USER) && !$USER->exists() && !str_ends_with($_SERVER['PHP_SELF'], "/new_account.php")) {
+    UnityHTTPD::redirect(getURL("panel/new_account.php"));
 }
 
 ?>
@@ -91,7 +83,6 @@
 
   <nav class="mainNav">
     <?php
-    // Public Items - Always Visible
     echo getHyperlink("Home", "index.php") . "\n";
 
     $num_additional_items = count(CONFIG["menuitems"]["labels"]);
@@ -100,30 +91,23 @@
         CONFIG["menuitems"]["labels"][$i] . "</a>\n";
     }
 
-    if (isset($_SESSION["user_exists"]) && $_SESSION["user_exists"]) {
+    if ($_SESSION["navbar_show_logged_in_user_pages"] ?? false) {
         echo "<hr class='navHR'>\n";
-        // Menu Items for Present Users
         echo getHyperlink("Account Settings", "panel/account.php") . "\n";
         echo getHyperlink("My PIs", "panel/groups.php") . "\n";
 
-        if (isset($_SESSION["is_pi"]) && $_SESSION["is_pi"]) {
-            // PI only pages
+        if ($_SESSION["navbar_show_pi_pages"] ?? false) {
             echo getHyperlink("My Users", "panel/pi.php") . "\n";
         }
 
-        // additional branding items
         $num_additional_items = count(CONFIG["menuitems_secure"]["labels"]);
         for ($i = 0; $i < $num_additional_items; $i++) {
             echo "<a target='_blank' href='" . CONFIG["menuitems_secure"]["links"][$i] . "'>" .
             CONFIG["menuitems_secure"]["labels"][$i] . "</a>\n";
         }
 
-        // admin pages
-        if (
-            isset($_SESSION["is_admin"]) && $_SESSION["is_admin"] && !isset($_SESSION["viewUser"])
-        ) {
+        if ($_SESSION["navbar_show_admin_pages"] ?? false) {
             echo "<hr class='navHR'>\n";
-            // Admin only pages
             echo getHyperlink("User Management", "admin/user-mgmt.php") . "\n";
             echo getHyperlink("PI Management", "admin/pi-mgmt.php") . "\n";
         }
@@ -177,11 +161,7 @@
         );
     }
     echo "</div>";
-    if (
-        isset($_SESSION["is_admin"])
-        && $_SESSION["is_admin"]
-        && isset($_SESSION["viewUser"])
-    ) {
+    if (isset($_SESSION["viewUser"])) {
         $viewUser = $_SESSION["viewUser"];
         $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
         echo "
diff --git a/resources/templates/home.php b/resources/templates/home.php
index 1af49a8ed..b45bf964f 100644
--- a/resources/templates/home.php
+++ b/resources/templates/home.php
@@ -3,7 +3,7 @@
     Welcome to the UnityHPC Platform Account Portal.
     Here you can manage your SSH keys, join and leave PI groups, manage your own PI group, and more.
     <?php
-    if (!($_SESSION["user_exists"] ?? false)) {
+    if (!($_SESSION["navbar_show_logged_in_user_pages"] ?? false)) {
         $hyperlink = getHyperlink("Log In", "panel/account.php");
         echo "Please $hyperlink for more information.";
     }
diff --git a/test/functional/ViewAsUserTest.php b/test/functional/ViewAsUserTest.php
index c277050b5..9e59bbb72 100644
--- a/test/functional/ViewAsUserTest.php
+++ b/test/functional/ViewAsUserTest.php
@@ -24,7 +24,6 @@ public function _testViewAsUser(string $beforeNickname, string $afterNickname)
         http_get(__DIR__ . "/../../resources/init.php");
         // now we should be new user
         $this->assertEquals($afterUid, $USER->uid);
-        // $this->assertTrue($_SESSION["user_exists"]);
         http_post(__DIR__ . "/../../webroot/panel/account.php", [
             "form_type" => "clearView",
         ]);

From 0fe8720a60d1b712f49f3d7b8dbc59e21ee7fd3a Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 09:54:54 -0500
Subject: [PATCH 2/9] remove admin check

---
 resources/init.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/resources/init.php b/resources/init.php
index 3db152f47..7abc04961 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -67,10 +67,7 @@
     $SSO = UnitySSO::getSSO();
     $_SESSION["OPERATOR"] = $SSO["user"];
     $_SESSION["OPERATOR_IP"] = $_SERVER["REMOTE_ADDR"];
-    if (
-        isset($_SESSION["viewUser"]) &&
-        $LDAP->userFlagGroups["admin"]->memberUIDExists($SSO["user"])
-    ) {
+    if (isset($_SESSION["viewUser"])) {
         $USER = new UnityUser($_SESSION["viewUser"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     } else {
         $USER = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);

From 2bb98114662f888951c46af20fcb5f67b0d7c060 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:02:47 -0500
Subject: [PATCH 3/9] set session keys properly

---
 resources/init.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/resources/init.php b/resources/init.php
index 7abc04961..1d91953ef 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -72,8 +72,9 @@
     } else {
         $USER = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     }
-    $_SESSION["navbar_show_admin_pages"] = true;
-    $_SESSION["navbar_show_pi_pages"] = true;
+    $admin_group = $LDAP->userFlagGroups["admin"];
+    $_SESSION["navbar_show_admin_pages"] = $admin_group->memberUIDExists($USER->uid);
+    $_SESSION["navbar_show_pi_pages"] = $USER->getPIGroup()->exists();
     $SQL->addLog("user_login", $SSO["user"]);
     $USER->updateIsQualified(); // in case manual changes have been made to PI groups
 

From 6b5acd391d5487e296ca312c950eae7e8dfee6ea Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:03:48 -0500
Subject: [PATCH 4/9] isPI

---
 resources/init.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/init.php b/resources/init.php
index 1d91953ef..2a454648d 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -74,7 +74,7 @@
     }
     $admin_group = $LDAP->userFlagGroups["admin"];
     $_SESSION["navbar_show_admin_pages"] = $admin_group->memberUIDExists($USER->uid);
-    $_SESSION["navbar_show_pi_pages"] = $USER->getPIGroup()->exists();
+    $_SESSION["navbar_show_pi_pages"] = $USER->isPI();
     $SQL->addLog("user_login", $SSO["user"]);
     $USER->updateIsQualified(); // in case manual changes have been made to PI groups
 

From bdad2d18d71983f0e42c795a2149ea9e37302c91 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:04:16 -0500
Subject: [PATCH 5/9] getFlag

---
 resources/init.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/init.php b/resources/init.php
index 2a454648d..659958146 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -73,7 +73,7 @@
         $USER = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     }
     $admin_group = $LDAP->userFlagGroups["admin"];
-    $_SESSION["navbar_show_admin_pages"] = $admin_group->memberUIDExists($USER->uid);
+    $_SESSION["navbar_show_admin_pages"] = $USER->getFlag(UserFlag::ADMIN);
     $_SESSION["navbar_show_pi_pages"] = $USER->isPI();
     $SQL->addLog("user_login", $SSO["user"]);
     $USER->updateIsQualified(); // in case manual changes have been made to PI groups

From 42678ca161ae6566968fb214c60ffbb5acd858b6 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:07:35 -0500
Subject: [PATCH 6/9] typo

---
 resources/init.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/init.php b/resources/init.php
index 659958146..ddc4201f9 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -63,7 +63,7 @@
 // so we use session cache to remember if they have logged in recently and then pretend
 // they're logged in even if they aren't
 if (isset($_SERVER["REMOTE_USER"])) {
-    $_SESSION["navbar_show_logged_in_pages"] = true;
+    $_SESSION["navbar_show_logged_in_user_pages"] = true;
     $SSO = UnitySSO::getSSO();
     $_SESSION["OPERATOR"] = $SSO["user"];
     $_SESSION["OPERATOR_IP"] = $_SERVER["REMOTE_ADDR"];

From 0d9e21c86dfa7fe2433b6752b9d06c126a875878 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:09:13 -0500
Subject: [PATCH 7/9] check for viewUser

---
 resources/templates/header.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/resources/templates/header.php b/resources/templates/header.php
index ef442790a..fbfd19986 100644
--- a/resources/templates/header.php
+++ b/resources/templates/header.php
@@ -6,8 +6,12 @@
     // another page should have already validated and we can't validate the same token twice
     // UnityHTTPD::validatePostCSRFToken();
     if (($_POST["form_type"] ?? null) == "clearView") {
-        unset($_SESSION["viewUser"]);
-        UnityHTTPD::redirect(getURL("admin/user-mgmt.php"));
+        if (isset($_SESSION["viewUser"])) {
+            unset($_SESSION["viewUser"]);
+            UnityHTTPD::redirect(getURL("admin/user-mgmt.php"));
+        } else {
+            throw new Exception('Cannot clearView because $_SESSION["viewUser"] is not set!');
+        }
     }
     // Webroot files need to handle their own POSTs before loading the header
     // so that they can do UnityHTTPD::badRequest before anything else has been printed.

From 9c68143eae7efd0a479e2ae352ebc43ded579da8 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:19:09 -0500
Subject: [PATCH 8/9] refactor

---
 resources/init.php | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/resources/init.php b/resources/init.php
index ddc4201f9..66b0459d2 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -56,14 +56,7 @@
     $_SESSION["csrf_tokens"] = [];
 }
 
-// $_SERVER["REMOTE_USER"] is only defined for pages where httpd requies authentication
-// the home page does not require authentication,
-// so if the user goes to a secure page and then back to home, they've effectively logged out
-// it would be bad UX to show the user that they are effectively logging in and out,
-// so we use session cache to remember if they have logged in recently and then pretend
-// they're logged in even if they aren't
 if (isset($_SERVER["REMOTE_USER"])) {
-    $_SESSION["navbar_show_logged_in_user_pages"] = true;
     $SSO = UnitySSO::getSSO();
     $_SESSION["OPERATOR"] = $SSO["user"];
     $_SESSION["OPERATOR_IP"] = $_SERVER["REMOTE_ADDR"];
@@ -72,9 +65,6 @@
     } else {
         $USER = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     }
-    $admin_group = $LDAP->userFlagGroups["admin"];
-    $_SESSION["navbar_show_admin_pages"] = $USER->getFlag(UserFlag::ADMIN);
-    $_SESSION["navbar_show_pi_pages"] = $USER->isPI();
     $SQL->addLog("user_login", $SSO["user"]);
     $USER->updateIsQualified(); // in case manual changes have been made to PI groups
 
@@ -89,4 +79,13 @@
             "Your account was previously locked due to inactivity.",
         );
     }
+    // $_SERVER["REMOTE_USER"] is only defined for pages where httpd requies authentication
+    // the home page does not require authentication,
+    // so if the user goes to a secure page and then back to home, they've effectively logged out
+    // it would be bad UX to show the user that they are effectively logging in and out,
+    // so we use session cache to remember if they have logged in recently and then pretend
+    // they're logged in even if they aren't
+    $_SESSION["navbar_show_logged_in_user_pages"] = true;
+    $_SESSION["navbar_show_admin_pages"] = $USER->getFlag(UserFlag::ADMIN);
+    $_SESSION["navbar_show_pi_pages"] = $USER->isPI();
 }

From 857d70bb28ffabdbc7efb5b32096bb7c1d487088 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 26 Jan 2026 10:21:05 -0500
Subject: [PATCH 9/9] move comment

---
 resources/init.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/resources/init.php b/resources/init.php
index 66b0459d2..cd2666959 100644
--- a/resources/init.php
+++ b/resources/init.php
@@ -79,6 +79,7 @@
             "Your account was previously locked due to inactivity.",
         );
     }
+
     // $_SERVER["REMOTE_USER"] is only defined for pages where httpd requies authentication
     // the home page does not require authentication,
     // so if the user goes to a secure page and then back to home, they've effectively logged out