UnityHPC · simonLeary42 · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/resources/init.php b/resources/init.php
@@ -56,34 +56,16 @@
     $_SESSION["csrf_tokens"] = [];
 }
 
-// $_SERVER["REMOTE_USER"] is only defined for pages where httpd requies authentication
-// the home page does not require authentication,
-// so if the user goes to a secure page and then back to home, they've effectively logged out
-// it would be bad UX to show the user that they are effectively logging in and out,
-// so we use session cache to remember if they have logged in recently and then pretend
-// they're logged in even if they aren't
 if (isset($_SERVER["REMOTE_USER"])) {
-    // Check if SSO is enabled on this page
     $SSO = UnitySSO::getSSO();
-    $_SESSION["SSO"] = $SSO;
-
-    $OPERATOR = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
-    $_SESSION["is_admin"] = $OPERATOR->getFlag(UserFlag::ADMIN);
-
     $_SESSION["OPERATOR"] = $SSO["user"];
     $_SESSION["OPERATOR_IP"] = $_SERVER["REMOTE_ADDR"];
-
-    if (isset($_SESSION["viewUser"]) && $_SESSION["is_admin"]) {
+    if (isset($_SESSION["viewUser"])) {
         $USER = new UnityUser($_SESSION["viewUser"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     } else {
-        $USER = $OPERATOR;
+        $USER = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
     }
-
-    $_SESSION["user_exists"] = $USER->exists();
-    $_SESSION["is_pi"] = $USER->isPI();
-
-    $SQL->addLog("user_login", $OPERATOR->uid);
-
+    $SQL->addLog("user_login", $SSO["user"]);
     $USER->updateIsQualified(); // in case manual changes have been made to PI groups
 
     if ($USER->getFlag(UserFlag::LOCKED)) {
@@ -97,4 +79,14 @@
             "Your account was previously locked due to inactivity.",
         );
     }
+
+    // $_SERVER["REMOTE_USER"] is only defined for pages where httpd requies authentication
+    // the home page does not require authentication,
+    // so if the user goes to a secure page and then back to home, they've effectively logged out
+    // it would be bad UX to show the user that they are effectively logging in and out,
+    // so we use session cache to remember if they have logged in recently and then pretend
+    // they're logged in even if they aren't
+    $_SESSION["navbar_show_logged_in_user_pages"] = true;
+    $_SESSION["navbar_show_admin_pages"] = $USER->getFlag(UserFlag::ADMIN);
+    $_SESSION["navbar_show_pi_pages"] = $USER->isPI();
 }
diff --git a/resources/templates/header.php b/resources/templates/header.php
@@ -5,12 +5,13 @@
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
     // another page should have already validated and we can't validate the same token twice
     // UnityHTTPD::validatePostCSRFToken();
-    if (
-        ($_SESSION["is_admin"] ?? false) == true
-        && ($_POST["form_type"] ?? null) == "clearView"
-    ) {
-        unset($_SESSION["viewUser"]);
-        UnityHTTPD::redirect(getURL("admin/user-mgmt.php"));
+    if (($_POST["form_type"] ?? null) == "clearView") {
+        if (isset($_SESSION["viewUser"])) {
+            unset($_SESSION["viewUser"]);
+            UnityHTTPD::redirect(getURL("admin/user-mgmt.php"));
+        } else {
+            throw new Exception('Cannot clearView because $_SESSION["viewUser"] is not set!');
+        }
     }
     // Webroot files need to handle their own POSTs before loading the header
     // so that they can do UnityHTTPD::badRequest before anything else has been printed.
@@ -21,13 +22,8 @@
     UnityHTTPD::redirect();
 }
 
-if (isset($SSO)) {
-    if (
-        !$_SESSION["user_exists"]
-        && !str_ends_with($_SERVER['PHP_SELF'], "/panel/new_account.php")
-    ) {
-        UnityHTTPD::redirect(getURL("panel/new_account.php"));
-    }
+if (isset($USER) && !$USER->exists() && !str_ends_with($_SERVER['PHP_SELF'], "/new_account.php")) {
+    UnityHTTPD::redirect(getURL("panel/new_account.php"));
 }
 
 ?>
@@ -91,7 +87,6 @@
 
   <nav class="mainNav">
     <?php
-    // Public Items - Always Visible
     echo getHyperlink("Home", "index.php") . "\n";
 
     $num_additional_items = count(CONFIG["menuitems"]["labels"]);
@@ -100,30 +95,23 @@
         CONFIG["menuitems"]["labels"][$i] . "</a>\n";
     }
 
-    if (isset($_SESSION["user_exists"]) && $_SESSION["user_exists"]) {
+    if ($_SESSION["navbar_show_logged_in_user_pages"] ?? false) {
         echo "<hr class='navHR'>\n";
-        // Menu Items for Present Users
         echo getHyperlink("Account Settings", "panel/account.php") . "\n";
         echo getHyperlink("My PIs", "panel/groups.php") . "\n";
 
-        if (isset($_SESSION["is_pi"]) && $_SESSION["is_pi"]) {
-            // PI only pages
+        if ($_SESSION["navbar_show_pi_pages"] ?? false) {
             echo getHyperlink("My Users", "panel/pi.php") . "\n";
         }
 
-        // additional branding items
         $num_additional_items = count(CONFIG["menuitems_secure"]["labels"]);
         for ($i = 0; $i < $num_additional_items; $i++) {
             echo "<a target='_blank' href='" . CONFIG["menuitems_secure"]["links"][$i] . "'>" .
             CONFIG["menuitems_secure"]["labels"][$i] . "</a>\n";
         }
 
-        // admin pages
-        if (
-            isset($_SESSION["is_admin"]) && $_SESSION["is_admin"] && !isset($_SESSION["viewUser"])
-        ) {
+        if ($_SESSION["navbar_show_admin_pages"] ?? false) {
             echo "<hr class='navHR'>\n";
-            // Admin only pages
             echo getHyperlink("User Management", "admin/user-mgmt.php") . "\n";
             echo getHyperlink("PI Management", "admin/pi-mgmt.php") . "\n";
         }
@@ -177,11 +165,7 @@
         );
     }
     echo "</div>";
-    if (
-        isset($_SESSION["is_admin"])
-        && $_SESSION["is_admin"]
-        && isset($_SESSION["viewUser"])
-    ) {
+    if (isset($_SESSION["viewUser"])) {
         $viewUser = $_SESSION["viewUser"];
         $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
         echo "

diff --git a/resources/templates/home.php b/resources/templates/home.php
@@ -3,7 +3,7 @@
     Welcome to the UnityHPC Platform Account Portal.
     Here you can manage your SSH keys, join and leave PI groups, manage your own PI group, and more.
     <?php
-    if (!($_SESSION["user_exists"] ?? false)) {
+    if (!($_SESSION["navbar_show_logged_in_user_pages"] ?? false)) {
         $hyperlink = getHyperlink("Log In", "panel/account.php");
         echo "Please $hyperlink for more information.";
     }

diff --git a/test/functional/ViewAsUserTest.php b/test/functional/ViewAsUserTest.php
@@ -24,7 +24,6 @@ public function _testViewAsUser(string $beforeNickname, string $afterNickname)
         http_get(__DIR__ . "/../../resources/init.php");
         // now we should be new user
         $this->assertEquals($afterUid, $USER->uid);
-        // $this->assertTrue($_SESSION["user_exists"]);
         http_post(__DIR__ . "/../../webroot/panel/account.php", [
             "form_type" => "clearView",
         ]);