From 983f6a22da45eed195c6bf0cdb9c257eb3ca896b Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Wed, 28 Jan 2026 16:38:52 -0500 Subject: [PATCH 1/5] add buttons to user-mgmt, show danger --- defaults/config.ini.default | 11 +++++ webroot/admin/user-mgmt.php | 85 ++++++++++++++++++++++++++++++++----- 2 files changed, 85 insertions(+), 11 deletions(-) diff --git a/defaults/config.ini.default b/defaults/config.ini.default index df20d2958..daac7557c 100644 --- a/defaults/config.ini.default +++ b/defaults/config.ini.default @@ -122,3 +122,14 @@ url = "https://hooks.slack.com/services/T04BB3N3M26/B050A55CBNX/IGm1YA0VhjczAfs5 [page] ; which sql objects to use for the content on these pages home = "home" support = "support" + +[expiry] +idlelock_warning_days[] = 180 +idlelock_warning_days[] = 200 +idlelock_warning_days[] = 219 +idlelock_day = 220 + +disable_warning_days[] = 360 +disable_warning_days[] = 380 +disable_warning_days[] = 399 +disable_day = 400 diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index 2b8145f68..504cf2c41 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -4,11 +4,17 @@ use UnityWebPortal\lib\UnityHTTPD; use UnityWebPortal\lib\UserFlag; +use UnityWebPortal\lib\UnityUser; if (!$USER->getFlag(UserFlag::ADMIN)) { UnityHTTPD::forbidden("not an admin", "You are not an admin."); } +$users_with_flags = []; +foreach (UserFlag::cases() as $flag) { + $users_with_flags[$flag->value] = $LDAP->userFlagGroups[$flag->value]->getMemberUIDs(); +} + if ($_SERVER["REQUEST_METHOD"] == "POST") { UnityHTTPD::validatePostCSRFToken(); switch ($_POST["form_type"]) { 
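Review bot: The context line just above the new `[expiry]` section in `defaults/config.ini.default` holds what looks like a complete Slack incoming-webhook URL (`hooks.slack.com/services/T…/B…/…`); if that is a live webhook it is effectively a bearer credential for posting into the channel and should be rotated and replaced with a placeholder, since this default file ships with the repository. The new keys carry no comment saying what the day counts are measured from (account creation, last login?) or that each `*_warning_days[]` entry is expected to be strictly less than the matching `*_day`, which the sample values satisfy but nothing documents; a one-line `;` comment above each group, e.g. `; days since last login; warnings must precede idlelock_day`, would settle it. This section is reverted in the last patch of the series, so the expiry settings presumably moved elsewhere.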
@@ -16,6 +22,39 @@ $_SESSION["viewUser"] = $_POST["uid"]; UnityHTTPD::redirect(getURL("panel/account.php")); break; /** @phpstan-ignore deadCode.unreachable */ + case "lockUser": + $uid = UnityHTTPD::getPostData("uid"); + $user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); + if (in_array($uid, $users_with_flags[UserFlag::LOCKED->value])) { + UnityHTTPD::messageError("Cannot lock user, already locked", $uid); + UnityHTTPD::redirect(); + } + $user->setFlag(UserFlag::LOCKED, true); + UnityHTTPD::messageSuccess("User Locked", $uid); + UnityHTTPD::redirect(); + break; /** @phpstan-ignore deadCode.unreachable */ + case "unlockUser": + $uid = UnityHTTPD::getPostData("uid"); + $user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); + if (!in_array($uid, $users_with_flags[UserFlag::LOCKED->value])) { + UnityHTTPD::messageError("Cannot unlock user, not locked", $uid); + UnityHTTPD::redirect(); + } + $user->setFlag(UserFlag::LOCKED, false); + UnityHTTPD::messageSuccess("User Unlocked", $uid); + UnityHTTPD::redirect(); + break; /** @phpstan-ignore deadCode.unreachable */ + case "disableUser": + $uid = UnityHTTPD::getPostData("uid"); + $user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); + if (in_array($uid, $users_with_flags[UserFlag::DISABLED->value])) { + UnityHTTPD::messageError("Cannot disable user, already disabled", $uid); + UnityHTTPD::redirect(); + } + $user->disable(); + UnityHTTPD::messageSuccess("User Disabled", $uid); + UnityHTTPD::redirect(); + break; /** @phpstan-ignore deadCode.unreachable */ } } @@ -55,10 +94,6 @@ class="stripe compact hover" "mail" => ["(not found)"] ] ); - $users_with_flags = []; - foreach (UserFlag::cases() as $flag) { - $users_with_flags[$flag->value] = $LDAP->userFlagGroups[$flag->value]->getMemberUIDs(); - } usort($user_attributes, fn ($a, $b) => strcmp($a["uid"][0], $b["uid"][0])); foreach ($user_attributes as $attributes) { $uid = $attributes["uid"][0]; 
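Review bot: The three new handlers build `new UnityUser($uid, ...)` from the POSTed uid and call `setFlag`/`disable` on it without first confirming that the uid resolves to an existing account; whether the constructor rejects unknown uids is not visible here, so that should be confirmed before mutating LDAP. The early-exit branches also rely on `UnityHTTPD::redirect()` never returning, since there is no `return` after it; if redirect does not terminate the request, `setFlag` or `disable` still runs after the error message. The membership tests should pass strict mode, `in_array($uid, $users_with_flags[UserFlag::LOCKED->value], true)`, so a uid can never loosely match another entry. Lock and disable are security-relevant admin actions, and the only record here is `messageSuccess` shown to the admin; unless `setFlag`/`disable` log the acting user themselves, an audit line naming `$USER` and `$uid` belongs in each case. The enclosing switch begins before this hunk.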
@@ -84,13 +119,41 @@ class="stripe compact hover" echo ""; echo ""; echo ""; - echo "
- $CSRFTokenHiddenFormInput - - - -
"; + if (in_array($uid, $users_with_flags[UserFlag::LOCKED->value])) { + [$action, $action_lowercase, $form_type] = ["Unlock", "unlock", "unlockUser"]; + } else { + [$action, $action_lowercase, $form_type] = ["Lock", "lock", "lockUser"]; + } + echo " +
+
+ $CSRFTokenHiddenFormInput + + + +
+
+ $CSRFTokenHiddenFormInput + + + +
+
+ $CSRFTokenHiddenFormInput + + + +
+
+ "; echo ""; foreach ($flags_to_display as $flag) { echo sprintf( From 64cc30774a8762bb9fc98eb433e8fe1b496c8471 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Thu, 29 Jan 2026 08:43:04 -0500 Subject: [PATCH 2/5] disable access button for locked users --- webroot/admin/user-mgmt.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index 504cf2c41..1a8390894 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -120,8 +120,10 @@ class="stripe compact hover" echo ""; echo ""; if (in_array($uid, $users_with_flags[UserFlag::LOCKED->value])) { + $access_button_disabled = "disabled"; [$action, $action_lowercase, $form_type] = ["Unlock", "unlock", "unlockUser"]; } else { + $access_button_disabled = ""; [$action, $action_lowercase, $form_type] = ["Lock", "lock", "lockUser"]; } echo " @@ -130,7 +132,7 @@ class="stripe compact hover" $CSRFTokenHiddenFormInput - +
Date: Thu, 29 Jan 2026 09:08:15 -0500 Subject: [PATCH 3/5] don't disable PIs in user-mgmt --- webroot/admin/user-mgmt.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index 1a8390894..d4679286b 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -10,6 +10,7 @@ UnityHTTPD::forbidden("not an admin", "You are not an admin."); } +$pi_uids = $LDAP->getAllNonDisabledPIGroupOwnerUIDs(); $users_with_flags = []; foreach (UserFlag::cases() as $flag) { $users_with_flags[$flag->value] = $LDAP->userFlagGroups[$flag->value]->getMemberUIDs(); @@ -126,6 +127,13 @@ class="stripe compact hover" $access_button_disabled = ""; [$action, $action_lowercase, $form_type] = ["Lock", "lock", "lockUser"]; } + if (in_array($uid, $pi_uids)) { + $disable_button_disabled = "disabled"; + $disable_button_title = "PI group owners cannot be disabled."; + } else { + $disable_button_disabled = ""; + $disable_button_title = ""; + } echo "
@@ -152,7 +160,14 @@ class="stripe compact hover" $CSRFTokenHiddenFormInput - +
"; From 4e6bbf5af1f0c1c86c8fee7aec135de7cdf6f4b6 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Thu, 29 Jan 2026 11:42:37 -0500 Subject: [PATCH 4/5] enforce rule in php --- webroot/admin/user-mgmt.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index d4679286b..e0cad1f79 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -52,6 +52,10 @@ UnityHTTPD::messageError("Cannot disable user, already disabled", $uid); UnityHTTPD::redirect(); } + if ($user->isPI()) { + UnityHTTPD::messageError("Cannot disable user, user is PI", $uid); + UnityHTTPD::redirect(); + } $user->disable(); UnityHTTPD::messageSuccess("User Disabled", $uid); UnityHTTPD::redirect(); From 9dbf99b30029c65e83022708ef02109864247fb1 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Thu, 29 Jan 2026 12:13:35 -0500 Subject: [PATCH 5/5] revert config --- defaults/config.ini.default | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/defaults/config.ini.default b/defaults/config.ini.default index daac7557c..df20d2958 100644 --- a/defaults/config.ini.default +++ b/defaults/config.ini.default @@ -122,14 +122,3 @@ url = "https://hooks.slack.com/services/T04BB3N3M26/B050A55CBNX/IGm1YA0VhjczAfs5 [page] ; which sql objects to use for the content on these pages home = "home" support = "support" - -[expiry] -idlelock_warning_days[] = 180 -idlelock_warning_days[] = 200 -idlelock_warning_days[] = 219 -idlelock_day = 220 - -disable_warning_days[] = 360 -disable_warning_days[] = 380 -disable_warning_days[] = 399 -disable_day = 400
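Review bot: The new server-side gate uses `$user->isPI()` while the Disable button in the table is greyed out from `$LDAP->getAllNonDisabledPIGroupOwnerUIDs()` (patch 3); unless those two are defined to agree, an admin can be shown an enabled button and then hit "user is PI", or the reverse. Since `$pi_uids` is already computed at the top of the file, deriving both from the same source, `if (in_array($uid, $pi_uids, true)) {`, keeps the UI and the enforcement consistent. As far as this series shows, nothing in the lock, unlock or disable handlers compares `$uid` with the acting admin's own uid, so an admin can lock or disable their own account; a guard against that belongs alongside this check. The enclosing switch starts and ends outside this hunk.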