loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.159.2.5.2.4 and 1.184

version 1.159.2.5.2.4, 2020/10/01 21:37:16	version 1.184, 2020/12/18 15:23:03
Line 102 use Apache::loncommon();	Line 102 use Apache::loncommon();
use Apache::lonlocal;	use Apache::lonlocal;
use Apache::restrictedaccess();	use Apache::restrictedaccess();
use Apache::blockedaccess();	use Apache::blockedaccess();
	use Apache::lonprotected();
use Fcntl qw(:flock);	use Fcntl qw(:flock);
use LONCAPA qw(:DEFAULT :match);	use LONCAPA qw(:DEFAULT :match);

Line 202 sub get_posted_cgi {	Line 203 sub get_posted_cgi {
$fname='';	$fname='';
$fmime='';	$fmime='';
}	}
	if ($i<$#lines && $lines[$i+1]=~/^Content\-Type\:\s*([\w\-\/]+)/i) {
	# TODO: something with $1 !
	$i++;
	}
	if ($i<$#lines && $lines[$i+1]=~/^Content\-transfer\-encoding\:\s*([\w\-\/]+)/i) {
	# TODO: something with $1 !
	$i++;
	}
$i++;	$i++;
}	}
} else {	} else {
Line 332 sub sso_login {	Line 341 sub sso_login {
($is_balancer,$otherserver) =	($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($user,$domain,'login');	&Apache::lonnet::check_loadbalancing($user,$domain,'login');
if ($is_balancer) {	if ($is_balancer) {
if ($otherserver eq '') {	# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
	my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
	if (($found_server) && ($balancer_cookie =~ /^\Q$domain\E_\Q$user\E_/)) {
	$otherserver = $found_server;
	} elsif ($otherserver eq '') {
my $lowest_load;	my $lowest_load;
($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);	($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);
if ($lowest_load > 100) {	if ($lowest_load > 100) {
$otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$domain);	$otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$domain);
}	}
}	if ($otherserver ne '') {
if ($otherserver ne '') {	my @hosts = &Apache::lonnet::current_machine_ids();
my @hosts = &Apache::lonnet::current_machine_ids();	if (grep(/^\Q$otherserver\E$/,@hosts)) {
if (grep(/^\Q$otherserver\E$/,@hosts)) {	$hosthere = $otherserver;
$hosthere = $otherserver;	}
}	}
}	}
}	}
Line 373 sub sso_login {	Line 386 sub sso_login {
} else {	} else {
# need to login them in, so generate the need data that	# need to login them in, so generate the need data that
# migrate expects to do login	# migrate expects to do login
my $ip = $r->get_remote_host();	my $ip = &Apache::lonnet::get_requestor_ip($r);
my %info=('ip' => $ip,	my %info=('ip' => $ip,
'domain' => $domain,	'domain' => $domain,
'username' => $user,	'username' => $user,
Line 505 sub handler {	Line 518 sub handler {
my $preserved;	my $preserved;
foreach my $pair (split(/&/,$query)) {	foreach my $pair (split(/&/,$query)) {
my ($name, $value) = split(/=/,$pair);	my ($name, $value) = split(/=/,$pair);
unless ($name eq 'symb') {	unless (($name eq 'symb') \|\| ($name eq 'usehttp')) {
$preserved .= $pair.'&';	$preserved .= $pair.'&';
}	}
if (($env{'request.course.id'}) && ($name eq 'folderpath')) {	if (($env{'request.course.id'}) && ($name eq 'folderpath')) {
Line 524 sub handler {	Line 537 sub handler {
}	}
} elsif ($env{'request.course.id'} &&	} elsif ($env{'request.course.id'} &&
(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|	(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|
($requrl =~ m{^/public/$cdom/$cnum/syllabus$}) \|\|	($requrl eq "/public/$cdom/$cnum/syllabus") \|\|
($requrl =~ m{^/adm/$cdom/$cnum/\d+/ext\.tool$}))) {	($requrl =~ m{^/adm/$cdom/$cnum/\d+/ext\.tool$}))) {
my $query = $r->args;	my $query = $r->args;
if ($query) {	if ($query) {
Line 563 sub handler {	Line 576 sub handler {
my $checkexempt;	my $checkexempt;
if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) {	if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) {
if ($env{'user.loadbalcheck.time'} + 600 > time) {	if ($env{'user.loadbalcheck.time'} + 600 > time) {
$checkexempt = 1;	$checkexempt = 1;
}	}
}	}
if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {	if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {
$checkexempt = 1;	$checkexempt = 1;
}	}
unless ($checkexempt) {	unless (($checkexempt) \|\| (($requrl eq '/adm/switchserver') && (!$r->is_initial_req()))) {
($is_balancer,$otherserver) =	($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($env{'user.name'},	&Apache::lonnet::check_loadbalancing($env{'user.name'},
$env{'user.domain'});	$env{'user.domain'});
}	if ($is_balancer) {
if ($is_balancer) {	# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
$r->set_handlers('PerlResponseHandler'=>	my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
[\&Apache::switchserver::handler]);	if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {
if ($otherserver ne '') {	$otherserver = $found_server;
$env{'form.otherserver'} = $otherserver;	}
}	unless ($requrl eq '/adm/switchserver') {
unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|	$r->set_handlers('PerlResponseHandler'=>
($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {	[\&Apache::switchserver::handler]);
$env{'form.origurl'} = $r->uri;	}
	if ($otherserver ne '') {
	$env{'form.otherserver'} = $otherserver;
	}
	unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|
	($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {
	$env{'form.origurl'} = $r->uri;
	}
}	}
}	}
if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) {	if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) {
return OK;	if ($env{'user.name'} eq 'public' &&
	$env{'user.domain'} eq 'public') {
	$env{'request.firsturl'}=$requrl;
	return FORBIDDEN;
	} else {
	return OK;
	}
}	}

# ---------------------------------------------------------------- Check access	# ---------------------------------------------------------------- Check access
my $now = time;	my $now = time;
my $check_symb;	my $check_symb;
if ($requrl !~ m{^/(?:adm\|public\|prtspool)/}	if ($requrl !~ m{^/(?:adm\|public\|(?:prt\|zip)spool)/}
\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {	\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {
my ($access,$poss_symb);	my ($access,$poss_symb);
if (($env{'request.course.id'}) && (!$suppext)) {	if (($env{'request.course.id'}) && (!$suppext)) {
Line 604 sub handler {	Line 629 sub handler {
($requrl=~m\|\.problem/smpedit$\|) \|\|	($requrl=~m\|\.problem/smpedit$\|) \|\|
($requrl=~/^\/public\/.*\/syllabus$/) \|\|	($requrl=~/^\/public\/.*\/syllabus$/) \|\|
($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|	($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|
($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/)	($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/) \|\|
($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {	($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
$check_symb = 1;	$check_symb = 1;
}	}
Line 673 sub handler {	Line 698 sub handler {
&Apache::blockedaccess::setup_handler($r);	&Apache::blockedaccess::setup_handler($r);
return OK;	return OK;
}	}
	if ($access eq 'D') {
	&Apache::lonprotected::setup_handler($r);
	return OK;
	}
if (($access ne '2') && ($access ne 'F')) {	if (($access ne '2') && ($access ne 'F')) {
if ($requrl =~ m{^/res/}) {	if ($requrl =~ m{^/res/}) {
$access = &Apache::lonnet::allowed('bro',$requrl);	$access = &Apache::lonnet::allowed('bro',$requrl);
Line 689 sub handler {	Line 718 sub handler {
}	}
}	}
} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {	} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {
my $clientip = $r->get_remote_host();	my $clientip = &Apache::lonnet::get_requestor_ip($r);
if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {	if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {
$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";	$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
Line 738 sub handler {	Line 767 sub handler {
}	}
if ($env{'form.symb'}) {	if ($env{'form.symb'}) {
$symb=&Apache::lonnet::symbclean($env{'form.symb'});	$symb=&Apache::lonnet::symbclean($env{'form.symb'});
if ($requrl =~ m\|^/adm/wrapper/\|	if ($requrl eq '/adm/navmaps') {
	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
	&Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
	} elsif ($requrl =~ m\|^/adm/wrapper/\|
\|\| $requrl =~ m\|^/adm/coursedocs/showdoc/\|) {	\|\| $requrl =~ m\|^/adm/coursedocs/showdoc/\|) {
my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
	if ($map =~ /\.page$/) {
	my $mapsymb = &Apache::lonnet::symbread($map);
	($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
	}
&Apache::lonnet::symblist($map,$murl => [$murl,$mid],	&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
'last_known' =>[$murl,$mid]);	'last_known' =>[$murl,$mid]);
} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) \|\|	} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) \|\|
Line 749 sub handler {	Line 785 sub handler {
(($requrl=~m\|(.*/aboutme)/portfolio$\|) &&	(($requrl=~m\|(.*/aboutme)/portfolio$\|) &&
&Apache::lonnet::symbverify($symb,$1))) {	&Apache::lonnet::symbverify($symb,$1))) {
my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
	if (($map =~ /\.page$/) && ($requrl !~ /\.page$/)) {
	my $mapsymb = &Apache::lonnet::symbread($map);
	($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
	}
&Apache::lonnet::symblist($map,$murl => [$murl,$mid],	&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
'last_known' =>[$murl,$mid]);	'last_known' =>[$murl,$mid]);
} else {	} else {
Line 768 sub handler {	Line 808 sub handler {
unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {	unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
$invalidsymb = 1;	$invalidsymb = 1;
#	#
# If $env{'request.enc'} is true, but no encryption for $symb retrieved	# If $env{'request.enc'} inconsistent with encryption expected for $symb
# by original lonnet::symbread() call, call again to check for an instance	# retrieved by lonnet::symbread(), call again to check for an instance of
# of $requrl in the course which has encryption, and set that as the symb.	# $requrl in the course for which expected encryption matches request.enc.
# If there is no such symb, or symbverify() fails for the new symb proceed	# If symb for different instance passes lonnet::symbverify(), use that as
# to report invalid symb.	# the symb for $requrl and call &Apache::lonnet::allowed() for that symb.
	# Report invalid symb if there is no other symb. Redirect to /adm/ambiguous
	# if multiple possible symbs consistent with request.enc available for $requrl.
#	#
if ($env{'request.enc'} && !$encstate) {	if (($env{'request.enc'} && !$encstate) \|\| (!$env{'request.enc'} && $encstate)) {
my %possibles;	my %possibles;
my $nocache = 1;	my $nocache = 1;
	my $oldsymb = $symb;
$symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);	$symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
if ($symb) {	if (($symb) && ($symb ne $oldsymb)) {
if (&Apache::lonnet::symbverify($symb,$requrl)) {	if (&Apache::lonnet::symbverify($symb,$requrl)) {
$invalidsymb = '';	my $access=&Apache::lonnet::allowed('bre',$requrl,$symb);
	if ($access eq 'B') {
	$env{'request.symb'} = $symb;
	&Apache::blockedaccess::setup_handler($r);
	return OK;
	} elsif (($access eq '2') \|\| ($access eq 'F')) {
	$invalidsymb = '';
	}
}	}
} elsif (keys(%possibles) > 1) {	} elsif (keys(%possibles) > 1) {
$r->internal_redirect('/adm/ambiguous');	$r->internal_redirect('/adm/ambiguous');
Line 788 sub handler {	Line 838 sub handler {
}	}
}	}
if ($invalidsymb) {	if ($invalidsymb) {
$r->log_reason('Invalid symb for '.$requrl.': '.$symb);	$r->log_reason('Invalid symb for '.$requrl.': '.$symb);
$env{'user.error.msg'}=	$env{'user.error.msg'}=
"$requrl:bre:1:1:Invalid Access";	"$requrl:bre:1:1:Invalid Access";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
}	}
}	}
}	}
if ($symb) {	if ($symb) {
my ($map,$mid,$murl)=	my ($map,$mid,$murl)=
&Apache::lonnet::decode_symb($symb);	&Apache::lonnet::decode_symb($symb);
&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],	if ($requrl eq '/adm/navmaps') {
'last_known' =>[$murl,$mid]);	&Apache::lonnet::symblist($map,$murl =>[$murl,$mid]);
	} else {
	if (($map =~ /\.page$/) && ($requrl !~ /\.page$/)) {
	my $mapsymb = &Apache::lonnet::symbread($map);
	($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
	}
	&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
	'last_known' =>[$murl,$mid]);
	}
}	}
}	}
$env{'request.symb'}=$symb;	$env{'request.symb'}=$symb;
Line 850 sub handler {	Line 908 sub handler {
}	}
# ------------------------------------ See if this is a viewable portfolio file	# ------------------------------------ See if this is a viewable portfolio file
if (&Apache::lonnet::is_portfolio_url($requrl)) {	if (&Apache::lonnet::is_portfolio_url($requrl)) {
my $clientip = $r->get_remote_host();	my $clientip = &Apache::lonnet::get_requestor_ip($r);
my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);	my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
if ($access eq 'A') {	if ($access eq 'A') {
&Apache::restrictedaccess::setup_handler($r);	&Apache::restrictedaccess::setup_handler($r);
return OK;	return OK;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.159.2.5.2.4
changed lines
	Added in v.1.184