loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.159.2.8.2.9 and 1.159.2.12

version 1.159.2.8.2.9, 2021/01/04 05:15:21	version 1.159.2.12, 2020/09/30 19:33:59
Line 355 sub sso_login {	Line 355 sub sso_login {
# login but immediately go to switch server to find us a new	# login but immediately go to switch server to find us a new
# machine	# machine
&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');	&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
foreach my $item (keys(%form)) {
$env{'form.'.$item} = $form{$item};
}
unless ($form{'symb'}) {
unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {
$env{'form.origurl'} = $r->uri;
}
}
$env{'request.sso.login'} = 1;	$env{'request.sso.login'} = 1;
if (defined($r->dir_config("lonSSOReloginServer"))) {	if (defined($r->dir_config("lonSSOReloginServer"))) {
$env{'request.sso.reloginserver'} =	$env{'request.sso.reloginserver'} =
Line 377 sub sso_login {	Line 369 sub sso_login {
} else {	} else {
# need to login them in, so generate the need data that	# need to login them in, so generate the need data that
# migrate expects to do login	# migrate expects to do login
my $ip = &Apache::lonnet::get_requestor_ip($r);	my $ip = $r->get_remote_host();
my %info=('ip' => $ip,	my %info=('ip' => $ip,
'domain' => $domain,	'domain' => $domain,
'username' => $user,	'username' => $user,
Line 550 sub handler {	Line 542 sub handler {
my $lonhost = &Apache::lonnet::host_from_dns($hostname);	my $lonhost = &Apache::lonnet::host_from_dns($hostname);
if ($lonhost) {	if ($lonhost) {
my $actual = &Apache::lonnet::absolute_url($hostname);	my $actual = &Apache::lonnet::absolute_url($hostname);
my $exphostname = &Apache::lonnet::hostname($lonhost);
my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;	my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
unless ($actual eq $expected) {	unless ($actual eq $expected) {
$env{'request.use_absolute'} = $expected;	$env{'request.use_absolute'} = $expected;
Line 572 sub handler {	Line 563 sub handler {
if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {	if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {
$checkexempt = 1;	$checkexempt = 1;
}	}
unless (($checkexempt) \|\| (($requrl eq '/adm/switchserver') && (!$r->is_initial_req()))) {	unless ($checkexempt) {
($is_balancer,$otherserver) =	($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($env{'user.name'},	&Apache::lonnet::check_loadbalancing($env{'user.name'},
$env{'user.domain'});	$env{'user.domain'});
if ($is_balancer) {	if ($is_balancer) {
# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);	# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {	my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
$otherserver = $found_server;	if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {
}	$otherserver = $found_server;
unless ($requrl eq '/adm/switchserver') {	}
$r->set_handlers('PerlResponseHandler'=>
[\&Apache::switchserver::handler]);
}	}
	}
	}
	if ($is_balancer) {
	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
	$r->set_handlers('PerlResponseHandler'=>
	[\&Apache::switchserver::handler]);
if ($otherserver ne '') {	if ($otherserver ne '') {
$env{'form.otherserver'} = $otherserver;	$env{'form.otherserver'} = $otherserver;
}	}
unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|
($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {
$env{'form.origurl'} = $r->uri;
}
}	}
}	unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|
if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) {	($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {
if ($env{'user.name'} eq 'public' &&	$env{'form.origurl'} = $r->uri;
$env{'user.domain'} eq 'public') {
$env{'request.firsturl'}=$requrl;
return FORBIDDEN;
} else {
return OK;
}	}
}	}

# ---------------------------------------------------------------- Check access	# ---------------------------------------------------------------- Check access
my $now = time;	my $now = time;
my ($check_symb,$check_access,$check_block,$access,$poss_symb);	my $check_symb;
if ($requrl !~ m{^/(?:adm\|public\|(?:prt\|zip)spool)/}	if ($requrl !~ m{^/(?:adm\|public\|(?:prt\|zip)spool)/}
\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {	\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {
$check_access = 1;	my ($access,$poss_symb);
}	if (($env{'request.course.id'}) && (!$suppext)) {
if ((!$check_access) && ($env{'request.course.id'})) {	$requrl=~/\.(\w+)$/;
if (($requrl eq '/adm/viewclasslist') \|\|	if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') \|\|
($requrl =~ m{^(/adm/wrapper\|)\Q/uploaded/$cdom/$cnum/docs/\E}) \|\|	($requrl=~/^\/adm\/.*\/(aboutme\|smppg\|bulletinboard)(\?\|$ )/x) \|\|
($requrl =~ m{^/adm/.*/aboutme$}) \|\|	($requrl=~/^\/adm\/wrapper\//) \|\|
($requrl=~m{^/adm/coursedocs/showdoc/}) \|\|	($requrl=~m\|^/adm/coursedocs/showdoc/\|) \|\|
($requrl=~m{^(/adm/wrapper\|)/adm/$cdom/$cnum/\d+/ext\.tool$})) {	($requrl=~m\|\.problem/smpedit$\|) \|\|
$check_block = 1;	($requrl=~/^\/public\/.*\/syllabus$/) \|\|
}	($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|
}	($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/)) {
if (($env{'request.course.id'}) && (!$suppext)) {	$check_symb = 1;
$requrl=~/\.(\w+)$/;	}
if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') \|\|
($requrl=~/^\/adm\/.*\/(aboutme\|smppg\|bulletinboard)(\?\|$ )/x) \|\|
($requrl=~/^\/adm\/wrapper\//) \|\|
($requrl=~m\|^/adm/coursedocs/showdoc/\|) \|\|
($requrl=~m\|\.problem/smpedit$\|) \|\|
($requrl=~/^\/public\/.*\/syllabus$/) \|\|
($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|
($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/) \|\|
($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
$check_symb = 1;
}	}
}
if (($check_access) \|\| ($check_block)) {
if ($check_symb) {	if ($check_symb) {
if ($env{'form.symb'}) {	if ($env{'form.symb'}) {
$poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});	$poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});
Line 643 sub handler {	Line 617 sub handler {
my $query = $r->args;	my $query = $r->args;
foreach my $pair (split(/&/,$query)) {	foreach my $pair (split(/&/,$query)) {
my ($name, $value) = split(/=/,$pair);	my ($name, $value) = split(/=/,$pair);
$name = &unescape($name);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
if ($name eq 'symb') {	if ($name eq 'symb') {
$poss_symb = &Apache::lonnet::symbclean($value);	$poss_symb = &Apache::lonnet::symbclean($value);
last;	last;
Line 655 sub handler {	Line 626 sub handler {
if ($poss_symb) {	if ($poss_symb) {
my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);	my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);
$url = &Apache::lonnet::clutter($url);	$url = &Apache::lonnet::clutter($url);
my $toplevelmap = $env{'course.'.$env{'request.course.id'}.'.url'};	unless (($url eq $requrl) && (&Apache::lonnet::is_on_map($possmap))) {
unless (($url eq $requrl) && (($possmap eq $toplevelmap) \|\|
(&Apache::lonnet::is_on_map($possmap)))) {
undef($poss_symb);	undef($poss_symb);
}	}
if ($poss_symb) {	if ($poss_symb) {
Line 675 sub handler {	Line 644 sub handler {
} else {	} else {
$access=&Apache::lonnet::allowed('bre',$requrl);	$access=&Apache::lonnet::allowed('bre',$requrl);
}	}
}
if ($check_block) {
if ($access eq 'B') {
if ($poss_symb) {
if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
$env{'request.symb'} = $poss_symb;
}
}
&Apache::blockedaccess::setup_handler($r);
return OK;
}
} elsif ($check_access) {
if ($handle eq '') {	if ($handle eq '') {
unless ($access eq 'F') {	unless ($access eq 'F') {
if ($requrl =~ m{^/res/$match_domain/$match_username/}) {	if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
Line 704 sub handler {	Line 661 sub handler {
}	}
if ($access eq 'B') {	if ($access eq 'B') {
if ($poss_symb) {	if ($poss_symb) {
	if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
	$requrl = $1;
	}
if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {	if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
$env{'request.symb'} = $poss_symb;	$env{'request.symb'} = $poss_symb;
}	}
Line 727 sub handler {	Line 687 sub handler {
}	}
}	}
} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {	} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {
my $clientip = &Apache::lonnet::get_requestor_ip($r);	my $clientip = $r->get_remote_host();
if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {	if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {
$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";	$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
Line 817 sub handler {	Line 777 sub handler {
unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {	unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
$invalidsymb = 1;	$invalidsymb = 1;
#	#
# If $env{'request.enc'} inconsistent with encryption expected for $symb	# If $env{'request.enc'} is true, but no encryption for $symb retrieved
# retrieved by lonnet::symbread(), call again to check for an instance of	# by original lonnet::symbread() call, call again to check for an instance
# $requrl in the course for which expected encryption matches request.enc.	# of $requrl in the course which has encryption, and set that as the symb.
# If symb for different instance passes lonnet::symbverify(), use that as	# If there is no such symb, or symbverify() fails for the new symb proceed
# the symb for $requrl and call &Apache::lonnet::allowed() for that symb.	# to report invalid symb.
# Report invalid symb if there is no other symb. Redirect to /adm/ambiguous
# if multiple possible symbs consistent with request.enc available for $requrl.
#	#
if (($env{'request.enc'} && !$encstate) \|\| (!$env{'request.enc'} && $encstate)) {	if ($env{'request.enc'} && !$encstate) {
my %possibles;	my %possibles;
my $nocache = 1;	my $nocache = 1;
my $oldsymb = $symb;
$symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);	$symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
if (($symb) && ($symb ne $oldsymb)) {	if ($symb) {
if (&Apache::lonnet::symbverify($symb,$requrl)) {	if (&Apache::lonnet::symbverify($symb,$requrl)) {
my $access=&Apache::lonnet::allowed('bre',$requrl,$symb);	$invalidsymb = '';
if ($access eq 'B') {
$env{'request.symb'} = $symb;
&Apache::blockedaccess::setup_handler($r);
return OK;
} elsif (($access eq '2') \|\| ($access eq 'F')) {
$invalidsymb = '';
}
}	}
} elsif (keys(%possibles) > 1) {	} elsif (keys(%possibles) > 1) {
$r->internal_redirect('/adm/ambiguous');	$r->internal_redirect('/adm/ambiguous');
Line 917 sub handler {	Line 867 sub handler {
}	}
# ------------------------------------ See if this is a viewable portfolio file	# ------------------------------------ See if this is a viewable portfolio file
if (&Apache::lonnet::is_portfolio_url($requrl)) {	if (&Apache::lonnet::is_portfolio_url($requrl)) {
my $clientip = &Apache::lonnet::get_requestor_ip($r);	my $clientip = $r->get_remote_host();
my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);	my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
if ($access eq 'A') {	if ($access eq 'A') {
&Apache::restrictedaccess::setup_handler($r);	&Apache::restrictedaccess::setup_handler($r);

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.159.2.8.2.9
changed lines
	Added in v.1.159.2.12