--- loncom/auth/lonacc.pm 2021/02/10 11:22:41 1.159.2.8.2.10
+++ loncom/auth/lonacc.pm 2018/07/02 20:53:07 1.170
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.159.2.8.2.10 2021/02/10 11:22:41 raeburn Exp $
+# $Id: lonacc.pm,v 1.170 2018/07/02 20:53:07 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -202,6 +202,14 @@ sub get_posted_cgi {
$fname='';
$fmime='';
}
+ if ($i<$#lines && $lines[$i+1]=~/^Content\-Type\:\s*([\w\-\/]+)/i) {
+ # TODO: something with $1 !
+ $i++;
+ }
+ if ($i<$#lines && $lines[$i+1]=~/^Content\-transfer\-encoding\:\s*([\w\-\/]+)/i) {
+ # TODO: something with $1 !
+ $i++;
+ }
$i++;
}
} else {
@@ -332,21 +340,17 @@ sub sso_login {
($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($user,$domain,'login');
if ($is_balancer) {
- # Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
- my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
- if (($found_server) && ($balancer_cookie =~ /^\Q$domain\E_\Q$user\E_/)) {
- $otherserver = $found_server;
- } elsif ($otherserver eq '') {
+ if ($otherserver eq '') {
my $lowest_load;
($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);
if ($lowest_load > 100) {
$otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$domain);
}
- if ($otherserver ne '') {
- my @hosts = &Apache::lonnet::current_machine_ids();
- if (grep(/^\Q$otherserver\E$/,@hosts)) {
- $hosthere = $otherserver;
- }
+ }
+ if ($otherserver ne '') {
+ my @hosts = &Apache::lonnet::current_machine_ids();
+ if (grep(/^\Q$otherserver\E$/,@hosts)) {
+ $hosthere = $otherserver;
}
}
}
@@ -355,14 +359,6 @@ sub sso_login {
# login but immediately go to switch server to find us a new
# machine
&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
- foreach my $item (keys(%form)) {
- $env{'form.'.$item} = $form{$item};
- }
- unless ($form{'symb'}) {
- unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/sso')) {
- $env{'form.origurl'} = $r->uri;
- }
- }
$env{'request.sso.login'} = 1;
if (defined($r->dir_config("lonSSOReloginServer"))) {
$env{'request.sso.reloginserver'} =
@@ -377,7 +373,7 @@ sub sso_login {
} else {
# need to login them in, so generate the need data that
# migrate expects to do login
- my $ip = &Apache::lonnet::get_requestor_ip($r);
+ my $ip = $r->get_remote_host();
my %info=('ip' => $ip,
'domain' => $domain,
'username' => $user,
@@ -509,7 +505,7 @@ sub handler {
my $preserved;
foreach my $pair (split(/&/,$query)) {
my ($name, $value) = split(/=/,$pair);
- unless (($name eq 'symb') || ($name eq 'usehttp')) {
+ unless ($name eq 'symb') {
$preserved .= $pair.'&';
}
if (($env{'request.course.id'}) && ($name eq 'folderpath')) {
@@ -528,7 +524,8 @@ sub handler {
}
} elsif ($env{'request.course.id'} &&
(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) ||
- ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) {
+ ($requrl eq "/public/$cdom/$cnum/syllabus") ||
+ ($requrl =~ m{^/adm/$cdom/$cnum/\d+/ext\.tool$}))) {
my $query = $r->args;
if ($query) {
foreach my $pair (split(/&/,$query)) {
@@ -537,7 +534,6 @@ sub handler {
if ($value =~ /^supplemental/) {
$suppext = 1;
}
- last;
}
}
}
@@ -550,7 +546,6 @@ sub handler {
my $lonhost = &Apache::lonnet::host_from_dns($hostname);
if ($lonhost) {
my $actual = &Apache::lonnet::absolute_url($hostname);
- my $exphostname = &Apache::lonnet::hostname($lonhost);
my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
unless ($actual eq $expected) {
$env{'request.use_absolute'} = $expected;
@@ -566,127 +561,36 @@ sub handler {
my $checkexempt;
if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) {
if ($env{'user.loadbalcheck.time'} + 600 > time) {
- $checkexempt = 1;
+ $checkexempt = 1;
}
}
if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {
$checkexempt = 1;
}
- unless (($checkexempt) || (($requrl eq '/adm/switchserver') && (!$r->is_initial_req()))) {
+ unless ($checkexempt) {
($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($env{'user.name'},
$env{'user.domain'});
- if ($is_balancer) {
- # Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
- my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
- if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {
- $otherserver = $found_server;
- }
- unless ($requrl eq '/adm/switchserver') {
- $r->set_handlers('PerlResponseHandler'=>
- [\&Apache::switchserver::handler]);
- }
- if ($otherserver ne '') {
- $env{'form.otherserver'} = $otherserver;
- }
- unless (($env{'form.origurl'}) || ($r->uri eq '/adm/roles') ||
- ($r->uri eq '/adm/switchserver') || ($r->uri eq '/adm/sso')) {
- $env{'form.origurl'} = $r->uri;
- }
+ }
+ if ($is_balancer) {
+ $r->set_handlers('PerlResponseHandler'=>
+ [\&Apache::switchserver::handler]);
+ if ($otherserver ne '') {
+ $env{'form.otherserver'} = $otherserver;
+ }
+ unless (($env{'form.origurl'}) || ($r->uri eq '/adm/roles') ||
+ ($r->uri eq '/adm/switchserver') || ($r->uri eq '/adm/sso')) {
+ $env{'form.origurl'} = $r->uri;
}
}
if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) {
- if ($env{'user.name'} eq 'public' &&
- $env{'user.domain'} eq 'public') {
- $env{'request.firsturl'}=$requrl;
- return FORBIDDEN;
- } else {
- return OK;
- }
+ return OK;
}
-
# ---------------------------------------------------------------- Check access
my $now = time;
- my ($check_symb,$check_access,$check_block,$access,$poss_symb);
- if ($requrl !~ m{^/(?:adm|public|(?:prt|zip)spool)/}
+ if ($requrl !~ m{^/(?:adm|public|prtspool)/}
|| $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) {
- $check_access = 1;
- }
- if ((!$check_access) && ($env{'request.course.id'})) {
- if (($requrl eq '/adm/viewclasslist') ||
- ($requrl =~ m{^(/adm/wrapper|)\Q/uploaded/$cdom/$cnum/docs/\E}) ||
- ($requrl =~ m{^/adm/.*/aboutme$}) ||
- ($requrl=~m{^/adm/coursedocs/showdoc/}) ||
- ($requrl=~m{^(/adm/wrapper|)/adm/$cdom/$cnum/\d+/ext\.tool$})) {
- $check_block = 1;
- }
- }
- if (($env{'request.course.id'}) && (!$suppext)) {
- $requrl=~/\.(\w+)$/;
- if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
- ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) ||
- ($requrl=~/^\/adm\/wrapper\//) ||
- ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
- ($requrl=~m|\.problem/smpedit$|) ||
- ($requrl=~/^\/public\/.*\/syllabus$/) ||
- ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
- ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/) ||
- ($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
- $check_symb = 1;
- }
- }
- if (($check_access) || ($check_block)) {
- if ($check_symb) {
- if ($env{'form.symb'}) {
- $poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});
- } elsif (($env{'request.course.id'}) && ($r->args ne '')) {
- my $query = $r->args;
- foreach my $pair (split(/&/,$query)) {
- my ($name, $value) = split(/=/,$pair);
- $name = &unescape($name);
- $value =~ tr/+/ /;
- $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
- if ($name eq 'symb') {
- $poss_symb = &Apache::lonnet::symbclean($value);
- last;
- }
- }
- }
- if ($poss_symb) {
- my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);
- $url = &Apache::lonnet::clutter($url);
- my $toplevelmap = $env{'course.'.$env{'request.course.id'}.'.url'};
- unless (($url eq $requrl) && (($possmap eq $toplevelmap) ||
- (&Apache::lonnet::is_on_map($possmap)))) {
- undef($poss_symb);
- }
- if ($poss_symb) {
- if ((!$env{'request.role.adv'}) && ($env{'acc.randomout'}) &&
- ($env{'acc.randomout'}=~/\&\Q$poss_symb\E\&/)) {
- undef($poss_symb);
- }
- }
- }
- if ($poss_symb) {
- $access=&Apache::lonnet::allowed('bre',$requrl,$poss_symb);
- } else {
- $access=&Apache::lonnet::allowed('bre',$requrl,'','','','',1);
- }
- } else {
- $access=&Apache::lonnet::allowed('bre',$requrl);
- }
- }
- if ($check_block) {
- if ($access eq 'B') {
- if ($poss_symb) {
- if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
- $env{'request.symb'} = $poss_symb;
- }
- }
- &Apache::blockedaccess::setup_handler($r);
- return OK;
- }
- } elsif ($check_access) {
+ my $access=&Apache::lonnet::allowed('bre',$requrl);
if ($handle eq '') {
unless ($access eq 'F') {
if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
@@ -703,11 +607,6 @@ sub handler {
return OK;
}
if ($access eq 'B') {
- if ($poss_symb) {
- if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
- $env{'request.symb'} = $poss_symb;
- }
- }
&Apache::blockedaccess::setup_handler($r);
return OK;
}
@@ -727,7 +626,7 @@ sub handler {
}
}
} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {
- my $clientip = &Apache::lonnet::get_requestor_ip($r);
+ my $clientip = $r->get_remote_host();
if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {
$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
return HTTP_NOT_ACCEPTABLE;
@@ -758,7 +657,7 @@ sub handler {
$env{'user.domain'} eq 'public' &&
$requrl !~ m{^/+(res|public|uploaded)/} &&
$requrl !~ m{^/adm/[^/]+/[^/]+/aboutme/portfolio$ }x &&
- $requrl !~ m{^/adm/blockingstatus/.*$} &&
+ $requrl !~ m{^/adm/blockingstatus/.*$} &&
$requrl !~ m{^/+adm/(help|logout|restrictedaccess|randomlabel\.png)}) {
$env{'request.querystring'}=$r->args;
$env{'request.firsturl'}=$requrl;
@@ -767,8 +666,17 @@ sub handler {
# ------------------------------------------------------------- This is allowed
if ($env{'request.course.id'}) {
&Apache::lonnet::countacc($requrl);
+ $requrl=~/\.(\w+)$/;
my $query=$r->args;
- if ($check_symb) {
+ if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
+ ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) ||
+ ($requrl=~/^\/adm\/wrapper\//) ||
+ ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
+ ($requrl=~m|\.problem/smpedit$|) ||
+ ($requrl=~/^\/public\/.*\/syllabus$/) ||
+ ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
+ ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/) ||
+ ($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
# ------------------------------------- This is serious stuff, get symb and log
my $symb;
if ($query) {
@@ -776,42 +684,17 @@ sub handler {
}
if ($env{'form.symb'}) {
$symb=&Apache::lonnet::symbclean($env{'form.symb'});
- if (($requrl eq '/adm/navmaps') ||
- ($requrl =~ m{^/adm/wrapper/}) ||
- ($requrl =~ m{^/adm/coursedocs/showdoc/})) {
- unless (&Apache::lonnet::symbverify($symb,$requrl)) {
- if (&Apache::lonnet::is_on_map($requrl)) {
- $symb = &Apache::lonnet::symbread($requrl);
- unless (&Apache::lonnet::symbverify($symb,$requrl)) {
- undef($symb);
- }
- }
- }
- if ($symb) {
- if ($requrl eq '/adm/navmaps') {
- my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- &Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
- } elsif (($requrl =~ m{^/adm/wrapper/}) ||
- ($requrl =~ m{^/adm/coursedocs/showdoc/})) {
- my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- if ($map =~ /\.page$/) {
- my $mapsymb = &Apache::lonnet::symbread($map);
- ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
- }
- &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
- 'last_known' =>[$murl,$mid]);
- }
- }
+ if ($requrl =~ m|^/adm/wrapper/|
+ || $requrl =~ m|^/adm/coursedocs/showdoc/|) {
+ my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
+ &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
+ 'last_known' =>[$murl,$mid]);
} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) ||
(($requrl=~m|(.*)/smpedit$|) &&
&Apache::lonnet::symbverify($symb,$1)) ||
(($requrl=~m|(.*/aboutme)/portfolio$|) &&
&Apache::lonnet::symbverify($symb,$1))) {
my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- if (($map =~ /\.page$/) && ($requrl !~ /\.page$/)) {
- my $mapsymb = &Apache::lonnet::symbread($map);
- ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
- }
&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
'last_known' =>[$murl,$mid]);
} else {
@@ -825,72 +708,24 @@ sub handler {
if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
$requrl = $1;
}
- $symb=&Apache::lonnet::symbread($requrl);
- if (&Apache::lonnet::is_on_map($requrl) && $symb) {
- my ($encstate,$invalidsymb);
- unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
- $invalidsymb = 1;
- #
- # If $env{'request.enc'} inconsistent with encryption expected for $symb
- # retrieved by lonnet::symbread(), call again to check for an instance of
- # $requrl in the course for which expected encryption matches request.enc.
- # If symb for different instance passes lonnet::symbverify(), use that as
- # the symb for $requrl and call &Apache::lonnet::allowed() for that symb.
- # Report invalid symb if there is no other symb. Redirect to /adm/ambiguous
- # if multiple possible symbs consistent with request.enc available for $requrl.
- #
- if (($env{'request.enc'} && !$encstate) || (!$env{'request.enc'} && $encstate)) {
- my %possibles;
- my $nocache = 1;
- my $oldsymb = $symb;
- $symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
- if (($symb) && ($symb ne $oldsymb)) {
- if (&Apache::lonnet::symbverify($symb,$requrl)) {
- my $access=&Apache::lonnet::allowed('bre',$requrl,$symb);
- if ($access eq 'B') {
- $env{'request.symb'} = $symb;
- &Apache::blockedaccess::setup_handler($r);
- return OK;
- } elsif (($access eq '2') || ($access eq 'F')) {
- $invalidsymb = '';
- }
- }
- } elsif (keys(%possibles) > 1) {
- $r->internal_redirect('/adm/ambiguous');
- return OK;
- }
- }
- if ($invalidsymb) {
- if ($requrl eq '/adm/navmaps') {
- undef(symb);
- } else {
- $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
- $env{'user.error.msg'}=
- "$requrl:bre:1:1:Invalid Access";
- return HTTP_NOT_ACCEPTABLE;
- }
- }
- }
- }
- if ($symb) {
- my ($map,$mid,$murl)=
- &Apache::lonnet::decode_symb($symb);
- if ($requrl eq '/adm/navmaps') {
- &Apache::lonnet::symblist($map,$murl =>[$murl,$mid]);
- } else {
- if (($map =~ /\.page$/) && ($requrl !~ /\.page$/)) {
- my $mapsymb = &Apache::lonnet::symbread($map);
- ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
- }
- &Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
- 'last_known' =>[$murl,$mid]);
- }
+ unless ($suppext) {
+ $symb=&Apache::lonnet::symbread($requrl);
+ if (&Apache::lonnet::is_on_map($requrl) && $symb &&
+ !&Apache::lonnet::symbverify($symb,$requrl)) {
+ $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
+ $env{'user.error.msg'}=
+ "$requrl:bre:1:1:Invalid Access";
+ return HTTP_NOT_ACCEPTABLE;
+ }
+ if ($symb) {
+ my ($map,$mid,$murl)=
+ &Apache::lonnet::decode_symb($symb);
+ &Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
+ 'last_known' =>[$murl,$mid]);
+ }
}
}
$env{'request.symb'}=$symb;
- if (($env{'request.symbread.cached.'}) && ($env{'request.symbread.cached.'} ne $symb)) {
- $env{'request.symbread.cached.'} = $symb;
- }
&Apache::lonnet::courseacclog($symb);
} else {
# ------------------------------------------------------- This is other content
@@ -935,8 +770,8 @@ sub handler {
}
# ------------------------------------ See if this is a viewable portfolio file
if (&Apache::lonnet::is_portfolio_url($requrl)) {
- my $clientip = &Apache::lonnet::get_requestor_ip($r);
- my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
+ my $clientip = $r->get_remote_host();
+ my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
if ($access eq 'A') {
&Apache::restrictedaccess::setup_handler($r);
return OK;
500 Internal Server Error
Internal Server Error
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
root@localhost to inform them of the time this error occurred,
and the actions you performed just before this error.
More information about this error may be available
in the server error log.