--- loncom/auth/lonacc.pm 2020/12/18 15:23:03 1.184
+++ loncom/auth/lonacc.pm 2021/10/26 14:12:50 1.197
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.184 2020/12/18 15:23:03 raeburn Exp $
+# $Id: lonacc.pm,v 1.197 2021/10/26 14:12:50 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -305,7 +305,7 @@ sub sso_login {
my $query = $r->args;
my %form;
if ($query) {
- my @items = ('role','symb','iptoken');
+ my @items = ('role','symb','iptoken','origurl','ltoken','linkkey');
&Apache::loncommon::get_unprocessed_cgi($query,\@items);
foreach my $item (@items) {
if (defined($env{'form.'.$item})) {
@@ -323,6 +323,16 @@ sub sso_login {
}
}
+ my ($linkprot,$linkkey);
+ if ($form{'ltoken'}) {
+ my %link_info = &Apache::lonnet::tmpget($form{'ltoken'});
+ $linkprot = $link_info{'linkprot'};
+ my $delete = &Apache::lonnet::tmpdel($form{'ltoken'});
+ }
+ if ($form{'linkkey'} ne '') {
+ $linkkey = $form{'linkkey'};
+ }
+
my $domain = $r->dir_config('lonSSOUserDomain');
if ($domain eq '') {
$domain = $r->dir_config('lonDefDomain');
@@ -349,7 +359,7 @@ sub sso_login {
my $lowest_load;
($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);
if ($lowest_load > 100) {
- $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$domain);
+ $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$domain);
}
if ($otherserver ne '') {
my @hosts = &Apache::lonnet::current_machine_ids();
@@ -367,11 +377,23 @@ sub sso_login {
foreach my $item (keys(%form)) {
$env{'form.'.$item} = $form{$item};
}
- unless ($form{'symb'}) {
+ unless (($form{'symb'}) || ($form{'origurl'})) {
unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/sso')) {
$env{'form.origurl'} = $r->uri;
}
}
+ if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) {
+ $env{'request.deeplink.login'} = $form{'origurl'};
+ } elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) {
+ $env{'request.deeplink.login'} = $r->uri;
+ }
+ if ($env{'request.deeplink.login'}) {
+ if ($linkprot) {
+ $env{'request.linkprot'} = $linkprot;
+ } elsif ($linkkey ne '') {
+ $env{'request.linkkey'} = $linkkey;
+ }
+ }
$env{'request.sso.login'} = 1;
if (defined($r->dir_config("lonSSOReloginServer"))) {
$env{'request.sso.reloginserver'} =
@@ -393,16 +415,28 @@ sub sso_login {
'server' => $r->dir_config('lonHostID'),
'sso.login' => 1
);
- foreach my $item ('role','symb','iptoken') {
+ foreach my $item ('role','symb','iptoken','origurl') {
if (exists($form{$item})) {
$info{$item} = $form{$item};
}
}
- unless ($info{'symb'}) {
+ unless (($info{'symb'}) || ($info{'origurl'})) {
unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/sso')) {
$info{'origurl'} = $r->uri;
}
}
+ if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) {
+ $info{'deeplink.login'} = $form{'origurl'};
+ } elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) {
+ $info{'deeplink.login'} = $r->uri;
+ }
+ if ($info{'deeplink.login'}) {
+ if ($linkprot) {
+ $info{'linkprot'} = $linkprot;
+ } elsif ($linkkey ne '') {
+ $info{'linkkey'} = $linkkey;
+ }
+ }
if ($r->dir_config("ssodirecturl") == 1) {
$info{'origurl'} = $r->uri;
}
@@ -479,7 +513,7 @@ sub handler {
if ($handle eq '') {
unless ((($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) ||
($requrl =~ m{^/public/$match_domain/$match_courseid/syllabus}) ||
- ($requrl =~ m{^/adm/help/}) ||
+ ($requrl =~ m{^/adm/help/}) || ($requrl eq '/adm/sso') ||
($requrl =~ m{^/res/$match_domain/$match_username/})) {
$r->log_reason("Cookie not valid", $r->filename);
}
@@ -559,7 +593,7 @@ sub handler {
my $hostname = $r->hostname();
my $lonhost = &Apache::lonnet::host_from_dns($hostname);
if ($lonhost) {
- my $actual = &Apache::lonnet::absolute_url($hostname);
+ my $actual = &Apache::lonnet::absolute_url($hostname,1,1);
my $exphostname = &Apache::lonnet::hostname($lonhost);
my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
unless ($actual eq $expected) {
@@ -616,24 +650,35 @@ sub handler {
}
# ---------------------------------------------------------------- Check access
my $now = time;
- my $check_symb;
+ my ($check_symb,$check_access,$check_block,$access,$poss_symb);
if ($requrl !~ m{^/(?:adm|public|(?:prt|zip)spool)/}
|| $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) {
- my ($access,$poss_symb);
- if (($env{'request.course.id'}) && (!$suppext)) {
- $requrl=~/\.(\w+)$/;
- if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
- ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) ||
- ($requrl=~/^\/adm\/wrapper\//) ||
- ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
- ($requrl=~m|\.problem/smpedit$|) ||
- ($requrl=~/^\/public\/.*\/syllabus$/) ||
- ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
- ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/) ||
- ($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
- $check_symb = 1;
- }
+ $check_access = 1;
+ }
+ if ((!$check_access) && ($env{'request.course.id'})) {
+ if (($requrl eq '/adm/viewclasslist') ||
+ ($requrl =~ m{^(/adm/wrapper|)\Q/uploaded/$cdom/$cnum/docs/\E}) ||
+ ($requrl =~ m{^/adm/.*/aboutme$}) ||
+ ($requrl=~m{^/adm/coursedocs/showdoc/}) ||
+ ($requrl=~m{^(/adm/wrapper|)/adm/$cdom/$cnum/\d+/ext\.tool$})) {
+ $check_block = 1;
+ }
+ }
+ if (($env{'request.course.id'}) && (!$suppext)) {
+ $requrl=~/\.(\w+)$/;
+ if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
+ ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) ||
+ ($requrl=~/^\/adm\/wrapper\//) ||
+ ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
+ ($requrl=~m|\.problem/smpedit$|) ||
+ ($requrl=~/^\/public\/.*\/syllabus$/) ||
+ ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
+ ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/) ||
+ ($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
+ $check_symb = 1;
}
+ }
+ if (($check_access) || ($check_block)) {
if ($check_symb) {
if ($env{'form.symb'}) {
$poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});
@@ -653,13 +698,18 @@ sub handler {
if ($poss_symb) {
my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);
$url = &Apache::lonnet::clutter($url);
- unless (($url eq $requrl) && (&Apache::lonnet::is_on_map($possmap))) {
+ my $toplevelmap = $env{'course.'.$env{'request.course.id'}.'.url'};
+ unless (($url eq $requrl) && (($possmap eq $toplevelmap) ||
+ (&Apache::lonnet::is_on_map($possmap)))) {
undef($poss_symb);
}
if ($poss_symb) {
if ((!$env{'request.role.adv'}) && ($env{'acc.randomout'}) &&
($env{'acc.randomout'}=~/\&\Q$poss_symb\E\&/)) {
undef($poss_symb);
+ } elsif ((!$env{'request.role.adv'}) && ($env{'acc.deeplinkout'}) &&
+ ($env{'acc.deeplinkout'}=~/\&\Q$poss_symb\E\&/)) {
+ undef($poss_symb);
}
}
}
@@ -669,8 +719,31 @@ sub handler {
$access=&Apache::lonnet::allowed('bre',$requrl,'','','','',1);
}
} else {
- $access=&Apache::lonnet::allowed('bre',$requrl);
+ my $nodeeplinkcheck;
+ if (($check_access) && ($requrl =~ /\.(sequence|page)$/)) {
+ unless ($env{'form.navmap'}) {
+ if ($r->args ne '') {
+ &Apache::loncommon::get_unprocessed_cgi($r->args,['navmap']);
+ unless ($env{'form.navmap'}) {
+ $nodeeplinkcheck = 1;
+ }
+ }
+ }
+ }
+ $access=&Apache::lonnet::allowed('bre',$requrl,'','','','','',$nodeeplinkcheck);
}
+ }
+ if ($check_block) {
+ if ($access eq 'B') {
+ if ($poss_symb) {
+ if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
+ $env{'request.symb'} = $poss_symb;
+ }
+ }
+ &Apache::blockedaccess::setup_handler($r);
+ return OK;
+ }
+ } elsif ($check_access) {
if ($handle eq '') {
unless ($access eq 'F') {
if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
@@ -688,9 +761,6 @@ sub handler {
}
if ($access eq 'B') {
if ($poss_symb) {
- if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
- $requrl = $1;
- }
if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
$env{'request.symb'} = $poss_symb;
}
@@ -767,18 +837,32 @@ sub handler {
}
if ($env{'form.symb'}) {
$symb=&Apache::lonnet::symbclean($env{'form.symb'});
- if ($requrl eq '/adm/navmaps') {
- my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- &Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
- } elsif ($requrl =~ m|^/adm/wrapper/|
- || $requrl =~ m|^/adm/coursedocs/showdoc/|) {
- my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- if ($map =~ /\.page$/) {
- my $mapsymb = &Apache::lonnet::symbread($map);
- ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
+ if (($requrl eq '/adm/navmaps') ||
+ ($requrl =~ m{^/adm/wrapper/}) ||
+ ($requrl =~ m{^/adm/coursedocs/showdoc/})) {
+ unless (&Apache::lonnet::symbverify($symb,$requrl)) {
+ if (&Apache::lonnet::is_on_map($requrl)) {
+ $symb = &Apache::lonnet::symbread($requrl);
+ unless (&Apache::lonnet::symbverify($symb,$requrl)) {
+ undef($symb);
+ }
+ }
+ }
+ if ($symb) {
+ if ($requrl eq '/adm/navmaps') {
+ my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
+ &Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
+ } elsif (($requrl =~ m{^/adm/wrapper/}) ||
+ ($requrl =~ m{^/adm/coursedocs/showdoc/})) {
+ my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
+ if ($map =~ /\.page$/) {
+ my $mapsymb = &Apache::lonnet::symbread($map);
+ ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
+ }
+ &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
+ 'last_known' =>[$murl,$mid]);
+ }
}
- &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
- 'last_known' =>[$murl,$mid]);
} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) ||
(($requrl=~m|(.*)/smpedit$|) &&
&Apache::lonnet::symbverify($symb,$1)) ||
@@ -838,10 +922,14 @@ sub handler {
}
}
if ($invalidsymb) {
- $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
- $env{'user.error.msg'}=
- "$requrl:bre:1:1:Invalid Access";
- return HTTP_NOT_ACCEPTABLE;
+ if ($requrl eq '/adm/navmaps') {
+ undef($symb);
+ } else {
+ $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
+ $env{'user.error.msg'}=
+ "$requrl:bre:1:1:Invalid Access";
+ return HTTP_NOT_ACCEPTABLE;
+ }
}
}
}
500 Internal Server Error
Internal Server Error
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
root@localhost to inform them of the time this error occurred,
and the actions you performed just before this error.
More information about this error may be available
in the server error log.