loncom/auth/lonauth.pm - diff

Return to lonauth.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonauth.pm between versions 1.121.2.15 and 1.121.2.17

-version 1.121.2.15, 2017/01/21 21:25:26
+version 1.121.2.17, 2019/08/01 00:42:34
  Line 32  use strict;
  use LONCAPA;
  use Apache::Constants qw(:common);
  use CGI qw(:standard);
- use DynaLoader; # for Crypt::DES version
- use Crypt::DES;
  use Apache::loncommon();
  use Apache::lonnet;
  use Apache::lonmenu();
- Line 73  sub success {
+ Line 71  sub success {
      }
  # ------------------------------------------------------------ Get cookie ready
-     $cookie="lonID=$cookie; path=/";
+     $cookie="lonID=$cookie; path=/; HttpOnly";
  # -------------------------------------------------------- Menu script and info
      my $destination = $lowerurl;
- Line 301  sub handler {
+ Line 299  sub handler {
  # split user logging in and "su"-user
-     ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
+     ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
      $form{'uname'} = &LONCAPA::clean_username($form{'uname'});
      $form{'suname'}= &LONCAPA::clean_username($form{'suname'});
-     $form{'udom'}  = &LONCAPA::clean_domain(  $form{'udom'});
+     $form{'udom'}  = &LONCAPA::clean_domain($form{'udom'});
+     $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
      my $role   = $r->dir_config('lonRole');
      my $domain = $r->dir_config('lonDefDomain');
- Line 429  sub handler {
+ Line 428  sub handler {
  # --------------------------------- Are we attempting to login as somebody else?
      if ($form{'suname'}) {
+         my ($suname,$sudom,$sudomref);
+         $suname = $form{'suname'};
+         $sudom = $form{'udom'};
+         if ($form{'sudom'}) {
+             unless ($sudom eq $form{'sudom'}) {
+                 if (&Apache::lonnet::domain($form{'sudom'})) {
+                     $sudomref = [$form{'sudom'}];
+                     $sudom = $form{'sudom'};
+                 }
+             }
+         }
  # ------------ see if the original user has enough privileges to pull this stunt
- 	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
+ 	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
  # ---------------------------------------------------- see if the su-user exists
- 	    unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
+ 	    unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
- 		eq 'no_host') {
- 		&Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
  # ------------------------------ see if the su-user is not too highly privileged
- 		unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
+ 		if (&Apache::lonnet::privileged($suname,$sudom)) {
+                     &Apache::lonnet::logthis('Attempted switch user to privileged user');
+                 } else {
+                     my $noprivswitch;
+ #
+ # su-user's home server and user's home server must have one of:
+ # (a) same domain
+ # (b) same primary library server for the two domains
+ # (c) same "internet domain" for primary library server(s) for home servers' domains
+ #
+                     my $suprim = &Apache::lonnet::domain($sudom,'primary');
+                     my $suintdom = &Apache::lonnet::internet_dom($suprim);
+                     unless ($sudom eq $form{'udom'}) {
+                         my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');
+                         my $uintdom = &Apache::lonnet::internet_dom($uprim);
+                         unless ($suprim eq $uprim) {
+                             unless ($suintdom eq $uintdom) {
+                                 &Apache::lonnet::logthis('Attempted switch user '
+                                    .'to user with different "internet domain".');
+                                 $noprivswitch = 1;
+                             }
+                         }
+                     }
+                     unless ($noprivswitch) {
+ #
+ # server where log-in occurs must have same "internet domain" as su-user's home
+ # server
+ #
+                         my $lonhost = $r->dir_config('lonHostID');
+                         my $hostintdom = &Apache::lonnet::internet_dom($lonhost);
+                         if ($hostintdom ne $suintdom) {
+                             &Apache::lonnet::logthis('Attempted switch user on a '
+                                 .'server with a different "internet domain".');
+                         } else {
  # -------------------------------------------------------- actually switch users
- 		    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
- 			' logging in as '.$form{'suname'});
+ 			    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.
- 		    $form{'uname'}=$form{'suname'};
+ 				$form{'udom'}.' logging in as '.$suname.':'.$sudom);
- 		} else {
+ 			    $form{'uname'}=$suname;
- 		    &Apache::lonnet::logthis('Attempted switch user to privileged user');
+                             if ($form{'udom'} ne $sudom) {
+                                 $form{'udom'}=$sudom;
+                             }
+                         }
+                     }
  		}
  	    }
  	} else {

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.121.2.15
changed lines
	Added in v.1.121.2.17