--- loncom/auth/loncacc.pm	2005/04/07 06:56:21	1.38
+++ loncom/auth/loncacc.pm	2009/10/07 14:47:48	1.50
@@ -2,7 +2,7 @@
 # Cookie Based Access Handler for Construction Area
 # (lonacc: 5/21/99,5/22,5/29,5/31 Gerd Kortemeyer)
 #
-# $Id: loncacc.pm,v 1.38 2005/04/07 06:56:21 albertel Exp $
+# $Id: loncacc.pm,v 1.50 2009/10/07 14:47:48 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -27,20 +27,78 @@
 # http://www.lon-capa.org/
 #
 
+=pod
+
+=head1 NAME
+
+Apache::lonacc - Cookie Based Access Handler for Construction Area
+
+=head1 SYNOPSIS
+
+Invoked (for various locations) by /etc/httpd/conf/loncapa_apache.conf:
+
+ PerlAccessHandler       Apache::loncacc
+
+=head1 INTRODUCTION
+
+This module enables cookie based authentication for construction area
+and is used to control access for three (essentially equivalent) URIs.
+
+ <LocationMatch "^/priv.*">
+ <LocationMatch "^/\~.*">
+ <LocationMatch "^/\~.*/$">
+
+Whenever the client sends the cookie back to the server, 
+if the cookie is missing or invalid, the user is re-challenged
+for login information.
+
+This is part of the LearningOnline Network with CAPA project
+described at http://www.lon-capa.org.
+
+=head1 HANDLER SUBROUTINE
+
+This routine is called by Apache and mod_perl.
+
+=over 4
+
+=item *
+
+load POST parameters
+
+=item *
+
+store where they wanted to go (first url entered)
+
+=back
+
+=head1 OTHERSUBROUTINES
+
+=over
+
+=item constructaccess($url,$ownerdomain)
+
+See if the owner domain and name
+in the URL match those in the expected environment.  If so, return 
+two element list ($ownername,$ownerdomain).  Else, return null string.
+
+=back
+
+=cut
+
+
 package Apache::loncacc;
 
 use strict;
 use Apache::Constants qw(:common :http :methods REDIRECT);
-use Apache::File;
-use CGI::Cookie();
 use Fcntl qw(:flock);
 use Apache::lonlocal;
 use Apache::lonnet;
-
+use Apache::lonacc;
+use LONCAPA qw(:DEFAULT :match);
 
 sub constructaccess {
-    my ($url,$ownerdomain)=@_;
-    my ($ownername)=($url=~/\/(?:\~|priv\/|home\/)(\w+)\//);
+    my ($url,$ownerdomain,$setpriv)=@_;
+    my ($ownername)=($url=~/\/(?:\~|priv\/|home\/)($match_username)\//);
     unless (($ownername) && ($ownerdomain)) { return ''; }
     # We do not allow editing of previous versions of files.
     if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }
@@ -54,55 +112,80 @@ sub constructaccess {
     }
     
     foreach my $domain (@possibledomains) {
-	my $capriv='user.priv.ca./'.$domain.'/'.$ownername.'./';
-	foreach (keys %env) {
-	    if ($_ eq $capriv) {
-		return ($ownername,$domain);
-	    }
+	if (exists($env{'user.priv.ca./'.$domain.'/'.$ownername.'./'}) ||
+	    exists($env{'user.priv.aa./'.$domain.'/'.$ownername.'./'}) ) {
+	    return ($ownername,$domain);
 	}
     }
+
+    my $then=$env{'user.login.time'};
+    my %dcroles = ();
+    if (&is_active_dc($ownerdomain,$then)) {
+        my %blocked=&Apache::lonnet::get('environment',['domcoord.author'],
+                                         $ownerdomain,$ownername);
+        unless ($blocked{'domcoord.author'} eq 'blocked') {
+            if (grep(/^$ownerdomain$/,@possibledomains)) {
+                if ($setpriv) {
+                    my $now = time;
+                    &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
+                                                       $then,$now,'ca');
+                }
+                return($ownername,$ownerdomain);
+            }
+        }
+    }
     return '';
 }
 
+sub is_active_dc {
+    my ($ownerdomain,$then) = @_;
+    my $livedc;
+    if ($env{'user.adv'}) {
+        my $domrole = $env{'user.role.dc./'.$ownerdomain.'/'};
+        if ($domrole) {
+            my ($tstart,$tend)=split(/\./,$domrole);
+            $livedc = 1;
+            if ($tstart && $tstart>$then) { undef($livedc); }
+            if ($tend   && $tend  <$then) { undef($livedc); }
+        }
+    }
+    return $livedc;
+}
+
+
 sub handler {
     my $r = shift;
     my $requrl=$r->uri;
     $env{'request.editurl'}=$requrl;
-    my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
-    my $lonid=$cookies{'lonID'};
-    my $cookie;
-    if ($lonid) {
-	my $handle=$lonid->value;
-        $handle=~s/\W//g;
-        my $lonidsdir=$r->dir_config('lonIDsDir');
-        if ((-e "$lonidsdir/$handle.id") && ($handle ne '')) {
 
-# ------------------------------------------------------ Initialize Environment
+    my $handle =  &Apache::lonnet::check_for_valid_session($r);
+    if ($handle ne '') {
 
-            &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
+# ------------------------------------------------------ Initialize Environment
+        my $lonidsdir=$r->dir_config('lonIDsDir');
+	&Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
 
 # --------------------------------------------------------- Initialize Language
  
- 	    &Apache::lonlocal::get_language_handle($r);
+	&Apache::lonlocal::get_language_handle($r);
 
 # -------------------------------------------------------------- Resource State
 
-            $env{'request.state'}    = "construct";
-            $env{'request.filename'} = $r->filename;
+	$env{'request.state'}    = "construct";
+	$env{'request.filename'} = $r->filename;
 
-            unless (&constructaccess($requrl,$r->dir_config('lonDefDomain'))) {
-                $r->log_reason("Unauthorized $requrl", $r->filename); 
-	        return HTTP_NOT_ACCEPTABLE;
-            }
+	unless (&constructaccess($requrl,$r->dir_config('lonDefDomain'),'setpriv')) {
+	    $r->log_reason("Unauthorized $requrl", $r->filename); 
+	    return HTTP_NOT_ACCEPTABLE;
+	}
 
 # -------------------------------------------------------- Load POST parameters
 
-	    &Apache::loncommon::get_posted_cgi($r);
+	&Apache::lonacc::get_posted_cgi($r);
 
-            return OK; 
-        } else { 
-            $r->log_reason("Cookie $handle not valid", $r->filename) 
-        };
+	return OK; 
+    } else { 
+	$r->log_reason("Cookie $handle not valid", $r->filename) 
     }
 
 # ----------------------------------------------- Store where they wanted to go
@@ -114,61 +197,6 @@ sub handler {
 1;
 __END__
 
-=head1 NAME
-
-Apache::lonacc - Cookie Based Access Handler for Construction Area
-
-=head1 SYNOPSIS
-
-Invoked (for various locations) by /etc/httpd/conf/loncapa_apache.conf:
-
- PerlAccessHandler       Apache::loncacc
-
-=head1 INTRODUCTION
-
-This module enables cookie based authentication for construction area
-and is used to control access for three (essentially equivalent) URIs.
-
- <LocationMatch "^/priv.*">
- <LocationMatch "^/\~.*">
- <LocationMatch "^/\~.*/$">
-
-Whenever the client sends the cookie back to the server, 
-if the cookie is missing or invalid, the user is re-challenged
-for login information.
-
-This is part of the LearningOnline Network with CAPA project
-described at http://www.lon-capa.org.
-
-=head1 HANDLER SUBROUTINE
-
-This routine is called by Apache and mod_perl.
-
-=over 4
-
-=item *
-
-load POST parameters
-
-=item *
-
-store where they wanted to go (first url entered)
-
-=back
-
-=head1 OTHERSUBROUTINES
-
-=over 4
-
-=item *
-
-constructaccess($url,$ownerdomain) : See if the owner domain and name
-in the URL match those in the expected environment.  If so, return 
-two element list ($ownername,$ownerdomain).  Else, return null string.
-
-=back
-
-=cut