--- loncom/auth/loncacc.pm 2011/10/24 22:39:14 1.55 +++ loncom/auth/loncacc.pm 2012/10/29 17:39:06 1.60 @@ -2,7 +2,7 @@ # Cookie Based Access Handler for Construction Area # (lonacc: 5/21/99,5/22,5/29,5/31 Gerd Kortemeyer) # -# $Id: loncacc.pm,v 1.55 2011/10/24 22:39:14 www Exp $ +# $Id: loncacc.pm,v 1.60 2012/10/29 17:39:06 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -42,11 +42,11 @@ Invoked (for various locations) by /etc/ =head1 INTRODUCTION This module enables cookie based authentication for construction area -and is used to control access for three (essentially equivalent) URIs. +and is used to control access for the following two types of URI +(one for files, and one for directories): - - + Whenever the client sends the cookie back to the server, if the cookie is missing or invalid, the user is re-challenged @@ -71,18 +71,6 @@ store where they wanted to go (first url =back -=head1 OTHERSUBROUTINES - -=over - -=item constructaccess($url,$setpriv) - -See if the owner domain and name -in the URL match those in the expected environment. If so, return -two element list ($ownername,$ownerdomain). Else, return null string. -If 'setpriv' is set to 'setpriv', it actually assigns the privileges. -=back - =cut @@ -96,65 +84,6 @@ use Apache::lonnet; use Apache::lonacc; use LONCAPA qw(:DEFAULT :match); -sub constructaccess { - my ($url,$setpriv)=@_; - -# We do not allow editing of previous versions of files - if ($url=~/\.(\d+)\.(\w+)$/) { return ''; } - -# Get username and domain from URL - my ($ownerdomain,$ownername)=($url=~/^\/priv\/($match_domain)\/($match_username)\//); - -# The URL does not really point to any authorspace, forget it - unless (($ownername) && ($ownerdomain)) { return ''; } - -# Now we need to see if the user has access to the authorspace of -# $ownername at $ownerdomain - - if (($ownername eq $env{'user.name'}) && ($ownerdomain eq $env{'user.domain'})) { -# Real author for this? - if (exists($env{'user.priv.au./'.$ownerdomain.'/./'})) { - return ($ownername,$ownerdomain); - } - } else { -# Co-author for this? - if (exists($env{'user.priv.ca./'.$ownerdomain.'/'.$ownername.'./'}) || - exists($env{'user.priv.aa./'.$ownerdomain.'/'.$ownername.'./'}) ) { - return ($ownername,$ownerdomain); - } - } -# We don't have any access right now. If we are not possibly going to do anything about this, -# we might as well leave - unless ($setpriv) { return ''; } - -# Backdoor access? - my $allowed=&Apache::lonnet::allowed('eco',$ownerdomain); -# Nope - unless ($allowed) { return ''; } -# Looks like we may have access, but could be locked by the owner of the construction space - if ($allowed eq 'U') { - my %blocked=&Apache::lonnet::get('environment',['domcoord.author'], - $ownerdomain,$ownername); -# Is blocked by owner - if ($blocked{'domcoord.author'} eq 'blocked') { return ''; } - } - if (($allowed eq 'F') || ($allowed eq 'U')) { -# Grant temporary access - my $then=$env{'user.login.time'}; - my $update==$env{'user.update.time'}; - if (!$update) { $update = $then; } - my $refresh=$env{'user.refresh.time'}; - if (!$refresh) { $refresh = $update; } - my $now = time; - &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername, - $update,$refresh,$now,'ca', - 'constructaccess'); - return($ownername,$ownerdomain); - } -# No business here - return ''; -} - sub handler { my $r = shift; my $requrl=$r->uri; @@ -176,7 +105,19 @@ sub handler { $env{'request.state'} = "construct"; $env{'request.filename'} = $r->filename; - unless (&constructaccess($requrl,'setpriv')) { + my $allowed; + my ($ownername,$ownerdom,$ownerhome) = + &Apache::lonnet::constructaccess($requrl,'setpriv'); + if (($ownername ne '') && ($ownerdom ne '') && ($ownerhome ne '')) { + unless ($ownerhome eq 'no_host') { + my @hosts = &Apache::lonnet::current_machine_ids(); + if (grep(/^\Q$ownerhome\E$/,@hosts)) { + $allowed = 1; + } + } + } + + unless ($allowed) { $r->log_reason("Unauthorized $requrl", $r->filename); return HTTP_NOT_ACCEPTABLE; } @@ -186,7 +127,7 @@ sub handler { &Apache::lonacc::get_posted_cgi($r); return OK; - } else { + } else { $r->log_reason("Cookie $handle not valid", $r->filename) } @@ -199,10 +140,3 @@ sub handler { 1; __END__ - - - - - - -