--- loncom/auth/lonlogin.pm	2022/05/25 18:05:56	1.196
+++ loncom/auth/lonlogin.pm	2022/06/18 02:10:18	1.199
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.196 2022/05/25 18:05:56 raeburn Exp $
+# $Id: lonlogin.pm,v 1.199 2022/06/18 02:10:18 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -68,6 +68,9 @@ sub handler {
             $env{'form.ltoken'} = $info{'ltoken'};
         } elsif ($info{'linkprot'}) {
             $env{'form.linkprot'} = $info{'linkprot'};
+            if ($info{'linkprotuser'} ne '') {
+                $env{'form.linkprotuser'} = $info{'linkprotuser'};
+            }
         } elsif ($info{'linkkey'} ne '') {
             $env{'form.linkkey'} = $info{'linkkey'};
         }
@@ -181,6 +184,9 @@ sub handler {
                     $link_info{'ltoken'} = $env{'form.ltoken'};
                 } elsif ($env{'form.linkprot'}) {
                     $link_info{'linkprot'} = $env{'form.linkprot'};
+                    if ($env{'form.linkprotuser'} ne '') {
+                        $link_info{'linkprotuser'} = $env{'form.linkprotuser'};
+                    }
                 } elsif ($env{'form.linkkey'} ne '') {
                     $link_info{'linkkey'} = $env{'form.linkkey'};
                 }
@@ -249,16 +255,31 @@ sub handler {
             $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
         }
         if (($env{'form.ltoken'}) || ($env{'form.linkprot'})) {
-            my $linkprot;
+            my ($linkprot,$linkprotuser);
             if ($env{'form.ltoken'}) {
                 my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
                 $linkprot = $info{'linkprot'};
+                if ($info{'linkprotuser'} ne '') {
+                    $linkprotuser = $info{'linkprotuser'};
+                } 
                 my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
             } else {
                 $linkprot = $env{'form.linkprot'};
+                $linkprotuser = $env{'form.linkprotuser'};
             }
             if ($linkprot) {
                 my ($linkprotector,$deeplink) = split(/:/,$linkprot,2);
+                if (($deeplink =~ m{^/tiny/$match_domain/\w+$}) &&
+                    ($linkprotuser ne '') && ($linkprotuser ne $env{'user.name'}.':'.$env{'user.domain'})) {
+                    my $ip = &Apache::lonnet::get_requestor_ip();
+                    my %linkprotinfo = (
+                                          origurl => $deeplink,
+                                          linkprot => $linkprot,
+                                          linkprotuser => $linkprotuser,
+                                       );    
+                    &Apache::migrateuser::logout($r,$ip,$handle,undef,undef,\%linkprotinfo);
+                    return OK;
+                }
                 if ($env{'user.linkprotector'}) {
                     my @protectors = split(/,/,$env{'user.linkprotector'});
                     unless (grep(/^\Q$linkprotector\E$/,@protectors)) {
@@ -429,7 +450,7 @@ sub handler {
 
 # -------------------------------------------------------- Store away log token
     my ($tokenextras,$tokentype,$linkprot_for_login);
-    my @names = ('role','symb','iptoken','ltoken','linkprot','linkkey');
+    my @names = ('role','symb','iptoken','ltoken','linkprotuser','linkprot','linkkey');
     foreach my $name (@names) {
         if ($env{'form.'.$name} ne '') {
             if ($name eq 'ltoken') {
@@ -437,13 +458,17 @@ sub handler {
                 if ($info{'linkprot'}) {
                     $linkprot_for_login = $info{'linkprot'};
                     $tokenextras .= '&linkprot='.&escape($info{'linkprot'});
+                    if ($info{'linkprotuser'}) {
+                        $tokenextras .= '&linkprotuser='.&escape($info{'linkprotuser'});
+                    }
                     $tokentype = 'link';
                     last;
                 }
             } else {
                 $tokenextras .= '&'.$name.'='.&escape($env{'form.'.$name});
                 if (($name eq 'linkkey') || ($name eq 'linkprot')) {
-                    if (($env{'form.retry'}) && (!$env{'form.ltoken'}) && ($name eq 'linkprot')) {
+                    if ((($env{'form.retry'}) || ($env{'form.sso'})) && 
+                        (!$env{'form.ltoken'}) && ($name eq 'linkprot')) {
                         $linkprot_for_login = $env{'form.linkprot'};
                     }
                     $tokentype = 'link';
@@ -907,7 +932,7 @@ ENDSAML
         my ($linkprotector,$linkproturi) = split(/:/,$linkprot_for_login,2);
         if (($linkprotector =~ /^\d+(c|d)$/) && ($linkproturi =~ m{^/+tiny/+$LONCAPA::match_domain/+\w+$})) {
             my $set_target;
-            if ($env{'form.retry'}) {
+            if (($env{'form.retry'}) || ($env{'form.sso'})) {
                 if ($linkproturi eq $env{'form.firsturl'}) {
                     $set_target = "    document.server.target = '_self';";
                 }
@@ -1031,6 +1056,7 @@ $versionrow
     <br style="clear:both;" />
  </div>
 
+$in_frame_js
 <script type="text/javascript">
 // <![CDATA[
 // the if prevents the script error if the browser can not handle this
@@ -1123,28 +1149,52 @@ sub redirect_page {
         $path = '/'.$path;
     }
     my $url = $protocol.'://'.$hostname.$path;
-    if ($env{'form.firsturl'} ne '') {
+    if ($env{'form.firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+        $url = $protocol.'://'.$hostname.$env{'form.firsturl'};
+        if (($env{'form.ltoken'}) || ($env{'form.linkprot'} ne '') ||
+            ($env{'form.linkkey'} ne '')) {
+            my %link_info;
+            if ($env{'form.ltoken'}) {
+                %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+                &Apache::lonnet::tmpdel($env{'form.ltoken'});
+            } elsif ($env{'form.linkprot'}) {
+                $link_info{'linkprot'} = $env{'form.linkprot'};
+                if ($env{'form.linkprotuser'}) {
+                    $link_info{'linkprotuser'} = $env{'form.linkprotuser'};
+                }
+            } elsif ($env{'form.linkkey'} ne '') {
+                $link_info{'linkkey'} = $env{'form.linkkey'};
+            }
+            my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
+            unless (($token eq 'con_lost') || ($token eq 'refused') ||
+                    ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                $url .= '?ltoken='.$token;
+            }
+        }
+    } else {
         my $querystring;
-        if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
-            $querystring = &uri_escape_utf8($env{'form.firsturl'});
-        } else {
-            $querystring = &uri_escape($env{'form.firsturl'});
+        if ($env{'form.firsturl'} ne '') {
+            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+                $querystring = &uri_escape_utf8($env{'form.firsturl'});
+            } else {
+                $querystring = &uri_escape($env{'form.firsturl'});
+            }
+            $querystring = &HTML::Entities::encode($querystring,"'");
+            $querystring = '?firsturl='.$querystring;
         }
-        $querystring = &HTML::Entities::encode($querystring,"'");
-        $url .='?firsturl='.$querystring;
-    }
-    if (($env{'form.ltoken'}) || ($env{'form.linkkey'} ne '')) {
-        my %link_info;
         if ($env{'form.ltoken'}) {
-            $link_info{'ltoken'} = $env{'form.ltoken'};
-        } elsif ($env{'form.linkkey'} ne '') {
-            $link_info{'linkkey'} = $env{'form.linkkey'};
-        }
-        my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
-        unless (($token eq 'con_lost') || ($token eq 'refused') ||
-                ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
-            $url .= (($url=~/\?/)?'&amp;':'?') . 'ttoken='.$token;
+            my %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+            &Apache::lonnet::tmpdel($env{'form.ltoken'});
+            my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
+            unless (($token eq 'con_lost') || ($token eq 'refused') || ($token =~ /^error:/) ||
+                    ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                unless (($path eq '/adm/roles') || ($path eq '/adm/login')) {
+                    $url = $protocol.'://'.$hostname.'/adm/roles';
+                }
+                $querystring .= (($querystring =~/^\?/)?'&amp;':'?') . 'ttoken='.$token;
+            }
         }
+        $url .= $querystring;
     }
     my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,
                                                     {'redirect' => [0,$url],});