--- loncom/auth/lonroles.pm 2021/04/19 23:07:33 1.347
+++ loncom/auth/lonroles.pm 2021/07/19 14:26:40 1.351
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # User Roles Screen
 #
-# $Id: lonroles.pm,v 1.347 2021/04/19 23:07:33 raeburn Exp $
+# $Id: lonroles.pm,v 1.351 2021/07/19 14:26:40 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -728,7 +728,7 @@ ENDCLOSE
 $furl .= '&orgurl='.&HTML::Entities::encode($env{'form.orgurl'},'<>&"');
 }
 if ($env{'form.symb'}) {
-$furl .= '&symb='.&HTML::Entities::encode($env{'form.symb'};
+$furl .= '&symb='.&HTML::Entities::encode($env{'form.symb'},'<>&"');
 }
 }
 if (($ferr) && ($tadv)) {
@@ -736,7 +736,7 @@ ENDCLOSE
 } else {
 if ($env{'request.course.id'} eq $cdom.'_'.$cnum) {
 if (($env{'form.orgurl'} ne '') && ($env{'form.symb'} ne '')) {
-unless (&Apache::lonnet::symbverify($env{'form.symb'},$env{'form.orgurl'}) {
+unless (&Apache::lonnet::symbverify($env{'form.symb'},$env{'form.orgurl'})) {
 $dest=$env{'form.orgurl'};
 }
 }
@@ -831,8 +831,9 @@ ENDCLOSE
 if (($dest =~ m{^\Q/public/$cdom/$cnum/syllabus\E.*(\?|\&)usehttp=1}) ||
 ($dest =~ m{^\Q/adm/wrapper/ext/\E(?!https:)})) {
 if ($ENV{'SERVER_PORT'} == 443) {
-unless (&Apache::lonnet::uses_sts()) {
-my $hostname = $r->hostname();
+my $hostname = $r->hostname();
+unless ((&Apache::lonnet::uses_sts()) ||
+(&Apache::lonnet::waf_allssl($hostname))) {
 if ($hostname ne '') {
 $dest = 'http://'.$hostname.$dest;
 }
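Review bot: The repaired call `$furl .= '&symb='.&HTML::Entities::encode($env{'form.symb'},'<>&"')` escapes for an HTML context while it is building a query-string value, so a symb or orgurl containing `&`, `?` or `=` would come through as `&amp;` and be split by whatever later parses `symb=`; the URL escaper whose inverse `&unescape` this file applies to `symb=` in the access check further down (presumably `&escape`) is the matching encoder, i.e. `'&symb='.&escape($env{'form.symb'})`. If `$furl` is later written into an HTML attribute, the entity encoding belongs at that emission point rather than in the stored value. I cannot see from this hunk where `$furl` is consumed, so this needs confirming against the caller. The block that assembles `$furl` starts and ends outside the hunk.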
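Review bot: `&Apache::lonnet::waf_allssl($hostname)` in the new `unless` is evaluated before the existing `if ($hostname ne '')` guard on the line below it, so it can now be called with an empty hostname; hoisting the guard so the lookup and the rewrite share it, `if ($hostname ne '') { unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) { $dest = 'http://'.$hostname.$dest; } }`, keeps one decision point. Separately, `$r->hostname()` reflects the request's Host header unless Apache is configured with UseCanonicalName, so both the waf_allssl lookup and the resulting plain-`http://` target are keyed on a client-supplied name; it is worth confirming that waf_allssl only answers for the server's configured hostnames, which is not visible here. The enclosing block starts before the hunk.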
@@ -901,23 +902,44 @@ ENDCLOSE
 }
 }
 # Are we allowed to look at the first resource?
-my $access;
-if ($furl =~ m{^(/adm/wrapper|)/ext/}) {
-# If it's an external resource,
-# strip off the symb argument and possible query
-my ($exturl,$symb) = ($furl =~ m{^(.+)(?:\?|\&)symb=(.+)$});
-# Unencode $symb
-$symb = &unescape($symb);
-# Then check for permission
-$access = &Apache::lonnet::allowed('bre',$exturl,$symb);
-# For other resources just check for permission
+#
+# $furl returned by lonuserstate::readmap() has format:
+# $url?symb=escaped($symb). If the resource has the
+# encrypturl parameter in effect, the entire string
+# $url?symb=escaped($symb) is encrypted as a string
+# beginning /enc/.
+#
+my ($access,$unencfurl,$unencsymb);
+if ($furl =~ m{^(.+)(?:\?|\&)symb=([^&]+)(?:$|&)}) {
+my ($poss_url,$poss_symb) = ($1,$2);
+$unencsymb = &unescape($poss_symb);
+$unencfurl = $poss_url;
+} elsif ($furl =~ m{^/enc/}) {
+my $unenc = &Apache::lonenc::unencrypted($furl);
+if ($unenc =~ m{^(.+)(?:\?|\&)symb=([^&]+)(?:$|&)}) {
+($unencfurl,$unencsymb) = ($1,$2);
+$unencsymb = &unescape($unencsymb);
+} else {
+$unencfurl = $unenc;
+}
 } else {
-$access = &Apache::lonnet::allowed('bre',$furl);
+$unencfurl = $furl;
 }
-if (!$access) {
+if ($unencsymb) {
+my $symb = &Apache::lonnet::symbclean($unencsymb);
+if (($symb ne '') && (&Apache::lonnet::symbverify($symb,$unencfurl))) {
+$access = &Apache::lonnet::allowed('bre',$unencfurl,$symb);
+} else {
+$access = &Apache::lonnet::allowed('bre',$unencfurl);
+}
+} else {
+$access = &Apache::lonnet::allowed('bre',$unencfurl);
+}
+if ((!$access) || ($access eq 'B') || ($access eq 'D')) {
 $furl = &Apache::lonpageflip::first_accessible_resource();
-} elsif ($access eq 'B') {
-$furl = '/adm/navmaps?showOnlyHomework=1';
+if ($furl eq '') {
+$furl = '/adm/navmaps?showOnlyHomework=1';
+}
 }
 if ($env{'request.lti.login'}) {
 undef($msg);
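Review bot: When `$unencsymb` is present but `symbclean`/`symbverify` rejects it, the new `else` branch quietly falls back to `&Apache::lonnet::allowed('bre',$unencfurl)` and, on success, still sends the user to the original `$furl` carrying the symb that did not verify, so the permission check and the navigation target disagree. Since the new comment says `$furl` comes from `lonuserstate::readmap()`, a symb that fails to verify against its own URL signals something unexpected rather than a normal case, and setting `$access = '';` in that branch (so control falls through to `first_accessible_resource()`) would be safer than a silent downgrade to a URL-only check. `if ($unencsymb)` is also a truthiness test; harmless for real symbs, but `if ($unencsymb ne '')` states the intent. The enclosing handler starts before and ends after the hunk.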