--- loncom/cgi/loncgi.pm 2008/11/28 20:39:43 1.9 +++ loncom/cgi/loncgi.pm 2018/07/04 16:58:26 1.16 @@ -1,7 +1,7 @@ # # LON-CAPA helpers for cgi-bin scripts # -# $Id: loncgi.pm,v 1.9 2008/11/28 20:39:43 raeburn Exp $ +# $Id: loncgi.pm,v 1.16 2018/07/04 16:58:26 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -37,10 +37,7 @@ loncgi =head1 SYNOPSIS Provides subroutines for checking a LON-CAPA cookie, loading the user's -environment, retrieving arguments passed in via a CGI's Query String, -checking access controls, providing a user with an explanation -when access is denied, and descriptions of various server status pages -generated by CGI scripts which use these subroutines for authorization. +environment, and retrieving arguments passed in via a CGI's Query String. =head1 Subroutines @@ -57,8 +54,9 @@ use warnings FATAL=>'all'; no warnings 'uninitialized'; use lib '/home/httpd/lib/perl/'; -use CGI(); +use CGI qw(:standard); use CGI::Cookie(); +use MIME::Types(); use Fcntl qw(:flock); use LONCAPA; use LONCAPA::Configuration(); @@ -81,26 +79,24 @@ BEGIN { =item check_cookie_and_load_env() -Inputs: none +Inputs: 1 ( optional). When called from a handler in mod_perl, + pass in the request object. -Returns: 1 if the user has a LON-CAPA cookie 0 if not. -Loads the users environment into the %env hash if the cookie is correct. +Returns: 1 if the user has a LON-CAPA cookie, 0 if not. +Side effect: Loads the user's environment into the %env hash + if the cookie is correct. =cut ############################################# ############################################# sub check_cookie_and_load_env { - my %cookies=fetch CGI::Cookie; - if (exists($cookies{'lonID'}) && - -e "$lonidsdir/".$cookies{'lonID'}->value.".id") { - # cookie found - &transfer_profile_to_env($cookies{'lonID'}->value); - return 1; - } else { - # No cookie found - return 0; + my ($r) = @_; + my ($hascookie,$handle) = &check_cookie($r); + if (($hascookie) && ($handle)) { + &transfer_profile_to_env($handle); } + return $hascookie; } ############################################# @@ -112,6 +108,11 @@ sub check_cookie_and_load_env { Inputs: none +Array context: +Returns: (1,$handle) if the user has a LON-CAPA cookie; +(0) if user does not have a LON-CAPA cookie. + +Scalar context: Returns: 1 if the user has a LON-CAPA cookie and 0 if not. =cut @@ -119,13 +120,52 @@ Returns: 1 if the user has a LON-CAPA co ############################################# ############################################# sub check_cookie { - my %cookies=fetch CGI::Cookie; - if (exists($cookies{'lonID'}) && - -e "$lonidsdir/".$cookies{'lonID'}->value.".id") { - # cookie found - return 1; + my ($r) = @_; + my %cookies; + if (ref($r)) { + %cookies = CGI::Cookie->fetch($r); + } else { + %cookies = CGI::Cookie->fetch(); + } + if (keys(%cookies)) { + my $name = 'lonID'; + my $secure = 'lonSID'; + my $linkname = 'lonLinkID'; + my $pubname = 'lonPubID'; + my $lonid; + if (exists($cookies{$secure})) { + $lonid=$cookies{$secure}; + } elsif (exists($cookies{$name})) { + $lonid=$cookies{$name}; + } elsif (exists($cookies{$linkname})) { + $lonid=$cookies{$linkname}; + } elsif (exists($cookies{$pubname})) { + $lonid=$cookies{$pubname}; + } + if ($lonid) { + my $handle=&LONCAPA::clean_handle($lonid->value); + if ($handle) { + if (-l "$lonidsdir/$handle.id") { + my $link = readlink("$lonidsdir/$handle.id"); + if ((-e $link) && ($link =~ m{^\Q$lonidsdir\E/(.+)\.id$})) { + $handle = $1; + } + } + if (-e "$lonidsdir/".$handle.".id") { + # valid cookie found + if (wantarray) { + return (1,$handle); + } else { + return 1; + } + } + } + } + } + # No valid cookie found + if (wantarray) { + return (0); } else { - # No cookie found return 0; } } @@ -149,7 +189,7 @@ Returns: undef ############################################# sub transfer_profile_to_env { my ($handle)=@_; - if (tie(my %disk_env,'GDBM_File',"$lonidsdir/$handle.id",&GDBM_READER(), + if (tie(my %disk_env,'GDBM_File',"$lonidsdir/$handle.id",&GDBM_READER(), 0640)) { %Apache::lonnet::env = %disk_env; untie(%disk_env); @@ -163,162 +203,6 @@ sub transfer_profile_to_env { =pod -=item check_ipbased_access() - -Inputs: $page, the identifier of the page to be viewed, - can be one of the keys in the hash from &serverstatus_titles() - - $ip, the IP address of the client requesting the page. - -Returns: 1 if access is permitted for the requestor's IP. - Access is allowed if on of the following is true: - (a) the requestor IP is the loopback address - (b) Domain configurations for domains hosted on this server include - the requestor's IP as one of the specified IPs with access - to this page. (does not apply to 'ping' page type) -=cut - -############################################# -############################################# -sub check_ipbased_access { - my ($page,$ip) = @_; - my $allowed; - if (!defined($ip)) { - $ip = $ENV{'REMOTE_ADDR'}; - } - if (($page ne 'lonstatus') && ($page ne 'serverstatus')) { - if ($ip eq '127.0.0.1') { - $allowed = 1; - return $allowed; - } - } - if ($page ne 'ping') { - my @poss_domains = &Apache::lonnet::current_machine_domains(); - foreach my $dom (@poss_domains) { - my %domconfig = &Apache::lonnet::get_dom('configuration',['serverstatuses'],$dom); - if (ref($domconfig{'serverstatuses'}) eq 'HASH') { - if (ref($domconfig{'serverstatuses'}{$page}) eq 'HASH') { - if ($domconfig{'serverstatuses'}{$page}{'machines'} ne '') { - my @okmachines = split(/,/,$domconfig{'serverstatuses'}{$page}{'machines'}); - if (grep(/^\Q$ip\E$/,@okmachines)) { - $allowed = 1; - last; - } - } - } - } - } - } - return $allowed; -} - -############################################# -############################################# - -=pod - -=item can_view() - -Inputs: $page, the identifier of the page to be viewed, - can be one of the keys in the hash from &serverstatus_titles() - -Returns: 1 if access to the page is permitted. - Access allowed if one of the following is true: - (a) Requestor has LON-CAPA superuser role - (b) Requestor's role is Domain Coordinator in one of the domains - hosted on this server - (c) Domain configurations for domains hosted on this server include - the requestor as one of the named users (username:domain) with access - to the page. - - In the case of requests for the 'ping' page, and access is also allowed if - at least one domain hosted on requestor's server is also hosted on this server. - -=cut - -############################################# -############################################# -sub can_view { - my ($page) = @_; - my $allowed; - if ($Apache::lonnet::env{'request.role'} =~ m{^su\./}) { - $allowed = 1; - } elsif ($page eq 'ping') { - my @poss_domains = &Apache::lonnet::current_machine_domains(); - my @hostids= &Apache::lonnet::get_hosts_from_ip($ENV{'REMOTE_ADDR'}); - foreach my $hostid (@hostids) { - my $hostdom = &Apache::lonnet::host_domain($hostid); - if (grep(/^\Q$hostdom\E$/,@poss_domains)) { - $allowed = 1; - last; - } - } - } else { - my @poss_domains = &Apache::lonnet::current_machine_domains(); - foreach my $dom (@poss_domains) { - my %domconfig = &Apache::lonnet::get_dom('configuration',['serverstatuses'],$dom); - if ($Apache::lonnet::env{'request.role'} eq "dc./$dom/") { - $allowed = 1; - } elsif (ref($domconfig{'serverstatuses'}) eq 'HASH') { - if (ref($domconfig{'serverstatuses'}{$page}) eq 'HASH') { - if ($domconfig{'serverstatuses'}{$page}{'namedusers'} ne '') { - my @okusers = split(/,/,$domconfig{'serverstatuses'}{$page}{'namedusers'}); - if (grep(/^\Q$Apache::lonnet::env{'user.name'}:$Apache::lonnet::env{'user.domain'}\E$/,@okusers)) { - $allowed = 1; - } - } - } - } - last if $allowed; - } - } - return $allowed; -} - -############################################# -############################################# - -=pod - -=unauthorized_msg() - -Inputs: $page, the identifier of the page to be viewed, - can be one of the keys in the hash from &serverstatus_titles() - -Returns: A string explaining why access was denied for the particular page. - -=cut - -############################################# -############################################# -sub unauthorized_msg { - my ($page) = @_; - my $titles = &serverstatus_titles(); - if ($page eq 'clusterstatus') { - return &mt('Your current role does not permit you to view the requested server status page: [_1]',$titles->{$page}); - } - my @poss_domains = &Apache::lonnet::current_machine_domains(); - if (@poss_domains == 1) { - my $domdesc = &Apache::lonnet::domain($poss_domains[0]); - return &mt('The configuration for domain: [_1] does not permit you to view the requested server status page: [_2].',"$domdesc ($poss_domains[0])",$titles->{$page}); - } elsif (@poss_domains > 1) { - my $output = &mt('Configurations for the domains housed on this server: ').''.&mt('do not permit you to view the requested server status page: [_1]',$titles->{$page}); - return $output; - } else { - return &mt('No domain information exists for this server'); - } -} - -############################################# -############################################# - -=pod - =item missing_cookie_msg() Inputs: none @@ -349,34 +233,35 @@ END =pod -=item serverstatus_titles() +=cgi_getitems() -Inputs: none +Inputs: $query - the CGI query string (required) + $getitems - reference to a hash (required) + $possname - permitted names of keys (optional) + +Returns: nothing -Returns: a reference to a hash of pages, where in the hash - keys are names of pages which employ loncgi.pm - or lonstatusacc.pm for access control, - and corresponding values are descriptions of each page +Side Effects: populates $getitems hash ref with key => value + where each key is the name of the form item in the query string + and value is an array of corresponding values. =cut ############################################# ############################################# -sub serverstatus_titles { - my %titles = &Apache::lonlocal::texthash ( - 'userstatus' => 'User Status Summary', - 'lonstatus' => 'Display Detailed Report', - 'loncron' => 'Generate Detailed Report', - 'server-status' => 'Apache Status Page', - 'codeversions' => 'LON-CAPA Module Versions', - 'clusterstatus' => 'Domain status', - 'metadata_keywords' => 'Display Metadata Keywords', - 'metadata_harvest' => 'Harvest Metadata Searches', - 'takeoffline' => 'Offline - replace Log-in page', - 'takeonline' => 'Online - restore Log-in page', - 'showenv' => "Show user environment", - ); - return \%titles; +sub cgi_getitems { + my ($query,$getitems,$possnames)= @_; + foreach (split(/&/,$query)) { + my ($name, $value) = split(/=/,$_); + $name = &unescape($name); + if (ref($possnames) eq 'ARRAY') { + next unless (grep(/^\Q$name\E$/,@{$possnames})); + } + $value =~ tr/+/ /; + $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; + push(@{$$getitems{$name}},$value); + } + return; } ############################################# @@ -384,27 +269,33 @@ sub serverstatus_titles { =pod -=cgi_getitems() +=cgi_header() -Inputs: $query (the CGI query string), and $getitems, a reference to a hash +Inputs: $contenttype - Content Type (e.g., text/html or text/plain) + $nocache - Boolean 1 = nocache +Returns: HTTP Response headers constructed using CGI.pm -Returns: nothing - -Side Effects: populates $getitems hash ref with key => value - where each key is the name of the form item in the query string - and value is an array of corresponding values. =cut ############################################# ############################################# -sub cgi_getitems { - my ($query,$getitems)= @_; - foreach (split(/&/,$query)) { - my ($name, $value) = split(/=/,$_); - $name = &unescape($name); - $value =~ tr/+/ /; - $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; - push(@{$$getitems{$name}},$value); +sub cgi_header { + my ($contenttype,$nocache) = @_; + my $mimetypes = MIME::Types->new; + my %headers; + if ($contenttype ne '') { + if ($mimetypes->type($contenttype) ne '') { + $headers{'-type'} = $contenttype; + if ($contenttype =~ m{^text/}) { + $headers{'-charset'} = 'utf-8'; + } + } + } + if ($nocache) { + $headers{'-expires'} = 'now'; + } + if (%headers) { + return CGI::header(%headers); } return; }