--- loncom/lti/ltiauth.pm	2018/04/14 02:30:07	1.8
+++ loncom/lti/ltiauth.pm	2021/11/22 23:41:00	1.26
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Basic LTI Authentication Module
 #
-# $Id: ltiauth.pm,v 1.8 2018/04/14 02:30:07 raeburn Exp $
+# $Id: ltiauth.pm,v 1.26 2021/11/22 23:41:00 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -42,8 +42,23 @@ use LONCAPA::ltiutils;
 sub handler {
     my $r = shift;
     my $requri = $r->uri;
+    my $hostname = $r->hostname;
+#
+# Check for existing session, and temporarily delete any form items
+# in %env, if session exists
+#
+    my %savedform;
+    my $handle = &Apache::lonnet::check_for_valid_session($r);
+    if ($handle ne '') {
+        foreach my $key (sort(keys(%env))) {
+            if ($key =~ /^form\.(.+)$/) {
+                $savedform{$1} = $env{$key};
+                delete($env{$key});
+            }
+        }
+    }
 #
-# Retrieve data POSTed by LTI Consumer on launch  
+# Retrieve data POSTed by LTI launch
 #
     &Apache::lonacc::get_posted_cgi($r);
     my $params = {};
@@ -52,6 +67,17 @@ sub handler {
             $params->{$1} = $env{$key};
         }
     }
+#
+# Check for existing session, and restore temporarily
+# deleted form items to %env, if session exists.
+#
+    if ($handle ne '') {
+        if (keys(%savedform)) {
+            foreach my $key (sort(keys(%savedform))) {
+                $env{'form.'.$key} = $savedform{$key};
+            }
+        }
+    }
 
     unless (keys(%{$params})) {
         &invalid_request($r,1);
@@ -72,12 +98,131 @@ sub handler {
 # Retrieve "internet domains" for all this institution's LON-CAPA
 # nodes.
 #
-    my ($udom,$uname,$uhome,$cdom,$cnum,$symb,$mapurl,@intdoms);
+    my @intdoms;
     my $lonhost = $r->dir_config('lonHostID');
     my $internet_names = &Apache::lonnet::get_internet_names($lonhost);
     if (ref($internet_names) eq 'ARRAY') {
         @intdoms = @{$internet_names};
     }
+#
+# Determine course's domain in LON-CAPA
+# for basic launch using key and secret managed
+# in LON-CAPA course (i.e., uri begins /adm/launch)
+#
+
+   my ($cdom,$cnum);
+
+# Note: "internet domain" for course's domain must be one of the
+# internet domains for the institution's LON-CAPA servers.
+#
+    if ($requri =~ m{^/adm/launch(|/.*)$}) {
+        my $tail = $1;
+        if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+            my ($urlcdom,$urlcnum) = &course_from_tinyurl($tail);
+            if (($urlcdom ne '') && ($urlcnum ne '')) {
+                $cdom = $urlcdom;
+                $cnum = $urlcnum;
+                my $primary_id = &Apache::lonnet::domain($cdom,'primary');
+                if ($primary_id ne '') {
+                    my $intdom = &Apache::lonnet::internet_dom($primary_id);
+                    if (($intdom ne '') && (grep(/^\Q$intdom\E$/,@intdoms))) {
+#
+# Retrieve information for LTI link protectors in course
+# where url was /adm/launch/tiny/$cdom/$uniqueid
+#
+                        my (%crslti,%crslti_by_key,$itemid,$ltitype);
+                        %crslti = &Apache::lonnet::get_course_lti($cnum,$cdom,'provider');
+                        if (keys(%crslti)) {
+                            foreach my $id (keys(%crslti)) {
+                                if (ref($crslti{$id}) eq 'HASH') {
+                                    my $key = $crslti{$id}{'key'};
+                                    push(@{$crslti_by_key{$key}},$id);
+                                }
+                            }
+                        }
+#
+# Verify the signed request using the secret for LTI link
+# protectors for which the key in the POSTed data matches
+# keys in the course configuration.
+#
+# Request is invalid if the signed request could not be verified
+# for the key and secret from LON-CAPA course configuration for
+# LTI link protectors or from LON-CAPA configuration for the
+# course's domain if there are LTI Providers which may be used.
+#
+# Determine if nonce in POSTed data has expired.
+# If unexpired, confirm it has not already been used.
+#
+                        if (keys(%crslti)) {
+                            $itemid = &get_lti_itemid($requri,$hostname,$params,\%crslti,\%crslti_by_key);
+                        }
+                        if (($itemid) && (ref($crslti{$itemid}) eq 'HASH')) {
+                            $ltitype = 'c';
+                            unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
+                                                                    $crslti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) {
+                                &invalid_request($r,3);
+                                return OK;
+                            }
+                        } else {
+                            my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
+                            unless (keys(%lti) > 0) {
+                                &invalid_request($r,4);
+                                return OK;
+                            }
+                            my (%domlti_by_key,%domlti);
+                            foreach my $id (keys(%lti)) {
+                                if (ref($lti{$id}) eq 'HASH') {
+                                    my $key = $lti{$id}{'key'};
+                                    if (!$lti{$itemid}{'requser'}) {
+                                        push(@{$domlti_by_key{$key}},$id);
+                                        $domlti{$id} = $lti{$id};
+                                    }
+                                }
+                            }
+                            if (keys(%domlti)) {
+                                $itemid = &get_lti_itemid($requri,$hostname,$params,\%domlti,\%domlti_by_key);
+                            }
+                            if (($itemid) && (ref($domlti{$itemid}) eq 'HASH')) {
+                                $ltitype = 'd';
+                                unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
+                                                                        $domlti{$itemid}{'lifetime'},$cdom,
+                                                                        $r->dir_config('lonLTIDir'))) {
+                                    &invalid_request($r,5);
+                                    return OK;
+                                }
+                            }
+                        }
+                        if ($itemid) {
+                            foreach my $key (%{$params}) {
+                                delete($env{'form.'.$key});
+                            }
+                            my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail},
+                                                                 $lonhost,'link');
+                            if ($ltoken) {
+                                $r->internal_redirect($tail.'?ltoken='.$ltoken);
+                                $r->set_handlers('PerlHandler'=> undef);
+                            } else {
+                                &invalid_request($r,6);
+                            }
+                        } else {
+                            &invalid_request($r,7);
+                        }
+                    } else {
+                        &invalid_request($r,8);
+                    }
+                } else {
+                    &invalid_request($r,9);
+                }
+            } else {
+                &invalid_request($r,10);
+            }
+        } else {
+            &invalid_request($r,11);
+        }
+        return OK;
+    }
+
+    my ($udom,$uname,$uhome,$symb,$mapurl);
 
 #
 # For user who launched LTI in Consumer, determine user's domain in 
@@ -140,7 +285,7 @@ sub handler {
 # Order is:
 #
 # (a) from custom_coursedomain item in POSTed data
-# (b) from tail of requested URL (after /adm/lti) if it has format of a symb  
+# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb  
 # (c) from tail of requested URL (after /adm/lti) if it has format of a map 
 # (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID
 # (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+
@@ -173,42 +318,34 @@ sub handler {
         if ($tail =~ m{^/uploaded/($match_domain)/($match_courseid)/(?:default|supplemental)(?:|_\d+)\.(?:sequence|page)(|___\d+___.+)$}) {
             ($urlcdom,$urlcnum,my $rest) = ($1,$2,$3);
             if (($cdom ne '') && ($cdom ne $urlcdom)) {
-                &invalid_request($r,3);
+                &invalid_request($r,12);
                 return OK;
             }
             if ($rest eq '') {
                 $mapurl = $tail;
             } else {
                 $symb = $tail;
-                $symb =~ s{^/+}{};
+                $symb =~ s{^/}{};
+            }
+        } elsif ($tail =~ m{^/res/(?:$match_domain)/(?:$match_username)/.+\.(?:sequence|page)(|___\d+___.+)$}) {
+            if ($1 eq '') {
+                $mapurl = $tail;
+            } else {
+                $symb = $tail;
+                $symb =~ s{^/res/}{};
             }
         } elsif ($tail =~ m{^/($match_domain)/($match_courseid)$}) {
             ($urlcdom,$urlcnum) = ($1,$2);
             if (($cdom ne '') && ($cdom ne $urlcdom)) {
-                &invalid_request($r,4);
+                &invalid_request($r,13);
                 return OK;
             }
         } elsif ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
-            ($urlcdom,my $key) = ($1,$2);
-            if (($cdom ne '') && ($cdom ne $urlcdom)) {
-                &invalid_request($r,5);
+            ($urlcdom,$urlcnum) = &course_from_tinyurl($tail);
+            if (($urlcdom eq '') || ($urlcnum eq '')) {
+                &invalid_request($r,14);
                 return OK;
             }
-            my $tinyurl;
-            my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key);
-            if (defined($cached)) {
-                $tinyurl = $result;
-            } else {
-                my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom);
-                my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname);
-                if ($currtiny{$key} ne '') {
-                    $tinyurl = $currtiny{$key};
-                    &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600);
-                }
-            }
-            if ($tinyurl ne '') {
-                $urlcnum = (split(/\&/,$tinyurl))[0];
-            }
         }
         if (($cdom eq '') && ($urlcdom ne '')) { 
             my $cprimary_id = &Apache::lonnet::domain($urlcdom,'primary');
@@ -231,14 +368,14 @@ sub handler {
     }
 
 #
-# Retrieve information for LTI Consumers in course domain
+# Retrieve information for LTI Consumers in course's domain
 # and populate hash --  %lti_by_key -- for which keys
 # are those defined in domain configuration for LTI.
 #
  
     my %lti = &Apache::lonnet::get_domain_lti($cdom,'provider');
     unless (keys(%lti) > 0) {
-        &invalid_request($r,6);
+        &invalid_request($r,15);
         return OK;
     }
     my %lti_by_key;
@@ -254,31 +391,11 @@ sub handler {
 #
 # Verify the signed request using the secret for those
 # Consumers for which the key in the POSTed data matches 
-# keys in the domain configuration for LTI.
+# keys in the course configuration or the domain configuration
+# for LTI.
 #
-    my $hostname = $r->hostname;
-    my $protocol = 'http';
-    if ($ENV{'SERVER_PORT'} == 443) {
-        $protocol = 'https';
-    }
 
-    my ($itemid,$consumer_key,$secret);
-    $consumer_key = $params->{'oauth_consumer_key'};
-    if (ref($lti_by_key{$consumer_key}) eq 'ARRAY') {
-        foreach my $id (@{$lti_by_key{$consumer_key}}) {
-            if (ref($lti{$id}) eq 'HASH') {
-                $secret = $lti{$id}{'secret'};
-                my $request = Net::OAuth->request('request token')->from_hash($params,
-                                                   request_url => $protocol.'://'.$hostname.$requri,
-                                                   request_method => $env{'request.method'},
-                                                   consumer_secret => $secret,);
-                if ($request->verify()) {
-                    $itemid = $id;
-                    last;
-                }
-            }
-        }
-    }
+    my $itemid = &get_lti_itemid($requri,$hostname,$params,\%lti,\%lti_by_key);
 
 #
 # Request is invalid if the signed request could not be verified
@@ -286,7 +403,7 @@ sub handler {
 # configuration in LON-CAPA for that LTI Consumer.
 #
     unless (($itemid) && (ref($lti{$itemid}) eq 'HASH')) {
-        &invalid_request($r,7);
+        &invalid_request($r,16);
         return OK;
     }
 
@@ -296,7 +413,32 @@ sub handler {
 #
     unless (&LONCAPA::ltiutils::check_nonce($params->{'oauth_nonce'},$params->{'oauth_timestamp'},
                                             $lti{$itemid}{'lifetime'},$cdom,$r->dir_config('lonLTIDir'))) {
-        &invalid_request($r,8);
+        &invalid_request($r,17);
+        return OK;
+    }
+
+#
+# Determine if a username is required from the domain
+# configuration for the specific LTI Consumer
+#
+
+    if (!$lti{$itemid}{'requser'}) {
+        if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+            my $ltitype = 'd';
+            foreach my $key (%{$params}) {
+                delete($env{'form.'.$key});
+            }
+            my $ltoken = &Apache::lonnet::tmpput({'linkprot' => $itemid.$ltitype.':'.$tail},
+                                                   $lonhost);
+            if ($ltoken) {
+                $r->internal_redirect($tail.'?ltoken='.$ltoken);
+                $r->set_handlers('PerlHandler'=> undef);
+            } else {
+                &invalid_request($r,18);
+            }
+        } else {
+            &invalid_request($r,19);
+        }
         return OK;
     }
 
@@ -329,7 +471,7 @@ sub handler {
 #
 # (a) from course mapping (if the link between Consumer "course" and 
 # Provider "course" has been established previously).
-# (b) from tail of requested URL (after /adm/lti) if it has format of a symb
+# (b) from tail of requested URL (after /adm/lti/) if it has format of a symb
 # (c) from tail of requested URL (after /adm/lti) if it has format of a map
 # (d) from tail of requested URL (after /adm/lti) if it has format /domain/courseID
 # (e) from tail of requested URL (after /adm/lti) if it has format /tiny/domain/\w+
@@ -356,7 +498,7 @@ sub handler {
             if ($consumers{$sourcecrs} =~ /^$match_courseid$/) {
                 my $crshome = &Apache::lonnet::homeserver($consumers{$sourcecrs},$cdom);
                 if ($crshome =~ /(con_lost|no_host|no_such_host)/) {
-                    &invalid_request($r,9);
+                    &invalid_request($r,20);
                     return OK;
                 } else {
                     $posscnum = $consumers{$sourcecrs};
@@ -368,7 +510,7 @@ sub handler {
     if ($urlcnum ne '') {
         if ($posscnum ne '') {
             if ($posscnum ne $urlcnum) {
-                &invalid_request($r,10);
+                &invalid_request($r,21);
                 return OK;
             } else {
                 $cnum = $posscnum;
@@ -376,7 +518,7 @@ sub handler {
         } else {
             my $crshome = &Apache::lonnet::homeserver($urlcnum,$cdom);
             if ($crshome =~ /(con_lost|no_host|no_such_host)/) {
-                &invalid_request($r,11);
+                &invalid_request($r,22);
                 return OK;
             } else {
                 $cnum = $urlcnum;
@@ -396,35 +538,16 @@ sub handler {
 #
 
     my (@ltiroles,@lcroles);
-
     my @lcroleorder = ('cc','in','ta','ep','st');
-    my @ltiroleorder = ('Instructor','TeachingAssistant','Mentor','Learner');
-    if ($params->{'roles'} =~ /,/) {
-        my @possltiroles = split(/\s*,\s*/,$params->{'role'});
-        foreach my $ltirole (@ltiroleorder) {
-            if (grep(/^\Q$ltirole\E$/,@possltiroles)) {
-                push(@ltiroles,$ltirole);
-            }
-        }
-    } else {
-        my $singlerole = $params->{'roles'};
-        $singlerole =~ s/^\s|\s+$//g;
-        if (grep(/^\Q$singlerole\E$/,@ltiroleorder)) {
-            @ltiroles = ($singlerole);
-        }
+    my ($lcrolesref,$ltirolesref) = 
+        &LONCAPA::ltiutils::get_lc_roles($params->{'roles'},
+                                         \@lcroleorder,
+                                         $lti{$itemid}{maproles});
+    if (ref($lcrolesref) eq 'ARRAY') {
+        @lcroles = @{$lcrolesref};
     }
-    if (@ltiroles) {
-        if (ref($lti{$itemid}{maproles}) eq 'HASH') {
-            my %possroles;
-            map { $possroles{$lti{$itemid}{maproles}{$_}} = 1; } @ltiroles;
-            if (keys(%possroles) > 0) {
-                foreach my $item (@lcroleorder) {
-                    if ($possroles{$item}) {
-                        push(@lcroles,$item);
-                    }
-                }
-            }
-        }
+    if (ref($ltirolesref) eq 'ARRAY') {
+        @ltiroles = @{$ltirolesref};
     }
 
 #
@@ -447,119 +570,38 @@ sub handler {
                 }
             }
             if ($selfcreate) {
-                my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts,%info);
-                my $checkhash = { "$uname:$udom" => { 'newuser' => 1, }, };
-                my $checks = { 'username' => 1, };
-                &Apache::loncommon::user_rule_check($checkhash,$checks,\%alerts,\%rulematch,
-                                                    \%inst_results,\%curr_rules,\%got_rules);
-                my ($userchkmsg,$lcauth,$lcauthparm);
-                my $allowed = 1;
-                if (ref($alerts{'username'}) eq 'HASH') {
-                    if (ref($alerts{'username'}{$udom}) eq 'HASH') {
-                        my $domdesc =
-                            &Apache::lonnet::domain($udom,'description');
-                        if ($alerts{'username'}{$udom}{$uname}) {
-                            if (ref($curr_rules{$udom}) eq 'HASH') {
-                                $userchkmsg =
-                                    &Apache::loncommon::instrule_disallow_msg('username',$domdesc,1).
-                                    &Apache::loncommon::user_rule_formats($udom,$domdesc,
-                                                                          $curr_rules{$udom}{'username'},
-                                                                           'username');
-                            }
-                            $allowed = 0;
-                        }
-                    }
-                }
-                if ($allowed) {
-                    if (ref($rulematch{$uname.':'.$udom}) eq 'HASH') {
-                        my $matchedrule = $rulematch{$uname.':'.$udom}{'username'};
-                        my ($rules,$ruleorder) =
-                            &Apache::lonnet::inst_userrules($udom,'username');
-                        if (ref($rules) eq 'HASH') {
-                            if (ref($rules->{$matchedrule}) eq 'HASH') {
-                                $lcauth = $rules->{$matchedrule}{'authtype'};
-                                $lcauthparm = $rules->{$matchedrule}{'authparm'};
-                            }
-                        }
-                    }
-                    if ($lcauth eq '') {
-                        $lcauth = $lti{$itemid}{'lcauth'};
-                        if ($lcauth eq 'internal') {
-                            $lcauthparm = &create_passwd();
-                        } else {
-                            $lcauthparm = $lti{$itemid}{'lcauthparm'};
-                        }
-                    }
-                } else {
-                    &invalid_request($r,12);
-                }
-                my @userinfo = ('firstname','middlename','lastname','generation',
-                                'permanentemail','id');
-                my %useinstdata;
-                if (ref($lti{$itemid}{'instdata'}) eq 'ARRAY') {
-                    map { $useinstdata{$_} = 1; } @{$lti{$itemid}{'instdata'}};
-                }
-                foreach my $item (@userinfo) {
-                    if (($useinstdata{$item}) && (ref($inst_results{$uname.':'.$udom}) eq 'HASH') &&
-                        ($inst_results{$uname.':'.$udom}{$item} ne '')) {
-                        $info{$item} = $inst_results{$uname.':'.$udom}{$item};
-                    } else {
-                        if ($item eq 'permanentemail') {
-                            if ($env{'form.lis_person_contact_email_primary'} =~/^[^\@]+\@[^@]+$/) {
-                                $info{$item} = $env{'form.lis_person_contact_email_primary'};
-                            }
-                        } elsif ($item eq 'firstname') {
-                            $info{$item} = $env{'form.lis_person_name_given'};
-                        } elsif ($item eq 'lastname') {
-                            $info{$item} = $env{'form.lis_person_name_family'};
-                        }
-                    }
-                }
-                if (($info{'middlename'} eq '') && ($env{'form.lis_person_name_full'} ne '')) {
-                    unless ($useinstdata{'middlename'}) {
-                        my $fullname = $env{'form.lis_person_name_full'};
-                        if ($info{'firstname'}) {
-                            $fullname =~ s/^\s*\Q$info{'firstname'}\E\s*//i;
-                        }
-                        if ($info{'lastname'}) {
-                            $fullname =~ s/\s*\Q$info{'lastname'}\E\s*$//i;
-                        }
-                        if ($fullname ne '') {
-                            $fullname =~ s/^\s+|\s+$//g;
-                            if ($fullname ne '') {
-                                $info{'middlename'} = $fullname;
-                            }
-                        }
-                    }
-                }
-                if (ref($inst_results{$uname.':'.$udom}{'inststatus'}) eq 'ARRAY') {
-                    my @inststatuses = @{$inst_results{$uname.':'.$udom}{'inststatus'}};
-                    $info{'inststatus'} = join(':',map { &escape($_); } @inststatuses);
-                }
+                my (%rulematch,%inst_results,%curr_rules,%got_rules,%alerts);
+                my $domdesc = &Apache::lonnet::domain($udom,'description');
+                my %data = (
+                    'permanentemail' => $env{'form.lis_person_contact_email_primary'},
+                    'firstname'      => $env{'form.lis_person_name_given'},
+                    'lastname'       => $env{'form.lis_person_name_family'},
+                    'fullname'       => $env{'form.lis_person_name_full'},
+                );
                 my $result =
-                    &Apache::lonnet::modifyuser($udom,$uname,$info{'id'},
-                                                $lcauth,$lcauthparm,$info{'firstname'},
-                                                $info{'middlename'},$info{'lastname'},
-                                                $info{'generation'},undef,undef,
-                                                $info{'permanentemail'},$info{'inststatus'});
-                if ($result eq 'ok') {
+                    &LONCAPA::ltiutils::create_user($lti{$itemid},$uname,$udom,
+                                                    $domdesc,\%data,\%alerts,\%rulematch,
+                                                    \%inst_results,\%curr_rules,%got_rules);
+                if ($result eq 'notallowed') {
+                    &invalid_request($r,23);
+                } elsif ($result eq 'ok') {
                     if (($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'mapcrs'}) &&
                         ($lti{$itemid}{'makecrs'})) {
                         unless (&Apache::lonnet::usertools_access($uname,$udom,'lti','reload','requestcourses')) {
-                            &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 1, },$udom,$uname);
+                            &Apache::lonnet::put('environment',{ 'requestcourses.lti' => 'autolimit=', },$udom,$uname);
                         }
                     }
                 } else {
-                    &invalid_request($r,13);
+                    &invalid_request($r,24);
                     return OK;
                 }
             } else {
-                &invalid_request($r,14);
+                &invalid_request($r,25);
                 return OK;
             }
         }
     } else {
-        &invalid_request($r,15);
+        &invalid_request($r,26);
         return OK;
     }
 
@@ -571,20 +613,26 @@ sub handler {
 
     my $reqcrs;
     if ($cnum eq '') {
-        if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) &&
-            ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) {
-            my (%can_request,%request_domains);
-            &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom);
-            if ($can_request{'lti'}) {
-                $reqcrs = 1;
-                &lti_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
-                             $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
-                             $reqcrs,$sourcecrs);
+        if ($lti{$itemid}{'crsinc'}) {
+            if ((@ltiroles) && ($lti{$itemid}{'mapcrs'}) &&
+                ($ltiroles[0] eq 'Instructor') && ($lcroles[0] eq 'cc') && ($lti{$itemid}{'makecrs'})) {
+                my (%can_request,%request_domains);
+                &Apache::lonnet::check_can_request($cdom,\%can_request,\%request_domains,$uname,$udom);
+                if ($can_request{'lti'}) {
+                    $reqcrs = 1;
+                    &lti_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
+                                 $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
+                                 $reqcrs,$sourcecrs);
+                } else {
+                    &invalid_request($r,27);
+                }
             } else {
-                &invalid_request($r,16);
+                &invalid_request($r,28);
             }
         } else {
-            &invalid_request($r,17);
+            &lti_session($r,$itemid,$uname,$udom,$uhome,$lonhost,undef,$mapurl,$tail,
+                         $symb,$cdom,$cnum,$params,\@ltiroles,$lti{$itemid},\@lcroles,
+                         $reqcrs,$sourcecrs);
         }
         return OK;
     }
@@ -670,7 +718,7 @@ sub handler {
             }
         }
         if ($reqrole eq '') {
-            &invalid_request($r,18);
+            &invalid_request($r,29);
             return OK;
         } else {
             unless (%crsenv) {
@@ -680,10 +728,10 @@ sub handler {
             my $default_enrollment_end_date   = $crsenv{'default_enrollment_end_date'};
             my $now = time;
             if ($default_enrollment_end_date && $default_enrollment_end_date <= $now) {
-                &invalid_request($r,19);
+                &invalid_request($r,30);
                 return OK;
             } elsif ($default_enrollment_start_date && $default_enrollment_start_date >$now) {
-                &invalid_request($r,20);
+                &invalid_request($r,31);
                 return OK;
             } else {
                 $selfenrollrole = $reqrole.'./'.$cdom.'/'.$cnum;
@@ -714,6 +762,41 @@ sub handler {
     return OK;
 }
 
+sub get_lti_itemid {
+    my ($requri,$hostname,$params,$lti,$lti_by_key) = @_;
+    return unless ((ref($params) eq 'HASH') && (ref($lti) eq 'HASH')  && (ref($lti_by_key) eq 'HASH'));
+
+    if (exists($params->{'oauth_callback'})) {
+        $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A;
+    } else {
+        $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0;
+    }
+
+    my $protocol = 'http';
+    if ($ENV{'SERVER_PORT'} == 443) {
+        $protocol = 'https';
+    }
+
+    my ($itemid,$consumer_key,$secret);
+    my $consumer_key = $params->{'oauth_consumer_key'};
+    if (ref($lti_by_key->{$consumer_key}) eq 'ARRAY') {
+        foreach my $id (@{$lti_by_key->{$consumer_key}}) {
+            if (ref($lti->{$id}) eq 'HASH') {
+                $secret = $lti->{$id}{'secret'};
+                my $request = Net::OAuth->request('request token')->from_hash($params,
+                                                   request_url => $protocol.'://'.$hostname.$requri,
+                                                   request_method => $env{'request.method'},
+                                                   consumer_secret => $secret,);
+                if ($request->verify()) {
+                    $itemid = $id;
+                    last;
+                }
+            }
+        }
+    }
+    return $itemid;
+}
+
 sub lti_enroll {
     my ($uname,$udom,$selfenrollrole) = @_;
     my $enrollresult;
@@ -725,31 +808,8 @@ sub lti_enroll {
             my %coursehash = &Apache::lonnet::coursedescription($cdom.'_'.$cnum);
             my $start = $coursehash{'default_enrollment_start_date'};
             my $end = $coursehash{'default_enrollment_end_date'};
-            my $area = "/$cdom/$cnum";
-            if (($role ne 'cc') && ($role ne 'co') && ($sec ne '')) {
-                $area .= '/'.$sec;
-            }
-            my $spec = $role.'.'.$area;
-            my $instcid;
-            if ($role eq 'st') {
-                $enrollresult =
-                    &Apache::lonnet::modify_student_enrollment($udom,$uname,undef,undef,undef,
-                                                               undef,undef,$sec,$end,$start,
-                                                               'ltienroll',undef,$cdom.'_'.$cnum,1,
-                                                               'ltienroll','',$instcid);
-            } elsif ($role =~ /^(cc|in|ta|ep)$/) {
-                $enrollresult =
-                    &Apache::lonnet::assignrole($udom,$uname,$area,$role,$end,$start,
-                                                undef,1,'ltienroll');
-            }
-            if ($enrollresult eq 'ok') {
-                my (%userroles,%newrole,%newgroups);
-                &Apache::lonnet::standard_roleprivs(\%newrole,$role,$cdom,$spec,$cnum,
-                                                    $area);
-                &Apache::lonnet::set_userprivs(\%userroles,\%newrole,\%newgroups);
-                $userroles{'user.role.'.$spec} = $start.'.'.$end;
-                &Apache::lonnet::appenv(\%userroles,[$role,'cm']);
-            }
+            $enrollresult = &LONCAPA::ltiutils::enrolluser($udom,$uname,$role,$cdom,$cnum,$sec,
+                                                           $start,$end,1);
         }
     }
     return $enrollresult;
@@ -800,7 +860,7 @@ sub lti_session {
             my $lowest_load;
             ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($udom);
             if ($lowest_load > 100) {
-                $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$udom);
+                $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$udom);
             }
         }
         if ($otherserver ne '') {
@@ -810,12 +870,24 @@ sub lti_session {
             }
         }
     }
+    my $protocol = 'http';
+    if ($ENV{'SERVER_PORT'} == 443) {
+        $protocol = 'https';
+    }
     if (($is_balancer) && (!$hosthere)) {
         # login but immediately go to switch server.
         &Apache::lonauth::success($r,$uname,$udom,$uhome,'noredirect');
+        if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) {
+            &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$otherserver,
+                                                      $ltihash->{'key'},
+                                                      $ltihash->{'secret'},
+                                                      $params->{$ltihash->{'callback'}},
+                                                      $r->dir_config('ltiIDsDir'),
+                                                      $protocol,$r->hostname);
+        }
         if ($symb) {
             $env{'form.symb'} = $symb;
-            $env{'request.lti.uri'} = $symb;
+            $env{'request.lti.uri'} = $tail;
         } else {
             if ($mapurl) {
                 $env{'form.origurl'} = $mapurl;
@@ -823,9 +895,14 @@ sub lti_session {
             } elsif ($tail =~ m{^\Q/tiny/$cdom/\E\w+$}) {
                 $env{'form.origurl'} = $tail;
                 $env{'request.lti.uri'} = $tail;
+            } elsif ($tail eq "/$cdom/$cnum") {
+                $env{'form.origurl'} = '/adm/navmaps';
+                $env{'request.lti.uri'} = $tail;
             } else {
                 unless ($tail eq '/adm/roles') {
-                    $env{'form.origurl'} = '/adm/navmaps';
+                    if ($cnum) {
+                        $env{'form.origurl'} = '/adm/navmaps';
+                    }
                 }
             }
         }
@@ -838,7 +915,7 @@ sub lti_session {
             $env{'request.lti.sourcecrs'} = $sourcecrs;
         }
         if ($selfenrollrole) {
-            $env{'request.lti.selfenroll'} = $selfenrollrole;
+            $env{'request.lti.selfenrollrole'} = $selfenrollrole;
             $env{'request.lti.sourcecrs'} = $sourcecrs;
         }
         if ($ltihash->{'passback'}) {
@@ -857,11 +934,11 @@ sub lti_session {
                 $env{'request.lti.rosterurl'} = $params->{'ext_ims_lis_memberships_url'};
             }
         }
-        $env{'request.lti.login'} = 1;
+        $env{'request.lti.login'} = $itemid;
         if ($params->{'launch_presentation_document_target'}) {
             $env{'request.lti.target'} = $params->{'launch_presentation_document_target'};
         }
-        foreach my $key (%{$params}) {
+        foreach my $key (keys(%{$params})) {
             delete($env{'form.'.$key});
         }
         my $redirecturl = '/adm/switchserver';
@@ -873,15 +950,23 @@ sub lti_session {
     } else {
         # need to login them in, so generate the need data that
         # migrate expects to do login
-        foreach my $key (%{$params}) {
+        foreach my $key (keys(%{$params})) {
             delete($env{'form.'.$key});
         }
+        if (($ltihash->{'callback'}) && ($params->{$ltihash->{'callback'}})) {
+            &LONCAPA::ltiutils::setup_logout_callback($uname,$udom,$lonhost,
+                                                      $ltihash->{'key'},
+                                                      $ltihash->{'secret'},
+                                                      $params->{$ltihash->{'callback'}},
+                                                      $r->dir_config('ltiIDsDir'),
+                                                      $protocol,$r->hostname);
+        }
         my $ip = $r->get_remote_host();
         my %info=('ip'        => $ip,
                   'domain'    => $udom,
                   'username'  => $uname,
                   'server'    => $lonhost,
-                  'lti.login' => 1,
+                  'lti.login' => $itemid,
                   'lti.uri'   => $tail,
                  );
         if ($role) {
@@ -925,7 +1010,9 @@ sub lti_session {
                 $info{'origurl'} = $tail;
             } else {
                 unless ($tail eq '/adm/roles') {
-                    $info{'origurl'} = '/adm/navmaps';
+                    if ($cnum) {
+                        $info{'origurl'} = '/adm/navmaps';
+                    }
                 }
             }
         }
@@ -949,30 +1036,34 @@ sub invalid_request {
     }
     &Apache::lonlocal::get_language_handle($r);
     $r->print(
-        &Apache::loncommon::start_page('Invalid LTI call').
+        &Apache::loncommon::start_page('Invalid LTI call','',{ 'only_body' => 1,}).
         &mt('Invalid LTI call [_1]',$num).
         &Apache::loncommon::end_page());
     return;
 }
 
-sub create_passwd {
-    my $passwd = '';
-    my @letts = ("a".."z");
-    for (my $i=0; $i<8; $i++) {
-        my $lettnum = int(rand(2));
-        my $item = '';
-        if ($lettnum) {
-            $item = $letts[int(rand(26))];
-            my $uppercase = int(rand(2));
-            if ($uppercase) {
-                $item =~ tr/a-z/A-Z/;
-            }
+sub course_from_tinyurl {
+    my ($tail) = @_;
+    my ($urlcdom,$urlcnum);
+    if ($tail =~ m{^/tiny/($match_domain)/(\w+)$}) {
+        ($urlcdom,my $key) = ($1,$2);
+        my $tinyurl;
+        my ($result,$cached)=&Apache::lonnet::is_cached_new('tiny',$urlcdom."\0".$key);
+        if (defined($cached)) {
+            $tinyurl = $result;
         } else {
-            $item = int(rand(10));
+            my $configuname = &Apache::lonnet::get_domainconfiguser($urlcdom);
+            my %currtiny = &Apache::lonnet::get('tiny',[$key],$urlcdom,$configuname);
+            if ($currtiny{$key} ne '') {
+                $tinyurl = $currtiny{$key};
+                &Apache::lonnet::do_cache_new('tiny',$urlcdom."\0".$key,$currtiny{$key},600);
+            }
+        }
+        if ($tinyurl ne '') {
+            $urlcnum = (split(/\&/,$tinyurl))[0];
         }
-        $passwd .= $item;
     }
-    return ($passwd);
+    return ($urlcdom,$urlcnum);
 }
 
 1;