--- loncom/auth/lonacc.pm	2020/09/30 19:33:59	1.159.2.12
+++ loncom/auth/lonacc.pm	2020/10/06 17:39:04	1.159.2.14
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.159.2.12 2020/09/30 19:33:59 raeburn Exp $
+# $Id: lonacc.pm,v 1.159.2.14 2020/10/06 17:39:04 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -617,6 +617,9 @@ sub handler {
                     my $query = $r->args;
                     foreach my $pair (split(/&/,$query)) {
                         my ($name, $value) = split(/=/,$pair);
+                        $name = &unescape($name);
+                        $value =~ tr/+/ /;
+                        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
                         if ($name eq 'symb') {
                             $poss_symb = &Apache::lonnet::symbclean($value);
                             last;
@@ -777,19 +780,29 @@ sub handler {
                         unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
                             $invalidsymb = 1;
                             #
-                            # If $env{'request.enc'} is true, but no encryption for $symb retrieved
-                            # by original lonnet::symbread() call, call again to check for an instance
-                            # of $requrl in the course which has encryption, and set that as the symb.
-                            # If there is no such symb, or symbverify() fails for the new symb proceed
-                            # to report invalid symb.
+                            # If $env{'request.enc'} inconsistent with encryption expected for $symb
+                            # retrieved by lonnet::symbread(), call again to check for an instance of
+                            # $requrl in the course for which expected encryption matches request.enc.
+                            # If symb for different instance passes lonnet::symbverify(), use that as
+                            # the symb for $requrl and call &Apache::lonnet::allowed() for that symb.
+                            # Report invalid symb if there is no other symb. Redirect to /adm/ambiguous
+                            # if multiple possible symbs consistent with request.enc available for $requrl.
                             #
-                            if ($env{'request.enc'} && !$encstate) {
+                            if (($env{'request.enc'} && !$encstate) || (!$env{'request.enc'} && $encstate)) {
                                 my %possibles;
                                 my $nocache = 1;
+                                my $oldsymb = $symb;
                                 $symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
-                                if ($symb) {
+                                if (($symb) && ($symb ne $oldsymb)) {
                                     if (&Apache::lonnet::symbverify($symb,$requrl)) {
-                                        $invalidsymb = '';
+                                        my $access=&Apache::lonnet::allowed('bre',$requrl,$symb);
+                                        if ($access eq 'B') {
+                                            $env{'request.symb'} = $symb;
+                                            &Apache::blockedaccess::setup_handler($r);
+                                            return OK;
+                                        } elsif (($access eq '2') || ($access eq 'F')) {
+                                            $invalidsymb = '';
+                                        }
                                     }
                                 } elsif (keys(%possibles) > 1) {
                                     $r->internal_redirect('/adm/ambiguous');