loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.154 and 1.178

version 1.154, 2014/03/10 02:07:01	version 1.178, 2020/08/10 03:22:54
Line 102 use Apache::loncommon();	Line 102 use Apache::loncommon();
use Apache::lonlocal;	use Apache::lonlocal;
use Apache::restrictedaccess();	use Apache::restrictedaccess();
use Apache::blockedaccess();	use Apache::blockedaccess();
	use Apache::lonprotected();
use Fcntl qw(:flock);	use Fcntl qw(:flock);
use LONCAPA qw(:DEFAULT :match);	use LONCAPA qw(:DEFAULT :match);

Line 109 sub cleanup {	Line 110 sub cleanup {
my ($r)=@_;	my ($r)=@_;
if (! $r->is_initial_req()) { return DECLINED; }	if (! $r->is_initial_req()) { return DECLINED; }
&Apache::lonnet::save_cache();	&Apache::lonnet::save_cache();
&Apache::lontexconvert::jsMath_reset();
return OK;	return OK;
}	}

Line 160 sub get_posted_cgi {	Line 160 sub get_posted_cgi {
if (length($value) == 1) {	if (length($value) == 1) {
$value=~s/[\r\n]$//;	$value=~s/[\r\n]$//;
}	}
} elsif ($fname =~ /\.(xls\|doc\|ppt)x$/i) {	} elsif ($fname =~ /\.(xls\|doc\|ppt)(x\|m)$/i) {
$value=~s/[\r\n]$//;	$value=~s/[\r\n]$//;
}	}
if (ref($fields) eq 'ARRAY') {	if (ref($fields) eq 'ARRAY') {
Line 203 sub get_posted_cgi {	Line 203 sub get_posted_cgi {
$fname='';	$fname='';
$fmime='';	$fmime='';
}	}
	if ($i<$#lines && $lines[$i+1]=~/^Content\-Type\:\s*([\w\-\/]+)/i) {
	# TODO: something with $1 !
	$i++;
	}
	if ($i<$#lines && $lines[$i+1]=~/^Content\-transfer\-encoding\:\s*([\w\-\/]+)/i) {
	# TODO: something with $1 !
	$i++;
	}
$i++;	$i++;
}	}
} else {	} else {
Line 282 sub upload_size_allowed {	Line 290 sub upload_size_allowed {
sub sso_login {	sub sso_login {
my ($r,$handle,$username) = @_;	my ($r,$handle,$username) = @_;

my $lonidsdir=$r->dir_config('lonIDsDir');	if (($r->user eq '') \|\| ($username ne '') \|\| ($r->user eq 'public:public') \|\|
if (($r->user eq '') \|\| ($username ne '') \|\|
(defined($env{'user.name'}) && (defined($env{'user.domain'}))	(defined($env{'user.name'}) && (defined($env{'user.domain'}))
&& ($handle ne ''))) {	&& ($handle ne ''))) {
# not an SSO case or already logged in	# not an SSO case or already logged in
return undef;	return undef;
}	}

my ($user) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);	my ($user) = ($r->user =~ m/^($match_username)$/);
	if ($user eq '') {
	return undef;
	}

my $query = $r->args;	my $query = $r->args;
my %form;	my %form;
Line 307 sub sso_login {	Line 317 sub sso_login {
my %sessiondata;	my %sessiondata;
if ($form{'iptoken'}) {	if ($form{'iptoken'}) {
%sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});	%sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
my $delete = &Apache::lonnet::tmpdel($form{'token'});	my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
	unless ($sessiondata{'sessionserver'}) {
	delete($form{'iptoken'});
	}
}	}

my $domain = $r->dir_config('lonSSOUserDomain');	my $domain = $r->dir_config('lonSSOUserDomain');
Line 319 sub sso_login {	Line 332 sub sso_login {
&Apache::lonnet::logthis(" SSO authorized user $user ");	&Apache::lonnet::logthis(" SSO authorized user $user ");
my ($is_balancer,$otherserver,$hosthere);	my ($is_balancer,$otherserver,$hosthere);
if ($form{'iptoken'}) {	if ($form{'iptoken'}) {
if (($sessiondata{'domain'} eq $form{'udom'}) &&	if (($sessiondata{'domain'} eq $domain) &&
($sessiondata{'username'} eq $form{'uname'})) {	($sessiondata{'username'} eq $user)) {
$hosthere = 1;	$hosthere = 1;
}	}
}	}
unless ($hosthere) {	unless ($hosthere) {
($is_balancer,$otherserver) =	($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($user,$domain);	&Apache::lonnet::check_loadbalancing($user,$domain,'login');
	if ($is_balancer) {
	# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
	my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
	if (($found_server) && ($balancer_cookie =~ /^\Q$domain\E_\Q$user\E_/)) {
	$otherserver = $found_server;
	} elsif ($otherserver eq '') {
	my $lowest_load;
	($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);
	if ($lowest_load > 100) {
	$otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$domain);
	}
	if ($otherserver ne '') {
	my @hosts = &Apache::lonnet::current_machine_ids();
	if (grep(/^\Q$otherserver\E$/,@hosts)) {
	$hosthere = $otherserver;
	}
	}
	}
	}
}	}
	if (($is_balancer) && (!$hosthere)) {
if ($is_balancer) {
# login but immediately go to switch server to find us a new	# login but immediately go to switch server to find us a new
# machine	# machine
&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');	&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
	foreach my $item (keys(%form)) {
	$env{'form.'.$item} = $form{$item};
	}
	unless ($form{'symb'}) {
	unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {
	$env{'form.origurl'} = $r->uri;
	}
	}
$env{'request.sso.login'} = 1;	$env{'request.sso.login'} = 1;
if (defined($r->dir_config("lonSSOReloginServer"))) {	if (defined($r->dir_config("lonSSOReloginServer"))) {
$env{'request.sso.reloginserver'} =	$env{'request.sso.reloginserver'} =
Line 347 sub sso_login {	Line 386 sub sso_login {
} else {	} else {
# need to login them in, so generate the need data that	# need to login them in, so generate the need data that
# migrate expects to do login	# migrate expects to do login
my $ip;	my $ip = $r->get_remote_host();
my $c = $r->connection;
eval {
$ip = $c->remote_ip();
};
if ($@) {
$ip = $c->client_ip();
}
my %info=('ip' => $ip,	my %info=('ip' => $ip,
'domain' => $domain,	'domain' => $domain,
'username' => $user,	'username' => $user,
'server' => $r->dir_config('lonHostID'),	'server' => $r->dir_config('lonHostID'),
'sso.login' => 1	'sso.login' => 1
);	);
foreach my $item ('role','symb') {	foreach my $item ('role','symb','iptoken') {
if (exists($form{$item})) {	if (exists($form{$item})) {
$info{$item} = $form{$item};	$info{$item} = $form{$item};
}	}
Line 378 sub sso_login {	Line 410 sub sso_login {
$info{'sso.reloginserver'} =	$info{'sso.reloginserver'} =
$r->dir_config('lonSSOReloginServer');	$r->dir_config('lonSSOReloginServer');
}	}
	if (($is_balancer) && ($hosthere)) {
	$info{'noloadbalance'} = $hosthere;
	}
my $token =	my $token =
&Apache::lonnet::tmpput(\%info,	&Apache::lonnet::tmpput(\%info,
$r->dir_config('lonHostID'));	$r->dir_config('lonHostID'));
Line 386 sub sso_login {	Line 421 sub sso_login {
$r->set_handlers('PerlHandler'=> undef);	$r->set_handlers('PerlHandler'=> undef);
}	}
return OK;	return OK;
} elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) {	} else {
&Apache::lonnet::logthis(" SSO authorized unknown user $user ");	&Apache::lonnet::logthis(" SSO authorized unknown user $user ");
$r->subprocess_env->set('SSOUserUnknown' => $user);
$r->subprocess_env->set('SSOUserDomain' => $domain);
my @cancreate;	my @cancreate;
my %domconfig =	my %domconfig =
&Apache::lonnet::get_dom('configuration',['usercreation'],$domain);	&Apache::lonnet::get_dom('configuration',['usercreation'],$domain);
Line 403 sub sso_login {	Line 436 sub sso_login {
}	}
}	}
}	}
if (grep(/^sso$/,@cancreate)) {	if ((grep(/^sso$/,@cancreate)) \|\| (defined($r->dir_config('lonSSOUserUnknownRedirect')))) {
$r->set_handlers('PerlHandler'=>	$r->subprocess_env->set('SSOUserUnknown' => $user);
[\&Apache::createaccount::handler]);	$r->subprocess_env->set('SSOUserDomain' => $domain);
$r->handler('perl-script');	if (grep(/^sso$/,@cancreate)) {
} else {	$r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]);
$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));	$r->handler('perl-script');
$r->set_handlers('PerlHandler'=> undef);	} else {
	$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
	$r->set_handlers('PerlHandler'=> undef);
	}
	return OK;
}	}
return OK;
}	}
return undef;	return undef;
}	}
Line 441 sub handler {	Line 477 sub handler {
my ($is_balancer,$otherserver);	my ($is_balancer,$otherserver);

if ($handle eq '') {	if ($handle eq '') {
unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {	unless ((($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) \|\|
	($requrl =~ m{^/public/$match_domain/$match_courseid/syllabus}) \|\|
	($requrl =~ m{^/adm/help/}) \|\|
	($requrl =~ m{^/res/$match_domain/$match_username/})) {
$r->log_reason("Cookie not valid", $r->filename);	$r->log_reason("Cookie not valid", $r->filename);
}	}
} elsif ($handle ne '') {	} elsif ($handle ne '') {
Line 472 sub handler {	Line 511 sub handler {
}	}
$env{'request.filename'} = $r->filename;	$env{'request.filename'} = $r->filename;
$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);	$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);
my $suppext;	my ($suppext,$checkabsolute);
if ($requrl =~ m{^/adm/wrapper/ext/}) {	if ($requrl =~ m{^/adm/wrapper/ext/}) {
my $query = $r->args;	my $query = $r->args;
if ($query) {	if ($query) {
my $preserved;	my $preserved;
foreach my $pair (split(/&/,$query)) {	foreach my $pair (split(/&/,$query)) {
my ($name, $value) = split(/=/,$pair);	my ($name, $value) = split(/=/,$pair);
unless ($name eq 'symb') {	unless (($name eq 'symb') \|\| ($name eq 'usehttp')) {
$preserved .= $pair.'&';	$preserved .= $pair.'&';
}	}
if (($env{'request.course.id'}) && ($name eq 'folderpath')) {	if (($env{'request.course.id'}) && ($name eq 'folderpath')) {
Line 493 sub handler {	Line 532 sub handler {
$env{'request.external.querystring'} = $preserved;	$env{'request.external.querystring'} = $preserved;
}	}
}	}
	if ($env{'request.course.id'}) {
	$checkabsolute = 1;
	}
} elsif ($env{'request.course.id'} &&	} elsif ($env{'request.course.id'} &&
(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|	(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|
($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) {	($requrl eq "/public/$cdom/$cnum/syllabus") \|\|
	($requrl =~ m{^/adm/$cdom/$cnum/\d+/ext\.tool$}))) {
my $query = $r->args;	my $query = $r->args;
if ($query) {	if ($query) {
foreach my $pair (split(/&/,$query)) {	foreach my $pair (split(/&/,$query)) {
Line 507 sub handler {	Line 550 sub handler {
}	}
}	}
}	}
	if ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}) {
	$checkabsolute = 1;
	}
	}
	if ($checkabsolute) {
	my $hostname = $r->hostname();
	my $lonhost = &Apache::lonnet::host_from_dns($hostname);
	if ($lonhost) {
	my $actual = &Apache::lonnet::absolute_url($hostname);
	my $exphostname = &Apache::lonnet::hostname($lonhost);
	my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
	unless ($actual eq $expected) {
	$env{'request.use_absolute'} = $expected;
	}
	}
}	}
# -------------------------------------------------------- Load POST parameters	# -------------------------------------------------------- Load POST parameters

Line 517 sub handler {	Line 575 sub handler {
my $checkexempt;	my $checkexempt;
if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) {	if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) {
if ($env{'user.loadbalcheck.time'} + 600 > time) {	if ($env{'user.loadbalcheck.time'} + 600 > time) {
$checkexempt = 1;	$checkexempt = 1;
}	}
}	}
if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {	if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {
Line 527 sub handler {	Line 585 sub handler {
($is_balancer,$otherserver) =	($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($env{'user.name'},	&Apache::lonnet::check_loadbalancing($env{'user.name'},
$env{'user.domain'});	$env{'user.domain'});
	if ($is_balancer) {
	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
	# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
	my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
	if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {
	$otherserver = $found_server;
	}
	}
	}
}	}
if ($is_balancer) {	if ($is_balancer) {
$r->set_handlers('PerlResponseHandler'=>	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
[\&Apache::switchserver::handler]);	$r->set_handlers('PerlResponseHandler'=>
if ($otherserver ne '') {	[\&Apache::switchserver::handler]);
$env{'form.otherserver'} = $otherserver;	if ($otherserver ne '') {
	$env{'form.otherserver'} = $otherserver;
	}
}	}
unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|	unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|
($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {	($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {
$env{'form.origurl'} = $r->uri;	$env{'form.origurl'} = $r->uri;
}	}
}	}
	if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) {
	if ($env{'user.name'} eq 'public' &&
	$env{'user.domain'} eq 'public') {
	$env{'request.firsturl'}=$requrl;
	return FORBIDDEN;
	} else {
	return OK;
	}
	}
# ---------------------------------------------------------------- Check access	# ---------------------------------------------------------------- Check access
my $now = time;	my $now = time;
if ($requrl !~ m{^/(?:adm\|public\|prtspool)/}	if ($requrl !~ m{^/(?:adm\|public\|(?:prt\|zip)spool)/}
\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {	\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {
my $access=&Apache::lonnet::allowed('bre',$requrl);	my $access=&Apache::lonnet::allowed('bre',$requrl);
	if ($handle eq '') {
	unless ($access eq 'F') {
	if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
	$r->log_reason("Cookie not valid", $r->filename);
	}
	}
	}
if ($access eq '1') {	if ($access eq '1') {
$env{'user.error.msg'}="$requrl:bre:0:0:Choose Course";	$env{'user.error.msg'}="$requrl:bre:0:0:Choose Course";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
Line 557 sub handler {	Line 641 sub handler {
&Apache::blockedaccess::setup_handler($r);	&Apache::blockedaccess::setup_handler($r);
return OK;	return OK;
}	}
	if ($access eq 'D') {
	&Apache::lonprotected::setup_handler($r);
	return OK;
	}
if (($access ne '2') && ($access ne 'F')) {	if (($access ne '2') && ($access ne 'F')) {
if ($requrl =~ m{^/res/}) {	if ($requrl =~ m{^/res/}) {
$access = &Apache::lonnet::allowed('bro',$requrl);	$access = &Apache::lonnet::allowed('bro',$requrl);
Line 572 sub handler {	Line 660 sub handler {
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
}	}
}	}
	} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {
	my $clientip = $r->get_remote_host();
	if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {
	$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
	return HTTP_NOT_ACCEPTABLE;
	}
} else {	} else {
$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";	$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
Line 616 sub handler {	Line 710 sub handler {
($requrl=~m\|\.problem/smpedit$\|) \|\|	($requrl=~m\|\.problem/smpedit$\|) \|\|
($requrl=~/^\/public\/.*\/syllabus$/) \|\|	($requrl=~/^\/public\/.*\/syllabus$/) \|\|
($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|	($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|
($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/)) {	($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/) \|\|
	($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
# ------------------------------------- This is serious stuff, get symb and log	# ------------------------------------- This is serious stuff, get symb and log
my $symb;	my $symb;
if ($query) {	if ($query) {
Line 624 sub handler {	Line 719 sub handler {
}	}
if ($env{'form.symb'}) {	if ($env{'form.symb'}) {
$symb=&Apache::lonnet::symbclean($env{'form.symb'});	$symb=&Apache::lonnet::symbclean($env{'form.symb'});
if ($requrl =~ m\|^/adm/wrapper/\|	if ($requrl eq '/adm/navmaps') {
	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
	&Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
	} elsif ($requrl =~ m\|^/adm/wrapper/\|
\|\| $requrl =~ m\|^/adm/coursedocs/showdoc/\|) {	\|\| $requrl =~ m\|^/adm/coursedocs/showdoc/\|) {
my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
	if ($map =~ /\.page$/) {
	my $mapsymb = &Apache::lonnet::symbread($map);
	($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
	}
&Apache::lonnet::symblist($map,$murl => [$murl,$mid],	&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
'last_known' =>[$murl,$mid]);	'last_known' =>[$murl,$mid]);
} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) \|\|	} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) \|\|
Line 635 sub handler {	Line 737 sub handler {
(($requrl=~m\|(.*/aboutme)/portfolio$\|) &&	(($requrl=~m\|(.*/aboutme)/portfolio$\|) &&
&Apache::lonnet::symbverify($symb,$1))) {	&Apache::lonnet::symbverify($symb,$1))) {
my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
	if (($map =~ /\.page$/) && ($requrl !~ /\.page$/)) {
	my $mapsymb = &Apache::lonnet::symbread($map);
	($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
	}
&Apache::lonnet::symblist($map,$murl => [$murl,$mid],	&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
'last_known' =>[$murl,$mid]);	'last_known' =>[$murl,$mid]);
} else {	} else {
Line 660 sub handler {	Line 766 sub handler {
if ($symb) {	if ($symb) {
my ($map,$mid,$murl)=	my ($map,$mid,$murl)=
&Apache::lonnet::decode_symb($symb);	&Apache::lonnet::decode_symb($symb);
&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],	if ($requrl eq '/adm/navmaps') {
'last_known' =>[$murl,$mid]);	&Apache::lonnet::symblist($map,$murl =>[$murl,$mid]);
	} else {
	if (($map =~ /\.page$/) && ($requrl !~ /\.page$/)) {
	my $mapsymb = &Apache::lonnet::symbread($map);
	($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
	}
	&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
	'last_known' =>[$murl,$mid]);
	}
}	}
}	}
}	}
Line 710 sub handler {	Line 824 sub handler {
}	}
# ------------------------------------ See if this is a viewable portfolio file	# ------------------------------------ See if this is a viewable portfolio file
if (&Apache::lonnet::is_portfolio_url($requrl)) {	if (&Apache::lonnet::is_portfolio_url($requrl)) {
my $access=&Apache::lonnet::allowed('bre',$requrl);	my $clientip = $r->get_remote_host();
	my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
if ($access eq 'A') {	if ($access eq 'A') {
&Apache::restrictedaccess::setup_handler($r);	&Apache::restrictedaccess::setup_handler($r);
return OK;	return OK;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.154
changed lines
	Added in v.1.178