loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.159.2.8.2.11 and 1.159.2.21.2.1

version 1.159.2.8.2.11, 2021/02/10 11:37:49	version 1.159.2.21.2.1, 2021/12/30 04:47:38
Line 102 use Apache::loncommon();	Line 102 use Apache::loncommon();
use Apache::lonlocal;	use Apache::lonlocal;
use Apache::restrictedaccess();	use Apache::restrictedaccess();
use Apache::blockedaccess();	use Apache::blockedaccess();
	use Apache::lonprotected();
use Fcntl qw(:flock);	use Fcntl qw(:flock);
use LONCAPA qw(:DEFAULT :match);	use LONCAPA qw(:DEFAULT :match);

Line 159 sub get_posted_cgi {	Line 160 sub get_posted_cgi {
if (length($value) == 1) {	if (length($value) == 1) {
$value=~s/[\r\n]$//;	$value=~s/[\r\n]$//;
}	}
} elsif ($fname =~ /\.(xls\|doc\|ppt)(x\|m)$/i) {	}
	if ($fname =~ /\.(xls\|doc\|ppt)(x\|m)$/i) {
$value=~s/[\r\n]$//;	$value=~s/[\r\n]$//;
}	}
if (ref($fields) eq 'ARRAY') {	if (ref($fields) eq 'ARRAY') {
Line 296 sub sso_login {	Line 298 sub sso_login {
my $query = $r->args;	my $query = $r->args;
my %form;	my %form;
if ($query) {	if ($query) {
my @items = ('role','symb','iptoken');
	my @items = ('role','symb','iptoken','origurl','ttoken',
	'ltoken','linkkey','logtoken','sso');
&Apache::loncommon::get_unprocessed_cgi($query,\@items);	&Apache::loncommon::get_unprocessed_cgi($query,\@items);
foreach my $item (@items) {	foreach my $item (@items) {
if (defined($env{'form.'.$item})) {	if (defined($env{'form.'.$item})) {
Line 314 sub sso_login {	Line 318 sub sso_login {
}	}
}	}

	my ($linkprot,$linkkey);

	#
	# If Shibboleth auth is in use, and a dual SSO and non-SSO login page
	# is in use, then the query string will contain the logtoken item with
	# a value set to the name of a .tmp file in /home/httpd/perl/tmp
	# containing the url to display after authentication, and also,
	# optionally, role and symb, or linkprot or linkkey (deep-link access).
	#
	# If Shibboleth auth is in use, but a dual log-in page is not in use,
	# and the originally requested URL was /tiny/$domain/$id (i.e.,
	# for deeplinking), then the query string will contain the sso item
	# with a value set to the name of a .tmp file in /home/httpd/perl/tmp
	# containing the url to display after authentication, and also,
	# optionally, linkprot or linkkey (deep-link access).
	#
	# Otherwise the query string may contain role and symb, or if the
	# originally requested URL was /tiny/$domain/$id (i.e. for deeplinking)
	# then the query string may contain a ttoken item with a value set
	# to the name of a .tmp file in /home/httpd/perl/tmp containing either
	# linkprot or linkkey (deep-link access).
	#
	# If deep-linked, i.e., the originally requested URL was /tiny/$domain/$id
	# the linkkey may have originally been sent in POSTed data, which will
	# have been processed in lontrans.pm
	#

	if ($form{'ttoken'}) {
	my %info = &Apache::lonnet::tmpget($form{'ttoken'});
	&Apache::lonnet::tmpdel($form{'ttoken'});
	if ($info{'origurl'}) {
	$form{'origurl'} = $info{'origurl'};
	}
	if ($info{'linkprot'}) {
	$linkprot = $info{'linkprot'};
	} elsif ($info{'linkkey'} ne '') {
	$linkkey = $info{'linkkey'};
	}
	} elsif ($form{'logtoken'}) {
	my ($firsturl,@rest);
	my $lonhost = $r->dir_config('lonHostID');
	my $tmpinfo = &Apache::lonnet::reply('tmpget:'.$form{'logtoken'},$lonhost);
	my $delete = &Apache::lonnet::tmpdel($form{'logtoken'});
	unless (($tmpinfo=~/^error/) \|\| ($tmpinfo eq 'con_lost') \|\|
	($tmpinfo eq 'no_such_host')) {
	(undef,$firsturl,@rest) = split(/&/,$tmpinfo);
	if ($firsturl ne '') {
	$firsturl = &unescape($firsturl);
	}
	foreach my $item (@rest) {
	my ($key,$value) = split(/=/,$item);
	$form{$key} = &unescape($value);
	}
	if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) {
	$form{'origurl'} = $firsturl;
	}
	if ($form{'linkprot'}) {
	$linkprot = $form{'linkprot'};
	} elsif ($form{'linkkey'} ne '') {
	$linkkey = $form{'linkkey'};
	}
	if ($form{'iptoken'}) {
	%sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
	my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
	}
	}
	} elsif ($form{'sso'}) {
	my $lonhost = $r->dir_config('lonHostID');
	my $info = &Apache::lonnet::reply('tmpget:'.$form{'sso'},$lonhost);
	&Apache::lonnet::tmpdel($form{'sso'});
	unless (($info=~/^error/) \|\| ($info eq 'con_lost') \|\|
	($info eq 'no_such_host')) {
	my ($firsturl,@rest)=split(/\&/,$info);
	if ($firsturl ne '') {
	$form{'origurl'} = &unescape($firsturl);
	}
	foreach my $item (@rest) {
	my ($key,$value) = split(/=/,$item);
	$form{$key} = &unescape($value);
	}
	if ($form{'linkprot'}) {
	$linkprot = $form{'linkprot'};
	} elsif ($form{'linkkey'} ne '') {
	$linkkey = $form{'linkkey'};
	}
	}
	} elsif ($form{'ltoken'}) {
	my %link_info = &Apache::lonnet::tmpget($form{'ltoken'});
	$linkprot = $link_info{'linkprot'};
	my $delete = &Apache::lonnet::tmpdel($form{'ltoken'});
	delete($form{'ltoken'});
	} elsif ($form{'linkkey'} ne '') {
	$linkkey = $form{'linkkey'};
	}

my $domain = $r->dir_config('lonSSOUserDomain');	my $domain = $r->dir_config('lonSSOUserDomain');
if ($domain eq '') {	if ($domain eq '') {
$domain = $r->dir_config('lonDefDomain');	$domain = $r->dir_config('lonDefDomain');
Line 340 sub sso_login {	Line 439 sub sso_login {
my $lowest_load;	my $lowest_load;
($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);	($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($domain);
if ($lowest_load > 100) {	if ($lowest_load > 100) {
$otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$domain);	$otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$domain);
}	}
if ($otherserver ne '') {	if ($otherserver ne '') {
my @hosts = &Apache::lonnet::current_machine_ids();	my @hosts = &Apache::lonnet::current_machine_ids();
Line 358 sub sso_login {	Line 457 sub sso_login {
foreach my $item (keys(%form)) {	foreach my $item (keys(%form)) {
$env{'form.'.$item} = $form{$item};	$env{'form.'.$item} = $form{$item};
}	}
unless ($form{'symb'}) {	unless (($form{'symb'}) \|\| ($form{'origurl'})) {
unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {	unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {
$env{'form.origurl'} = $r->uri;	$env{'form.origurl'} = $r->uri;
}	}
}	}
	if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) {
	$env{'request.deeplink.login'} = $form{'origurl'};
	} elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) {
	$env{'request.deeplink.login'} = $r->uri;
	}
	if ($env{'request.deeplink.login'}) {
	if ($linkprot) {
	$env{'request.linkprot'} = $linkprot;
	} elsif ($linkkey ne '') {
	$env{'request.linkkey'} = $linkkey;
	}
	}
$env{'request.sso.login'} = 1;	$env{'request.sso.login'} = 1;
if (defined($r->dir_config("lonSSOReloginServer"))) {	if (defined($r->dir_config("lonSSOReloginServer"))) {
$env{'request.sso.reloginserver'} =	$env{'request.sso.reloginserver'} =
Line 384 sub sso_login {	Line 495 sub sso_login {
'server' => $r->dir_config('lonHostID'),	'server' => $r->dir_config('lonHostID'),
'sso.login' => 1	'sso.login' => 1
);	);
foreach my $item ('role','symb','iptoken') {	foreach my $item ('role','symb','iptoken','origurl') {
if (exists($form{$item})) {	if (exists($form{$item})) {
$info{$item} = $form{$item};	$info{$item} = $form{$item};
	} elsif ($sessiondata{$item} ne '') {
	$info{$item} = $sessiondata{$item};
}	}
}	}
unless ($info{'symb'}) {	unless (($info{'symb'}) \|\| ($info{'origurl'})) {
unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {	unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {
$info{'origurl'} = $r->uri;	$info{'origurl'} = $r->uri;
}	}
}	}
	if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) {
	$info{'deeplink.login'} = $form{'origurl'};
	} elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) {
	$info{'deeplink.login'} = $r->uri;
	}
	if ($info{'deeplink.login'}) {
	if ($linkprot) {
	$info{'linkprot'} = $linkprot;
	} elsif ($linkkey ne '') {
	$info{'linkkey'} = $linkkey;
	}
	}
if ($r->dir_config("ssodirecturl") == 1) {	if ($r->dir_config("ssodirecturl") == 1) {
$info{'origurl'} = $r->uri;	$info{'origurl'} = $r->uri;
}	}
Line 431 sub sso_login {	Line 556 sub sso_login {
$r->subprocess_env->set('SSOUserUnknown' => $user);	$r->subprocess_env->set('SSOUserUnknown' => $user);
$r->subprocess_env->set('SSOUserDomain' => $domain);	$r->subprocess_env->set('SSOUserDomain' => $domain);
if (grep(/^sso$/,@cancreate)) {	if (grep(/^sso$/,@cancreate)) {
	#FIXME - need to preserve origurl, role and symb, or linkprot or linkkey for use after account
	# creation
$r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]);	$r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]);
$r->handler('perl-script');	$r->handler('perl-script');
} else {	} else {
Line 470 sub handler {	Line 597 sub handler {
if ($handle eq '') {	if ($handle eq '') {
unless ((($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) \|\|	unless ((($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) \|\|
($requrl =~ m{^/public/$match_domain/$match_courseid/syllabus}) \|\|	($requrl =~ m{^/public/$match_domain/$match_courseid/syllabus}) \|\|
($requrl =~ m{^/adm/help/}) \|\|	($requrl =~ m{^/adm/help/}) \|\| ($requrl eq '/adm/sso') \|\|
($requrl =~ m{^/res/$match_domain/$match_username/})) {	($requrl =~ m{^/res/$match_domain/$match_username/})) {
$r->log_reason("Cookie not valid", $r->filename);	$r->log_reason("Cookie not valid", $r->filename);
}	}
Line 549 sub handler {	Line 676 sub handler {
my $hostname = $r->hostname();	my $hostname = $r->hostname();
my $lonhost = &Apache::lonnet::host_from_dns($hostname);	my $lonhost = &Apache::lonnet::host_from_dns($hostname);
if ($lonhost) {	if ($lonhost) {
my $actual = &Apache::lonnet::absolute_url($hostname);	my $actual = &Apache::lonnet::absolute_url($hostname,1,1);
my $exphostname = &Apache::lonnet::hostname($lonhost);
my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;	my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
unless ($actual eq $expected) {	unless ($actual eq $expected) {
$env{'request.use_absolute'} = $expected;	$env{'request.use_absolute'} = $expected;
Line 604 sub handler {	Line 730 sub handler {
return OK;	return OK;
}	}
}	}

# ---------------------------------------------------------------- Check access	# ---------------------------------------------------------------- Check access
my $now = time;	my $now = time;
my ($check_symb,$check_access,$check_block,$access,$poss_symb);	my ($check_symb,$check_access,$check_block,$access,$poss_symb);
Line 664 sub handler {	Line 789 sub handler {
if ((!$env{'request.role.adv'}) && ($env{'acc.randomout'}) &&	if ((!$env{'request.role.adv'}) && ($env{'acc.randomout'}) &&
($env{'acc.randomout'}=~/\&\Q$poss_symb\E\&/)) {	($env{'acc.randomout'}=~/\&\Q$poss_symb\E\&/)) {
undef($poss_symb);	undef($poss_symb);
	} elsif ((!$env{'request.role.adv'}) && ($env{'acc.deeplinkout'}) &&
	($env{'acc.deeplinkout'}=~/\&\Q$poss_symb\E\&/)) {
	undef($poss_symb);
}	}
}	}
}	}
Line 673 sub handler {	Line 801 sub handler {
$access=&Apache::lonnet::allowed('bre',$requrl,'','','','',1);	$access=&Apache::lonnet::allowed('bre',$requrl,'','','','',1);
}	}
} else {	} else {
$access=&Apache::lonnet::allowed('bre',$requrl);	my $nodeeplinkcheck;
	if (($check_access) && ($requrl =~ /\.(sequence\|page)$/)) {
	unless ($env{'form.navmap'}) {
	if ($r->args ne '') {
	&Apache::loncommon::get_unprocessed_cgi($r->args,['navmap']);
	unless ($env{'form.navmap'}) {
	$nodeeplinkcheck = 1;
	}
	}
	}
	}
	my $clientip = &Apache::lonnet::get_requestor_ip($r);
	$access=&Apache::lonnet::allowed('bre',$requrl,'','',$clientip,'','',$nodeeplinkcheck);
}	}
}	}
if ($check_block) {	if ($check_block) {
Line 686 sub handler {	Line 826 sub handler {
&Apache::blockedaccess::setup_handler($r);	&Apache::blockedaccess::setup_handler($r);
return OK;	return OK;
}	}
} elsif ($check_access) {	} elsif ($check_access) {
if ($handle eq '') {	if ($handle eq '') {
unless ($access eq 'F') {	unless ($access eq 'F') {
if ($requrl =~ m{^/res/$match_domain/$match_username/}) {	if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
Line 711 sub handler {	Line 851 sub handler {
&Apache::blockedaccess::setup_handler($r);	&Apache::blockedaccess::setup_handler($r);
return OK;	return OK;
}	}
	if ($access eq 'D') {
	&Apache::lonprotected::setup_handler($r);
	return OK;
	}
if (($access ne '2') && ($access ne 'F')) {	if (($access ne '2') && ($access ne 'F')) {
if ($requrl =~ m{^/res/}) {	if ($requrl =~ m{^/res/}) {
$access = &Apache::lonnet::allowed('bro',$requrl);	$access = &Apache::lonnet::allowed('bro',$requrl);

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.159.2.8.2.11
changed lines
	Added in v.1.159.2.21.2.1