--- loncom/auth/lonacc.pm 2006/08/08 17:20:15 1.92 +++ loncom/auth/lonacc.pm 2007/04/27 22:03:02 1.110 @@ -1,7 +1,7 @@ # The LearningOnline Network # Cookie Based Access Handler # -# $Id: lonacc.pm,v 1.92 2006/08/08 17:20:15 albertel Exp $ +# $Id: lonacc.pm,v 1.110 2007/04/27 22:03:02 banghart Exp $ # # Copyright Michigan State University Board of Trustees # @@ -36,6 +36,7 @@ use Apache::lonnet; use Apache::loncommon(); use Apache::lonlocal; use Apache::restrictedaccess(); +use Apache::blockedaccess(); use CGI::Cookie(); use Fcntl qw(:flock); use LONCAPA; @@ -44,6 +45,7 @@ sub cleanup { my ($r)=@_; if (! $r->is_initial_req()) { return DECLINED; } &Apache::lonnet::save_cache(); + &Apache::lontexconvert::jsMath_reset(); return OK; } @@ -137,9 +139,77 @@ sub get_posted_cgi { $r->headers_in->unset('Content-length'); } +# handle the case of the single sign on user, at this point $r->user +# will be set and valid now need to find the loncapa user info and possibly +# balance them +# returns OK if it was a SSO and user was handled +# undef if not SSO or no means to hanle the user +sub sso_login { + my ($r,$lonid,$handle) = @_; + + my $lonidsdir=$r->dir_config('lonIDsDir'); + if (!($r->user + && (!defined($env{'user.name'}) && !defined($env{'user.domain'})) + && (!$lonid || !-e "$lonidsdir/$handle.id" || $handle eq ''))) { + # not an SSO case or already logged in + return undef; + } + + my ($user) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/); + + my $domain = $r->dir_config('lonDefDomain'); + my $home=&Apache::lonnet::homeserver($user,$domain); + if ($home !~ /(con_lost|no_host|no_such_host)/) { + &Apache::lonnet::logthis(" SSO authorized user $user "); + if ($r->dir_config("lonBalancer") eq 'yes') { + # login but immeaditly go to switch server to find us a new + # machine + &Apache::lonauth::success($r,$user,$domain,$home,'noredirect'); + $env{'request.sso.login'} = 1; + if (defined($r->dir_config("lonSSOReloginServer"))) { + $env{'request.sso.reloginserver'} = + $r->dir_config('lonSSOReloginServer'); + } + $r->internal_redirect('/adm/switchserver'); + $r->set_handlers('PerlHandler'=> undef); + } else { + # need to login them in, so generate the need data that + # migrate expects to do login + my %info=('ip' => $r->connection->remote_ip(), + 'domain' => $domain, + 'username' => $user, + 'server' => $r->dir_config('lonHostID'), + 'sso.login' => 1 + ); + if (defined($r->dir_config("lonSSOReloginServer"))) { + $info{'sso.reloginserver'} = + $r->dir_config('lonSSOReloginServer'); + } + my $token = + &Apache::lonnet::tmpput(\%info, + $r->dir_config('lonHostID')); + $env{'form.token'} = $token; + $r->internal_redirect('/adm/migrateuser'); + $r->set_handlers('PerlHandler'=> undef); + } + return OK; + } elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) { + &Apache::lonnet::logthis(" SSO authorized unknown user $user "); + $r->subprocess_env->set('SSOUserUnknown' => $user); + $r->subprocess_env->set('SSOUserDomain' => $domain); + $r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect')); + $r->set_handlers('PerlHandler'=> undef); + return OK; + } + return undef; +} + sub handler { my $r = shift; my $requrl=$r->uri; + if (&Apache::lonnet::is_domainimage($requrl)) { + return OK; + } my %cookies=CGI::Cookie->parse($r->header_in('Cookie')); my $lonid=$cookies{'lonID'}; my $cookie; @@ -147,27 +217,15 @@ sub handler { my $handle; if ($lonid) { - $handle=$lonid->value; - $handle=~s/\W//g; - } - - my ($sso_login); - if ($r->user - && (!$lonid || !-e "$lonidsdir/$handle.id" || $handle eq '') ) { - $sso_login = 1; - my $domain = $r->dir_config('lonDefDomain'); - my $home=&Apache::lonnet::homeserver($r->user,$domain); - if ($home !~ /(con_lost|no_such_host)/) { - $handle=&Apache::lonauth::success($r,$r->user,$domain, - $home,'noredirect'); - $r->header_out('Set-cookie',"lonID=$handle; path=/"); - } + $handle=&LONCAPA::clean_handle($lonid->value); } - if ($sso_login) { - &Apache::lonnet::appenv('request.sso.login' => 1); + my $result = &sso_login($r,$lonid,$handle); + if (defined($result)) { + return $result } + if ($r->dir_config("lonBalancer") eq 'yes') { $r->set_handlers('PerlResponseHandler'=> [\&Apache::switchserver::handler]); @@ -204,7 +262,8 @@ sub handler { # ---------------------------------------------------------------- Check access my $now = time; - if ($requrl!~/^\/adm|public|prtspool\//) { + if ($requrl !~ m{^/(?:adm|public|prtspool)/} + || $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) { my $access=&Apache::lonnet::allowed('bre',$requrl); if ($access eq '1') { $env{'user.error.msg'}="$requrl:bre:0:0:Choose Course"; @@ -214,6 +273,10 @@ sub handler { &Apache::restrictedaccess::setup_handler($r); return OK; } + if ($access eq 'B') { + &Apache::blockedaccess::setup_handler($r); + return OK; + } if (($access ne '2') && ($access ne 'F')) { $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; return HTTP_NOT_ACCEPTABLE; @@ -224,6 +287,14 @@ sub handler { $env{'user.domain'}; if ($requrl !~ /^\Q$start\E/) { $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; + return HTTP_NOT_ACCEPTABLE; + } + } + if ($requrl =~ m|^/zipspool/|) { + my $start='/zipspool/zipout/'.$env{'user.name'}.":". + $env{'user.domain'}; + if ($requrl !~ /^\Q$start\E/) { + $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; return HTTP_NOT_ACCEPTABLE; } }