loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.103 and 1.123

-version 1.103, 2006/12/11 14:06:04
+version 1.123, 2008/12/10 16:28:03
  Line 27
  #
  ###
+ =head1 NAME
+ Apache::lonacc - Cookie Based Access Handler
+ =head1 SYNOPSIS
+ Invoked (for various locations) by /etc/httpd/conf/srm.conf:
+  PerlAccessHandler       Apache::lonacc
+ =head1 INTRODUCTION
+ This module enables cookie based authentication and is used
+ to control access for many different LON-CAPA URIs.
+ Whenever the client sends the cookie back to the server,
+ this cookie is handled by either lonacc.pm or loncacc.pm
+ (see srm.conf for what is invoked when).  If
+ the cookie is missing or invalid, the user is re-challenged
+ for login information.
+ This is part of the LearningOnline Network with CAPA project
+ described at http://www.lon-capa.org.
+ =head1 HANDLER SUBROUTINE
+ This routine is called by Apache and mod_perl.
+ =over 4
+ =item *
+ transfer profile into environment
+ =item *
+ load POST parameters
+ =item *
+ check access
+ =item *
+ if allowed, get symb, log, generate course statistics if applicable
+ =item *
+ otherwise return error
+ =item *
+ see if public resource
+ =item *
+ store attempted access
+ =back
+ =head1 NOTABLE SUBROUTINES
+ =over
+ =cut
  package Apache::lonacc;
  use strict;
- Line 37  use Apache::loncommon();
+ Line 104  use Apache::loncommon();
  use Apache::lonlocal;
  use Apache::restrictedaccess();
  use Apache::blockedaccess();
- use CGI::Cookie();
  use Fcntl qw(:flock);
  use LONCAPA;
- Line 58  sub goodbye {
+ Line 124  sub goodbye {
  ###############################################
  sub get_posted_cgi {
-     my ($r) = @_;
+     my ($r,$fields) = @_;
      my $buffer;
      if ($r->header_in('Content-length')) {
  	$r->read($buffer,$r->header_in('Content-length'),0);
      }
-     unless ($buffer=~/^(\-+\w+)\s+Content\-Disposition\:\s*form\-data/si) {
+     my $content_type = $r->header_in('Content-type');
+     if ($content_type !~ m{^multipart/form-data}) {
  	my @pairs=split(/&/,$buffer);
  	my $pair;
  	foreach $pair (@pairs) {
- Line 73  sub get_posted_cgi {
+ Line 140  sub get_posted_cgi {
  	    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
  	    $name  =~ tr/+/ /;
  	    $name  =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
+             if (ref($fields) eq 'ARRAY') {
+                 next if (!grep(/^\Q$name\E$/,@{$fields}));
+             }
  	    &Apache::loncommon::add_to_env("form.$name",$value);
  	}
      } else {
- 	my $contentsep=$1;
+ 	my ($contentsep) = ($content_type =~ /boundary=\"?([^\";,]+)\"?/);
  	my @lines = split (/\n/,$buffer);
  	my $name='';
  	my $value='';
- Line 84  sub get_posted_cgi {
+ Line 154  sub get_posted_cgi {
  	my $fmime='';
  	my $i;
  	for ($i=0;$i<=$#lines;$i++) {
- 	    if ($lines[$i]=~/^$contentsep/) {
+ 	    if ($lines[$i]=~/^--\Q$contentsep\E/) {
  		if ($name) {
  		    chomp($value);
- 		    if ($fname) {
+                     if (ref($fields) eq 'ARRAY') {
- 			$env{"form.$name.filename"}=$fname;
+                         next if (!grep(/^\Q$name\E$/,@{$fields}));
- 			$env{"form.$name.mimetype"}=$fmime;
+                     }
- 		    } else {
+                     if ($fname) {
- 			$value=~s/\s+$//s;
+                         if ($env{'form.symb'} ne '') {
- 		    }
+                             my $size = (length($value))/(1024.0 * 1024.0);
- 		    &Apache::loncommon::add_to_env("form.$name",$value);
+                             if (&upload_size_allowed($name,$size,$fname) eq 'ok') {
+                                 $env{"form.$name.filename"}=$fname;
+                                 $env{"form.$name.mimetype"}=$fmime;
+                                 &Apache::loncommon::add_to_env("form.$name",$value);
+                             }
+                         } else {
+                             $env{"form.$name.filename"}=$fname;
+                             $env{"form.$name.mimetype"}=$fmime;
+                             &Apache::loncommon::add_to_env("form.$name",$value);
+                         }
+                     } else {
+                         $value=~s/\s+$//s;
+                         &Apache::loncommon::add_to_env("form.$name",$value);
+                     }
  		}
  		if ($i<$#lines) {
  		    $i++;
- Line 139  sub get_posted_cgi {
+ Line 222  sub get_posted_cgi {
      $r->headers_in->unset('Content-length');
  }
- # handle the case of the single sign on user, at this point $r->user
+ =pod
- # will be set and valid now need to find the loncapa user info and possibly
- # balance them
+ =item upload_size_allowed()
- # returns OK if it was a SSO and user was handled
- #         undef if not SSO or no means to hanle the user
+ 	Perform size checks for file uploads to essayresponse items in course context.
+ 	Add form.HWFILESIZE.$part_$id to %env with file size (MB)
+ 	If file exceeds maximum allowed size, add form.HWFILETOOBIG.$part_$id to %env.
+ =cut
+ sub upload_size_allowed {
+     my ($name,$size,$fname) = @_;
+     if ($name =~ /^HWFILE(\w+)$/) {
+         my $ident = $1;
+         my $item = 'HWFILESIZE'.$ident;
+         my $savesize = sprintf("%.6f",$size);
+         &Apache::loncommon::add_to_env("form.$item",$savesize);
+         my $maxsize= &Apache::lonnet::EXT("resource.$ident.maxfilesize");
+         if (!$maxsize) {
+             $maxsize = 10.0; # FIXME This should become a domain configuration.
+         }
+         if ($size > $maxsize) {
+             my $warn = 'HWFILETOOBIG'.$ident;
+             &Apache::loncommon::add_to_env("form.$warn",$fname);
+             return;
+         }
+     }
+     return 'ok';
+ }
+ =pod
+ =item sso_login()
+ 	handle the case of the single sign on user, at this point $r->user
+ 	will be set and valid now need to find the loncapa user info and possibly
+ 	balance them
+ 	returns OK if it was a SSO and user was handled
+         undef if not SSO or no means to hanle the user
+ =cut
  sub sso_login {
-     my ($r,$lonid,$handle) = @_;
+     my ($r,$handle) = @_;
      my $lonidsdir=$r->dir_config('lonIDsDir');
      if (!($r->user
  	  && (!defined($env{'user.name'}) && !defined($env{'user.domain'}))
- 	  && (!$lonid || !-e "$lonidsdir/$handle.id" || $handle eq ''))) {
+ 	  && ($handle eq ''))) {
  	# not an SSO case or already logged in
  	return undef;
      }
- Line 160  sub sso_login {
+ Line 281  sub sso_login {
      my $domain = $r->dir_config('lonDefDomain');
      my $home=&Apache::lonnet::homeserver($user,$domain);
      if ($home !~ /(con_lost|no_host|no_such_host)/) {
+ 	&Apache::lonnet::logthis(" SSO authorized user $user ");
  	if ($r->dir_config("lonBalancer") eq 'yes') {
  	    # login but immeaditly go to switch server to find us a new
  	    # machine
  	    &Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
+             $env{'request.sso.login'} = 1;
+             if (defined($r->dir_config("lonSSOReloginServer"))) {
+                 $env{'request.sso.reloginserver'} =
+                     $r->dir_config('lonSSOReloginServer');
+             }
  	    $r->internal_redirect('/adm/switchserver');
  	    $r->set_handlers('PerlHandler'=> undef);
  	} else {
- Line 175  sub sso_login {
+ Line 302  sub sso_login {
  		      'server'    => $r->dir_config('lonHostID'),
  		      'sso.login' => 1
  		      );
+             if ($r->dir_config("ssodirecturl") == 1) {
+                 $info{'origurl'} = $r->uri;
+             }
+             if (defined($r->dir_config("lonSSOReloginServer"))) {
+                 $info{'sso.reloginserver'} =
+                     $r->dir_config('lonSSOReloginServer');
+             }
  	    my $token =
  		&Apache::lonnet::tmpput(\%info,
  					$r->dir_config('lonHostID'));
- Line 184  sub sso_login {
+ Line 318  sub sso_login {
  	}
  	return OK;
      } elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) {
- 	$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
+ 	&Apache::lonnet::logthis(" SSO authorized unknown user $user ");
+         $r->subprocess_env->set('SSOUserUnknown' => $user);
+         $r->subprocess_env->set('SSOUserDomain' => $domain);
+         my @cancreate;
+         my %domconfig =
+             &Apache::lonnet::get_dom('configuration',['usercreation'],$domain);
+         if (ref($domconfig{'usercreation'}) eq 'HASH') {
+             if (ref($domconfig{'usercreation'}{'cancreate'}) eq 'HASH') {
+                 if (ref($domconfig{'usercreation'}{'cancreate'}{'selfcreate'}) eq 'ARRAY') {
+                     @cancreate = @{$domconfig{'usercreation'}{'cancreate'}{'selfcreate'}};
+                 } elsif (($domconfig{'usercreation'}{'cancreate'}{'selfcreate'} ne 'none') &&
+                          ($domconfig{'usercreation'}{'cancreate'}{'selfcreate'} ne '')) {
+                     @cancreate = ($domconfig{'usercreation'}{'cancreate'}{'selfcreate'});
+                 }
+             }
+         }
+         if (grep(/^sso$/,@cancreate)) {
+             $r->internal_redirect('/adm/createaccount');
+         } else {
+ 	    $r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
+         }
  	$r->set_handlers('PerlHandler'=> undef);
  	return OK;
      }
- Line 194  sub sso_login {
+ Line 348  sub sso_login {
  sub handler {
      my $r = shift;
      my $requrl=$r->uri;
-     my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
+     if (&Apache::lonnet::is_domainimage($requrl)) {
-     my $lonid=$cookies{'lonID'};
+         return OK;
-     my $cookie;
-     my $lonidsdir=$r->dir_config('lonIDsDir');
-     my $handle;
-     if ($lonid) {
- 	$handle=&LONCAPA::clean_handle($lonid->value);
      }
-     my $result = &sso_login($r,$lonid,$handle);
+     my $handle = &Apache::lonnet::check_for_valid_session($r);
+     my $result = &sso_login($r,$handle);
      if (defined($result)) {
- 	return $result
+ 	return $result;
      }
- Line 217  sub handler {
+ Line 367  sub handler {
      if ($handle eq '') {
  	$r->log_reason("Cookie $handle not valid", $r->filename);
-     } elsif ((-e "$lonidsdir/$handle.id") && ($handle ne '')) {
+     } elsif ($handle ne '') {
  # ------------------------------------------------------ Initialize Environment
+ 	my $lonidsdir=$r->dir_config('lonIDsDir');
  	&Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
  # --------------------------------------------------------- Initialize Language
- Line 274  sub handler {
+ Line 424  sub handler {
  		return HTTP_NOT_ACCEPTABLE;
  	    }
  	}
+ 	if ($requrl =~ m|^/zipspool/|) {
+ 	    my $start='/zipspool/zipout/'.$env{'user.name'}.":".
+ 		$env{'user.domain'};
+ 	    if ($requrl !~ /^\Q$start\E/) {
+ 		$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
+ 		return HTTP_NOT_ACCEPTABLE;
+ 	    }
+ 	}
  	if ($env{'user.name'} eq 'public' &&
  	    $env{'user.domain'} eq 'public' &&
  	    $requrl !~ m{^/+(res|public|uploaded)/} &&
- Line 379  sub handler {
+ Line 537  sub handler {
 ;
  __END__
- =head1 NAME
+ =pod
- Apache::lonacc - Cookie Based Access Handler
- =head1 SYNOPSIS
- Invoked (for various locations) by /etc/httpd/conf/srm.conf:
-  PerlAccessHandler       Apache::lonacc
- =head1 INTRODUCTION
- This module enables cookie based authentication and is used
- to control access for many different LON-CAPA URIs.
- Whenever the client sends the cookie back to the server,
- this cookie is handled by either lonacc.pm or loncacc.pm
- (see srm.conf for what is invoked when).  If
- the cookie is missing or invalid, the user is re-challenged
- for login information.
- This is part of the LearningOnline Network with CAPA project
- described at http://www.lon-capa.org.
- =head1 HANDLER SUBROUTINE
- This routine is called by Apache and mod_perl.
- =over 4
- =item *
- transfer profile into environment
- =item *
- load POST parameters
- =item *
- check access
- =item *
- if allowed, get symb, log, generate course statistics if applicable
- =item *
- otherwise return error
- =item *
- see if public resource
- =item *
- store attempted access
  =back
  =cut

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.103
changed lines
	Added in v.1.123