loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.132 and 1.158

version 1.132, 2010/03/17 00:06:14	version 1.158, 2014/10/04 02:59:32
Line 89 store attempted access	Line 89 store attempted access

=head1 NOTABLE SUBROUTINES	=head1 NOTABLE SUBROUTINES

=over

=cut	=cut


Line 103 use Apache::lonnet;	Line 101 use Apache::lonnet;
use Apache::loncommon();	use Apache::loncommon();
use Apache::lonlocal;	use Apache::lonlocal;
use Apache::restrictedaccess();	use Apache::restrictedaccess();
use Apache::blockedaccess();	use Apache::blockedaccess();
use Fcntl qw(:flock);	use Fcntl qw(:flock);
use LONCAPA;	use LONCAPA qw(:DEFAULT :match);

sub cleanup {	sub cleanup {
my ($r)=@_;	my ($r)=@_;
Line 156 sub get_posted_cgi {	Line 154 sub get_posted_cgi {
for ($i=0;$i<=$#lines;$i++) {	for ($i=0;$i<=$#lines;$i++) {
if ($lines[$i]=~/^--\Q$contentsep\E/) {	if ($lines[$i]=~/^--\Q$contentsep\E/) {
if ($name) {	if ($name) {
chomp($value);	chomp($value);
	if (($r->uri eq '/adm/portfolio') &&
	($name eq 'uploaddoc')) {
	if (length($value) == 1) {
	$value=~s/[\r\n]$//;
	}
	} elsif ($fname =~ /\.(xls\|doc\|ppt)x$/i) {
	$value=~s/[\r\n]$//;
	}
if (ref($fields) eq 'ARRAY') {	if (ref($fields) eq 'ARRAY') {
next if (!grep(/^\Q$name\E$/,@{$fields}));	next if (!grep(/^\Q$name\E$/,@{$fields}));
}	}
Line 224 sub get_posted_cgi {	Line 230 sub get_posted_cgi {

=pod	=pod

	=over

=item upload_size_allowed()	=item upload_size_allowed()

Perform size checks for file uploads to essayresponse items in course context.	Perform size checks for file uploads to essayresponse items in course context.
Line 258 sub upload_size_allowed {	Line 266 sub upload_size_allowed {
=item sso_login()	=item sso_login()

handle the case of the single sign on user, at this point $r->user	handle the case of the single sign on user, at this point $r->user
will be set and valid now need to find the loncapa user info and possibly	will be set and valid; now need to find the loncapa user info, and possibly
balance them	balance them. If $r->user() is set this means either it was either set by
returns OK if it was a SSO and user was handled	SSO or by checkauthen.pm, if a valid cookie was found. The latter case can
undef if not SSO or no means to hanle the user	be identified by the third arg ($usename), except when lonacc is called in
	an internal redirect to /adm/switchserver (e.g., load-balancing following
	successful authentication) -- no cookie set yet. For that particular case
	simply skip the call to sso_login().

	returns OK if it was SSO and user was handled.
	returns undef if not SSO or no means to handle the user.

=cut	=cut

sub sso_login {	sub sso_login {
my ($r,$handle) = @_;	my ($r,$handle,$username) = @_;

my $lonidsdir=$r->dir_config('lonIDsDir');	my $lonidsdir=$r->dir_config('lonIDsDir');
if (!($r->user	if (($r->user eq '') \|\| ($username ne '') \|\| ($r->user eq 'public:public') \|\|
&& (!defined($env{'user.name'}) && !defined($env{'user.domain'}))	(defined($env{'user.name'}) && (defined($env{'user.domain'}))
&& ($handle eq ''))) {	&& ($handle ne ''))) {
# not an SSO case or already logged in	# not an SSO case or already logged in
return undef;	return undef;
}	}
Line 281 sub sso_login {	Line 295 sub sso_login {
my $query = $r->args;	my $query = $r->args;
my %form;	my %form;
if ($query) {	if ($query) {
my @items = ('role','symb');	my @items = ('role','symb','iptoken');
&Apache::loncommon::get_unprocessed_cgi($query,\@items);	&Apache::loncommon::get_unprocessed_cgi($query,\@items);
foreach my $item (@items) {	foreach my $item (@items) {
if (defined($env{'form.'.$item})) {	if (defined($env{'form.'.$item})) {
Line 290 sub sso_login {	Line 304 sub sso_login {
}	}
}	}

my $domain = $r->dir_config('lonDefDomain');	my %sessiondata;
	if ($form{'iptoken'}) {
	%sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
	my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
	unless ($sessiondata{'sessionserver'}) {
	delete($form{'iptoken'});
	}
	}

	my $domain = $r->dir_config('lonSSOUserDomain');
	if ($domain eq '') {
	$domain = $r->dir_config('lonDefDomain');
	}
my $home=&Apache::lonnet::homeserver($user,$domain);	my $home=&Apache::lonnet::homeserver($user,$domain);
if ($home !~ /(con_lost\|no_host\|no_such_host)/) {	if ($home !~ /(con_lost\|no_host\|no_such_host)/) {
&Apache::lonnet::logthis(" SSO authorized user $user ");	&Apache::lonnet::logthis(" SSO authorized user $user ");
if ($r->dir_config("lonBalancer") eq 'yes') {	my ($is_balancer,$otherserver,$hosthere);
# login but immeaditly go to switch server to find us a new	if ($form{'iptoken'}) {
	if (($sessiondata{'domain'} eq $domain) &&
	($sessiondata{'username'} eq $user)) {
	$hosthere = 1;
	}
	}
	unless ($hosthere) {
	($is_balancer,$otherserver) =
	&Apache::lonnet::check_loadbalancing($user,$domain);
	}

	if ($is_balancer) {
	# login but immediately go to switch server to find us a new
# machine	# machine
&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');	&Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
$env{'request.sso.login'} = 1;	$env{'request.sso.login'} = 1;
Line 303 sub sso_login {	Line 341 sub sso_login {
$env{'request.sso.reloginserver'} =	$env{'request.sso.reloginserver'} =
$r->dir_config('lonSSOReloginServer');	$r->dir_config('lonSSOReloginServer');
}	}
$r->internal_redirect('/adm/switchserver');	my $redirecturl = '/adm/switchserver';
	if ($otherserver ne '') {
	$redirecturl .= '?otherserver='.$otherserver;
	}
	$r->internal_redirect($redirecturl);
$r->set_handlers('PerlHandler'=> undef);	$r->set_handlers('PerlHandler'=> undef);
} else {	} else {
# need to login them in, so generate the need data that	# need to login them in, so generate the need data that
# migrate expects to do login	# migrate expects to do login
my %info=('ip' => $r->connection->remote_ip(),	my $ip;
	my $c = $r->connection;
	eval {
	$ip = $c->remote_ip();
	};
	if ($@) {
	$ip = $c->client_ip();
	}
	my %info=('ip' => $ip,
'domain' => $domain,	'domain' => $domain,
'username' => $user,	'username' => $user,
'server' => $r->dir_config('lonHostID'),	'server' => $r->dir_config('lonHostID'),
'sso.login' => 1	'sso.login' => 1
);	);
foreach my $item ('role','symb') {	foreach my $item ('role','symb','iptoken') {
if (exists($form{$item})) {	if (exists($form{$item})) {
$info{$item} = $form{$item};	$info{$item} = $form{$item};
}	}
}	}
	unless ($info{'symb'}) {
	unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {
	$info{'origurl'} = $r->uri;
	}
	}
if ($r->dir_config("ssodirecturl") == 1) {	if ($r->dir_config("ssodirecturl") == 1) {
$info{'origurl'} = $r->uri;	$info{'origurl'} = $r->uri;
}	}
Line 334 sub sso_login {	Line 389 sub sso_login {
$r->set_handlers('PerlHandler'=> undef);	$r->set_handlers('PerlHandler'=> undef);
}	}
return OK;	return OK;
} elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) {	} else {
&Apache::lonnet::logthis(" SSO authorized unknown user $user ");	&Apache::lonnet::logthis(" SSO authorized unknown user $user ");
$r->subprocess_env->set('SSOUserUnknown' => $user);
$r->subprocess_env->set('SSOUserDomain' => $domain);
my @cancreate;	my @cancreate;
my %domconfig =	my %domconfig =
&Apache::lonnet::get_dom('configuration',['usercreation'],$domain);	&Apache::lonnet::get_dom('configuration',['usercreation'],$domain);
Line 351 sub sso_login {	Line 404 sub sso_login {
}	}
}	}
}	}
if (grep(/^sso$/,@cancreate)) {	if ((grep(/^sso$/,@cancreate)) \|\| (defined($r->dir_config('lonSSOUserUnknownRedirect')))) {
$r->internal_redirect('/adm/createaccount');	$r->subprocess_env->set('SSOUserUnknown' => $user);
} else {	$r->subprocess_env->set('SSOUserDomain' => $domain);
$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));	if (grep(/^sso$/,@cancreate)) {
	$r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]);
	$r->handler('perl-script');
	} else {
	$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
	$r->set_handlers('PerlHandler'=> undef);
	}
	return OK;
}	}
$r->set_handlers('PerlHandler'=> undef);
return OK;
}	}
return undef;	return undef;
}	}
Line 365 sub sso_login {	Line 423 sub sso_login {
sub handler {	sub handler {
my $r = shift;	my $r = shift;
my $requrl=$r->uri;	my $requrl=$r->uri;
if (&Apache::lonnet::is_domainimage($requrl)) {
	if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif\|png)$}) {
return OK;	return OK;
}	}

if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif\|png)$}) {	if (&Apache::lonnet::is_domainimage($requrl)) {
return OK;	return OK;
}	}

my $handle = &Apache::lonnet::check_for_valid_session($r);	my %user;
	my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);

my $result = &sso_login($r,$handle);	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
if (defined($result)) {	my $result = &sso_login($r,$handle,$user{'name'});
return $result;	if (defined($result)) {
	return $result;
	}
}	}

	my ($is_balancer,$otherserver);

if ($r->dir_config("lonBalancer") eq 'yes') {
$r->set_handlers('PerlResponseHandler'=>
[\&Apache::switchserver::handler]);
}

if ($handle eq '') {	if ($handle eq '') {
$r->log_reason("Cookie $handle not valid", $r->filename);	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
	$r->log_reason("Cookie not valid", $r->filename);
	}
} elsif ($handle ne '') {	} elsif ($handle ne '') {

# ------------------------------------------------------ Initialize Environment	# ------------------------------------------------------ Initialize Environment
Line 404 sub handler {	Line 464 sub handler {
if ($env{'user.name'} ne '' && $env{'user.domain'} ne '') {	if ($env{'user.name'} ne '' && $env{'user.domain'} ne '') {
# -------------------------------------------------------------- Resource State	# -------------------------------------------------------------- Resource State

	my ($cdom,$cnum);
	if ($env{'request.course.id'}) {
	$cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
	$cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
	}
if ($requrl=~/^\/+(res\|uploaded)\//) {	if ($requrl=~/^\/+(res\|uploaded)\//) {
$env{'request.state'} = "published";	$env{'request.state'} = "published";
} else {	} else {
Line 411 sub handler {	Line 476 sub handler {
}	}
$env{'request.filename'} = $r->filename;	$env{'request.filename'} = $r->filename;
$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);	$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);
	my ($suppext,$checkabsolute);
if ($requrl =~ m{^/adm/wrapper/ext/}) {	if ($requrl =~ m{^/adm/wrapper/ext/}) {
my $query = $r->args;	my $query = $r->args;
if ($query) {	if ($query) {
Line 420 sub handler {	Line 486 sub handler {
unless ($name eq 'symb') {	unless ($name eq 'symb') {
$preserved .= $pair.'&';	$preserved .= $pair.'&';
}	}
	if (($env{'request.course.id'}) && ($name eq 'folderpath')) {
	if ($value =~ /^supplemental/) {
	$suppext = 1;
	}
	}
}	}
$preserved =~ s/\&$//;	$preserved =~ s/\&$//;
if ($preserved) {	if ($preserved) {
$env{'request.external.querystring'} = $preserved;	$env{'request.external.querystring'} = $preserved;
}	}
}	}
	if ($env{'request.course.id'}) {
	$checkabsolute = 1;
	}
	} elsif ($env{'request.course.id'} &&
	(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|
	($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) {
	my $query = $r->args;
	if ($query) {
	foreach my $pair (split(/&/,$query)) {
	my ($name, $value) = split(/=/,$pair);
	if ($name eq 'folderpath') {
	if ($value =~ /^supplemental/) {
	$suppext = 1;
	}
	}
	}
	}
	if ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}) {
	$checkabsolute = 1;
	}
	}
	if ($checkabsolute) {
	my $hostname = $r->hostname();
	my $lonhost = &Apache::lonnet::host_from_dns($hostname);
	if ($lonhost) {
	my $actual = &Apache::lonnet::absolute_url($hostname);
	my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
	unless ($actual eq $expected) {
	$env{'request.use_absolute'} = $expected;
	}
	}
}	}
# -------------------------------------------------------- Load POST parameters	# -------------------------------------------------------- Load POST parameters

&Apache::lonacc::get_posted_cgi($r);	&Apache::lonacc::get_posted_cgi($r);

	# ------------------------------------------------------ Check if load balancer

	my $checkexempt;
	if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) {
	if ($env{'user.loadbalcheck.time'} + 600 > time) {
	$checkexempt = 1;
	}
	}
	if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {
	$checkexempt = 1;
	}
	unless ($checkexempt) {
	($is_balancer,$otherserver) =
	&Apache::lonnet::check_loadbalancing($env{'user.name'},
	$env{'user.domain'});
	}
	if ($is_balancer) {
	$r->set_handlers('PerlResponseHandler'=>
	[\&Apache::switchserver::handler]);
	if ($otherserver ne '') {
	$env{'form.otherserver'} = $otherserver;
	}
	unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|
	($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {
	$env{'form.origurl'} = $r->uri;
	}
	}

# ---------------------------------------------------------------- Check access	# ---------------------------------------------------------------- Check access
my $now = time;	my $now = time;
if ($requrl !~ m{^/(?:adm\|public\|prtspool)/}	if ($requrl !~ m{^/(?:adm\|public\|prtspool)/}
Line 501 sub handler {	Line 631 sub handler {
$requrl=~/\.(\w+)$/;	$requrl=~/\.(\w+)$/;
my $query=$r->args;	my $query=$r->args;
if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') \|\|	if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') \|\|
($requrl=~/^\/adm\/.*\/(aboutme\|navmaps\|smppg\|bulletinboard)(\?\|$ )/x) \|\|	($requrl=~/^\/adm\/.*\/(aboutme\|smppg\|bulletinboard)(\?\|$ )/x) \|\|
($requrl=~/^\/adm\/wrapper\//) \|\|	($requrl=~/^\/adm\/wrapper\//) \|\|
($requrl=~m\|^/adm/coursedocs/showdoc/\|) \|\|	($requrl=~m\|^/adm/coursedocs/showdoc/\|) \|\|
($requrl=~m\|\.problem/smpedit$\|) \|\|	($requrl=~m\|\.problem/smpedit$\|) \|\|
($requrl=~/^\/public\/.*\/syllabus$/)) {	($requrl=~/^\/public\/.*\/syllabus$/) \|\|
	($requrl=~/^\/adm\/(viewclasslist\|navmaps)$/) \|\|
	($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?\|$)/)) {
# ------------------------------------- This is serious stuff, get symb and log	# ------------------------------------- This is serious stuff, get symb and log
my $symb;	my $symb;
if ($query) {	if ($query) {
&Apache::loncommon::get_unprocessed_cgi($query,['symb']);	&Apache::loncommon::get_unprocessed_cgi($query,['symb','folderpath']);
}	}
if ($env{'form.symb'}) {	if ($env{'form.symb'}) {
$symb=&Apache::lonnet::symbclean($env{'form.symb'});	$symb=&Apache::lonnet::symbclean($env{'form.symb'});
Line 520 sub handler {	Line 652 sub handler {
'last_known' =>[$murl,$mid]);	'last_known' =>[$murl,$mid]);
} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) \|\|	} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) \|\|
(($requrl=~m\|(.*)/smpedit$\|) &&	(($requrl=~m\|(.*)/smpedit$\|) &&
&Apache::lonnet::symbverify($symb,$1))) {	&Apache::lonnet::symbverify($symb,$1)) \|\|
	(($requrl=~m\|(.*/aboutme)/portfolio$\|) &&
	&Apache::lonnet::symbverify($symb,$1))) {
my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);	my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
&Apache::lonnet::symblist($map,$murl => [$murl,$mid],	&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
'last_known' =>[$murl,$mid]);	'last_known' =>[$murl,$mid]);
Line 532 sub handler {	Line 666 sub handler {
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
}	}
} else {	} else {
$symb=&Apache::lonnet::symbread($requrl);	if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
if (&Apache::lonnet::is_on_map($requrl) && $symb &&	$requrl = $1;
!&Apache::lonnet::symbverify($symb,$requrl)) {	}
$r->log_reason('Invalid symb for '.$requrl.': '.$symb);	unless ($suppext) {
$env{'user.error.msg'}=	$symb=&Apache::lonnet::symbread($requrl);
"$requrl:bre:1:1:Invalid Access";	if (&Apache::lonnet::is_on_map($requrl) && $symb &&
return HTTP_NOT_ACCEPTABLE;	!&Apache::lonnet::symbverify($symb,$requrl)) {
}	$r->log_reason('Invalid symb for '.$requrl.': '.$symb);
if ($symb) {	$env{'user.error.msg'}=
my ($map,$mid,$murl)=	"$requrl:bre:1:1:Invalid Access";
&Apache::lonnet::decode_symb($symb);	return HTTP_NOT_ACCEPTABLE;
&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],	}
'last_known' =>[$murl,$mid]);	if ($symb) {
	my ($map,$mid,$murl)=
	&Apache::lonnet::decode_symb($symb);
	&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
	'last_known' =>[$murl,$mid]);
	}
}	}
}	}
$env{'request.symb'}=$symb;	$env{'request.symb'}=$symb;
Line 553 sub handler {	Line 692 sub handler {
# ------------------------------------------------------- This is other content	# ------------------------------------------------------- This is other content
&Apache::lonnet::courseacclog($requrl);	&Apache::lonnet::courseacclog($requrl);
}	}
my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};;	if ($requrl =~ m{^/+uploaded/\Q$cdom\E/\Q$cnum\E/(docs\|supplemental)/.+\.html?$}) {
my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};;
if ($requrl =~ m{^/+uploaded/\Q$cdom\E/\Q$cnum\E/docs/.+\.html?$}) {
if (&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) {	if (&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) {
if ($query) {	if ($query) {
&Apache::loncommon::get_unprocessed_cgi($query,['forceedit']);	&Apache::loncommon::get_unprocessed_cgi($query,['forceedit']);
Line 564 sub handler {	Line 701 sub handler {
}	}
}	}
}	}
	} elsif ($requrl =~ m{^/+uploaded/\Q$cdom\E/\Q$cnum\E/portfolio/syllabus/.+\.html?$}) {
	if (&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) {
	if ($query) {
	&Apache::loncommon::get_unprocessed_cgi($query,['forceedit','editmode']);
	if (($env{'form.forceedit'}) \|\| ($env{'form.editmode'})) {
	$env{'request.state'} = 'edit';
	}
	}
	}
}	}
}	}
return OK;	return OK;
	} else {
	my $defdom=$r->dir_config('lonDefDomain');
	($is_balancer,$otherserver) =
	&Apache::lonnet::check_loadbalancing(undef,$defdom);
	if ($is_balancer) {
	$r->set_handlers('PerlResponseHandler'=>
	[\&Apache::switchserver::handler]);
	if ($otherserver ne '') {
	$env{'form.otherserver'} = $otherserver;
	}
	}
}	}
# -------------------------------------------- See if this is a public resource	# -------------------------------------------- See if this is a public resource
if ($requrl=~m\|^/+adm/+help/+\|) {	if ($requrl=~m\|^/+adm/+help/+\|) {

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.132
changed lines
	Added in v.1.158