--- loncom/auth/lonacc.pm	2013/12/13 01:41:08	1.148
+++ loncom/auth/lonacc.pm	2014/05/05 23:17:12	1.155
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.148 2013/12/13 01:41:08 raeburn Exp $
+# $Id: lonacc.pm,v 1.155 2014/05/05 23:17:12 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -160,6 +160,8 @@ sub get_posted_cgi {
                         if (length($value) == 1) {
                             $value=~s/[\r\n]$//;
                         }
+                    } elsif ($fname =~ /\.(xls|doc|ppt)x$/i) {
+                        $value=~s/[\r\n]$//;
                     }
                     if (ref($fields) eq 'ARRAY') {
                         next if (!grep(/^\Q$name\E$/,@{$fields}));
@@ -264,19 +266,24 @@ sub upload_size_allowed {
 =item sso_login()
 
 	handle the case of the single sign on user, at this point $r->user 
-	will be set and valia;d now need to find the loncapa user info, and possibly
-	balance them. If Apache >= 2.4, $r->user() will also have been set so 
-        $curruser is checked, and if null, this is an SSO case.
-	returns OK if it was a SSO and user was handled
-        undef if not SSO or no means to hanle the user
+	will be set and valid; now need to find the loncapa user info, and possibly
+	balance them. If $r->user() is set this means either it was either set by
+        SSO or by checkauthen.pm, if a valid cookie was found. The latter case can
+        be identified by the third arg ($usename), except when lonacc is called in 
+        an internal redirect to /adm/switchserver (e.g., load-balancing following
+        successful authentication) -- no cookie set yet.  For that particular case
+        simply skip the call to sso_login(). 
+
+	returns OK if it was SSO and user was handled.
+        returns undef if not SSO or no means to handle the user.
         
 =cut
 
 sub sso_login {
-    my ($r,$handle,$curruser) = @_;
+    my ($r,$handle,$username) = @_;
 
     my $lonidsdir=$r->dir_config('lonIDsDir');
-    if (($r->user eq '') || ($curruser ne '') ||
+    if (($r->user eq '') || ($username ne '') ||
         (defined($env{'user.name'}) && (defined($env{'user.domain'}))
 	  && ($handle ne ''))) {
 	# not an SSO case or already logged in
@@ -359,6 +366,11 @@ sub sso_login {
                     $info{$item} = $form{$item};
                 }
             }
+            unless ($info{'symb'}) {
+                unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/sso')) {
+                    $info{'origurl'} = $r->uri; 
+                }
+            }
             if ($r->dir_config("ssodirecturl") == 1) {
                 $info{'origurl'} = $r->uri;
             }
@@ -374,10 +386,8 @@ sub sso_login {
 	    $r->set_handlers('PerlHandler'=> undef);
 	}
 	return OK;
-    } elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) {
+    } else {
 	&Apache::lonnet::logthis(" SSO authorized unknown user $user ");
-        $r->subprocess_env->set('SSOUserUnknown' => $user);
-        $r->subprocess_env->set('SSOUserDomain' => $domain);
         my @cancreate;
         my %domconfig =
             &Apache::lonnet::get_dom('configuration',['usercreation'],$domain);
@@ -391,13 +401,18 @@ sub sso_login {
                 }
             }
         }
-        if (grep(/^sso$/,@cancreate)) {
-            $r->internal_redirect('/adm/createaccount');
-        } else {
-	    $r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
+        if ((grep(/^sso$/,@cancreate)) || (defined($r->dir_config('lonSSOUserUnknownRedirect')))) {
+            $r->subprocess_env->set('SSOUserUnknown' => $user);
+            $r->subprocess_env->set('SSOUserDomain' => $domain);
+            if (grep(/^sso$/,@cancreate)) {
+                $r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]);
+                $r->handler('perl-script');
+            } else {
+	        $r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
+                $r->set_handlers('PerlHandler'=> undef);
+            }
+	    return OK;
         }
-	$r->set_handlers('PerlHandler'=> undef);
-	return OK;
     }
     return undef;
 }
@@ -405,27 +420,30 @@ sub sso_login {
 sub handler {
     my $r = shift;
     my $requrl=$r->uri;
-    if (&Apache::lonnet::is_domainimage($requrl)) {
+
+    if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif|png)$}) {
         return OK;
     }
 
-    if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif|png)$}) {
+    if (&Apache::lonnet::is_domainimage($requrl)) {
         return OK;
     }
 
-    my $curruser;
-    my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\$curruser);
+    my %user;
+    my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);
 
-    my $result = &sso_login($r,$handle,$curruser);
-    if (defined($result)) {
-	return $result;
+    unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
+        my $result = &sso_login($r,$handle,$user{'name'});
+        if (defined($result)) {
+	    return $result;
+        }
     }
 
     my ($is_balancer,$otherserver);
 
     if ($handle eq '') {
         unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
-	    $r->log_reason("Cookie $handle not valid", $r->filename);
+	    $r->log_reason("Cookie not valid", $r->filename);
         }
     } elsif ($handle ne '') {
 
@@ -517,6 +535,10 @@ sub handler {
             if ($otherserver ne '') {
                 $env{'form.otherserver'} = $otherserver;
             }
+            unless (($env{'form.origurl'}) || ($r->uri eq '/adm/roles') ||
+                    ($r->uri eq '/adm/switchserver') || ($r->uri eq '/adm/sso')) {
+                $env{'form.origurl'} = $r->uri;
+            }
         }
 
 # ---------------------------------------------------------------- Check access