--- loncom/auth/lonacc.pm	2020/10/06 17:39:04	1.159.2.14
+++ loncom/auth/lonacc.pm	2020/09/30 19:25:16	1.180
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.159.2.14 2020/10/06 17:39:04 raeburn Exp $
+# $Id: lonacc.pm,v 1.180 2020/09/30 19:25:16 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -102,6 +102,7 @@ use Apache::loncommon();
 use Apache::lonlocal;
 use Apache::restrictedaccess();
 use Apache::blockedaccess();
+use Apache::lonprotected();
 use Fcntl qw(:flock);
 use LONCAPA qw(:DEFAULT :match);
 
@@ -202,6 +203,14 @@ sub get_posted_cgi {
 			$fname='';
 			$fmime='';
 		    }
+                    if ($i<$#lines && $lines[$i+1]=~/^Content\-Type\:\s*([\w\-\/]+)/i) {
+                        # TODO: something with $1 !
+                        $i++;
+                    }
+                    if ($i<$#lines && $lines[$i+1]=~/^Content\-transfer\-encoding\:\s*([\w\-\/]+)/i) {
+                        # TODO: something with $1 !
+                        $i++;
+                    }
 		    $i++;
 		}
 	    } else {
@@ -355,6 +364,14 @@ sub sso_login {
 	    # login but immediately go to switch server to find us a new 
 	    # machine
 	    &Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
+            foreach my $item (keys(%form)) {
+                $env{'form.'.$item} = $form{$item};
+            }
+            unless ($form{'symb'}) {
+                unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/sso')) {
+                    $env{'form.origurl'} = $r->uri;
+                }
+            }
             $env{'request.sso.login'} = 1;
             if (defined($r->dir_config("lonSSOReloginServer"))) {
                 $env{'request.sso.reloginserver'} =
@@ -369,7 +386,7 @@ sub sso_login {
 	} else {
 	    # need to login them in, so generate the need data that
 	    # migrate expects to do login
-            my $ip = $r->get_remote_host();
+	    my $ip = $r->get_remote_host();
 	    my %info=('ip'        => $ip,
 		      'domain'    => $domain,
 		      'username'  => $user,
@@ -520,7 +537,8 @@ sub handler {
             }
         } elsif ($env{'request.course.id'} &&
                  (($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) ||
-                  ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) {
+                  ($requrl eq "/public/$cdom/$cnum/syllabus") ||
+                  ($requrl =~ m{^/adm/$cdom/$cnum/\d+/ext\.tool$}))) {
             my $query = $r->args;
             if ($query) {
                 foreach my $pair (split(/&/,$query)) {
@@ -542,6 +560,7 @@ sub handler {
             my $lonhost = &Apache::lonnet::host_from_dns($hostname);
             if ($lonhost) {
                 my $actual = &Apache::lonnet::absolute_url($hostname);
+                my $exphostname = &Apache::lonnet::hostname($lonhost);
                 my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
                 unless ($actual eq $expected) {
                     $env{'request.use_absolute'} = $expected;
@@ -590,7 +609,15 @@ sub handler {
                 $env{'form.origurl'} = $r->uri;
             }
         }
-
+        if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) {
+            if ($env{'user.name'} eq 'public' &&
+                $env{'user.domain'} eq 'public') {
+                $env{'request.firsturl'}=$requrl;
+                return FORBIDDEN;
+            } else {
+                return OK;
+            }
+        }
 # ---------------------------------------------------------------- Check access
 	my $now = time;
         my $check_symb;
@@ -617,9 +644,6 @@ sub handler {
                     my $query = $r->args;
                     foreach my $pair (split(/&/,$query)) {
                         my ($name, $value) = split(/=/,$pair);
-                        $name = &unescape($name);
-                        $value =~ tr/+/ /;
-                        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
                         if ($name eq 'symb') {
                             $poss_symb = &Apache::lonnet::symbclean($value);
                             last;
@@ -674,6 +698,10 @@ sub handler {
                 &Apache::blockedaccess::setup_handler($r);
                 return OK;
             }
+            if ($access eq 'D') {
+                &Apache::lonprotected::setup_handler($r);
+                return OK;
+            }
 	    if (($access ne '2') && ($access ne 'F')) {
                 if ($requrl =~ m{^/res/}) {
                     $access = &Apache::lonnet::allowed('bro',$requrl);
@@ -739,15 +767,15 @@ sub handler {
 		}
 		if ($env{'form.symb'}) {
 		    $symb=&Apache::lonnet::symbclean($env{'form.symb'});
-                    if ($requrl eq '/adm/navmaps') {
+		    if ($requrl eq '/adm/navmaps') {
                         my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
                         &Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
-                    } elsif ($requrl =~ m|^/adm/wrapper/|
+		    } elsif ($requrl =~ m|^/adm/wrapper/|
 			|| $requrl =~ m|^/adm/coursedocs/showdoc/|) {
 			my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
                         if ($map =~ /\.page$/) {
                             my $mapsymb = &Apache::lonnet::symbread($map);
-                            ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
+                            ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb); 
                         }
 			&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
 						  'last_known' =>[$murl,$mid]);
@@ -780,29 +808,19 @@ sub handler {
                         unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
                             $invalidsymb = 1;
                             #
-                            # If $env{'request.enc'} inconsistent with encryption expected for $symb
-                            # retrieved by lonnet::symbread(), call again to check for an instance of
-                            # $requrl in the course for which expected encryption matches request.enc.
-                            # If symb for different instance passes lonnet::symbverify(), use that as
-                            # the symb for $requrl and call &Apache::lonnet::allowed() for that symb.
-                            # Report invalid symb if there is no other symb. Redirect to /adm/ambiguous
-                            # if multiple possible symbs consistent with request.enc available for $requrl.
+                            # If $env{'request.enc'} is true, but no encryption for $symb retrieved
+                            # by original lonnet::symbread() call, call again to check for an instance
+                            # of $requrl in the course which has encryption, and set that as the symb.
+                            # If there is no such symb, or symbverify() fails for the new symb proceed
+                            # to report invalid symb.
                             #
-                            if (($env{'request.enc'} && !$encstate) || (!$env{'request.enc'} && $encstate)) {
+                            if ($env{'request.enc'} && !$encstate) {
                                 my %possibles;
                                 my $nocache = 1;
-                                my $oldsymb = $symb;
                                 $symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
-                                if (($symb) && ($symb ne $oldsymb)) {
+                                if ($symb) {
                                     if (&Apache::lonnet::symbverify($symb,$requrl)) {
-                                        my $access=&Apache::lonnet::allowed('bre',$requrl,$symb);
-                                        if ($access eq 'B') {
-                                            $env{'request.symb'} = $symb;
-                                            &Apache::blockedaccess::setup_handler($r);
-                                            return OK;
-                                        } elsif (($access eq '2') || ($access eq 'F')) {
-                                            $invalidsymb = '';
-                                        }
+                                        $invalidsymb = '';
                                     }
                                 } elsif (keys(%possibles) > 1) {
                                     $r->internal_redirect('/adm/ambiguous');
@@ -827,8 +845,8 @@ sub handler {
                                 my $mapsymb = &Apache::lonnet::symbread($map);
                                 ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
                             }
-                            &Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
-                                                      'last_known' =>[$murl,$mid]);
+			    &Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
+						      'last_known' =>[$murl,$mid]);
                         }
 		    }
 		}
@@ -881,7 +899,7 @@ sub handler {
 # ------------------------------------ See if this is a viewable portfolio file
     if (&Apache::lonnet::is_portfolio_url($requrl)) {
         my $clientip = $r->get_remote_host();
-	my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
+        my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
 	if ($access eq 'A') {
 	    &Apache::restrictedaccess::setup_handler($r);
 	    return OK;