--- loncom/auth/lonacc.pm	2020/10/01 12:43:10	1.159.2.8.2.5
+++ loncom/auth/lonacc.pm	2020/10/06 19:36:07	1.159.2.8.2.6
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.159.2.8.2.5 2020/10/01 12:43:10 raeburn Exp $
+# $Id: lonacc.pm,v 1.159.2.8.2.6 2020/10/06 19:36:07 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -624,7 +624,8 @@ sub handler {
                     ($requrl=~m|\.problem/smpedit$|) ||
                     ($requrl=~/^\/public\/.*\/syllabus$/) ||
                     ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
-                    ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/)) {
+                    ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/) ||
+                    ($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) {
                     $check_symb = 1;
                 }
             }
@@ -798,19 +799,29 @@ sub handler {
                         unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
                             $invalidsymb = 1;
                             #
-                            # If $env{'request.enc'} is true, but no encryption for $symb retrieved
-                            # by original lonnet::symbread() call, call again to check for an instance
-                            # of $requrl in the course which has encryption, and set that as the symb.
-                            # If there is no such symb, or symbverify() fails for the new symb proceed
-                            # to report invalid symb.
+                            # If $env{'request.enc'} inconsistent with encryption expected for $symb
+                            # retrieved by lonnet::symbread(), call again to check for an instance of
+                            # $requrl in the course for which expected encryption matches request.enc.
+                            # If symb for different instance passes lonnet::symbverify(), use that as
+                            # the symb for $requrl and call &Apache::lonnet::allowed() for that symb.
+                            # Report invalid symb if there is no other symb. Redirect to /adm/ambiguous
+                            # if multiple possible symbs consistent with request.enc available for $requrl.
                             #
-                            if ($env{'request.enc'} && !$encstate) {
+                            if (($env{'request.enc'} && !$encstate) || (!$env{'request.enc'} && $encstate)) {
                                 my %possibles;
                                 my $nocache = 1;
+                                my $oldsymb = $symb;
                                 $symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
-                                if ($symb) {
+                                if (($symb) && ($symb ne $oldsymb)) {
                                     if (&Apache::lonnet::symbverify($symb,$requrl)) {
-                                        $invalidsymb = '';
+                                        my $access=&Apache::lonnet::allowed('bre',$requrl,$symb);
+                                        if ($access eq 'B') {
+                                            $env{'request.symb'} = $symb;
+                                            &Apache::blockedaccess::setup_handler($r);
+                                            return OK;
+                                        } elsif (($access eq '2') || ($access eq 'F')) {
+                                            $invalidsymb = '';
+                                        }
                                     }
                                 } elsif (keys(%possibles) > 1) {
                                     $r->internal_redirect('/adm/ambiguous');