loncom/auth/lonacc.pm - diff

Return to lonacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonacc.pm between versions 1.148 and 1.161

version 1.148, 2013/12/13 01:41:08	version 1.161, 2015/01/23 15:44:20
Line 160 sub get_posted_cgi {	Line 160 sub get_posted_cgi {
if (length($value) == 1) {	if (length($value) == 1) {
$value=~s/[\r\n]$//;	$value=~s/[\r\n]$//;
}	}
	} elsif ($fname =~ /\.(xls\|doc\|ppt)x$/i) {
	$value=~s/[\r\n]$//;
}	}
if (ref($fields) eq 'ARRAY') {	if (ref($fields) eq 'ARRAY') {
next if (!grep(/^\Q$name\E$/,@{$fields}));	next if (!grep(/^\Q$name\E$/,@{$fields}));
Line 264 sub upload_size_allowed {	Line 266 sub upload_size_allowed {
=item sso_login()	=item sso_login()

handle the case of the single sign on user, at this point $r->user	handle the case of the single sign on user, at this point $r->user
will be set and valia;d now need to find the loncapa user info, and possibly	will be set and valid; now need to find the loncapa user info, and possibly
balance them. If Apache >= 2.4, $r->user() will also have been set so	balance them. If $r->user() is set this means either it was either set by
$curruser is checked, and if null, this is an SSO case.	SSO or by checkauthen.pm, if a valid cookie was found. The latter case can
returns OK if it was a SSO and user was handled	be identified by the third arg ($usename), except when lonacc is called in
undef if not SSO or no means to hanle the user	an internal redirect to /adm/switchserver (e.g., load-balancing following
	successful authentication) -- no cookie set yet. For that particular case
	simply skip the call to sso_login().

	returns OK if it was SSO and user was handled.
	returns undef if not SSO or no means to handle the user.

=cut	=cut

sub sso_login {	sub sso_login {
my ($r,$handle,$curruser) = @_;	my ($r,$handle,$username) = @_;

my $lonidsdir=$r->dir_config('lonIDsDir');	my $lonidsdir=$r->dir_config('lonIDsDir');
if (($r->user eq '') \|\| ($curruser ne '') \|\|	if (($r->user eq '') \|\| ($username ne '') \|\| ($r->user eq 'public:public') \|\|
(defined($env{'user.name'}) && (defined($env{'user.domain'}))	(defined($env{'user.name'}) && (defined($env{'user.domain'}))
&& ($handle ne ''))) {	&& ($handle ne ''))) {
# not an SSO case or already logged in	# not an SSO case or already logged in
return undef;	return undef;
}	}

my ($user) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);	my ($user) = ($r->user =~ m/^($match_username)$/);
	if ($user eq '') {
	return undef;
	}

my $query = $r->args;	my $query = $r->args;
my %form;	my %form;
Line 300 sub sso_login {	Line 310 sub sso_login {
my %sessiondata;	my %sessiondata;
if ($form{'iptoken'}) {	if ($form{'iptoken'}) {
%sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});	%sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
my $delete = &Apache::lonnet::tmpdel($form{'token'});	my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
	unless ($sessiondata{'sessionserver'}) {
	delete($form{'iptoken'});
	}
}	}

my $domain = $r->dir_config('lonSSOUserDomain');	my $domain = $r->dir_config('lonSSOUserDomain');
Line 312 sub sso_login {	Line 325 sub sso_login {
&Apache::lonnet::logthis(" SSO authorized user $user ");	&Apache::lonnet::logthis(" SSO authorized user $user ");
my ($is_balancer,$otherserver,$hosthere);	my ($is_balancer,$otherserver,$hosthere);
if ($form{'iptoken'}) {	if ($form{'iptoken'}) {
if (($sessiondata{'domain'} eq $form{'udom'}) &&	if (($sessiondata{'domain'} eq $domain) &&
($sessiondata{'username'} eq $form{'uname'})) {	($sessiondata{'username'} eq $user)) {
$hosthere = 1;	$hosthere = 1;
}	}
}	}
Line 354 sub sso_login {	Line 367 sub sso_login {
'server' => $r->dir_config('lonHostID'),	'server' => $r->dir_config('lonHostID'),
'sso.login' => 1	'sso.login' => 1
);	);
foreach my $item ('role','symb') {	foreach my $item ('role','symb','iptoken') {
if (exists($form{$item})) {	if (exists($form{$item})) {
$info{$item} = $form{$item};	$info{$item} = $form{$item};
}	}
}	}
	unless ($info{'symb'}) {
	unless (($r->uri eq '/adm/roles') \|\| ($r->uri eq '/adm/sso')) {
	$info{'origurl'} = $r->uri;
	}
	}
if ($r->dir_config("ssodirecturl") == 1) {	if ($r->dir_config("ssodirecturl") == 1) {
$info{'origurl'} = $r->uri;	$info{'origurl'} = $r->uri;
}	}
Line 374 sub sso_login {	Line 392 sub sso_login {
$r->set_handlers('PerlHandler'=> undef);	$r->set_handlers('PerlHandler'=> undef);
}	}
return OK;	return OK;
} elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) {	} else {
&Apache::lonnet::logthis(" SSO authorized unknown user $user ");	&Apache::lonnet::logthis(" SSO authorized unknown user $user ");
$r->subprocess_env->set('SSOUserUnknown' => $user);
$r->subprocess_env->set('SSOUserDomain' => $domain);
my @cancreate;	my @cancreate;
my %domconfig =	my %domconfig =
&Apache::lonnet::get_dom('configuration',['usercreation'],$domain);	&Apache::lonnet::get_dom('configuration',['usercreation'],$domain);
Line 391 sub sso_login {	Line 407 sub sso_login {
}	}
}	}
}	}
if (grep(/^sso$/,@cancreate)) {	if ((grep(/^sso$/,@cancreate)) \|\| (defined($r->dir_config('lonSSOUserUnknownRedirect')))) {
$r->internal_redirect('/adm/createaccount');	$r->subprocess_env->set('SSOUserUnknown' => $user);
} else {	$r->subprocess_env->set('SSOUserDomain' => $domain);
$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));	if (grep(/^sso$/,@cancreate)) {
	$r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]);
	$r->handler('perl-script');
	} else {
	$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
	$r->set_handlers('PerlHandler'=> undef);
	}
	return OK;
}	}
$r->set_handlers('PerlHandler'=> undef);
return OK;
}	}
return undef;	return undef;
}	}
Line 405 sub sso_login {	Line 426 sub sso_login {
sub handler {	sub handler {
my $r = shift;	my $r = shift;
my $requrl=$r->uri;	my $requrl=$r->uri;
if (&Apache::lonnet::is_domainimage($requrl)) {
	if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif\|png)$}) {
return OK;	return OK;
}	}

if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif\|png)$}) {	if (&Apache::lonnet::is_domainimage($requrl)) {
return OK;	return OK;
}	}

my $curruser;	my %user;
my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\$curruser);	my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);

my $result = &sso_login($r,$handle,$curruser);	unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {
if (defined($result)) {	my $result = &sso_login($r,$handle,$user{'name'});
return $result;	if (defined($result)) {
	return $result;
	}
}	}

my ($is_balancer,$otherserver);	my ($is_balancer,$otherserver);

if ($handle eq '') {	if ($handle eq '') {
unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) {	unless ((($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) \|\|
$r->log_reason("Cookie $handle not valid", $r->filename);	($requrl =~ m{^/public/$match_domain/$match_courseid/syllabus}) \|\|
	($requrl =~ m{^/adm/help/}) \|\|
	($requrl =~ m{^/res/$match_domain/$match_username/})) {
	$r->log_reason("Cookie not valid", $r->filename);
}	}
} elsif ($handle ne '') {	} elsif ($handle ne '') {

Line 455 sub handler {	Line 482 sub handler {
}	}
$env{'request.filename'} = $r->filename;	$env{'request.filename'} = $r->filename;
$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);	$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);
my $suppext;	my ($suppext,$checkabsolute);
if ($requrl =~ m{^/adm/wrapper/ext/}) {	if ($requrl =~ m{^/adm/wrapper/ext/}) {
my $query = $r->args;	my $query = $r->args;
if ($query) {	if ($query) {
Line 476 sub handler {	Line 503 sub handler {
$env{'request.external.querystring'} = $preserved;	$env{'request.external.querystring'} = $preserved;
}	}
}	}
	if ($env{'request.course.id'}) {
	$checkabsolute = 1;
	}
} elsif ($env{'request.course.id'} &&	} elsif ($env{'request.course.id'} &&
(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|	(($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) \|\|
($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) {	($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) {
Line 490 sub handler {	Line 520 sub handler {
}	}
}	}
}	}
	if ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}) {
	$checkabsolute = 1;
	}
	}
	if ($checkabsolute) {
	my $hostname = $r->hostname();
	my $lonhost = &Apache::lonnet::host_from_dns($hostname);
	if ($lonhost) {
	my $actual = &Apache::lonnet::absolute_url($hostname);
	my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname;
	unless ($actual eq $expected) {
	$env{'request.use_absolute'} = $expected;
	}
	}
}	}
# -------------------------------------------------------- Load POST parameters	# -------------------------------------------------------- Load POST parameters

Line 517 sub handler {	Line 561 sub handler {
if ($otherserver ne '') {	if ($otherserver ne '') {
$env{'form.otherserver'} = $otherserver;	$env{'form.otherserver'} = $otherserver;
}	}
	unless (($env{'form.origurl'}) \|\| ($r->uri eq '/adm/roles') \|\|
	($r->uri eq '/adm/switchserver') \|\| ($r->uri eq '/adm/sso')) {
	$env{'form.origurl'} = $r->uri;
	}
}	}

# ---------------------------------------------------------------- Check access	# ---------------------------------------------------------------- Check access
Line 524 sub handler {	Line 572 sub handler {
if ($requrl !~ m{^/(?:adm\|public\|prtspool)/}	if ($requrl !~ m{^/(?:adm\|public\|prtspool)/}
\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {	\|\| $requrl =~ /^\/adm\/.*\/(smppg\|bulletinboard)(\?\|$ )/x) {
my $access=&Apache::lonnet::allowed('bre',$requrl);	my $access=&Apache::lonnet::allowed('bre',$requrl);
	if ($handle eq '') {
	unless ($access eq 'F') {
	if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
	$r->log_reason("Cookie not valid", $r->filename);
	}
	}
	}
if ($access eq '1') {	if ($access eq '1') {
$env{'user.error.msg'}="$requrl:bre:0:0:Choose Course";	$env{'user.error.msg'}="$requrl:bre:0:0:Choose Course";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
Line 551 sub handler {	Line 606 sub handler {
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
}	}
}	}
	} elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) {
	my $clientip = $r->get_remote_host();
	if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') {
	$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
	return HTTP_NOT_ACCEPTABLE;
	}
} else {	} else {
$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";	$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
Line 689 sub handler {	Line 750 sub handler {
}	}
# ------------------------------------ See if this is a viewable portfolio file	# ------------------------------------ See if this is a viewable portfolio file
if (&Apache::lonnet::is_portfolio_url($requrl)) {	if (&Apache::lonnet::is_portfolio_url($requrl)) {
my $access=&Apache::lonnet::allowed('bre',$requrl);	my $clientip = $r->get_remote_host();
	my $access=&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip);
if ($access eq 'A') {	if ($access eq 'A') {
&Apache::restrictedaccess::setup_handler($r);	&Apache::restrictedaccess::setup_handler($r);
return OK;	return OK;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.148
changed lines
	Added in v.1.161