--- loncom/auth/lonacc.pm	2006/09/07 20:57:04	1.97
+++ loncom/auth/lonacc.pm	2007/04/26 18:31:53	1.109
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.97 2006/09/07 20:57:04 albertel Exp $
+# $Id: lonacc.pm,v 1.109 2007/04/26 18:31:53 banghart Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -36,6 +36,7 @@ use Apache::lonnet;
 use Apache::loncommon();
 use Apache::lonlocal;
 use Apache::restrictedaccess();
+use Apache::blockedaccess(); 
 use CGI::Cookie();
 use Fcntl qw(:flock);
 use LONCAPA;
@@ -159,11 +160,18 @@ sub sso_login {
     my $domain = $r->dir_config('lonDefDomain');
     my $home=&Apache::lonnet::homeserver($user,$domain);
     if ($home !~ /(con_lost|no_host|no_such_host)/) {
+	&Apache::lonnet::logthis(" SSO authorized user $user ");
 	if ($r->dir_config("lonBalancer") eq 'yes') {
 	    # login but immeaditly go to switch server to find us a new 
 	    # machine
 	    &Apache::lonauth::success($r,$user,$domain,$home,'noredirect');
+            $env{'request.sso.login'} = 1;
+            if (defined($r->dir_config("lonSSOReloginServer"))) {
+                $env{'request.sso.reloginserver'} =
+                    $r->dir_config('lonSSOReloginServer');
+            }
 	    $r->internal_redirect('/adm/switchserver');
+	    $r->set_handlers('PerlHandler'=> undef);
 	} else {
 	    # need to login them in, so generate the need data that
 	    # migrate expects to do login
@@ -173,15 +181,24 @@ sub sso_login {
 		      'server'    => $r->dir_config('lonHostID'),
 		      'sso.login' => 1
 		      );
+            if (defined($r->dir_config("lonSSOReloginServer"))) {
+                $info{'sso.reloginserver'} = 
+                    $r->dir_config('lonSSOReloginServer'); 
+            }
 	    my $token = 
 		&Apache::lonnet::tmpput(\%info,
 					$r->dir_config('lonHostID'));
 	    $env{'form.token'} = $token;
 	    $r->internal_redirect('/adm/migrateuser');
+	    $r->set_handlers('PerlHandler'=> undef);
 	}
 	return OK;
-    } elsif (defined($r->dir_config('lonSSOUserUnkownRedirect'))) {
-	$r->internal_redirect($r->dir_config('lonSSOUserUnkownRedirect'));
+    } elsif (defined($r->dir_config('lonSSOUserUnknownRedirect'))) {
+	&Apache::lonnet::logthis(" SSO authorized unknown user $user ");
+        $r->subprocess_env->set('SSOUserUnknown' => $user);
+        $r->subprocess_env->set('SSOUserDomain' => $domain);
+	$r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect'));
+	$r->set_handlers('PerlHandler'=> undef);
 	return OK;
     }
     return undef;
@@ -190,6 +207,9 @@ sub sso_login {
 sub handler {
     my $r = shift;
     my $requrl=$r->uri;
+    if (&Apache::lonnet::is_domainimage($requrl)) {
+        return OK;
+    }
     my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
     my $lonid=$cookies{'lonID'};
     my $cookie;
@@ -197,11 +217,11 @@ sub handler {
 
     my $handle;
     if ($lonid) {
-	$handle=$lonid->value;
-        $handle=~s/\W//g;
+	$handle=&LONCAPA::clean_handle($lonid->value);
     }
 
-    if (my $result = &sso_login($r,$lonid,$handle)) {
+    my $result = &sso_login($r,$lonid,$handle);
+    if (defined($result)) {
 	return $result
     }
 
@@ -253,6 +273,10 @@ sub handler {
 		&Apache::restrictedaccess::setup_handler($r);
 		return OK;
 	    }
+            if ($access eq 'B') {
+                &Apache::blockedaccess::setup_handler($r);
+                return OK;
+            }
 	    if (($access ne '2') && ($access ne 'F')) {
 		$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
 		return HTTP_NOT_ACCEPTABLE; 
@@ -263,6 +287,14 @@ sub handler {
 		$env{'user.domain'};
 	    if ($requrl !~ /^\Q$start\E/) {
 		$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
+		return HTTP_NOT_ACCEPTABLE;
+	    }
+	}
+	if ($requrl =~ m|^/zipspool/|) {
+	    my $start='/zipspool/zipout/'.$env{'user.name'}.
+		$env{'user.domain'};
+	    if ($requrl !~ /^\Q$start\E/) {
+		$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
 		return HTTP_NOT_ACCEPTABLE;
 	    }
 	}