loncom/auth/lonacc.pm - view

File: [LON-CAPA] / loncom / auth / lonacc.pm
Revision 1.157: download - view: text, annotated - select for diffs
Tue Jun 17 23:22:10 2014 UTC (9 years, 11 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_11_0, HEAD

- On Apache/SSL servers syllabus should always be served by http:// to avoid
  "mixed content" issue when syllabus is an external resource on http:// server).
  - Set $env{'request.use_absolute'} and pass in args to start page so postdata
    is preserved. (bug 6662).
  - Code used for same purpose in rat/lonwrapper.pm rev. 1.44 for external
    resources moved to lonacc.pm to facilitate re-use.
- Detect if syllabus template replaced with uploaded PDF or link to external
  PDF file, and send as arg in call to lonwrapper.pm, to circumvent lack of
  scrolling for multi-page PDFs in iframes on iOS.

1: # The LearningOnline Network 2: # Cookie Based Access Handler 3: # 4: # $Id: lonacc.pm,v 1.157 2014/06/17 23:22:10 raeburn Exp $ 5: # 6: # Copyright Michigan State University Board of Trustees 7: # 8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 9: # 10: # LON-CAPA is free software; you can redistribute it and/or modify 11: # it under the terms of the GNU General Public License as published by 12: # the Free Software Foundation; either version 2 of the License, or 13: # (at your option) any later version. 14: # 15: # LON-CAPA is distributed in the hope that it will be useful, 16: # but WITHOUT ANY WARRANTY; without even the implied warranty of 17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18: # GNU General Public License for more details. 19: # 20: # You should have received a copy of the GNU General Public License 21: # along with LON-CAPA; if not, write to the Free Software 22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23: # 24: # /home/httpd/html/adm/gpl.txt 25: # 26: # http://www.lon-capa.org/ 27: # 28: ### 29: 30: =head1 NAME 31: 32: Apache::lonacc - Cookie Based Access Handler 33: 34: =head1 SYNOPSIS 35: 36: Invoked (for various locations) by /etc/httpd/conf/srm.conf: 37: 38: PerlAccessHandler Apache::lonacc 39: 40: =head1 INTRODUCTION 41: 42: This module enables cookie based authentication and is used 43: to control access for many different LON-CAPA URIs. 44: 45: Whenever the client sends the cookie back to the server, 46: this cookie is handled by either lonacc.pm or loncacc.pm 47: (see srm.conf for what is invoked when). If 48: the cookie is missing or invalid, the user is re-challenged 49: for login information. 50: 51: This is part of the LearningOnline Network with CAPA project 52: described at http://www.lon-capa.org. 53: 54: =head1 HANDLER SUBROUTINE 55: 56: This routine is called by Apache and mod_perl. 57: 58: =over 4 59: 60: =item * 61: 62: transfer profile into environment 63: 64: =item * 65: 66: load POST parameters 67: 68: =item * 69: 70: check access 71: 72: =item * 73: 74: if allowed, get symb, log, generate course statistics if applicable 75: 76: =item * 77: 78: otherwise return error 79: 80: =item * 81: 82: see if public resource 83: 84: =item * 85: 86: store attempted access 87: 88: =back 89: 90: =head1 NOTABLE SUBROUTINES 91: 92: =cut 93: 94: 95: package Apache::lonacc; 96: 97: use strict; 98: use Apache::Constants qw(:common :http :methods); 99: use Apache::File; 100: use Apache::lonnet; 101: use Apache::loncommon(); 102: use Apache::lonlocal; 103: use Apache::restrictedaccess(); 104: use Apache::blockedaccess(); 105: use Fcntl qw(:flock); 106: use LONCAPA qw(:DEFAULT :match); 107: 108: sub cleanup { 109: my ($r)=@_; 110: if (! $r->is_initial_req()) { return DECLINED; } 111: &Apache::lonnet::save_cache(); 112: &Apache::lontexconvert::jsMath_reset(); 113: return OK; 114: } 115: 116: sub goodbye { 117: my ($r)=@_; 118: &Apache::lonnet::goodbye(); 119: return DONE; 120: } 121: 122: ############################################### 123: 124: sub get_posted_cgi { 125: my ($r,$fields) = @_; 126: 127: my $buffer; 128: if ($r->header_in('Content-length')) { 129: $r->read($buffer,$r->header_in('Content-length'),0); 130: } 131: my $content_type = $r->header_in('Content-type'); 132: if ($content_type !~ m{^multipart/form-data}) { 133: my @pairs=split(/&/,$buffer); 134: my $pair; 135: foreach $pair (@pairs) { 136: my ($name,$value) = split(/=/,$pair); 137: $value =~ tr/+/ /; 138: $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; 139: $name =~ tr/+/ /; 140: $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; 141: if (ref($fields) eq 'ARRAY') { 142: next if (!grep(/^\Q$name\E$/,@{$fields})); 143: } 144: &Apache::loncommon::add_to_env("form.$name",$value); 145: } 146: } else { 147: my ($contentsep) = ($content_type =~ /boundary=\"?([^\";,]+)\"?/); 148: my @lines = split (/\n/,$buffer); 149: my $name=''; 150: my $value=''; 151: my $fname=''; 152: my $fmime=''; 153: my $i; 154: for ($i=0;$i<=$#lines;$i++) { 155: if ($lines[$i]=~/^--\Q$contentsep\E/) { 156: if ($name) { 157: chomp($value); 158: if (($r->uri eq '/adm/portfolio') && 159: ($name eq 'uploaddoc')) { 160: if (length($value) == 1) { 161: $value=~s/[\r\n]$//; 162: } 163: } elsif ($fname =~ /\.(xls|doc|ppt)x$/i) { 164: $value=~s/[\r\n]$//; 165: } 166: if (ref($fields) eq 'ARRAY') { 167: next if (!grep(/^\Q$name\E$/,@{$fields})); 168: } 169: if ($fname) { 170: if ($env{'form.symb'} ne '') { 171: my $size = (length($value))/(1024.0 * 1024.0); 172: if (&upload_size_allowed($name,$size,$fname) eq 'ok') { 173: $env{"form.$name.filename"}=$fname; 174: $env{"form.$name.mimetype"}=$fmime; 175: &Apache::loncommon::add_to_env("form.$name",$value); 176: } 177: } else { 178: $env{"form.$name.filename"}=$fname; 179: $env{"form.$name.mimetype"}=$fmime; 180: &Apache::loncommon::add_to_env("form.$name",$value); 181: } 182: } else { 183: $value=~s/\s+$//s; 184: &Apache::loncommon::add_to_env("form.$name",$value); 185: } 186: } 187: if ($i<$#lines) { 188: $i++; 189: $lines[$i]=~ 190: /Content\-Disposition\:\s*form\-data\;\s*name\=\"([^\"]+)\"/i; 191: $name=$1; 192: $value=''; 193: if ($lines[$i]=~/filename\=\"([^\"]+)\"/i) { 194: $fname=$1; 195: if 196: ($lines[$i+1]=~/Content\-Type\:\s*([\w\-\/]+)/i) { 197: $fmime=$1; 198: $i++; 199: } else { 200: $fmime=''; 201: } 202: } else { 203: $fname=''; 204: $fmime=''; 205: } 206: $i++; 207: } 208: } else { 209: $value.=$lines[$i]."\n"; 210: } 211: } 212: } 213: # 214: # Digested POSTed values 215: # 216: # Remember the way this was originally done (GET or POST) 217: # 218: $env{'request.method'}=$ENV{'REQUEST_METHOD'}; 219: # 220: # There may also be stuff in the query string 221: # Tell subsequent handlers that this was GET, not POST, so they can access query string. 222: # Also, unset POSTed content length to cover all tracks. 223: # 224: 225: $r->method_number(M_GET); 226: 227: $r->method('GET'); 228: $r->headers_in->unset('Content-length'); 229: } 230: 231: =pod 232: 233: =over 234: 235: =item upload_size_allowed() 236: 237: Perform size checks for file uploads to essayresponse items in course context. 238: 239: Add form.HWFILESIZE.$part_$id to %env with file size (MB) 240: If file exceeds maximum allowed size, add form.HWFILETOOBIG.$part_$id to %env. 241: 242: =cut 243: 244: sub upload_size_allowed { 245: my ($name,$size,$fname) = @_; 246: if ($name =~ /^HWFILE(\w+)$/) { 247: my $ident = $1; 248: my $item = 'HWFILESIZE'.$ident; 249: my $savesize = sprintf("%.6f",$size); 250: &Apache::loncommon::add_to_env("form.$item",$savesize); 251: my $maxsize= &Apache::lonnet::EXT("resource.$ident.maxfilesize"); 252: if (!$maxsize) { 253: $maxsize = 10.0; # FIXME This should become a domain configuration. 254: } 255: if ($size > $maxsize) { 256: my $warn = 'HWFILETOOBIG'.$ident; 257: &Apache::loncommon::add_to_env("form.$warn",$fname); 258: return; 259: } 260: } 261: return 'ok'; 262: } 263: 264: =pod 265: 266: =item sso_login() 267: 268: handle the case of the single sign on user, at this point $r->user 269: will be set and valid; now need to find the loncapa user info, and possibly 270: balance them. If $r->user() is set this means either it was either set by 271: SSO or by checkauthen.pm, if a valid cookie was found. The latter case can 272: be identified by the third arg ($usename), except when lonacc is called in 273: an internal redirect to /adm/switchserver (e.g., load-balancing following 274: successful authentication) -- no cookie set yet. For that particular case 275: simply skip the call to sso_login(). 276: 277: returns OK if it was SSO and user was handled. 278: returns undef if not SSO or no means to handle the user. 279: 280: =cut 281: 282: sub sso_login { 283: my ($r,$handle,$username) = @_; 284: 285: my $lonidsdir=$r->dir_config('lonIDsDir'); 286: if (($r->user eq '') || ($username ne '') || ($r->user eq 'public:public') || 287: (defined($env{'user.name'}) && (defined($env{'user.domain'})) 288: && ($handle ne ''))) { 289: # not an SSO case or already logged in 290: return undef; 291: } 292: 293: my ($user) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/); 294: 295: my $query = $r->args; 296: my %form; 297: if ($query) { 298: my @items = ('role','symb','iptoken'); 299: &Apache::loncommon::get_unprocessed_cgi($query,\@items); 300: foreach my $item (@items) { 301: if (defined($env{'form.'.$item})) { 302: $form{$item} = $env{'form.'.$item}; 303: } 304: } 305: } 306: 307: my %sessiondata; 308: if ($form{'iptoken'}) { 309: %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'}); 310: my $delete = &Apache::lonnet::tmpdel($form{'token'}); 311: } 312: 313: my $domain = $r->dir_config('lonSSOUserDomain'); 314: if ($domain eq '') { 315: $domain = $r->dir_config('lonDefDomain'); 316: } 317: my $home=&Apache::lonnet::homeserver($user,$domain); 318: if ($home !~ /(con_lost|no_host|no_such_host)/) { 319: &Apache::lonnet::logthis(" SSO authorized user $user "); 320: my ($is_balancer,$otherserver,$hosthere); 321: if ($form{'iptoken'}) { 322: if (($sessiondata{'domain'} eq $form{'udom'}) && 323: ($sessiondata{'username'} eq $form{'uname'})) { 324: $hosthere = 1; 325: } 326: } 327: unless ($hosthere) { 328: ($is_balancer,$otherserver) = 329: &Apache::lonnet::check_loadbalancing($user,$domain); 330: } 331: 332: if ($is_balancer) { 333: # login but immediately go to switch server to find us a new 334: # machine 335: &Apache::lonauth::success($r,$user,$domain,$home,'noredirect'); 336: $env{'request.sso.login'} = 1; 337: if (defined($r->dir_config("lonSSOReloginServer"))) { 338: $env{'request.sso.reloginserver'} = 339: $r->dir_config('lonSSOReloginServer'); 340: } 341: my $redirecturl = '/adm/switchserver'; 342: if ($otherserver ne '') { 343: $redirecturl .= '?otherserver='.$otherserver; 344: } 345: $r->internal_redirect($redirecturl); 346: $r->set_handlers('PerlHandler'=> undef); 347: } else { 348: # need to login them in, so generate the need data that 349: # migrate expects to do login 350: my $ip; 351: my $c = $r->connection; 352: eval { 353: $ip = $c->remote_ip(); 354: }; 355: if ($@) { 356: $ip = $c->client_ip(); 357: } 358: my %info=('ip' => $ip, 359: 'domain' => $domain, 360: 'username' => $user, 361: 'server' => $r->dir_config('lonHostID'), 362: 'sso.login' => 1 363: ); 364: foreach my $item ('role','symb') { 365: if (exists($form{$item})) { 366: $info{$item} = $form{$item}; 367: } 368: } 369: unless ($info{'symb'}) { 370: unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/sso')) { 371: $info{'origurl'} = $r->uri; 372: } 373: } 374: if ($r->dir_config("ssodirecturl") == 1) { 375: $info{'origurl'} = $r->uri; 376: } 377: if (defined($r->dir_config("lonSSOReloginServer"))) { 378: $info{'sso.reloginserver'} = 379: $r->dir_config('lonSSOReloginServer'); 380: } 381: my $token = 382: &Apache::lonnet::tmpput(\%info, 383: $r->dir_config('lonHostID')); 384: $env{'form.token'} = $token; 385: $r->internal_redirect('/adm/migrateuser'); 386: $r->set_handlers('PerlHandler'=> undef); 387: } 388: return OK; 389: } else { 390: &Apache::lonnet::logthis(" SSO authorized unknown user $user "); 391: my @cancreate; 392: my %domconfig = 393: &Apache::lonnet::get_dom('configuration',['usercreation'],$domain); 394: if (ref($domconfig{'usercreation'}) eq 'HASH') { 395: if (ref($domconfig{'usercreation'}{'cancreate'}) eq 'HASH') { 396: if (ref($domconfig{'usercreation'}{'cancreate'}{'selfcreate'}) eq 'ARRAY') { 397: @cancreate = @{$domconfig{'usercreation'}{'cancreate'}{'selfcreate'}}; 398: } elsif (($domconfig{'usercreation'}{'cancreate'}{'selfcreate'} ne 'none') && 399: ($domconfig{'usercreation'}{'cancreate'}{'selfcreate'} ne '')) { 400: @cancreate = ($domconfig{'usercreation'}{'cancreate'}{'selfcreate'}); 401: } 402: } 403: } 404: if ((grep(/^sso$/,@cancreate)) || (defined($r->dir_config('lonSSOUserUnknownRedirect')))) { 405: $r->subprocess_env->set('SSOUserUnknown' => $user); 406: $r->subprocess_env->set('SSOUserDomain' => $domain); 407: if (grep(/^sso$/,@cancreate)) { 408: $r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]); 409: $r->handler('perl-script'); 410: } else { 411: $r->internal_redirect($r->dir_config('lonSSOUserUnknownRedirect')); 412: $r->set_handlers('PerlHandler'=> undef); 413: } 414: return OK; 415: } 416: } 417: return undef; 418: } 419: 420: sub handler { 421: my $r = shift; 422: my $requrl=$r->uri; 423: 424: if ($requrl =~ m{^/res/adm/pages/[^/]+\.(gif|png)$}) { 425: return OK; 426: } 427: 428: if (&Apache::lonnet::is_domainimage($requrl)) { 429: return OK; 430: } 431: 432: my %user; 433: my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user); 434: 435: unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) { 436: my $result = &sso_login($r,$handle,$user{'name'}); 437: if (defined($result)) { 438: return $result; 439: } 440: } 441: 442: my ($is_balancer,$otherserver); 443: 444: if ($handle eq '') { 445: unless (($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) { 446: $r->log_reason("Cookie not valid", $r->filename); 447: } 448: } elsif ($handle ne '') { 449: 450: # ------------------------------------------------------ Initialize Environment 451: my $lonidsdir=$r->dir_config('lonIDsDir'); 452: &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle); 453: 454: # --------------------------------------------------------- Initialize Language 455: 456: &Apache::lonlocal::get_language_handle($r); 457: 458: } 459: 460: # -------------------------------------------------- Should be a valid user now 461: if ($env{'user.name'} ne '' && $env{'user.domain'} ne '') { 462: # -------------------------------------------------------------- Resource State 463: 464: my ($cdom,$cnum); 465: if ($env{'request.course.id'}) { 466: $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'}; 467: $cnum = $env{'course.'.$env{'request.course.id'}.'.num'}; 468: } 469: if ($requrl=~/^\/+(res|uploaded)\//) { 470: $env{'request.state'} = "published"; 471: } else { 472: $env{'request.state'} = 'unknown'; 473: } 474: $env{'request.filename'} = $r->filename; 475: $env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl); 476: my ($suppext,$checkabsolute); 477: if ($requrl =~ m{^/adm/wrapper/ext/}) { 478: my $query = $r->args; 479: if ($query) { 480: my $preserved; 481: foreach my $pair (split(/&/,$query)) { 482: my ($name, $value) = split(/=/,$pair); 483: unless ($name eq 'symb') { 484: $preserved .= $pair.'&'; 485: } 486: if (($env{'request.course.id'}) && ($name eq 'folderpath')) { 487: if ($value =~ /^supplemental/) { 488: $suppext = 1; 489: } 490: } 491: } 492: $preserved =~ s/\&$//; 493: if ($preserved) { 494: $env{'request.external.querystring'} = $preserved; 495: } 496: } 497: if ($env{'request.course.id'}) { 498: $checkabsolute = 1; 499: } 500: } elsif ($env{'request.course.id'} && 501: (($requrl =~ m{^/adm/$match_domain/$match_username/aboutme$}) || 502: ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}))) { 503: my $query = $r->args; 504: if ($query) { 505: foreach my $pair (split(/&/,$query)) { 506: my ($name, $value) = split(/=/,$pair); 507: if ($name eq 'folderpath') { 508: if ($value =~ /^supplemental/) { 509: $suppext = 1; 510: } 511: } 512: } 513: } 514: if ($requrl =~ m{^/public/$cdom/$cnum/syllabus$}) { 515: $checkabsolute = 1; 516: } 517: } 518: if ($checkabsolute) { 519: my $hostname = $r->hostname(); 520: my $lonhost = &Apache::lonnet::host_from_dns($hostname); 521: if ($lonhost) { 522: my $actual = &Apache::lonnet::absolute_url($hostname); 523: my $expected = $Apache::lonnet::protocol{$lonhost}.'://'.$hostname; 524: unless ($actual eq $expected) { 525: $env{'request.use_absolute'} = $expected; 526: } 527: } 528: } 529: # -------------------------------------------------------- Load POST parameters 530: 531: &Apache::lonacc::get_posted_cgi($r); 532: 533: # ------------------------------------------------------ Check if load balancer 534: 535: my $checkexempt; 536: if ($env{'user.loadbalexempt'} eq $r->dir_config('lonHostID')) { 537: if ($env{'user.loadbalcheck.time'} + 600 > time) { 538: $checkexempt = 1; 539: } 540: } 541: if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) { 542: $checkexempt = 1; 543: } 544: unless ($checkexempt) { 545: ($is_balancer,$otherserver) = 546: &Apache::lonnet::check_loadbalancing($env{'user.name'}, 547: $env{'user.domain'}); 548: } 549: if ($is_balancer) { 550: $r->set_handlers('PerlResponseHandler'=> 551: [\&Apache::switchserver::handler]); 552: if ($otherserver ne '') { 553: $env{'form.otherserver'} = $otherserver; 554: } 555: unless (($env{'form.origurl'}) || ($r->uri eq '/adm/roles') || 556: ($r->uri eq '/adm/switchserver') || ($r->uri eq '/adm/sso')) { 557: $env{'form.origurl'} = $r->uri; 558: } 559: } 560: 561: # ---------------------------------------------------------------- Check access 562: my $now = time; 563: if ($requrl !~ m{^/(?:adm|public|prtspool)/} 564: || $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) { 565: my $access=&Apache::lonnet::allowed('bre',$requrl); 566: if ($access eq '1') { 567: $env{'user.error.msg'}="$requrl:bre:0:0:Choose Course"; 568: return HTTP_NOT_ACCEPTABLE; 569: } 570: if ($access eq 'A') { 571: &Apache::restrictedaccess::setup_handler($r); 572: return OK; 573: } 574: if ($access eq 'B') { 575: &Apache::blockedaccess::setup_handler($r); 576: return OK; 577: } 578: if (($access ne '2') && ($access ne 'F')) { 579: if ($requrl =~ m{^/res/}) { 580: $access = &Apache::lonnet::allowed('bro',$requrl); 581: if ($access ne 'F') { 582: if ($requrl eq '/res/lib/templates/simpleproblem.problem/smpedit') { 583: $access = &Apache::lonnet::allowed('bre','/res/lib/templates/simpleproblem.problem'); 584: if ($access ne 'F') { 585: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 586: return HTTP_NOT_ACCEPTABLE; 587: } 588: } else { 589: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 590: return HTTP_NOT_ACCEPTABLE; 591: } 592: } 593: } else { 594: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 595: return HTTP_NOT_ACCEPTABLE; 596: } 597: } 598: } 599: if ($requrl =~ m|^/prtspool/|) { 600: my $start='/prtspool/'.$env{'user.name'}.'_'. 601: $env{'user.domain'}; 602: if ($requrl !~ /^\Q$start\E/) { 603: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 604: return HTTP_NOT_ACCEPTABLE; 605: } 606: } 607: if ($requrl =~ m|^/zipspool/|) { 608: my $start='/zipspool/zipout/'.$env{'user.name'}.":". 609: $env{'user.domain'}; 610: if ($requrl !~ /^\Q$start\E/) { 611: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 612: return HTTP_NOT_ACCEPTABLE; 613: } 614: } 615: if ($env{'user.name'} eq 'public' && 616: $env{'user.domain'} eq 'public' && 617: $requrl !~ m{^/+(res|public|uploaded)/} && 618: $requrl !~ m{^/adm/[^/]+/[^/]+/aboutme/portfolio$ }x && 619: $requrl !~ m{^/adm/blockingstatus/.*$} && 620: $requrl !~ m{^/+adm/(help|logout|restrictedaccess|randomlabel\.png)}) { 621: $env{'request.querystring'}=$r->args; 622: $env{'request.firsturl'}=$requrl; 623: return FORBIDDEN; 624: } 625: # ------------------------------------------------------------- This is allowed 626: if ($env{'request.course.id'}) { 627: &Apache::lonnet::countacc($requrl); 628: $requrl=~/\.(\w+)$/; 629: my $query=$r->args; 630: if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') || 631: ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) || 632: ($requrl=~/^\/adm\/wrapper\//) || 633: ($requrl=~m|^/adm/coursedocs/showdoc/|) || 634: ($requrl=~m|\.problem/smpedit$|) || 635: ($requrl=~/^\/public\/.*\/syllabus$/) || 636: ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) || 637: ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/)) { 638: # ------------------------------------- This is serious stuff, get symb and log 639: my $symb; 640: if ($query) { 641: &Apache::loncommon::get_unprocessed_cgi($query,['symb','folderpath']); 642: } 643: if ($env{'form.symb'}) { 644: $symb=&Apache::lonnet::symbclean($env{'form.symb'}); 645: if ($requrl =~ m|^/adm/wrapper/| 646: || $requrl =~ m|^/adm/coursedocs/showdoc/|) { 647: my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb); 648: &Apache::lonnet::symblist($map,$murl => [$murl,$mid], 649: 'last_known' =>[$murl,$mid]); 650: } elsif ((&Apache::lonnet::symbverify($symb,$requrl)) || 651: (($requrl=~m|(.*)/smpedit$|) && 652: &Apache::lonnet::symbverify($symb,$1)) || 653: (($requrl=~m|(.*/aboutme)/portfolio$|) && 654: &Apache::lonnet::symbverify($symb,$1))) { 655: my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb); 656: &Apache::lonnet::symblist($map,$murl => [$murl,$mid], 657: 'last_known' =>[$murl,$mid]); 658: } else { 659: $r->log_reason('Invalid symb for '.$requrl.': '. 660: $symb); 661: $env{'user.error.msg'}= 662: "$requrl:bre:1:1:Invalid Access"; 663: return HTTP_NOT_ACCEPTABLE; 664: } 665: } else { 666: if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) { 667: $requrl = $1; 668: } 669: unless ($suppext) { 670: $symb=&Apache::lonnet::symbread($requrl); 671: if (&Apache::lonnet::is_on_map($requrl) && $symb && 672: !&Apache::lonnet::symbverify($symb,$requrl)) { 673: $r->log_reason('Invalid symb for '.$requrl.': '.$symb); 674: $env{'user.error.msg'}= 675: "$requrl:bre:1:1:Invalid Access"; 676: return HTTP_NOT_ACCEPTABLE; 677: } 678: if ($symb) { 679: my ($map,$mid,$murl)= 680: &Apache::lonnet::decode_symb($symb); 681: &Apache::lonnet::symblist($map,$murl =>[$murl,$mid], 682: 'last_known' =>[$murl,$mid]); 683: } 684: } 685: } 686: $env{'request.symb'}=$symb; 687: &Apache::lonnet::courseacclog($symb); 688: } else { 689: # ------------------------------------------------------- This is other content 690: &Apache::lonnet::courseacclog($requrl); 691: } 692: if ($requrl =~ m{^/+uploaded/\Q$cdom\E/\Q$cnum\E/(docs|supplemental)/.+\.html?$}) { 693: if (&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) { 694: if ($query) { 695: &Apache::loncommon::get_unprocessed_cgi($query,['forceedit']); 696: if ($env{'form.forceedit'}) { 697: $env{'request.state'} = 'edit'; 698: } 699: } 700: } 701: } elsif ($requrl =~ m{^/+uploaded/\Q$cdom\E/\Q$cnum\E/portfolio/syllabus/.+\.html?$}) { 702: if (&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) { 703: if ($query) { 704: &Apache::loncommon::get_unprocessed_cgi($query,['forceedit','editmode']); 705: if (($env{'form.forceedit'}) || ($env{'form.editmode'})) { 706: $env{'request.state'} = 'edit'; 707: } 708: } 709: } 710: } 711: } 712: return OK; 713: } else { 714: my $defdom=$r->dir_config('lonDefDomain'); 715: ($is_balancer,$otherserver) = 716: &Apache::lonnet::check_loadbalancing(undef,$defdom); 717: if ($is_balancer) { 718: $r->set_handlers('PerlResponseHandler'=> 719: [\&Apache::switchserver::handler]); 720: if ($otherserver ne '') { 721: $env{'form.otherserver'} = $otherserver; 722: } 723: } 724: } 725: # -------------------------------------------- See if this is a public resource 726: if ($requrl=~m|^/+adm/+help/+|) { 727: return OK; 728: } 729: # ------------------------------------ See if this is a viewable portfolio file 730: if (&Apache::lonnet::is_portfolio_url($requrl)) { 731: my $access=&Apache::lonnet::allowed('bre',$requrl); 732: if ($access eq 'A') { 733: &Apache::restrictedaccess::setup_handler($r); 734: return OK; 735: } 736: if (($access ne '2') && ($access ne 'F')) { 737: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 738: return HTTP_NOT_ACCEPTABLE; 739: } 740: } 741: 742: # -------------------------------------------------------------- Not authorized 743: $requrl=~/\.(\w+)$/; 744: # if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') || 745: # ($requrl=~/^\/adm\/(roles|logout|email|menu|remote)/) || 746: # ($requrl=~m|^/prtspool/|)) { 747: # -------------------------- Store where they wanted to go and get login screen 748: $env{'request.querystring'}=$r->args; 749: $env{'request.firsturl'}=$requrl; 750: return FORBIDDEN; 751: # } else { 752: # --------------------------------------------------------------------- Goodbye 753: # return HTTP_BAD_REQUEST; 754: # } 755: } 756: 757: 1; 758: __END__ 759: 760: =pod 761: 762: =back 763: 764: =cut 765: