loncom/auth/lonacc.pm - view

File: [LON-CAPA] / loncom / auth / lonacc.pm
Revision 1.79: download - view: text, annotated - select for diffs
Fri Jun 16 22:37:29 2006 UTC (17 years, 11 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD

Enable users to set access controls on portfolio files to permit public viewing. Third iteration of data structure in file_permissions.db for storage of access contol records. Now uses key = value for individual access control records and a key = anonymous hash for fast look-ups of all records for a single file.   Use of a temporary lock record to prevent others modifying access control records for a specific portfolio file while the record for the same file is being updated. Additional argument added to call to lonhtmlcommon::datesetter() to optionally suppress display of calendar link.

1: # The LearningOnline Network 2: # Cookie Based Access Handler 3: # 4: # $Id: lonacc.pm,v 1.79 2006/06/16 22:37:29 raeburn Exp $ 5: # 6: # Copyright Michigan State University Board of Trustees 7: # 8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 9: # 10: # LON-CAPA is free software; you can redistribute it and/or modify 11: # it under the terms of the GNU General Public License as published by 12: # the Free Software Foundation; either version 2 of the License, or 13: # (at your option) any later version. 14: # 15: # LON-CAPA is distributed in the hope that it will be useful, 16: # but WITHOUT ANY WARRANTY; without even the implied warranty of 17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18: # GNU General Public License for more details. 19: # 20: # You should have received a copy of the GNU General Public License 21: # along with LON-CAPA; if not, write to the Free Software 22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23: # 24: # /home/httpd/html/adm/gpl.txt 25: # 26: # http://www.lon-capa.org/ 27: # 28: ### 29: 30: package Apache::lonacc; 31: 32: use strict; 33: use Apache::Constants qw(:common :http :methods); 34: use Apache::File; 35: use Apache::lonnet; 36: use Apache::loncommon(); 37: use Apache::lonlocal; 38: use CGI::Cookie(); 39: use Fcntl qw(:flock); 40: 41: sub cleanup { 42: my ($r)=@_; 43: if (! $r->is_initial_req()) { return DECLINED; } 44: &Apache::lonnet::save_cache(); 45: return OK; 46: } 47: 48: sub goodbye { 49: my ($r)=@_; 50: &Apache::lonnet::goodbye(); 51: return DONE; 52: } 53: 54: ############################################### 55: 56: sub get_posted_cgi { 57: my ($r) = @_; 58: 59: my $buffer; 60: if ($r->header_in('Content-length')) { 61: $r->read($buffer,$r->header_in('Content-length'),0); 62: } 63: unless ($buffer=~/^(\-+\w+)\s+Content\-Disposition\:\s*form\-data/si) { 64: my @pairs=split(/&/,$buffer); 65: my $pair; 66: foreach $pair (@pairs) { 67: my ($name,$value) = split(/=/,$pair); 68: $value =~ tr/+/ /; 69: $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; 70: $name =~ tr/+/ /; 71: $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; 72: &Apache::loncommon::add_to_env("form.$name",$value); 73: } 74: } else { 75: my $contentsep=$1; 76: my @lines = split (/\n/,$buffer); 77: my $name=''; 78: my $value=''; 79: my $fname=''; 80: my $fmime=''; 81: my $i; 82: for ($i=0;$i<=$#lines;$i++) { 83: if ($lines[$i]=~/^$contentsep/) { 84: if ($name) { 85: chomp($value); 86: if ($fname) { 87: $env{"form.$name.filename"}=$fname; 88: $env{"form.$name.mimetype"}=$fmime; 89: } else { 90: $value=~s/\s+$//s; 91: } 92: &Apache::loncommon::add_to_env("form.$name",$value); 93: } 94: if ($i<$#lines) { 95: $i++; 96: $lines[$i]=~ 97: /Content\-Disposition\:\s*form\-data\;\s*name\=\"([^\"]+)\"/i; 98: $name=$1; 99: $value=''; 100: if ($lines[$i]=~/filename\=\"([^\"]+)\"/i) { 101: $fname=$1; 102: if 103: ($lines[$i+1]=~/Content\-Type\:\s*([\w\-\/]+)/i) { 104: $fmime=$1; 105: $i++; 106: } else { 107: $fmime=''; 108: } 109: } else { 110: $fname=''; 111: $fmime=''; 112: } 113: $i++; 114: } 115: } else { 116: $value.=$lines[$i]."\n"; 117: } 118: } 119: } 120: # 121: # Digested POSTed values 122: # 123: # Remember the way this was originally done (GET or POST) 124: # 125: $env{'request.method'}=$ENV{'REQUEST_METHOD'}; 126: # 127: # There may also be stuff in the query string 128: # Tell subsequent handlers that this was GET, not POST, so they can access query string. 129: # Also, unset POSTed content length to cover all tracks. 130: # 131: 132: $r->method_number(M_GET); 133: 134: $r->method('GET'); 135: $r->headers_in->unset('Content-length'); 136: } 137: 138: sub portfolio_access { 139: my ($udom,$unum,$file_name,$group) = @_; 140: my $current_perms = &Apache::lonnet::get_portfile_permissions($udom,$unum); 141: my %access_controls = &Apache::lonnet::get_access_controls( 142: $current_perms,$group,$file_name); 143: my ($public); 144: my $now = time; 145: my $access_hash = $access_controls{$file_name}; 146: if (ref($access_hash) eq 'HASH') { 147: foreach my $key (keys(%{$access_hash})) { 148: my ($num,$scope,$end,$start) = ($key =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/); 149: if ($start > $now) { 150: next; 151: } 152: if ($end && $end<$now) { 153: next; 154: } 155: if ($scope eq 'public') { 156: $public = $key; 157: last; 158: } 159: } 160: if ($public) { 161: return 'ok'; 162: } 163: } 164: return; 165: } 166: 167: sub handler { 168: my $r = shift; 169: my $requrl=$r->uri; 170: my %cookies=CGI::Cookie->parse($r->header_in('Cookie')); 171: my $lonid=$cookies{'lonID'}; 172: my $cookie; 173: my $lonidsdir=$r->dir_config('lonIDsDir'); 174: 175: my $handle; 176: if ($lonid) { 177: $handle=$lonid->value; 178: $handle=~s/\W//g; 179: } 180: 181: my ($sso_login); 182: if ($r->user 183: && (!$lonid || !-e "$lonidsdir/$handle.id" || $handle eq '') ) { 184: $sso_login = 1; 185: my $domain = $r->dir_config('lonDefDomain'); 186: my $home=&Apache::lonnet::homeserver($r->user,$domain); 187: if ($home !~ /(con_lost|no_such_host)/) { 188: $handle=&Apache::lonauth::success($r,$r->user,$domain, 189: $home,'noredirect'); 190: $r->header_out('Set-cookie',"lonID=$handle; path=/"); 191: } 192: } 193: 194: if ($sso_login) { 195: &Apache::lonnet::appenv('request.sso.login' => 1); 196: } 197: 198: if ($r->dir_config("lonBalancer") eq 'yes') { 199: $r->set_handlers('PerlResponseHandler'=> 200: [\&Apache::switchserver::handler]); 201: } 202: 203: if ($handle ne '') { 204: if ((-e "$lonidsdir/$handle.id") && ($handle ne '')) { 205: 206: # ------------------------------------------------------ Initialize Environment 207: 208: &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle); 209: 210: # --------------------------------------------------------- Initialize Language 211: 212: &Apache::lonlocal::get_language_handle($r); 213: 214: # -------------------------------------------------------------- Resource State 215: 216: if ($requrl=~/^\/+(res|uploaded)\//) { 217: $env{'request.state'} = "published"; 218: } else { 219: $env{'request.state'} = 'unknown'; 220: } 221: $env{'request.filename'} = $r->filename; 222: $env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl); 223: # -------------------------------------------------------- Load POST parameters 224: 225: &Apache::lonacc::get_posted_cgi($r); 226: 227: # ---------------------------------------------------------------- Check access 228: my $now = time; 229: if ($requrl =~ m#/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$#) { 230: my $result = &portfolio_access($1,$2,$3); 231: if ($result eq 'ok') { 232: return OK; 233: } 234: } elsif ($requrl =~ m#/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$#) { 235: my $result = &portfolio_access($1,$2,$4.'/'.$3,$3); 236: if ($result eq 'ok') { 237: return OK; 238: } 239: } 240: if ($requrl!~/^\/adm|public|prtspool\//) { 241: my $access=&Apache::lonnet::allowed('bre',$requrl); 242: if ($access eq '1') { 243: $env{'user.error.msg'}="$requrl:bre:0:0:Choose Course"; 244: return HTTP_NOT_ACCEPTABLE; 245: } 246: if (($access ne '2') && ($access ne 'F')) { 247: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 248: return HTTP_NOT_ACCEPTABLE; 249: } 250: } 251: if ($requrl =~ m|^/prtspool/|) { 252: my $start='/prtspool/'.$env{'user.name'}.'_'. 253: $env{'user.domain'}; 254: if ($requrl !~ /^\Q$start\E/) { 255: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; 256: return HTTP_NOT_ACCEPTABLE; 257: } 258: } 259: if ($env{'user.name'} eq 'public' && 260: $env{'user.domain'} eq 'public' && 261: $requrl !~ m{^/+(res|public)/} && 262: $requrl !~ m{^/+adm/(help|logout|randomlabel\.png)}) { 263: $env{'request.querystring'}=$r->args; 264: $env{'request.firsturl'}=$requrl; 265: return FORBIDDEN; 266: } 267: # ------------------------------------------------------------- This is allowed 268: if ($env{'request.course.id'}) { 269: &Apache::lonnet::countacc($requrl); 270: $requrl=~/\.(\w+)$/; 271: if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') || 272: ($requrl=~/^\/adm\/.*\/(aboutme|navmaps|smppg|bulletinboard)(\?|$)/) || 273: ($requrl=~/^\/adm\/wrapper\//) || 274: ($requrl=~m|^/adm/coursedocs/showdoc/|) || 275: ($requrl=~m|\.problem/smpedit$|) || 276: ($requrl=~/^\/public\/.*\/syllabus$/)) { 277: # ------------------------------------- This is serious stuff, get symb and log 278: my $query=$r->args; 279: my $symb; 280: if ($query) { 281: &Apache::loncommon::get_unprocessed_cgi($query,['symb']); 282: } 283: if ($env{'form.symb'}) { 284: $symb=&Apache::lonnet::symbclean($env{'form.symb'}); 285: if ($requrl =~ m|^/adm/wrapper/| 286: || $requrl =~ m|^/adm/coursedocs/showdoc/|) { 287: my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb); 288: &Apache::lonnet::symblist($map,$murl => [$murl,$mid], 289: 'last_known' =>[$murl,$mid]); 290: } elsif ((&Apache::lonnet::symbverify($symb,$requrl)) || 291: (($requrl=~m|(.*)/smpedit$|) && 292: &Apache::lonnet::symbverify($symb,$1))) { 293: my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb); 294: &Apache::lonnet::symblist($map,$murl => [$murl,$mid], 295: 'last_known' =>[$murl,$mid]); 296: } else { 297: $r->log_reason('Invalid symb for '.$requrl.': '. 298: $symb); 299: $env{'user.error.msg'}= 300: "$requrl:bre:1:1:Invalid Access"; 301: return HTTP_NOT_ACCEPTABLE; 302: } 303: } else { 304: $symb=&Apache::lonnet::symbread($requrl); 305: if (&Apache::lonnet::is_on_map($requrl) && $symb && 306: !&Apache::lonnet::symbverify($symb,$requrl)) { 307: $r->log_reason('Invalid symb for '.$requrl.': '.$symb); 308: $env{'user.error.msg'}= 309: "$requrl:bre:1:1:Invalid Access"; 310: return HTTP_NOT_ACCEPTABLE; 311: } 312: if ($symb) { 313: my ($map,$mid,$murl)= 314: &Apache::lonnet::decode_symb($symb); 315: &Apache::lonnet::symblist($map,$murl =>[$murl,$mid], 316: 'last_known' =>[$murl,$mid]); 317: } 318: } 319: $env{'request.symb'}=$symb; 320: &Apache::lonnet::courseacclog($symb); 321: } else { 322: # ------------------------------------------------------- This is other content 323: &Apache::lonnet::courseacclog($requrl); 324: } 325: } 326: return OK; 327: } else { 328: $r->log_reason("Cookie $handle not valid", $r->filename); 329: } 330: } 331: 332: # -------------------------------------------- See if this is a public resource 333: if ($requrl=~m|^/public/| 334: || (&Apache::lonnet::metadata($requrl,'copyright') eq 'public')) { 335: &Apache::lonnet::logthis('Granting public access: '.$requrl); 336: &Apache::lonlocal::get_language_handle($r); 337: my $cookie= 338: &Apache::lonauth::success($r,'public','public','public'); 339: my $lonidsdir=$r->dir_config('lonIDsDir'); 340: &Apache::lonnet::transfer_profile_to_env($lonidsdir,$cookie); 341: &Apache::lonacc::get_posted_cgi($r); 342: $env{'request.state'} = "published"; 343: $env{'request.publicaccess'} = 1; 344: $env{'request.filename'} = $r->filename; 345: 346: $r->header_out('Set-cookie',"lonID=$cookie; path=/"); 347: return OK; 348: } 349: if ($requrl=~m|^/+adm/+help/+|) { 350: return OK; 351: } 352: # ------------------------------------- See if this is a viewable portfolio file 353: if ($requrl =~ m#/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$#) { 354: my $result = &portfolio_access($1,$2,$3); 355: if ($result eq 'ok') { 356: return OK; 357: } 358: } elsif ($requrl =~ m#/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$#) { 359: my $result = &portfolio_access($1,$2,$4.'/'.$3,$3); 360: if ($result eq 'ok') { 361: return OK; 362: } 363: } 364: # -------------------------------------------------------------- Not authorized 365: $requrl=~/\.(\w+)$/; 366: # if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') || 367: # ($requrl=~/^\/adm\/(roles|logout|email|menu|remote)/) || 368: # ($requrl=~m|^/prtspool/|)) { 369: # -------------------------- Store where they wanted to go and get login screen 370: $env{'request.querystring'}=$r->args; 371: $env{'request.firsturl'}=$requrl; 372: return FORBIDDEN; 373: # } else { 374: # --------------------------------------------------------------------- Goodbye 375: # return HTTP_BAD_REQUEST; 376: # } 377: } 378: 379: 1; 380: __END__ 381: 382: =head1 NAME 383: 384: Apache::lonacc - Cookie Based Access Handler 385: 386: =head1 SYNOPSIS 387: 388: Invoked (for various locations) by /etc/httpd/conf/srm.conf: 389: 390: PerlAccessHandler Apache::lonacc 391: 392: =head1 INTRODUCTION 393: 394: This module enables cookie based authentication and is used 395: to control access for many different LON-CAPA URIs. 396: 397: Whenever the client sends the cookie back to the server, 398: this cookie is handled by either lonacc.pm or loncacc.pm 399: (see srm.conf for what is invoked when). If 400: the cookie is missing or invalid, the user is re-challenged 401: for login information. 402: 403: This is part of the LearningOnline Network with CAPA project 404: described at http://www.lon-capa.org. 405: 406: =head1 HANDLER SUBROUTINE 407: 408: This routine is called by Apache and mod_perl. 409: 410: =over 4 411: 412: =item * 413: 414: transfer profile into environment 415: 416: =item * 417: 418: load POST parameters 419: 420: =item * 421: 422: check access 423: 424: =item * 425: 426: if allowed, get symb, log, generate course statistics if applicable 427: 428: =item * 429: 430: otherwise return error 431: 432: =item * 433: 434: see if public resource 435: 436: =item * 437: 438: store attempted access 439: 440: =back 441: 442: =cut