File:
[LON-CAPA] /
loncom /
auth /
lonacc.pm
Revision
1.81:
download - view:
text,
annotated -
select for diffs
Thu Jun 22 13:20:46 2006 UTC (17 years, 10 months ago) by
raeburn
Branches:
MAIN
CVS tags:
HEAD
Portfolio file access control now allows for domain-based, user-based, and course/group-based controls. Passphrase-protected access (without login) yet to be enabled.
1: # The LearningOnline Network
2: # Cookie Based Access Handler
3: #
4: # $Id: lonacc.pm,v 1.81 2006/06/22 13:20:46 raeburn Exp $
5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28: ###
29:
30: package Apache::lonacc;
31:
32: use strict;
33: use Apache::Constants qw(:common :http :methods);
34: use Apache::File;
35: use Apache::lonnet;
36: use Apache::loncommon();
37: use Apache::lonlocal;
38: use CGI::Cookie();
39: use Fcntl qw(:flock);
40:
41: sub cleanup {
42: my ($r)=@_;
43: if (! $r->is_initial_req()) { return DECLINED; }
44: &Apache::lonnet::save_cache();
45: return OK;
46: }
47:
48: sub goodbye {
49: my ($r)=@_;
50: &Apache::lonnet::goodbye();
51: return DONE;
52: }
53:
54: ###############################################
55:
56: sub get_posted_cgi {
57: my ($r) = @_;
58:
59: my $buffer;
60: if ($r->header_in('Content-length')) {
61: $r->read($buffer,$r->header_in('Content-length'),0);
62: }
63: unless ($buffer=~/^(\-+\w+)\s+Content\-Disposition\:\s*form\-data/si) {
64: my @pairs=split(/&/,$buffer);
65: my $pair;
66: foreach $pair (@pairs) {
67: my ($name,$value) = split(/=/,$pair);
68: $value =~ tr/+/ /;
69: $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
70: $name =~ tr/+/ /;
71: $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
72: &Apache::loncommon::add_to_env("form.$name",$value);
73: }
74: } else {
75: my $contentsep=$1;
76: my @lines = split (/\n/,$buffer);
77: my $name='';
78: my $value='';
79: my $fname='';
80: my $fmime='';
81: my $i;
82: for ($i=0;$i<=$#lines;$i++) {
83: if ($lines[$i]=~/^$contentsep/) {
84: if ($name) {
85: chomp($value);
86: if ($fname) {
87: $env{"form.$name.filename"}=$fname;
88: $env{"form.$name.mimetype"}=$fmime;
89: } else {
90: $value=~s/\s+$//s;
91: }
92: &Apache::loncommon::add_to_env("form.$name",$value);
93: }
94: if ($i<$#lines) {
95: $i++;
96: $lines[$i]=~
97: /Content\-Disposition\:\s*form\-data\;\s*name\=\"([^\"]+)\"/i;
98: $name=$1;
99: $value='';
100: if ($lines[$i]=~/filename\=\"([^\"]+)\"/i) {
101: $fname=$1;
102: if
103: ($lines[$i+1]=~/Content\-Type\:\s*([\w\-\/]+)/i) {
104: $fmime=$1;
105: $i++;
106: } else {
107: $fmime='';
108: }
109: } else {
110: $fname='';
111: $fmime='';
112: }
113: $i++;
114: }
115: } else {
116: $value.=$lines[$i]."\n";
117: }
118: }
119: }
120: #
121: # Digested POSTed values
122: #
123: # Remember the way this was originally done (GET or POST)
124: #
125: $env{'request.method'}=$ENV{'REQUEST_METHOD'};
126: #
127: # There may also be stuff in the query string
128: # Tell subsequent handlers that this was GET, not POST, so they can access query string.
129: # Also, unset POSTed content length to cover all tracks.
130: #
131:
132: $r->method_number(M_GET);
133:
134: $r->method('GET');
135: $r->headers_in->unset('Content-length');
136: }
137:
138: sub portfolio_access {
139: my ($udom,$unum,$file_name,$group) = @_;
140: my $current_perms = &Apache::lonnet::get_portfile_permissions($udom,$unum);
141: my %access_controls = &Apache::lonnet::get_access_controls(
142: $current_perms,$group,$file_name);
143: my ($public,$guest,@domains,@users,@courses,@groups);
144: my $now = time;
145: my $access_hash = $access_controls{$file_name};
146: if (ref($access_hash) eq 'HASH') {
147: foreach my $key (keys(%{$access_hash})) {
148: my ($num,$scope,$end,$start) = ($key =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/);
149: if ($start > $now) {
150: next;
151: }
152: if ($end && $end<$now) {
153: next;
154: }
155: if ($scope eq 'public') {
156: $public = $key;
157: last;
158: } elsif ($scope eq 'guest') {
159: $guest = $key;
160: } elsif ($scope eq 'domains') {
161: push(@domains,$key);
162: } elsif ($scope eq 'users') {
163: push(@users,$key);
164: } elsif ($scope eq 'course') {
165: push(@courses,$key);
166: } elsif ($scope eq 'group') {
167: push(@groups,$key);
168: }
169: }
170: if ($public) {
171: return 'ok';
172: }
173: if ($env{'user.name'} eq 'public' && $env{'user.domain'} eq 'public') {
174: if ($guest) {
175: return 'guest:'.$guest;
176: }
177: } else {
178: if (@domains > 0) {
179: foreach my $domkey (@domains) {
180: my %content = &Apache::lonnet::parse_access_controls($$access_hash{$domkey});
181: if (ref($content{'dom'}) eq 'ARRAY') {
182: if (grep(/^\Q$env{'user.domain'}\E$/,@{$content{'dom'}})) {
183: return 'ok';
184: }
185: }
186: }
187: }
188: if (@users > 0) {
189: foreach my $userkey (@users) {
190: my %content = &Apache::lonnet::parse_access_controls($$access_hash{$userkey});
191: if (exists($content{'users'}{$env{'user.name'}.':'.$env{'user.domain'}})) {
192: return 'ok';
193: }
194: }
195: }
196: my %roleshash;
197: my @courses_and_groups = @courses;
198: push(@courses_and_groups,@groups);
199: if (@courses_and_groups > 0) {
200: my (%allgroups,%allroles);
201: my ($start,$end,$role,$sec,$group);
202: foreach my $envkey (%env) {
203: if ($envkey =~ m-^user\.role\.(gr|cc|in|ta|ep|st)\./([^/]+)/([^/]+)/?([^/]*)$-) {
204: my $cid = $2.'_'.$3;
205: if ($1 eq 'gr') {
206: $group = $4;
207: $allgroups{$cid}{$group} = $env{$envkey};
208: } else {
209: if ($4 eq '') {
210: $sec = 'none';
211: } else {
212: $sec = $4;
213: }
214: $allroles{$cid}{$1}{$sec} = $env{$envkey};
215: }
216: } elsif ($envkey =~ m-^user\.role\./cr/(\w+/\w+/\w*)./([^/]+)/([^/]+)/?([^/]*)$-) {
217: my $cid = $2.'_'.$3;
218: if ($4 eq '') {
219: $sec = 'none';
220: } else {
221: $sec = $4;
222: }
223: $allroles{$cid}{$1}{$sec} = $env{$envkey};
224: }
225: }
226: if (keys(%allroles) == 0) {
227: return;
228: }
229: foreach my $key (@courses_and_groups) {
230: my %content = &Apache::lonnet::parse_access_controls($$access_hash{$key});
231: my $cnum = $content{'number'};
232: my $cdom = $content{'domain'};
233: my $cid = $cdom.'_'.$cnum;
234: if (!exists($allroles{$cid})) {
235: next;
236: }
237: foreach my $role_id (keys(%{$content{'roles'}})) {
238: my @sections = @{$content{'roles'}{$role_id}{'section'}};
239: my @groups = @{$content{'roles'}{$role_id}{'group'}};
240: my @status = @{$content{'roles'}{$role_id}{'access'}};
241: my @roles = @{$content{'roles'}{$role_id}{'role'}};
242: foreach my $role (keys(%{$allroles{$cid}})) {
243: if ((grep/^all$/,@roles) || (grep/^\Q$role\E$/,@roles)) {
244: foreach my $sec (keys(%{$allroles{$cid}{$role}})) {
245: if (&course_group_datechecker($allroles{$cid}{$role}{$sec},$now,\@status) eq 'ok') {
246: if (grep/^all$/,@sections) {
247: return 'ok';
248: } else {
249: if (grep/^$sec$/,@sections) {
250: return 'ok'
251: }
252: }
253: }
254: }
255: if (keys(%{$allgroups{$cid}}) == 0) {
256: if (grep/^none$/,@groups) {
257: return 'ok';
258: }
259: } else {
260: if (grep/^all$/,@groups) {
261: return 'ok';
262: }
263: foreach my $group (keys(%{$allgroups{$cid}})) {
264: if (grep/^$group$/,@groups) {
265: return 'ok';
266: }
267: }
268: }
269: }
270: }
271: }
272: }
273: }
274: if ($guest) {
275: return 'guest:'.$guest;
276: }
277: }
278: }
279: return;
280: }
281:
282: sub course_group_datechecker {
283: my ($dates,$now,$status) = @_;
284: my ($start,$end) = split(/\./,$dates);
285: if (!$start && !$end) {
286: return 'ok';
287: }
288: if (grep/^active$/,@{$status}) {
289: if (((!$start) || ($start && $start <= $now)) && ((!$end) || ($end && $end >= $now))) {
290: return 'ok';
291: }
292: }
293: if (grep/^previous$/,@{$status}) {
294: if ($end > $now ) {
295: return 'ok';
296: }
297: }
298: if (grep/^future$/,@{$status}) {
299: if ($start > $now) {
300: return 'ok';
301: }
302: }
303: return;
304: }
305:
306: sub handler {
307: my $r = shift;
308: my $requrl=$r->uri;
309: my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
310: my $lonid=$cookies{'lonID'};
311: my $cookie;
312: my $lonidsdir=$r->dir_config('lonIDsDir');
313:
314: my $handle;
315: if ($lonid) {
316: $handle=$lonid->value;
317: $handle=~s/\W//g;
318: }
319:
320: my ($sso_login);
321: if ($r->user
322: && (!$lonid || !-e "$lonidsdir/$handle.id" || $handle eq '') ) {
323: $sso_login = 1;
324: my $domain = $r->dir_config('lonDefDomain');
325: my $home=&Apache::lonnet::homeserver($r->user,$domain);
326: if ($home !~ /(con_lost|no_such_host)/) {
327: $handle=&Apache::lonauth::success($r,$r->user,$domain,
328: $home,'noredirect');
329: $r->header_out('Set-cookie',"lonID=$handle; path=/");
330: }
331: }
332:
333: if ($sso_login) {
334: &Apache::lonnet::appenv('request.sso.login' => 1);
335: }
336:
337: if ($r->dir_config("lonBalancer") eq 'yes') {
338: $r->set_handlers('PerlResponseHandler'=>
339: [\&Apache::switchserver::handler]);
340: }
341:
342: if ($handle ne '') {
343: if ((-e "$lonidsdir/$handle.id") && ($handle ne '')) {
344:
345: # ------------------------------------------------------ Initialize Environment
346:
347: &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
348:
349: # --------------------------------------------------------- Initialize Language
350:
351: &Apache::lonlocal::get_language_handle($r);
352:
353: # -------------------------------------------------------------- Resource State
354:
355: if ($requrl=~/^\/+(res|uploaded)\//) {
356: $env{'request.state'} = "published";
357: } else {
358: $env{'request.state'} = 'unknown';
359: }
360: $env{'request.filename'} = $r->filename;
361: $env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);
362: # -------------------------------------------------------- Load POST parameters
363:
364: &Apache::lonacc::get_posted_cgi($r);
365:
366: # ---------------------------------------------------------------- Check access
367: my $now = time;
368: if ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$|) {
369: my $result = &portfolio_access($1,$2,$3);
370: if ($result eq 'ok') {
371: return OK;
372: } elsif ($result =~ /^guest:(\w+)$/) {
373: my $guestkey = $1;
374: #FIXME need to cause generation of an intermediate page
375: }
376: } elsif ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$|) {
377: my $result = &portfolio_access($1,$2,$3.'/'.$4,$3);
378: if ($result eq 'ok') {
379: return OK;
380: } elsif ($result =~ /^guest:(\w+)$/) {
381: my $guestkey = $1;
382: #FIXME need to cause generation of an intermediate page
383: }
384: }
385: if ($requrl!~/^\/adm|public|prtspool\//) {
386: my $access=&Apache::lonnet::allowed('bre',$requrl);
387: if ($access eq '1') {
388: $env{'user.error.msg'}="$requrl:bre:0:0:Choose Course";
389: return HTTP_NOT_ACCEPTABLE;
390: }
391: if (($access ne '2') && ($access ne 'F')) {
392: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
393: return HTTP_NOT_ACCEPTABLE;
394: }
395: }
396: if ($requrl =~ m|^/prtspool/|) {
397: my $start='/prtspool/'.$env{'user.name'}.'_'.
398: $env{'user.domain'};
399: if ($requrl !~ /^\Q$start\E/) {
400: $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
401: return HTTP_NOT_ACCEPTABLE;
402: }
403: }
404: if ($env{'user.name'} eq 'public' &&
405: $env{'user.domain'} eq 'public' &&
406: $requrl !~ m{^/+(res|public)/} &&
407: $requrl !~ m{^/+adm/(help|logout|randomlabel\.png)}) {
408: $env{'request.querystring'}=$r->args;
409: $env{'request.firsturl'}=$requrl;
410: return FORBIDDEN;
411: }
412: # ------------------------------------------------------------- This is allowed
413: if ($env{'request.course.id'}) {
414: &Apache::lonnet::countacc($requrl);
415: $requrl=~/\.(\w+)$/;
416: if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
417: ($requrl=~/^\/adm\/.*\/(aboutme|navmaps|smppg|bulletinboard)(\?|$)/) ||
418: ($requrl=~/^\/adm\/wrapper\//) ||
419: ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
420: ($requrl=~m|\.problem/smpedit$|) ||
421: ($requrl=~/^\/public\/.*\/syllabus$/)) {
422: # ------------------------------------- This is serious stuff, get symb and log
423: my $query=$r->args;
424: my $symb;
425: if ($query) {
426: &Apache::loncommon::get_unprocessed_cgi($query,['symb']);
427: }
428: if ($env{'form.symb'}) {
429: $symb=&Apache::lonnet::symbclean($env{'form.symb'});
430: if ($requrl =~ m|^/adm/wrapper/|
431: || $requrl =~ m|^/adm/coursedocs/showdoc/|) {
432: my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
433: &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
434: 'last_known' =>[$murl,$mid]);
435: } elsif ((&Apache::lonnet::symbverify($symb,$requrl)) ||
436: (($requrl=~m|(.*)/smpedit$|) &&
437: &Apache::lonnet::symbverify($symb,$1))) {
438: my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
439: &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
440: 'last_known' =>[$murl,$mid]);
441: } else {
442: $r->log_reason('Invalid symb for '.$requrl.': '.
443: $symb);
444: $env{'user.error.msg'}=
445: "$requrl:bre:1:1:Invalid Access";
446: return HTTP_NOT_ACCEPTABLE;
447: }
448: } else {
449: $symb=&Apache::lonnet::symbread($requrl);
450: if (&Apache::lonnet::is_on_map($requrl) && $symb &&
451: !&Apache::lonnet::symbverify($symb,$requrl)) {
452: $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
453: $env{'user.error.msg'}=
454: "$requrl:bre:1:1:Invalid Access";
455: return HTTP_NOT_ACCEPTABLE;
456: }
457: if ($symb) {
458: my ($map,$mid,$murl)=
459: &Apache::lonnet::decode_symb($symb);
460: &Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
461: 'last_known' =>[$murl,$mid]);
462: }
463: }
464: $env{'request.symb'}=$symb;
465: &Apache::lonnet::courseacclog($symb);
466: } else {
467: # ------------------------------------------------------- This is other content
468: &Apache::lonnet::courseacclog($requrl);
469: }
470: }
471: return OK;
472: } else {
473: $r->log_reason("Cookie $handle not valid", $r->filename);
474: }
475: }
476:
477: # -------------------------------------------- See if this is a public resource
478: if ($requrl=~m|^/public/|
479: || (&Apache::lonnet::metadata($requrl,'copyright') eq 'public')) {
480: &Apache::lonnet::logthis('Granting public access: '.$requrl);
481: &Apache::lonlocal::get_language_handle($r);
482: my $cookie=
483: &Apache::lonauth::success($r,'public','public','public');
484: my $lonidsdir=$r->dir_config('lonIDsDir');
485: &Apache::lonnet::transfer_profile_to_env($lonidsdir,$cookie);
486: &Apache::lonacc::get_posted_cgi($r);
487: $env{'request.state'} = "published";
488: $env{'request.publicaccess'} = 1;
489: $env{'request.filename'} = $r->filename;
490:
491: $r->header_out('Set-cookie',"lonID=$cookie; path=/");
492: return OK;
493: }
494: if ($requrl=~m|^/+adm/+help/+|) {
495: return OK;
496: }
497: # ------------------------------------- See if this is a viewable portfolio file
498: if ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$|) {
499: my $result = &portfolio_access($1,$2,$3);
500: if ($result eq 'ok') {
501: return OK;
502: } elsif ($result =~ /^guest:(\w+)$/) {
503: my $guestkey = $1;
504: #FIXME need to cause generation of an intermediate page
505: }
506: } elsif ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$|) {
507: my $result = &portfolio_access($1,$2,$4.'/'.$3,$3);
508: if ($result eq 'ok') {
509: return OK;
510: } elsif ($result =~ /^guest:(\w+)$/) {
511: my $guestkey = $1;
512: #FIXME need to cause generation of an intermediate page
513: }
514: }
515: # -------------------------------------------------------------- Not authorized
516: $requrl=~/\.(\w+)$/;
517: # if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
518: # ($requrl=~/^\/adm\/(roles|logout|email|menu|remote)/) ||
519: # ($requrl=~m|^/prtspool/|)) {
520: # -------------------------- Store where they wanted to go and get login screen
521: $env{'request.querystring'}=$r->args;
522: $env{'request.firsturl'}=$requrl;
523: return FORBIDDEN;
524: # } else {
525: # --------------------------------------------------------------------- Goodbye
526: # return HTTP_BAD_REQUEST;
527: # }
528: }
529:
530: 1;
531: __END__
532:
533: =head1 NAME
534:
535: Apache::lonacc - Cookie Based Access Handler
536:
537: =head1 SYNOPSIS
538:
539: Invoked (for various locations) by /etc/httpd/conf/srm.conf:
540:
541: PerlAccessHandler Apache::lonacc
542:
543: =head1 INTRODUCTION
544:
545: This module enables cookie based authentication and is used
546: to control access for many different LON-CAPA URIs.
547:
548: Whenever the client sends the cookie back to the server,
549: this cookie is handled by either lonacc.pm or loncacc.pm
550: (see srm.conf for what is invoked when). If
551: the cookie is missing or invalid, the user is re-challenged
552: for login information.
553:
554: This is part of the LearningOnline Network with CAPA project
555: described at http://www.lon-capa.org.
556:
557: =head1 HANDLER SUBROUTINE
558:
559: This routine is called by Apache and mod_perl.
560:
561: =over 4
562:
563: =item *
564:
565: transfer profile into environment
566:
567: =item *
568:
569: load POST parameters
570:
571: =item *
572:
573: check access
574:
575: =item *
576:
577: if allowed, get symb, log, generate course statistics if applicable
578:
579: =item *
580:
581: otherwise return error
582:
583: =item *
584:
585: see if public resource
586:
587: =item *
588:
589: store attempted access
590:
591: =back
592:
593: =cut
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonacc.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth