--- loncom/auth/lonauth.pm 2017/06/06 22:34:37 1.121.2.16 +++ loncom/auth/lonauth.pm 2019/08/01 00:42:34 1.121.2.17 @@ -1,7 +1,7 @@ # The LearningOnline Network # User Authentication Module # -# $Id: lonauth.pm,v 1.121.2.16 2017/06/06 22:34:37 raeburn Exp $ +# $Id: lonauth.pm,v 1.121.2.17 2019/08/01 00:42:34 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -32,8 +32,6 @@ use strict; use LONCAPA; use Apache::Constants qw(:common); use CGI qw(:standard); -use DynaLoader; # for Crypt::DES version -use Crypt::DES; use Apache::loncommon(); use Apache::lonnet; use Apache::lonmenu(); @@ -301,10 +299,11 @@ sub handler { # split user logging in and "su"-user - ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'}); + ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'}); $form{'uname'} = &LONCAPA::clean_username($form{'uname'}); $form{'suname'}= &LONCAPA::clean_username($form{'suname'}); - $form{'udom'} = &LONCAPA::clean_domain( $form{'udom'}); + $form{'udom'} = &LONCAPA::clean_domain($form{'udom'}); + $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'}); my $role = $r->dir_config('lonRole'); my $domain = $r->dir_config('lonDefDomain'); @@ -429,20 +428,68 @@ sub handler { # --------------------------------- Are we attempting to login as somebody else? if ($form{'suname'}) { + my ($suname,$sudom,$sudomref); + $suname = $form{'suname'}; + $sudom = $form{'udom'}; + if ($form{'sudom'}) { + unless ($sudom eq $form{'sudom'}) { + if (&Apache::lonnet::domain($form{'sudom'})) { + $sudomref = [$form{'sudom'}]; + $sudom = $form{'sudom'}; + } + } + } # ------------ see if the original user has enough privileges to pull this stunt - if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) { + if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) { # ---------------------------------------------------- see if the su-user exists - unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}) - eq 'no_host') { - &Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})); + unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') { # ------------------------------ see if the su-user is not too highly privileged - unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) { + if (&Apache::lonnet::privileged($suname,$sudom)) { + &Apache::lonnet::logthis('Attempted switch user to privileged user'); + } else { + my $noprivswitch; +# +# su-user's home server and user's home server must have one of: +# (a) same domain +# (b) same primary library server for the two domains +# (c) same "internet domain" for primary library server(s) for home servers' domains +# + my $suprim = &Apache::lonnet::domain($sudom,'primary'); + my $suintdom = &Apache::lonnet::internet_dom($suprim); + unless ($sudom eq $form{'udom'}) { + my $uprim = &Apache::lonnet::domain($form{'udom'},'primary'); + my $uintdom = &Apache::lonnet::internet_dom($uprim); + unless ($suprim eq $uprim) { + unless ($suintdom eq $uintdom) { + &Apache::lonnet::logthis('Attempted switch user ' + .'to user with different "internet domain".'); + $noprivswitch = 1; + } + } + } + + unless ($noprivswitch) { +# +# server where log-in occurs must have same "internet domain" as su-user's home +# server +# + my $lonhost = $r->dir_config('lonHostID'); + my $hostintdom = &Apache::lonnet::internet_dom($lonhost); + if ($hostintdom ne $suintdom) { + &Apache::lonnet::logthis('Attempted switch user on a ' + .'server with a different "internet domain".'); + } else { + # -------------------------------------------------------- actually switch users - &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}. - ' logging in as '.$form{'suname'}); - $form{'uname'}=$form{'suname'}; - } else { - &Apache::lonnet::logthis('Attempted switch user to privileged user'); + + &Apache::lonnet::logperm('User '.$form{'uname'}.' at '. + $form{'udom'}.' logging in as '.$suname.':'.$sudom); + $form{'uname'}=$suname; + if ($form{'udom'} ne $sudom) { + $form{'udom'}=$sudom; + } + } + } } } } else {