--- loncom/auth/lonauth.pm	2022/02/27 02:57:35	1.121.2.24.2.3
+++ loncom/auth/lonauth.pm	2022/08/30 12:10:43	1.121.2.24.2.5
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.121.2.24.2.3 2022/02/27 02:57:35 raeburn Exp $
+# $Id: lonauth.pm,v 1.121.2.24.2.5 2022/08/30 12:10:43 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -46,7 +46,7 @@ use CGI::Cookie();
 # ------------------------------------------------------------ Successful login
 sub success {
     my ($r, $username, $domain, $authhost, $lowerurl, $extra_env,
-	$form,$cid,$expirepub) = @_;
+	$form,$cid,$expirepub,$write_to_opener) = @_;
 
 # ------------------------------------------------------------ Get cookie ready
     my $cookie =
@@ -148,11 +148,21 @@ sub success {
         $destination .= 'source=login';
     }
 
+    my $brcrum = [{'href' => '',
+                   'text' => 'Successful Login'},];
+    my $args = {'no_inline_link' => 1,
+                'bread_crumbs' => $brcrum,};
     if (($env{'request.deeplink.login'} eq $lowerurl) &&
         (($env{'request.linkprot'}) || ($env{'request.linkkey'} ne ''))) {
         my %info;
         if ($env{'request.linkprot'}) {
             $info{'linkprot'} = $env{'request.linkprot'};
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($form->{$item}) {
+                    $info{$item} = $form->{$item};
+                }
+            }
+            $args = {'only_body' => 1,};
         } elsif ($env{'request.linkkey'} ne '') {
             $info{'linkkey'} = $env{'request.linkkey'};
         }
@@ -168,23 +178,29 @@ sub success {
             &Apache::lonnet::appenv({'environment.remote' => 'off'});
         }
     }
+    my $startupremote;
+    if ($write_to_opener) {
+        if ($env{'environment.remote'} eq 'on') {
+            &Apache::lonnet::appenv({'environment.remote' => 'off'});
+        }
+        $args->{'redirect'} = [0,$destination,'',$write_to_opener];
+    } else {
+        $startupremote=&Apache::lonmenu::startupremote($destination);
+    }
 
     my $windowinfo=&Apache::lonmenu::open($env{'browser.os'});
-    my $startupremote=&Apache::lonmenu::startupremote($destination);
     my $remoteinfo=&Apache::lonmenu::load_remote_msg($lowerurl);
     my $setflags=&Apache::lonmenu::setflags();
     my $maincall=&Apache::lonmenu::maincall();
-    my $brcrum = [{'href' => '',
-                   'text' => 'Successful Login'},];
     my $start_page=&Apache::loncommon::start_page('Successful Login',
-                                                  $startupremote,
-                                                  {'no_inline_link' => 1,
-                                                   'bread_crumbs' => $brcrum,});
+                                                  $startupremote,$args);
     my $end_page  =&Apache::loncommon::end_page();
 
     my $continuelink;
     if ($env{'environment.remote'} eq 'off') {
-	$continuelink='<a href="'.$destination.'">'.&mt('Continue').'</a>';
+        unless ($write_to_opener) {
+	    $continuelink='<a href="'.$destination.'">'.&mt('Continue').'</a>';
+        }
     }
 # ------------------------------------------------- Output for successful login
 
@@ -203,17 +219,24 @@ sub success {
     }
     $r->send_http_header;
 
-    my %lt=&Apache::lonlocal::texthash(
-				       'wel' => 'Welcome',
-				       'pro' => 'Login problems?',
-				       );
-    my $loginhelp = &loginhelpdisplay($domain);
-    if ($loginhelp) {
-        $loginhelp = '<p><a href="'.$loginhelp.'">'.$lt{'pro'}.'</a></p>';
-    }
+    if ($env{'request.linkprot'}) {
+        $r->print(<<END);
+$start_page
+<br />$continuelink
+$end_page
+END
+    } else {
+        my %lt=&Apache::lonlocal::texthash(
+				           'wel' => 'Welcome',
+				           'pro' => 'Login problems?',
+				          );
+        my $loginhelp = &loginhelpdisplay($domain);
+        if ($loginhelp) {
+            $loginhelp = '<p><a href="'.$loginhelp.'">'.$lt{'pro'}.'</a></p>';
+        }
 
-    my $welcome = &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>'); 
-    $r->print(<<ENDSUCCESS);
+        my $welcome = &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>'); 
+        $r->print(<<ENDSUCCESS);
 $start_page
 $setflags
 $windowinfo
@@ -225,6 +248,7 @@ $maincall
 $continuelink
 $end_page
 ENDSUCCESS
+    }
     return;
 }
 
@@ -238,6 +262,11 @@ sub failed {
     if ($clientunicode && !$clientmathml) {
         $args = {'browser.unicode' => 1};
     }
+    if ($form->{firsturl} =~ m{^/tiny/$match_domain/\w+$}) {
+        if ($form->{linkprot}) {
+            $args->{only_body} = 1;
+        }
+    }
 
     my $start_page = &Apache::loncommon::start_page('Unsuccessful Login',undef,$args);
     my $uname = &Apache::loncommon::cleanup_html($form->{'uname'});
@@ -282,7 +311,15 @@ sub failed {
             }
         }
         if (exists($form->{linkprot})) {
-            my $ltoken = &Apache::lonnet::tmpput({linkprot => $form->{'linkprot'}},
+            my %info = (
+                         'linkprot' => $form->{'linkprot'},
+                       );
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($form->{$item} ne '') {
+                    $info{$item} = $form->{$item};
+                }
+            }
+            my $ltoken = &Apache::lonnet::tmpput(\%info,
                                                  $r->dir_config('lonHostID'),'retry');
             if ($ltoken) {
                 $retry .= (($retry =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
@@ -390,6 +427,19 @@ sub handler {
                                      .$end_page);
                             } else {
                                 if (($info{'linkprot'}) || ($info{'linkkey'} ne '')) {
+                                    if (($info{'linkprot'}) && ($info{'linkprotuser'} ne '')) {
+                                        unless ($info{'linkprotuser'} eq $env{'user.name'}.':'.$env{'user.domain'}) {
+                                            $r->print(
+                                                      $start_page
+                                                      .'<p class="LC_warning">'.&mt('You are already logged in, but as a different user from the one expected for the link you followed from another system').'</p>'
+                                                      .'<p>'.&mt('Please [_1]log out[_2] first, and then try following the link again from the other system',
+                                                                 '<a href="/adm/logout">','</a>')
+
+                                                      .'</p>'
+                                                      .$end_page);
+                                            return OK;
+                                        }
+                                    }
                                     my $token = &Apache::lonnet::tmpput(\%info,$r->dir_config('lonHostID'),'link');
                                     unless (($token eq 'con_lost') || ($token eq 'refused') ||
                                             ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
@@ -644,6 +694,18 @@ sub handler {
 	}
     }
 
+    if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+        if (($form{'linkprot'}) && ($form{'linkprotuser'} ne '')) {
+            unless($form{'linkprotuser'} eq $form{'uname'}.':'.$form{'udom'}) {
+                delete($form{'udom'});
+                delete($form{'uname'});
+                &failed($r,'Username and/or domain are different to that expected for the link you followed from another system',
+                        \%form,$authhost);
+                return OK;
+            }
+        }
+    }
+
     my ($is_balancer,$otherserver);
 
     unless ($hosthere) {
@@ -687,6 +749,11 @@ sub handler {
             }
             if ($form{'linkprot'}) {
                 $env{'request.linkprot'} = $form{'linkprot'};
+                foreach my $item ('linkprotuser','linkprotexit') {
+                    if ($form{$item}) {
+                        $env{'request.'.$item} = $form{$item};
+                    }
+                }
             } elsif ($form{'linkkey'} ne '') {
                 $env{'request.linkkey'} = $form{'linkkey'};
             }
@@ -718,6 +785,11 @@ sub handler {
                 }
                 if ($form{'linkprot'}) {
                     $env{'request.linkprot'} = $form{'linkprot'};
+                    foreach my $item ('linkprotuser','linkprotexit') {
+                        if ($form{$item}) {
+                            $env{'request.'.$item} = $form{$item};
+                        }
+                    }
                 } elsif ($form{'linkkey'} ne '') {
                     $env{'request.linkkey'} = $form{'linkkey'};
                 }
@@ -801,6 +873,9 @@ sub handler {
                 } else {
                     $extra_env = {'request.linkprot' => $form{'linkprot'}};
                 }
+                if ($form{'linkprotexit'}) {
+                    $extra_env->{'request.linkprotexit'} = $form{'linkprotexit'};
+                }
             } elsif ($form{'linkkey'} ne '') {
                 if (ref($extra_env) eq 'HASH') {
                     %{$extra_env} = ( %{$extra_env}, 'request.linkkey' => $form{'linkkey'} );
@@ -889,7 +964,7 @@ sub set_retry_token {
     my ($form,$lonhost,$querystr) = @_;
     if (ref($form) eq 'HASH') {
         my ($firsturl,$token,$extras,@names);
-        @names = ('role','symb','linkprot','linkkey','iptoken');
+        @names = ('role','symb','linkprotuser','linkprotexit','linkprot','linkkey','iptoken');
         foreach my $name (@names) {
             if ($form->{$name} ne '') {
                 $extras .= '&'.$name.'='.&escape($form->{$name});