loncom/auth/lonauth.pm - diff

Return to lonauth.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonauth.pm between versions 1.144 and 1.145

-version 1.144, 2017/08/08 16:43:54
+version 1.145, 2017/08/08 17:01:25
  Line 334  sub handler {
  # split user logging in and "su"-user
-     ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
+     ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
      $form{'uname'} = &LONCAPA::clean_username($form{'uname'});
      $form{'suname'}= &LONCAPA::clean_username($form{'suname'});
-     $form{'udom'}  = &LONCAPA::clean_domain(  $form{'udom'});
+     $form{'udom'}  = &LONCAPA::clean_domain($form{'udom'});
+     $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
      my $role   = $r->dir_config('lonRole');
      my $domain = $r->dir_config('lonDefDomain');
- Line 462  sub handler {
+ Line 463  sub handler {
  # --------------------------------- Are we attempting to login as somebody else?
      if ($form{'suname'}) {
+         my ($suname,$sudom,$sudomref);
+         $suname = $form{'suname'};
+         $sudom = $form{'udom'};
+         if ($form{'sudom'}) {
+             unless ($sudom eq $form{'sudom'}) {
+                 if (&Apache::lonnet::domain($form{'sudom'})) {
+                     $sudomref = [$form{'sudom'}];
+                     $sudom = $form{'sudom'};
+                 }
+             }
+         }
  # ------------ see if the original user has enough privileges to pull this stunt
- 	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
+ 	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
  # ---------------------------------------------------- see if the su-user exists
- 	    unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
+ 	    unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
- 		eq 'no_host') {
+ 		&Apache::lonnet::logthis(&Apache::lonnet::homeserver($suname,$sudom));
- 		&Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
  # ------------------------------ see if the su-user is not too highly privileged
- 		unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
+ 		unless (&Apache::lonnet::privileged($suname,$sudom)) {
+ #
+ # su-user's home server and user's home server must have one of:
+ # (a) same internet dom
+ # (b) same primary library server for home server's domain
+ # (c) same "internet domain" for primary library server for home server's domain
+ #
+                     unless ($sudom eq $form{'udom'}) {
+                         my $suprim = &Apache::lonnet::domain($sudom,'primary');
+                         my $uprim = &Apache::lonnet::domain($sudom,'primary');
+                         unless ($suprim eq $uprim) {
+                             my $suintdom = &Apache::lonnet::internet_dom($suprim);
+                             my $uintdom = &Apache::lonnet::internet_dom($uprim);
+                             unless ($suintdom eq $uintdom) {
+                                 &Apache::lonnet::logthis('Attempted switch user '
+                                                          .'to privileged user');
+                             }
+                         }
+                     }
  # -------------------------------------------------------- actually switch users
  		    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
- 			' logging in as '.$form{'suname'});
+ 			' logging in as '.$suname.':'.$sudom);
- 		    $form{'uname'}=$form{'suname'};
+ 		    $form{'uname'}=$suname;
+                     if ($form{'udom'} ne $sudom) {
+                         $form{'udom'}=$sudom;
+                     }
  		} else {
  		    &Apache::lonnet::logthis('Attempted switch user to privileged user');
  		}

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.144
changed lines
	Added in v.1.145