loncom/auth/loncacc.pm - diff

Return to loncacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/loncacc.pm between versions 1.56 and 1.59

version 1.56, 2011/10/25 18:37:11	version 1.59, 2011/11/12 19:37:40
Line 42 Invoked (for various locations) by /etc/	Line 42 Invoked (for various locations) by /etc/
=head1 INTRODUCTION	=head1 INTRODUCTION

This module enables cookie based authentication for construction area	This module enables cookie based authentication for construction area
and is used to control access for three (essentially equivalent) URIs.	and is used to control access for the following two types of URI
	(one for files, and one for directories):

<LocationMatch "^/priv.*">	<LocationMatch "^/priv.*">
<LocationMatch "^/\~.*">	<LocationMatch "^/priv.*/$">
<LocationMatch "^/\~.*/$">

Whenever the client sends the cookie back to the server,	Whenever the client sends the cookie back to the server,
if the cookie is missing or invalid, the user is re-challenged	if the cookie is missing or invalid, the user is re-challenged
Line 79 store where they wanted to go (first url	Line 79 store where they wanted to go (first url

See if the owner domain and name	See if the owner domain and name
in the URL match those in the expected environment. If so, return	in the URL match those in the expected environment. If so, return
two element list ($ownername,$ownerdomain). Else, return null string.	three element list ($ownername,$ownerdomain,$ownerhome).
If 'setpriv' is set to 'setpriv', it actually assigns the privileges.
	Otherwise return the null string.

	If second argument 'setpriv' is true, it assigns the privileges,
	and returns the same three element list, unless the owner has
	blocked "ad hoc" Domain Coordinator access to the Author Space,
	in which case the null string is returned.

=back	=back

=cut	=cut
Line 103 sub constructaccess {	Line 110 sub constructaccess {
if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }	if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }

# Get username and domain from URL	# Get username and domain from URL
my ($ownerdomain,$ownername)=($url=~/^(?:\/home\/httpd\/html\/\|\/)priv\/($match_domain)\/($match_username)\//);	my $londocroot = $Apache::lonnet::perlvar{'lonDocRoot'};
	my ($ownername,$ownerdomain,$ownerhome);

	($ownerdomain,$ownername) =
	($url=~ m{^(?:\Q$londocroot\E\|)/priv/($match_domain)/($match_username)/});

# The URL does not really point to any authorspace, forget it	# The URL does not really point to any authorspace, forget it
unless (($ownername) && ($ownerdomain)) { return ''; }	unless (($ownername) && ($ownerdomain)) { return ''; }

# Now we need to see if the user has access to the authorspace of	# Now we need to see if the user has access to the authorspace of
# $ownername at $ownerdomain	# $ownername at $ownerdomain

if (($ownername eq $env{'user.name'}) && ($ownerdomain eq $env{'user.domain'})) {	if (($ownername eq $env{'user.name'}) && ($ownerdomain eq $env{'user.domain'})) {
# Real author for this?	# Real author for this?
	$ownerhome = $env{'user.home'};
if (exists($env{'user.priv.au./'.$ownerdomain.'/./'})) {	if (exists($env{'user.priv.au./'.$ownerdomain.'/./'})) {
return ($ownername,$ownerdomain);	return ($ownername,$ownerdomain,$ownerhome);
}	}
} else {	} else {
# Co-author for this?	# Co-author for this?
if (exists($env{'user.priv.ca./'.$ownerdomain.'/'.$ownername.'./'}) \|\|	if (exists($env{'user.priv.ca./'.$ownerdomain.'/'.$ownername.'./'}) \|\|
exists($env{'user.priv.aa./'.$ownerdomain.'/'.$ownername.'./'}) ) {	exists($env{'user.priv.aa./'.$ownerdomain.'/'.$ownername.'./'}) ) {
return ($ownername,$ownerdomain);	$ownerhome = &Apache::lonnet::homeserver($ownername,$ownerdomain);
	return ($ownername,$ownerdomain,$ownerhome);
}	}
}	}
# We don't have any access right now. If we are not possibly going to do anything about this,	# We don't have any access right now. If we are not possibly going to do anything about this,
Line 149 sub constructaccess {	Line 162 sub constructaccess {
&Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,	&Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
$update,$refresh,$now,'ca',	$update,$refresh,$now,'ca',
'constructaccess');	'constructaccess');
return($ownername,$ownerdomain);	$ownerhome = &Apache::lonnet::homeserver($ownername,$ownerdomain);
	return($ownername,$ownerdomain,$ownerhome);
}	}
# No business here	# No business here
return '';	return '';
Line 176 sub handler {	Line 190 sub handler {
$env{'request.state'} = "construct";	$env{'request.state'} = "construct";
$env{'request.filename'} = $r->filename;	$env{'request.filename'} = $r->filename;

unless (&constructaccess($requrl,'setpriv')) {	my $allowed;
	my ($ownername,$ownerdom,$ownerhome) = &constructaccess($requrl,'setpriv');
	if (($ownername ne '') && ($ownerdom ne '') && ($ownerhome ne '')) {
	unless ($ownerhome eq 'no_host') {
	my @hosts = &Apache::lonnet::current_machine_ids();
	if (grep(/^\Q$ownerhome\E$/,@hosts)) {
	$allowed = 1;
	}
	}
	}

	unless ($allowed) {
$r->log_reason("Unauthorized $requrl", $r->filename);	$r->log_reason("Unauthorized $requrl", $r->filename);
return HTTP_NOT_ACCEPTABLE;	return HTTP_NOT_ACCEPTABLE;
}	}
Line 186 sub handler {	Line 211 sub handler {
&Apache::lonacc::get_posted_cgi($r);	&Apache::lonacc::get_posted_cgi($r);

return OK;	return OK;
} else {	} else {
$r->log_reason("Cookie $handle not valid", $r->filename)	$r->log_reason("Cookie $handle not valid", $r->filename)
}	}

Line 199 sub handler {	Line 224 sub handler {
1;	1;
__END__	__END__

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.56
changed lines
	Added in v.1.59