loncom/auth/loncacc.pm - diff

Return to loncacc.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/loncacc.pm between versions 1.44 and 1.51

-version 1.44, 2007/02/01 07:13:04
+version 1.51, 2010/09/30 16:42:30
  Line 27
  # http://www.lon-capa.org/
  #
+ =pod
+ =head1 NAME
+ Apache::lonacc - Cookie Based Access Handler for Construction Area
+ =head1 SYNOPSIS
+ Invoked (for various locations) by /etc/httpd/conf/loncapa_apache.conf:
+  PerlAccessHandler       Apache::loncacc
+ =head1 INTRODUCTION
+ This module enables cookie based authentication for construction area
+ and is used to control access for three (essentially equivalent) URIs.
+  <LocationMatch "^/priv.*">
+  <LocationMatch "^/\~.*">
+  <LocationMatch "^/\~.*/$">
+ Whenever the client sends the cookie back to the server,
+ if the cookie is missing or invalid, the user is re-challenged
+ for login information.
+ This is part of the LearningOnline Network with CAPA project
+ described at http://www.lon-capa.org.
+ =head1 HANDLER SUBROUTINE
+ This routine is called by Apache and mod_perl.
+ =over 4
+ =item *
+ load POST parameters
+ =item *
+ store where they wanted to go (first url entered)
+ =back
+ =head1 OTHERSUBROUTINES
+ =over
+ =item constructaccess($url,$ownerdomain)
+ See if the owner domain and name
+ in the URL match those in the expected environment.  If so, return
+ two element list ($ownername,$ownerdomain).  Else, return null string.
+ =back
+ =cut
  package Apache::loncacc;
  use strict;
  use Apache::Constants qw(:common :http :methods REDIRECT);
- use CGI::Cookie();
+ use Fcntl qw(:flock);
  use Apache::lonlocal;
  use Apache::lonnet;
- use Apache::lonacc();
+ use Apache::lonacc;
  use LONCAPA qw(:DEFAULT :match);
  sub constructaccess {
-     my ($url,$ownerdomain)=@_;
+     my ($url,$ownerdomain,$setpriv)=@_;
-     my ($ownername)=($url=~m{/(?:\~|priv/|home/)($match_username)/});
+     my ($ownername)=($url=~/\/(?:\~|priv\/|home\/)($match_username)\//);
      unless (($ownername) && ($ownerdomain)) { return ''; }
      # We do not allow editing of previous versions of files.
      if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }
- Line 47  sub constructaccess {
+ Line 106  sub constructaccess {
      if ($ownername eq $env{'user.name'}) {
  	foreach my $domain (@possibledomains) {
  	    if ($domain eq $env{'user.domain'}) {
-     &Apache::lonnet::logthis("good1!");
  		return ($ownername,$domain);
  	    }
  	}
      }
      foreach my $domain (@possibledomains) {
  	if (exists($env{'user.priv.ca./'.$domain.'/'.$ownername.'./'}) ||
  	    exists($env{'user.priv.aa./'.$domain.'/'.$ownername.'./'}) ) {
-     &Apache::lonnet::logthis("good2!");
  	    return ($ownername,$domain);
  	}
      }
-     &Apache::lonnet::logthis("boo! hiss!");
+     my $then=$env{'user.login.time'};
+     my %dcroles = ();
+     if (&is_active_dc($ownerdomain,$then)) {
+         my %blocked=&Apache::lonnet::get('environment',['domcoord.author'],
+                                          $ownerdomain,$ownername);
+         unless ($blocked{'domcoord.author'} eq 'blocked') {
+             if (grep(/^$ownerdomain$/,@possibledomains)) {
+                 if ($setpriv) {
+                     my $refresh=$env{'user.refresh.time'};
+                     if (!$refresh) {
+                         $refresh = $then;
+                     }
+                     my $now = time;
+                     &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
+                                                        $then,$refresh,$now,'ca',
+                                                        'constructaccess');
+                 }
+                 return($ownername,$ownerdomain);
+             }
+         }
+     }
      return '';
  }
+ sub is_active_dc {
+     my ($ownerdomain,$then) = @_;
+     my $livedc;
+     if ($env{'user.adv'}) {
+         my $domrole = $env{'user.role.dc./'.$ownerdomain.'/'};
+         if ($domrole) {
+             my ($tstart,$tend)=split(/\./,$domrole);
+             $livedc = 1;
+             if ($tstart && $tstart>$then) { undef($livedc); }
+             if ($tend   && $tend  <$then) { undef($livedc); }
+         }
+     }
+     return $livedc;
+ }
  sub handler {
      my $r = shift;
      my $requrl=$r->uri;
      $env{'request.editurl'}=$requrl;
-     my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
-     my $lonid=$cookies{'lonID'};
-     my $cookie;
-     if ($lonid) {
-       	my $handle=&LONCAPA::clean_handle($lonid->value);
-         my $lonidsdir=$r->dir_config('lonIDsDir');
-         if ((-e "$lonidsdir/$handle.id") && ($handle ne '')) {
- # ------------------------------------------------------ Initialize Environment
+     my $handle =  &Apache::lonnet::check_for_valid_session($r);
+     if ($handle ne '') {
-             &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
+ # ------------------------------------------------------ Initialize Environment
+         my $lonidsdir=$r->dir_config('lonIDsDir');
+ 	&Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
  # --------------------------------------------------------- Initialize Language
-  	    &Apache::lonlocal::get_language_handle($r);
+ 	&Apache::lonlocal::get_language_handle($r);
  # -------------------------------------------------------------- Resource State
-             $env{'request.state'}    = "construct";
+ 	$env{'request.state'}    = "construct";
-             $env{'request.filename'} = $r->filename;
+ 	$env{'request.filename'} = $r->filename;
-             unless (&constructaccess($requrl,$r->dir_config('lonDefDomain'))) {
+ 	unless (&constructaccess($requrl,$r->dir_config('lonDefDomain'),'setpriv')) {
-                 $r->log_reason("Unauthorized $requrl", $r->filename);
+ 	    $r->log_reason("Unauthorized $requrl", $r->filename);
- 	        return HTTP_NOT_ACCEPTABLE;
+ 	    return HTTP_NOT_ACCEPTABLE;
-             }
+ 	}
  # -------------------------------------------------------- Load POST parameters
- 	    &Apache::lonacc::get_posted_cgi($r);
+ 	&Apache::lonacc::get_posted_cgi($r);
-             return OK;
+ 	return OK;
-         } else {
+     } else {
-             $r->log_reason("Cookie $handle not valid", $r->filename)
+ 	$r->log_reason("Cookie $handle not valid", $r->filename)
-         };
      }
  # ----------------------------------------------- Store where they wanted to go
- Line 113  sub handler {
+ Line 202  sub handler {
 ;
  __END__
- =head1 NAME
- Apache::lonacc - Cookie Based Access Handler for Construction Area
- =head1 SYNOPSIS
- Invoked (for various locations) by /etc/httpd/conf/loncapa_apache.conf:
-  PerlAccessHandler       Apache::loncacc
- =head1 INTRODUCTION
- This module enables cookie based authentication for construction area
- and is used to control access for three (essentially equivalent) URIs.
-  <LocationMatch "^/priv.*">
-  <LocationMatch "^/\~.*">
-  <LocationMatch "^/\~.*/$">
- Whenever the client sends the cookie back to the server,
- if the cookie is missing or invalid, the user is re-challenged
- for login information.
- This is part of the LearningOnline Network with CAPA project
- described at http://www.lon-capa.org.
- =head1 HANDLER SUBROUTINE
- This routine is called by Apache and mod_perl.
- =over 4
- =item *
- load POST parameters
- =item *
- store where they wanted to go (first url entered)
- =back
- =head1 OTHERSUBROUTINES
- =over 4
- =item *
- constructaccess($url,$ownerdomain) : See if the owner domain and name
- in the URL match those in the expected environment.  If so, return
- two element list ($ownername,$ownerdomain).  Else, return null string.
- =back
- =cut

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.44
changed lines
	Added in v.1.51