--- loncom/auth/loncacc.pm	2011/09/27 20:28:38	1.53
+++ loncom/auth/loncacc.pm	2011/10/21 16:03:11	1.54
@@ -2,7 +2,7 @@
 # Cookie Based Access Handler for Construction Area
 # (lonacc: 5/21/99,5/22,5/29,5/31 Gerd Kortemeyer)
 #
-# $Id: loncacc.pm,v 1.53 2011/09/27 20:28:38 raeburn Exp $
+# $Id: loncacc.pm,v 1.54 2011/10/21 16:03:11 www Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -97,71 +97,64 @@ use Apache::lonacc;
 use LONCAPA qw(:DEFAULT :match);
 
 sub constructaccess {
-    my ($url,$ownerdomain,$setpriv)=@_;
-    my ($ownername)=($url=~/\/(?:\~|priv\/|home\/)($match_username)\//);
-    unless (($ownername) && ($ownerdomain)) { return ''; }
-    # We do not allow editing of previous versions of files.
+    my ($url,$setpriv)=@_;
+
+# We do not allow editing of previous versions of files
     if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }
-    my @possibledomains = &Apache::lonnet::current_machine_domains();
-    if ($ownername eq $env{'user.name'}) {
-	foreach my $domain (@possibledomains) {
-	    if ($domain eq $env{'user.domain'}) {
-		return ($ownername,$domain);
-	    }
-	}
-    }
-    
-    foreach my $domain (@possibledomains) {
-	if (exists($env{'user.priv.ca./'.$domain.'/'.$ownername.'./'}) ||
-	    exists($env{'user.priv.aa./'.$domain.'/'.$ownername.'./'}) ) {
-	    return ($ownername,$domain);
-	}
-    }
 
-    my $then=$env{'user.login.time'};
-    my $update==$env{'user.update.time'};
-    if (!$update) {
-        $update = $then;
+# Get username and domain from URL
+    my ($ownerdomain,$ownername)=($url=~/^\/priv\/($match_domain)\/($match_username)\//);
+
+# The URL does not really point to any authorspace, forget it
+    unless (($ownername) && ($ownerdomain)) { return ''; }
+  
+# Now we need to see if the user has access to the authorspace of
+# $ownername at $ownerdomain
+
+    if (($ownername eq $env{'user.name'}) && ($ownerdomain eq $env{'user.domain'})) {
+# Real author for this?
+       if (exists($env{'user.priv.au./'.$ownerdomain.'/./'})) {
+          return ($ownername,$ownerdomain);
+       }
+    } else {
+# Co-author for this?
+	if (exists($env{'user.priv.ca./'.$ownerdomain.'/'.$ownername.'./'}) ||
+	    exists($env{'user.priv.aa./'.$ownerdomain.'/'.$ownername.'./'}) ) {
+	    return ($ownername,$ownerdomain);
+	}
     }
-    my %dcroles = ();
-    if (&is_active_dc($ownerdomain,$update)) {
+# We don't have any access right now. If we are not possibly going to do anything about this,
+# we might as well leave
+   unless ($setpriv) { return ''; }
+
+# Backdoor access?
+    my $allowed=&Apache::lonnet::allowed('eco',$ownerdomain);
+# Nope
+    unless ($allowed) { return ''; }
+# Looks like we may have access, but could be locked by the owner of the construction space
+    if ($allowed eq 'U') {
         my %blocked=&Apache::lonnet::get('environment',['domcoord.author'],
                                          $ownerdomain,$ownername);
-        unless ($blocked{'domcoord.author'} eq 'blocked') {
-            if (grep(/^$ownerdomain$/,@possibledomains)) {
-                if ($setpriv) {
-                    my $refresh=$env{'user.refresh.time'};
-                    if (!$refresh) {
-                        $refresh = $update;
-                    }
-                    my $now = time;
-                    &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
-                                                       $update,$refresh,$now,'ca',
-                                                       'constructaccess');
-                }
-                return($ownername,$ownerdomain);
-            }
-        }
+# Is blocked by owner
+        if ($blocked{'domcoord.author'} eq 'blocked') { return ''; }
     }
-    return '';
-}
-
-sub is_active_dc {
-    my ($ownerdomain,$update) = @_;
-    my $livedc;
-    if ($env{'user.adv'}) {
-        my $domrole = $env{'user.role.dc./'.$ownerdomain.'/'};
-        if ($domrole) {
-            my ($tstart,$tend)=split(/\./,$domrole);
-            $livedc = 1;
-            if ($tstart && $tstart>$update) { undef($livedc); }
-            if ($tend   && $tend  <$update) { undef($livedc); }
-        }
+    if (($allowed eq 'F') || ($allowed eq 'U')) {
+# Grant temporary access
+        my $then=$env{'user.login.time'};
+        my $update==$env{'user.update.time'};
+        if (!$update) { $update = $then; }
+        my $refresh=$env{'user.refresh.time'};
+        if (!$refresh) { $refresh = $update; }
+        my $now = time;
+        &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
+                                           $update,$refresh,$now,'ca',
+                                           'constructaccess');
+        return($ownername,$ownerdomain);
     }
-    return $livedc;
+# No business here
+    return '';
 }
 
-
 sub handler {
     my $r = shift;
     my $requrl=$r->uri;
@@ -183,7 +176,7 @@ sub handler {
 	$env{'request.state'}    = "construct";
 	$env{'request.filename'} = $r->filename;
 
-	unless (&constructaccess($requrl,$r->dir_config('lonDefDomain'),'setpriv')) {
+	unless (&constructaccess($requrl,'setpriv')) {
 	    $r->log_reason("Unauthorized $requrl", $r->filename); 
 	    return HTTP_NOT_ACCEPTABLE;
 	}