[BACK]Return to loncacc.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/loncacc.pm between versions 1.20 and 1.57

version 1.20, 2002/01/04 15:10:54 version 1.57, 2011/10/30 20:31:02
Line 26 Line 26
 #  #
 # http://www.lon-capa.org/  # http://www.lon-capa.org/
 #  #
 # YEAR=2000  
 # 6/15,16/11,22/11,  
 # YEAR=2001  
 # 01/06,01/11,6/1,9/25,9/28,11/22,12/25,12/26,  
 # 01/06/01,05/04,05/05,05/09 Gerd Kortemeyer  
 # 12/21 Scott Harrison  
 # YEAR=2002  
 # 1/4 Gerd Kortemeyer  
 ###  
   
 package Apache::loncacc;  =pod
   
 use strict;  
 use Apache::Constants qw(:common :http :methods);  
 use Apache::File;  
 use CGI::Cookie();  
 use Fcntl qw(:flock);  
   
 sub constructaccess {  
     my ($url,$ownerdomain)=@_;  
     my ($ownername)=($url=~/\/(?:\~|priv\/|home\/)(\w+)/);  
     unless (($ownername) && ($ownerdomain)) { return ''; }  
   
     if (($ownername eq $ENV{'user.name'}) &&  
         ($ownerdomain eq $ENV{'user.domain'})) {  
  return ($ownername,$ownerdomain);  
     }  
   
     my $capriv='user.priv.ca./'.  
                $ownerdomain.'/'.$ownername.'./'.  
        $ownerdomain.'/'.$ownername;  
     foreach (keys %ENV) {  
         if ($_ eq $capriv) {  
            return ($ownername,$ownerdomain);  
         }  
     }  
   
     return '';  
 }  
   
 sub handler {  
     my $r = shift;  
     my $requrl=$r->uri;  
     my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));  
     my $lonid=$cookies{'lonID'};  
     my $cookie;  
     if ($lonid) {  
  my $handle=$lonid->value;  
         $handle=~s/\W//g;  
         my $lonidsdir=$r->dir_config('lonIDsDir');  
         if ((-e "$lonidsdir/$handle.id") && ($handle ne '')) {  
             my @profile;  
     {  
              my $idf=Apache::File->new("$lonidsdir/$handle.id");  
              flock($idf,LOCK_SH);  
              @profile=<$idf>;  
              $idf->close();  
     }  
             my $envi;  
             for ($envi=0;$envi<=$#profile;$envi++) {  
  chomp($profile[$envi]);  
  my ($envname,$envvalue)=split(/=/,$profile[$envi]);  
                 $ENV{$envname} = $envvalue;  
             }  
             $ENV{'user.environment'} = "$lonidsdir/$handle.id";  
             $ENV{'request.state'}    = "construct";  
             $ENV{'request.filename'} = $r->filename;  
   
             unless (&constructaccess($requrl,$r->dir_config('lonDefDomain'))) {  
                 $r->log_reason("Unauthorized $requrl", $r->filename);   
         return HTTP_NOT_ACCEPTABLE;  
             }  
   
 # -------------------------------------------------------- Load POST parameters  
   
   
         my $buffer;  
   
         $r->read($buffer,$r->header_in('Content-length'));  
   
  unless ($buffer=~/^(\-+\w+)\s+Content\-Disposition\:\s*form\-data/si) {  
             my @pairs=split(/&/,$buffer);  
             my $pair;  
             foreach $pair (@pairs) {  
                my ($name,$value) = split(/=/,$pair);  
                $value =~ tr/+/ /;  
                $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;  
                $name  =~ tr/+/ /;  
                $name  =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;  
                $ENV{"form.$name"}=$value;  
             }   
         } else {  
     my $contentsep=$1;  
             my @lines = split (/\n/,$buffer);  
             my $name='';  
             my $value='';  
             my $fname='';  
             my $fmime='';  
             my $i;  
             for ($i=0;$i<=$#lines;$i++) {  
  if ($lines[$i]=~/^$contentsep/) {  
     if ($name) {  
                         chomp($value);  
  if ($fname) {  
     $ENV{"form.$name.filename"}=$fname;  
                             $ENV{"form.$name.mimetype"}=$fmime;  
                         } else {  
                             $value=~s/\s+$//s;  
                         }  
                         $ENV{"form.$name"}=$value;  
                     }  
                     if ($i<$#lines) {  
  $i++;  
                         $lines[$i]=~  
  /Content\-Disposition\:\s*form\-data\;\s*name\=\"([^\"]+)\"/i;  
                         $name=$1;  
                         $value='';  
                         if ($lines[$i]=~/filename\=\"([^\"]+)\"/i) {  
    $fname=$1;  
                            if   
                             ($lines[$i+1]=~/Content\-Type\:\s*([\w\-\/]+)/i) {  
       $fmime=$1;  
                               $i++;  
    } else {  
                               $fmime='';  
                            }  
                         } else {  
     $fname='';  
                             $fmime='';  
                         }  
                         $i++;  
                     }  
                 } else {  
     $value.=$lines[$i]."\n";  
                 }  
             }  
  }  
             $ENV{'request.method'}=$ENV{'REQUEST_METHOD'};  
             $r->method_number(M_GET);  
     $r->method('GET');  
             $r->headers_in->unset('Content-length');  
   
             return OK;   
         } else {   
             $r->log_reason("Cookie $handle not valid", $r->filename)   
         };  
     }  
   
 # ----------------------------------------------- Store where they wanted to go  
   
     $ENV{'request.firsturl'}=$requrl;  
     return FORBIDDEN;  
 }  
   
 1;  
 __END__  
   
 =head1 NAME  =head1 NAME
   
Line 189  Apache::lonacc - Cookie Based Access Han Line 35  Apache::lonacc - Cookie Based Access Han
   
 =head1 SYNOPSIS  =head1 SYNOPSIS
   
 Invoked (for various locations) by /etc/httpd/conf/srm.conf:  Invoked (for various locations) by /etc/httpd/conf/loncapa_apache.conf:
   
  PerlAccessHandler       Apache::loncacc   PerlAccessHandler       Apache::loncacc
   
 =head1 INTRODUCTION  =head1 INTRODUCTION
   
 This module enables cookie based authentication for construction area  This module enables cookie based authentication for construction area
 and is used to control access for three (essentially equivalent) URIs.  and is used to control access for the following two types of URI 
   (one for files, and one for directories):
   
  <LocationMatch "^/priv.*">   <LocationMatch "^/priv.*">
  <LocationMatch "^/\~.*">   <LocationMatch "^/priv.*/$">
  <LocationMatch "^/\~.*/$">  
   
 Whenever the client sends the cookie back to the server,   Whenever the client sends the cookie back to the server, 
 if the cookie is missing or invalid, the user is re-challenged  if the cookie is missing or invalid, the user is re-challenged
Line 227  store where they wanted to go (first url Line 73  store where they wanted to go (first url
   
 =head1 OTHERSUBROUTINES  =head1 OTHERSUBROUTINES
   
 =over 4  =over
   
 =item *  =item constructaccess($url,$setpriv)
   
 constructaccess($url,$ownerdomain) : See if the owner domain and name  See if the owner domain and name
 in the URL match those in the expected environment.  If so, return   in the URL match those in the expected environment.  If so, return 
 two element list ($ownername,$ownerdomain).  Else, return null string.  two element list ($ownername,$ownerdomain).  Else, return null string.
   If 'setpriv' is set to 'setpriv', it actually assigns the privileges.
 =back  =back
   
 =cut  =cut
   
   
   package Apache::loncacc;
   
   use strict;
   use Apache::Constants qw(:common :http :methods REDIRECT);
   use Fcntl qw(:flock);
   use Apache::lonlocal;
   use Apache::lonnet;
   use Apache::lonacc;
   use LONCAPA qw(:DEFAULT :match);
   
   sub constructaccess {
       my ($url,$setpriv)=@_;
   
   # We do not allow editing of previous versions of files
       if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }
   
   # Get username and domain from URL
       my $londocroot = $Apache::lonnet::perlvar{'lonDocRoot'};
       my ($ownerdomain,$ownername)=($url=~ m{^(?:\Q$londocroot\E|)/priv/($match_domain)/($match_username)/});
   
   # The URL does not really point to any authorspace, forget it
       unless (($ownername) && ($ownerdomain)) { return ''; }
     
   # Now we need to see if the user has access to the authorspace of
   # $ownername at $ownerdomain
   
       if (($ownername eq $env{'user.name'}) && ($ownerdomain eq $env{'user.domain'})) {
   # Real author for this?
          if (exists($env{'user.priv.au./'.$ownerdomain.'/./'})) {
             return ($ownername,$ownerdomain);
          }
       } else {
   # Co-author for this?
    if (exists($env{'user.priv.ca./'.$ownerdomain.'/'.$ownername.'./'}) ||
       exists($env{'user.priv.aa./'.$ownerdomain.'/'.$ownername.'./'}) ) {
       return ($ownername,$ownerdomain);
    }
       }
   # We don't have any access right now. If we are not possibly going to do anything about this,
   # we might as well leave
      unless ($setpriv) { return ''; }
   
   # Backdoor access?
       my $allowed=&Apache::lonnet::allowed('eco',$ownerdomain);
   # Nope
       unless ($allowed) { return ''; }
   # Looks like we may have access, but could be locked by the owner of the construction space
       if ($allowed eq 'U') {
           my %blocked=&Apache::lonnet::get('environment',['domcoord.author'],
                                            $ownerdomain,$ownername);
   # Is blocked by owner
           if ($blocked{'domcoord.author'} eq 'blocked') { return ''; }
       }
       if (($allowed eq 'F') || ($allowed eq 'U')) {
   # Grant temporary access
           my $then=$env{'user.login.time'};
           my $update==$env{'user.update.time'};
           if (!$update) { $update = $then; }
           my $refresh=$env{'user.refresh.time'};
           if (!$refresh) { $refresh = $update; }
           my $now = time;
           &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
                                              $update,$refresh,$now,'ca',
                                              'constructaccess');
           return($ownername,$ownerdomain);
       }
   # No business here
       return '';
   }
   
   sub handler {
       my $r = shift;
       my $requrl=$r->uri;
       $env{'request.editurl'}=$requrl;
   
       my $handle =  &Apache::lonnet::check_for_valid_session($r);
       if ($handle ne '') {
   
   # ------------------------------------------------------ Initialize Environment
           my $lonidsdir=$r->dir_config('lonIDsDir');
    &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
   
   # --------------------------------------------------------- Initialize Language
    
    &Apache::lonlocal::get_language_handle($r);
   
   # -------------------------------------------------------------- Resource State
   
    $env{'request.state'}    = "construct";
    $env{'request.filename'} = $r->filename;
   
    unless (&constructaccess($requrl,'setpriv')) {
       $r->log_reason("Unauthorized $requrl", $r->filename); 
       return HTTP_NOT_ACCEPTABLE;
    }
   
   # -------------------------------------------------------- Load POST parameters
   
    &Apache::lonacc::get_posted_cgi($r);
   
    return OK; 
       } else { 
    $r->log_reason("Cookie $handle not valid", $r->filename) 
       }
   
   # ----------------------------------------------- Store where they wanted to go
   
       $env{'request.firsturl'}=$requrl;
       return FORBIDDEN;
   }
   
   1;
   __END__
   
   
   
   
   
   
Removed from v.1.20  
changed lines
  Added in v.1.57

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>