File:  [LON-CAPA] / loncom / auth / lonstatusacc.pm
Revision 1.3: download - view: text, annotated - select for diffs
Mon Dec 22 21:13:19 2008 UTC (15 years, 4 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Add a page with a list of links to available server status utilities, accessible from Main Menu for Domain Coordinators.
- lonstatusacc.pm modified to perform AccessHandler duties for this new page.
  - appropriate HTTP responses returned if access to /adm/domainstatus or /adm/test is unavailable for current user/IP address.
- Include missing identifier numbers for "Modify" and "Course" in mydesk.tab.

    1: #
    2: # LON-CAPA authorization for pages generated by server-status reports 
    3: #
    4: # $Id: lonstatusacc.pm,v 1.3 2008/12/22 21:13:19 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: #############################################
   29: #############################################
   30: 
   31: package Apache::lonstatusacc;
   32: 
   33: use strict;
   34: use Apache::Constants qw(:common :http :remotehost);
   35: use Apache::lonnet;
   36: use LONCAPA::loncgi;
   37: 
   38: sub handler {
   39:     my $r = shift;
   40:     my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
   41:     my $page = 'serverstatus';
   42:     if (($r->uri eq '/adm/domainstatus') ||
   43:         ($r->uri eq '/adm/test')) {
   44:         if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
   45:             if ($r->uri eq '/adm/domainstatus') {
   46:                 return OK;
   47:             } elsif ($r->uri eq '/adm/test') { 
   48:                 $page = 'showenv'; 
   49:                 if (&LONCAPA::loncgi::can_view($page)) {
   50:                     return OK; 
   51:                 } elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
   52:                     return OK;
   53:                 } else {
   54:                     $Apache::lonnet::env{'user.error.msg'} =
   55:                         $r->uri.":bre:1:1:Access Denied";
   56:                     return HTTP_NOT_ACCEPTABLE;
   57:                 }
   58:             }
   59:         } else {
   60:             return FORBIDDEN;
   61:         }
   62:     } elsif ($r->uri ne '/server-status') {
   63:         $page = 'lonstatus';
   64:         if (!-e $r->filename) {
   65:             return NOT_FOUND;
   66:         }
   67:     }
   68:     if ($reqhost eq '127.0.0.1') {
   69:         return OK;
   70:     }
   71:     my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
   72:     my @poss_domains = &Apache::lonnet::current_machine_domains();
   73:     if (@hostids > 0) {
   74:         foreach my $id (@hostids) {
   75:             if ($id ne '') {
   76:                 my $dom = &Apache::lonnet::host_domain($id);
   77:                 if ($dom ne '') {
   78:                     if (grep(/^\Q$dom\E$/,@poss_domains)) {
   79:                         return OK;
   80:                     }
   81:                 }
   82:             }
   83:         }
   84:     } elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
   85:         return OK;
   86:     } else {
   87:         if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
   88:             if (&LONCAPA::loncgi::can_view($page)) {
   89:                 return OK;
   90:             }
   91:         }
   92:     }
   93:     $r->log_reason("Invalid request for server status from $reqhost",
   94:                    $r->uri);
   95:     return FORBIDDEN;
   96: }
   97: 
   98: 1;
   99: 
  100: __END__
  101: 
  102: =head1 NAME
  103: 
  104: Apache::lonstatusacc - Access Handler for Apache's server-status page 
  105: and also pages in lon-status directory.
  106: 
  107: =head1 SYNOPSIS
  108: 
  109: Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
  110: 
  111:  PerlAccessHandler       Apache::lonstatusacc
  112: 
  113: =head1 INTRODUCTION
  114: 
  115: This module can support access control based on IP 
  116: address, or based on Domain Configuration settings 
  117: for authenticated users (via cookie).
  118: 
  119: The module is used for control of access to
  120: (a) Apache's server-status page
  121: (b) Status pages in the /home/httpd/html/lon-status directory
  122:     which were generated as follows:
  123:     (i) when loncron was last run 
  124:         (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
  125:     (ii) when lonsql was last started 
  126:          (mysql.txt - only on connection failure),
  127:     (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run 
  128:          (checkrpms.txt),
  129:     (iv) when ./UPDATE was run to install/update 
  130:          (version.txt). 
  131: (c) User environment information reported by /adm/test
  132:  
  133: This is part of the LearningOnline Network with CAPA project
  134: described at http://www.lon-capa.org.
  135: 
  136: =head1 HANDLER SUBROUTINE
  137: 
  138: This routine is called by Apache and mod_perl.
  139: 
  140: The check for whether access is allowed for a specific page proceeds as follows:
  141: 
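  142: (a) Access allowed for request from loopback address (127.0.0.1) for any page except /adm/test and /adm/domainstatus; those two always require a valid session (for /adm/domainstatus a valid session is the only check made by this handler).
  143: 
  144: (b) For any page except /adm/test and /adm/domainstatus, access allowed if at least one of the following applies: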
  145:     (a) If request is from a LON-CAPA server, if at least one domain hosted on 
  146:         requesting machine is also a domain hosted on this server. 
  147:     (b) IP address of requesting server is listed in domain configuration list
  148:         of allowed machines for any of the domains hosted on this server
  149:     (c) If requestor has an active LON-CAPA session -- checked using
  150:         LONCAPA::loncgi::check_cookie_and_load_env() -- access allowed 
  151:         AND one of the following is true:
  152:         (i) Requestor has LON-CAPA superuser role
  153:         (ii) Requestor's role is Domain Coordinator in one of the domains
  154:              hosted on this server
  155:         (iii) Domain configurations for domains hosted on this server include
  156:               the requestor as one of the named users (username:domain) with access
  157:               to the page.
  158: 
  159: (c) /adm/test
  160:     Access requires a valid session - checked using 
  161:     LONCAPA::loncgi::check_cookie_and_load_env(). 
  162:     If so, access is allowed if one of the following is true:
  163:     (i) Requestor has LON-CAPA superuser role, or
  164:     (ii) Requestor's role is Domain Coordinator in one of the domains
  165:          hosted on this server
  166:     (iii) Domain configurations for domains hosted on this server include
  167:           the requestor as one of the named users (username:domain) with access
  168:           to the page.
  169:     (iv) IP address of requestor is listed in domain configuration list
  170:          of allowed machines for any of the domains hosted on this server
  171: 
  172: =cut 
  173: 
