Annotation of loncom/interface/lonexturlcheck.pm, revision 1.2

1.1       raeburn     1: # The LearningOnline Network with CAPA
                      2: # Handler to check if external resource can be shown in iframe
                      3: #
1.2     ! raeburn     4: # $Id: lonexturlcheck.pm,v 1.1 2019/05/02 02:12:19 raeburn Exp $
1.1       raeburn     5: #
                      6: # Copyright Michigan State University Board of Trustees
                      7: #
                      8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                      9: #
                     10: # LON-CAPA is free software; you can redistribute it and/or modify
                     11: # it under the terms of the GNU General Public License as published by
                     12: # the Free Software Foundation; either version 2 of the License, or
                     13: # (at your option) any later version.
                     14: #
                     15: # LON-CAPA is distributed in the hope that it will be useful,
                     16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     18: # GNU General Public License for more details.
                     19: #
                     20: # You should have received a copy of the GNU General Public License
                     21: # along with LON-CAPA; if not, write to the Free Software
                     22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
                     23: #
                     24: # /home/httpd/html/adm/gpl.txt
                     25: #
                     26: # http://www.lon-capa.org/
                     27: #
                     28: #
                     29: ###############################################################
                     30: ###############################################################
                     31: 
                     32: =pod
                     33: 
                     34: =head1 NAME
                     35: 
                     36: Apache::lonexturlcheck - External Resource URL checker
                     37: 
                     38: =head1 SYNOPSIS
                     39: 
                     40: Called in course context by course personnel either with the course editing
                     41: privilege or with view-only access to course editing tools.
                     42: 
                     43: Query string contains one item: name=exturl, value=URL of external resource
1.2     ! raeburn    44: (format: http://hostname/path or https://hostname/path).
1.1       raeburn    45:  
                     46: The resource URL is sent to &loncommon::is_nonframeable() to check whether
1.2     ! raeburn    47: it can be displayed in an iframe in a page served by the current host.
1.1       raeburn    48: 
                     49: =head1 OVERVIEW
                     50: 
                     51: Input: external resource URL (from query string passed to /adm/exturlcheck).
                     52: 
                     53: Hostname, lonHostID, and IP address for this node are retrieved from Apache.
                     54: 
                     55: Dependencies: calls &loncommon::is_nonframeable() to check if server where
1.2     ! raeburn    56: external resource is hosted is configured with a Content-Security-Policy or
1.1       raeburn    57: with X-Frame-options settings which prohibit display of the resource within
1.2     ! raeburn    58: an iframe in a LON-CAPA page served from this node.
1.1       raeburn    59: 
                     60: Output to print buffer: (content-type: text/plain):  1, 0, -1 or empty string.
                     61: '' -- display in iframe is allowed
1.2     ! raeburn    62: 1  -- display in iframe not allowed
1.1       raeburn    63: 0  -- invalid URL
1.2     ! raeburn    64: -1 -- could not verify course editing privilege or view-only access to
1.1       raeburn    65:       course editing tools
                     66: 
1.2     ! raeburn    67: HTTP Return codes:
1.1       raeburn    68: 406 -- if user is not in a course
                     69: 200 -- otherwise
                     70: 
                     71: =cut
                     72: 
                     73: package Apache::lonexturlcheck;
                     74: 
                     75: use strict;
                     76: use Apache::Constants qw(:common :http);
                     77: use Apache::lonnet;
                     78: use Apache::loncommon;
                     79: use LONCAPA::LWPReq;
                     80: use HTTP::Request;
                     81: 
                     82: sub handler {
                     83:     my $r=shift;
                     84:     if ($r->header_only) {
                     85:         &Apache::loncommon::content_type($r,'text/html');
                     86:         $r->send_http_header;
                     87:         return OK;
                     88:     }
                     89:     if (!$env{'request.course.fn'}) {
                     90:         # Not in a course.
                     91:         $env{'user.error.msg'}="/adm/lonexturlcheck:bre:0:0:Not in a course";
                     92:         return HTTP_NOT_ACCEPTABLE;
                     93:     }
                     94:     &Apache::loncommon::content_type($r,'text/plain');
                     95:     $r->send_http_header;
                     96:     my $uselink;
                     97:     if (($env{'request.course.id'}) &&
                     98:         ((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) ||
                     99:          (&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) {
                    100:         &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']);
                    101:         if ($env{'form.exturl'} =~ m{^https?\://[^/]+}) {
                    102:             my $hostname = $r->hostname();
                    103:             my $lonhost = $r->dir_config('lonHostID');
                    104:             my $ip = &Apache::lonnet::get_host_ip($lonhost);
                    105:             $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip));
                    106:         } else {
                    107:             $r->print(0);
                    108:         }
                    109:     } else {
                    110:         $r->print(-1);
                    111:     }
                    112:     return OK;
                    113: }
                    114: 
                    115: 1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>