--- loncom/publisher/loncfile.pm 2010/11/27 23:20:46 1.104 +++ loncom/publisher/loncfile.pm 2011/10/23 23:46:07 1.110 @@ -9,7 +9,7 @@ # and displays a page showing the results of the action. # # -# $Id: loncfile.pm,v 1.104 2010/11/27 23:20:46 raeburn Exp $ +# $Id: loncfile.pm,v 1.110 2011/10/23 23:46:07 www Exp $ # # Copyright Michigan State University Board of Trustees # @@ -161,21 +161,23 @@ sub URLToPath { $Url=~ s/\/+/\//g; $Url=~ s/^https?\:\/\/[^\/]+//; $Url=~ s/^\///; - $Url=~ s/(\~|priv\/)($match_username)\//\/home\/$2\/public_html\//; + $Url='/home/httpd/html/'.$Url; &Debug($r, "Returning $Url \n"); return $Url; } sub url { my $fn=shift; - $fn=~s/^\/home\/($match_username)\/public\_html/\/priv\/$1/; + $fn=~s/^\/home\/httpd\/html//; + $fn=~s/\/\.\//\//g; $fn=&HTML::Entities::encode($fn,'<>"&'); return $fn; } sub display { my $fn=shift; - $fn=~s-^/home/($match_username)/public_html-/priv/$1-; + $fn=~s/^\/home\/httpd\/html//; + $fn=~s/\/\.\//\//g; return ''.$fn.''; } @@ -270,8 +272,7 @@ sub exists { $creating ||= 'file'; my $published=$construct; - $published=~ - s{^/home/$user/public_html/}{/home/httpd/html/res/$domain/$user/}; + $published=~s{^/home/httpd/html/priv/}{/home/httpd/html/res/}; my ($type,$result); if ( -d $construct ) { return ('error','
'.&mt('Error: destination for operation is an existing directory.').'
'); @@ -345,9 +346,10 @@ sub checksuffix { } sub cleanDest { - my ($request,$dest,$subdir,$fn,$uname)=@_; + my ($request,$dest,$subdir,$fn,$uname,$udom)=@_; #remove bad characters my $foundbad=0; + my $error=''; if ($subdir && $dest =~/\./) { $foundbad=1; $dest=~s/\.//g; @@ -359,7 +361,7 @@ sub cleanDest { } if ($dest=~m|/|) { my ($newpath)=($dest=~m|(.*)/|); - $newpath=&relativeDest($fn,$newpath,$uname); + ($newpath,$error)=&relativeDest($fn,$newpath,$uname,$udom); if (! -d "$newpath") { $request->print('' .&mt("You have requested to create file in directory [_1] which doesn't exist. The requested directory path has been removed from the requested file name." @@ -384,14 +386,15 @@ sub cleanDest { .'
' ); } - return $dest; + return ($dest,$error); } sub relativeDest { - my ($fn,$newfilename,$uname)=@_; + my ($fn,$newfilename,$uname,$udom)=@_; + my $error = ''; if ($newfilename=~/^\//) { # absolute, simply add path - $newfilename='/home/'.$uname.'/public_html/'; + $newfilename='/home/httpd/html/res/'.$udom.'/'.$uname.'/'; } else { my $dir=$fn; $dir=~s/\/[^\/]+$//; @@ -401,7 +404,18 @@ sub relativeDest { while ($newfilename=~m:/\.\./:) { $newfilename=~ s:/[^/]+/\.\./:/:g; #remove dir/.. } - return $newfilename; + if ($newfilename =~ m{^/home/($match_username)/(?:public\_html|priv)/}) { + my $otheruname = $1; + unless ($otheruname eq $uname) { + my ($authorname,$authordom)= + &Apache::loncacc::constructaccess($newfilename,$env{'request.role.domain'}); + unless (($authorname eq $otheruname) && ($authordom ne '')) { + my $otherdir = &display($newfilename); + $error = &mt('Access denied to [_1]',$otherdir); + } + } + } + return ($newfilename,$error); } =pod @@ -936,8 +950,23 @@ sub phaseone { my $doingdir=0; if ($env{'form.action'} eq 'newdir') { $doingdir=1; } - my $newfilename=&cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname); - $newfilename=&relativeDest($fn,$newfilename,$uname); + my ($newfilename,$error) = + &cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname,$udom); + unless ($error) { + ($newfilename,$error)=&relativeDest($fn,$newfilename,$uname,$udom); + } + if ($error) { + my $dirlist; + if ($fn=~m{^(.*/)[^/]+$}) { + $dirlist=$1; + } else { + $dirlist=$fn; + } + $r->print('