[LON-CAPA-admin] Issues with zipspool

Lucas, Mark lucasm at ohio.edu
Mon Apr 13 17:46:58 EDT 2020


Hi,

I’m trying to figure out if there is a hidden permission for the “Download All Submitted Documents”
feature or if I somehow have the system misconfigured for directory permissions.

As many people probably are doing, we have students uploading work more.

We have a lab course set up with the TAs as true TAs for grading purposes.
In the system they would like to “Download All Submitted Documents” from students,
and the link is available. They click on the link, the zip file is created, but then
when they click on the zipspool link, the system chokes: “This action is currently not authorized”.

LON-CAPA Access Control
Access  : 
Resource: /zipspool/zipout/wolfman
Action  : 1
Sorry ...
This action is currently not authorized.

This does work if the user has CC privileges in the course, but not instructor or TA as far
as I can tell.

In loncapa-apache, zipspool is referenced:
# Allow serving of files in zipspool

<Directory "/home/httpd/zipspool/">
Options FollowSymLinks
AllowOverride None
<IfModule mod_authz_core.c>
  Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
  order allow,deny
  allow from all
</IfModule>
</Directory>

and 
<LocationMatch "/zipspool">
AuthType LONCAPA
Require valid-user
PerlAuthzHandler Apache::lonacc
ErrorDocument     403 /adm/login
ErrorDocument     404 /adm/notfound.html
ErrorDocument     406 /adm/roles
ErrorDocument     413 /adm/overloaded.txt
ErrorDocument     500 /adm/errorhandler
</LocationMatch>


The only reference I found in lib/perl/Apache was:
lonacc.pm:
        if ($requrl =~ m|^/zipspool/|) {
            my $start='/zipspool/zipout/'.$env{'user.name'}.":".
                $env{'user.domain'};
            if ($requrl !~ /^\Q$start\E/) {
                $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
                return HTTP_NOT_ACCEPTABLE;
            }
        }
 
Which seems to only care that the file belongs to the appropriate username and domain.

I cannot find any other explicit place that this file is mentioned, though I can believe I’m missing
some other generic handler.



On the filesystem end:
/home/httpd:
drwxrwxr-x+  4 www    www          4096 May 17  2019 zipspool

ls -larct zipspool:
drwxrwxr-x+  4 www  www  4096 May 17  2019 .
drwxrwxr-x+ 19 root root 4096 Mar 22 01:41 ..
drwxrwx---+  8 www  www  4096 Apr 10 09:15 zipdir
drwxrwx---+  8 www  www  4096 Apr 10 09:15 zipout

ls -larct zipdir:
drwxrwxr-x+ 4 www www 4096 May 17  2019 ..
drwxrwx---+ 8 www www 4096 Apr 10 09:15 .
drwx------+ 2 www www 4096 Apr 10 09:19 jm443918:ohiou
drwx------+ 2 www www 4096 Apr 10 14:01 bf071017:ohiou
drwxrwx---+ 2 www www 4096 Apr 12 23:39 tees:ohiou
drwxrwx---+ 2 www www 4096 Apr 13 14:10 ingram:ohiou
drwx------+ 2 www www 4096 Apr 13 16:35 lucas:ohiou
drwx------+ 2 www www 4096 Apr 13 17:11 wolfman:ohiou

(I am not sure why some users have different permissions)

ls -larct zipout:
drwxrwxr-x+ 4 www www 4096 May 17  2019 ..
drwxrwx---+ 8 www www 4096 Apr 10 09:15 .
drwx------+ 2 www www 4096 Apr 11 01:05 bf071017:ohiou
drwx------+ 2 www www 4096 Apr 11 01:05 jm443918:ohiou
drwxrwx---+ 2 www www 4096 Apr 13 01:05 tees:ohiou
drwxrwx---+ 2 www www 4096 Apr 13 14:10 ingram:ohiou
drwx------+ 2 www www 4096 Apr 13 16:35 lucas:ohiou
drwx------+ 2 www www 4096 Apr 13 17:11 wolfman:ohiou

zipout/wolfman:
drwxrwx---+ 8 www www     4096 Apr 10 09:15 ..
-rw-rw----+ 1 www www 12038970 Apr 13 16:06 DropBox011586808383_54146_1.zip
-rw-rw----+ 1 www www 12038969 Apr 13 16:11 DropBox011586808660_61888_1.zip
-rw-rw----+ 1 www www  4957076 Apr 13 16:36 DropBox011586810196_55286_1.zip
-rw-rw----+ 1 www www 29549256 Apr 13 16:39 DropBox011586810337_21222_1.zip
-rw-rw----+ 1 www www 29549255 Apr 13 16:43 DropBox011586810582_50602_1.zip
-rw-rw----+ 1 www www   476593 Apr 13 17:11 DropBox011586812263_16535_1.zip
drwx------+ 2 www www     4096 Apr 13 17:11 .

So my question is, what am I missing?  Is this a file permission issue, in which case, why
does it work for wolfman’s role as CC but not instructor or TA?
Or is there an internal LC extra check I’m not seeing?

Thanks!
Mark

-- 
Mark Lucas 								email: lucasm at ohio.edu
252D Clippinger Lab						phone: (740)597-2984
Department of Physics and Astronomy			fax: (740)593-0433
Ohio University
Athens, OH 45701
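
The prefix test quoted from lonacc.pm above can be replayed outside Apache to see which request URLs it accepts for a given user; course role is not an input to it. This is an added example, not part of the original message or of LON-CAPA's code: the helper name zipspool_status, passing user name and domain as arguments instead of reading %env, the locally defined status constants and the sample requests are assumptions.

```perl
#!/usr/bin/perl
# Added example: replays the /zipspool prefix test quoted from lonacc.pm.
# zipspool_status() is a hypothetical helper; the real handler reads
# $env{'user.name'} and $env{'user.domain'} rather than taking arguments.
use strict;
use warnings;

# Defined locally so the script runs without mod_perl.
use constant {
    OK                  => 0,
    HTTP_NOT_ACCEPTABLE => 406,  # the quoted config maps 406 to /adm/roles
};

sub zipspool_status {
    my ($requrl, $uname, $udom) = @_;
    # The quoted block only applies to URLs under /zipspool/.
    return (OK, 'not under /zipspool/') unless $requrl =~ m|^/zipspool/|;
    my $start = '/zipspool/zipout/' . $uname . ':' . $udom;
    # \Q...\E makes the user-derived string match literally.
    if ($requrl !~ /^\Q$start\E/) {
        return (HTTP_NOT_ACCEPTABLE, "does not start with $start");
    }
    return (OK, 'passes the prefix test');
}

# Constructed requests, using names that appear in the listings above.
my $zip = 'DropBox011586812263_16535_1.zip';
my @requests = (
    # user       domain   requested URL
    ['wolfman', 'ohiou', "/zipspool/zipout/wolfman:ohiou/$zip"],  # own output
    ['lucas',   'ohiou', "/zipspool/zipout/wolfman:ohiou/$zip"],  # another user's
    ['wolfman', 'ohiou', '/zipspool/zipdir/wolfman:ohiou/'],      # zipdir, not zipout
    # The Resource string as displayed on the error page; whether that is
    # the full requested URL is not shown in the message.
    ['wolfman', 'ohiou', '/zipspool/zipout/wolfman'],
    ['wolfman', 'ohiou', '/adm/roles'],                           # outside /zipspool/
);

for my $req (@requests) {
    my ($uname, $udom, $url) = @$req;
    my ($status, $why) = zipspool_status($url, $uname, $udom);
    printf "%-14s %3d  %s  (%s)\n", join(':', $uname, $udom), $status, $url, $why;
}
```

A status of 0 here only means this one block did not reject the request; any other authorization check in the handler still applies.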


