[LON-CAPA-cvs] cvs: loncom /auth lonauth.pm /lonnet/perl lonnet.pm
www
lon-capa-cvs@mail.lon-capa.org
Tue, 13 Jan 2004 16:29:41 -0000
www Tue Jan 13 11:29:41 2004 EDT
Modified files:
/loncom/auth lonauth.pm
/loncom/lonnet/perl lonnet.pm
Log:
Bug #876: logging in as somebody else.
Username: (realname):(su-name)
Index: loncom/auth/lonauth.pm
diff -u loncom/auth/lonauth.pm:1.60 loncom/auth/lonauth.pm:1.61
--- loncom/auth/lonauth.pm:1.60 Fri Nov 21 17:10:25 2003
+++ loncom/auth/lonauth.pm Tue Jan 13 11:29:40 2004
@@ -1,7 +1,7 @@
# The LearningOnline Network
# User Authentication Module
#
-# $Id: lonauth.pm,v 1.60 2003/11/21 22:10:25 www Exp $
+# $Id: lonauth.pm,v 1.61 2004/01/13 16:29:40 www Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -344,7 +344,12 @@
failed($r,'Username, password and domain need to be specified.');
return OK;
}
+
+# split user logging in and "su"-user
+
+ ($FORM{'uname'},$FORM{'suname'})=split(/\:/,$FORM{'uname'});
$FORM{'uname'} =~ s/\W//g;
+ $FORM{'suname'} =~ s/\W//g;
$FORM{'udom'} =~ s/\W//g;
my $role = $r->dir_config('lonRole');
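Review bot: `$FORM{'suname'}` is undefined after the split whenever the submitted name contains no colon — the ordinary case — so the new `$FORM{'suname'} =~ s/\W//g;` operates on undef and, if warnings are enabled in this module, emits an uninitialized-value warning on every normal login. Default it before the substitution, `$FORM{'suname'}='' unless defined $FORM{'suname'};`, which also makes the later truth test on `$FORM{'suname'}` read as intended. The `\:` in the split pattern is an unneeded escape; `split(/:/, ...)` is the plain form. The enclosing handler continues past both ends of this hunk.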
@@ -401,8 +406,29 @@
($firsturl=~/^\/adm\/(logout|remote)/)) {
$firsturl='/adm/roles';
}
-
- success($r,$FORM{'uname'},$FORM{'udom'},$authhost,$firsturl);
+# --------------------------------- Are we attempting to login as somebody else?
+ if ($FORM{'suname'}) {
+# ------------ see if the original user has enough privileges to pull this stunt
+ if (&Apache::lonnet::privileged($FORM{'uname'},$FORM{'udom'})) {
+# ---------------------------------------------------- see if the su-user exists
+ unless (&Apache::lonnet::homeserver($FORM{'suname'},$FORM{'udom'})
+ eq 'no_host') {
+ &Apache::lonnet::logthis(&Apache::lonnet::homeserver($FORM{'suname'},$FORM{'udom'}));
+# ------------------------------ see if the su-user is not too highly privileged
+ unless (&Apache::lonnet::privileged($FORM{'suname'},$FORM{'udom'})) {
+# -------------------------------------------------------- actually switch users
+ &Apache::lonnet::logperm('User '.$FORM{'uname'}.' at '.$FORM{'udom'}.
+ ' logging in as '.$FORM{'suname'});
+ $FORM{'uname'}=$FORM{'suname'};
+ } else {
+ &Apache::lonnet::logthis('Attempted switch user to privileged user');
+ }
+ }
+ } else {
+ &Apache::lonnet::logthis('Non-privileged user attempting switch user');
+ }
+ }
+ &success($r,$FORM{'uname'},$FORM{'udom'},$authhost,$firsturl);
return OK;
}
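Review bot: The target check `unless (&Apache::lonnet::privileged($FORM{'suname'},$FORM{'udom'}))` fails open: `privileged` (added in the lonnet.pm hunk of this same commit) returns 0 both when the target holds no dc/su role and when its roles dump comes back as `con_lost` or empty, so a transient failure reaching the target's home server lets the switch through, whereas the same 0 for the acting user one level up correctly denies. Have `privileged` return a distinct value for an unreadable dump (a bare `return;`) and require it here, `my $target_priv=&Apache::lonnet::privileged($FORM{'suname'},$FORM{'udom'}); if (defined($target_priv) && !$target_priv) {`. The two denial lines `logthis('Attempted switch user to privileged user')` and `logthis('Non-privileged user attempting switch user')` name neither the acting account nor the requested target, so the attempt cannot be correlated with a session afterwards; include `$FORM{'uname'}`, `$FORM{'udom'}` and `$FORM{'suname'}` the way the `logperm` line on the success path already does. The `logthis(&Apache::lonnet::homeserver(...))` call just inside the existence check looks like leftover debug output and can go. The enclosing handler begins before this hunk.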
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.460 loncom/lonnet/perl/lonnet.pm:1.461
--- loncom/lonnet/perl/lonnet.pm:1.460 Mon Jan 12 14:53:54 2004
+++ loncom/lonnet/perl/lonnet.pm Tue Jan 13 11:29:41 2004
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.460 2004/01/12 19:53:54 albertel Exp $
+# $Id: lonnet.pm,v 1.461 2004/01/13 16:29:41 www Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -2125,6 +2125,36 @@
}
&appenv(%envhash);
return %returnhash;
+}
+
+# -------------------------------------------------See if a user is privileged
+
+sub privileged {
+ my ($username,$domain)=@_;
+ my $rolesdump=&reply("dump:$domain:$username:roles",
+ &homeserver($username,$domain));
+ if (($rolesdump eq 'con_lost') || ($rolesdump eq '')) { return 0; }
+ my $now=time;
+ if ($rolesdump ne '') {
+ foreach (split(/&/,$rolesdump)) {
+ if ($_!~/^rolesdef\&/) {
+ my ($area,$role)=split(/=/,$_);
+ $area=~s/\_\w\w$//;
+ my ($trole,$tend,$tstart)=split(/_/,$role);
+ if (($trole eq 'dc') || ($trole eq 'su')) {
+ my $active=1;
+ if ($tend) {
+ if ($tend<$now) { $active=0; }
+ }
+ if ($tstart) {
+ if ($tstart>$now) { $active=0; }
+ }
+ if ($active) { return 1; }
+ }
+ }
+ }
+ }
+ return 0;
}
# -------------------------------------------------------- Get user privileges
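Review bot: `privileged` collapses three different outcomes into `return 0` — no dc/su role found, an empty dump, and a `con_lost` transport failure at `if (($rolesdump eq 'con_lost') || ($rolesdump eq '')) { return 0; }` — so a caller that denies on false is safe but one that permits on false (the su-target check in lonauth.pm) cannot tell "unprivileged" from "unknown". Use a bare `return;` (undef) for the `con_lost`/empty case and keep `0` for the determined case, so callers can require `defined`. The `if ($rolesdump ne '')` wrapper that follows is always true after that early return and can be dropped. `$area` is computed with `$area=~s/\_\w\w$//;` and then never used, so the role's scope is not compared with `$domain`; if a dc role is scoped to the domain encoded in that area, a coordinator of one domain also counts as privileged when logging into accounts of another — worth confirming whether that is intended. The `foreach` over `$_` with `$_!~/^rolesdef\&/` would read more clearly as `for my $entry (...)`.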