[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm /lonnet/perl lonnet.pm

albertel lon-capa-cvs@mail.lon-capa.org
Mon, 20 Dec 2004 20:51:24 -0000


albertel		Mon Dec 20 15:51:24 2004 EDT

  Modified files:              
    /loncom/auth	lonacc.pm 
    /loncom/lonnet/perl	lonnet.pm 
  Log:
  - more of BUG#3714
  
  
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.54 loncom/auth/lonacc.pm:1.55
--- loncom/auth/lonacc.pm:1.54	Fri Dec 17 14:43:19 2004
+++ loncom/auth/lonacc.pm	Mon Dec 20 15:51:23 2004
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.54 2004/12/17 19:43:19 albertel Exp $
+# $Id: lonacc.pm,v 1.55 2004/12/20 20:51:23 albertel Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -138,6 +138,13 @@
                     }
                 } else {
 	            $symb=&Apache::lonnet::symbread($requrl);
+		    if (!&Apache::lonnet::symbverify($symb,$requrl)) {
+			$r->log_reason('Invalid symb for '.$requrl.': '.
+                                       $symb);
+		        $ENV{'user.error.msg'}=
+                                "$requrl:bre:1:1:Invalid Access";
+  	                return HTTP_NOT_ACCEPTABLE; 
+		    }
                     my ($map,$mid,$murl)=split(/\_\_\_/,$symb);
 		    &Apache::lonnet::symblist($map,$murl => $mid,
                                               'last_known' => $murl);
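Review bot: The new rejection path at `if (!&Apache::lonnet::symbverify($symb,$requrl))` has no comment marking it as a deliberate fail-closed check, and it copies `$requrl` and `$symb` unmodified into both `log_reason` and `$ENV{'user.error.msg'}`. `$requrl` comes from the request and `$symb` is looked up from it, so whether control characters or markup in them are neutralised depends on the log writer and on whatever renders `user.error.msg`, neither of which is visible here. I would add `# Fail closed: the symb must verify against the requested URL (BUG#3714)` above the check and confirm that the code displaying the message escapes it. It is also worth confirming what `symbread` returns when it finds no symb, since an empty `$symb` would presumably now end in HTTP_NOT_ACCEPTABLE. The enclosing handler starts and ends outside the hunk.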
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.581 loncom/lonnet/perl/lonnet.pm:1.582
--- loncom/lonnet/perl/lonnet.pm:1.581	Mon Dec 20 15:47:23 2004
+++ loncom/lonnet/perl/lonnet.pm	Mon Dec 20 15:51:24 2004
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.581 2004/12/20 20:47:23 matthew Exp $
+# $Id: lonnet.pm,v 1.582 2004/12/20 20:51:24 albertel Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -4790,8 +4790,11 @@
                if (
   &symbclean(&declutter($bighash{'map_id_'.$mapid}).'___'.$resid.'___'.$thisfn)
    eq $symb) { 
-                  $okay=1; 
-               }
+		   if (($ENV{'request.role.adv'}) ||
+		       $bighash{'encrypted_'.$_} eq $ENV{'request.enc'}) {
+		       $okay=1; 
+		   }
+	       }
 	   }
         }
 	untie(%bighash);
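Review bot: The added test `$bighash{'encrypted_'.$_} eq $ENV{'request.enc'}` compares two flags as strings, so it passes only when both hold the identical representation. For a resource with no `encrypted_` entry requested without /enc/, both sides are presumably undef and match only because `eq` treats undef as the empty string (with an uninitialized-value warning if warnings are enabled). Comparing truth values states the intent without depending on how either flag is stored: `(!$bighash{'encrypted_'.$_}) eq (!$ENV{'request.enc'})`. A one-line comment that `request.role.adv` deliberately skips the encryption check would also help, as would naming the loop variable instead of relying on `$_`. The enclosing loop and the start of symbverify are outside the hunk.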
@@ -6218,9 +6221,10 @@
 =item *
 
 symbverify($symb,$thisfn) : verifies that $symb actually exists and is
-a possible symb for the URL in $thisfn, returns a 1 on success, 0 on
-failure, user must be in a course, as it assumes the existance of the
-course initi hash, and uses $ENV('request.course.id'}
+a possible symb for the URL in $thisfn, and if is an encryypted
+resource that the user accessed using /enc/ returns a 1 on success, 0
+on failure, user must be in a course, as it assumes the existance of
+the course initial hash, and uses $ENV('request.course.id'}
 
 
 =item *
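Review bot: The revised symbverify description does not mention that the encryption check is skipped when `$ENV{'request.role.adv'}` is set, which the code change in this same commit introduces, so the POD reads as if every caller must arrive through /enc/ for an encrypted resource. The sentence is also hard to parse ("and if is an encryypted resource that the user accessed using /enc/ returns a 1"), and `$ENV('request.course.id'}` has mismatched brackets. I would reword it to say that it returns 1 when the symb is valid for the URL and either the role is advanced or the resource's encrypted state matches `$ENV{'request.enc'}`, and 0 otherwise.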