[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm publiccheck.pm restrictedaccess.pm doc/loncapafiles loncapafiles.lpml
raeburn
lon-capa-cvs@mail.lon-capa.org
Mon, 10 Jul 2006 03:58:46 -0000
This is a MIME encoded message
--raeburn1152503926
Content-Type: text/plain
raeburn Sun Jul 9 23:58:46 2006 EDT
Added files:
/loncom/auth restrictedaccess.pm
Modified files:
/doc/loncapafiles loncapafiles.lpml
/loncom/auth lonacc.pm publiccheck.pm
Log:
Mechanism for user to provide passphrase, and for the server to validate it when user attempts to access a passphrase-protected portfolio file.
--raeburn1152503926
Content-Type: text/plain
Content-Disposition: attachment; filename="raeburn-20060709235846.txt"
Index: doc/loncapafiles/loncapafiles.lpml
diff -u doc/loncapafiles/loncapafiles.lpml:1.491 doc/loncapafiles/loncapafiles.lpml:1.492
--- doc/loncapafiles/loncapafiles.lpml:1.491 Wed Jul 5 18:24:21 2006
+++ doc/loncapafiles/loncapafiles.lpml Sun Jul 9 23:58:38 2006
@@ -2,7 +2,7 @@
"http://lpml.sourceforge.net/DTD/lpml.dtd">
<!-- loncapafiles.lpml -->
-<!-- $Id: loncapafiles.lpml,v 1.491 2006/07/05 22:24:21 albertel Exp $ -->
+<!-- $Id: loncapafiles.lpml,v 1.492 2006/07/10 03:58:38 raeburn Exp $ -->
<!--
@@ -4763,6 +4763,13 @@
<status>works/unverified</status>
</file>
<file>
+<source>loncom/auth/restrictedaccess.pm</source>
+<target dist='default'>home/httpd/lib/perl/Apache/restrictedaccess.pm</target>
+<categoryname>handler</categoryname>
+<description>Passphrase entry form and verification for access to passphrase-protected portfolio files</description>
+<status>works/unverified</status>
+</file>
+<file>
<source>loncom/auth/londatecheck.pm</source>
<target dist='default'>home/httpd/lib/perl/Apache/londatecheck.pm</target>
<categoryname>handler</categoryname>
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.84 loncom/auth/lonacc.pm:1.85
--- loncom/auth/lonacc.pm:1.84 Fri Jul 7 18:01:52 2006
+++ loncom/auth/lonacc.pm Sun Jul 9 23:58:45 2006
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.84 2006/07/07 22:01:52 raeburn Exp $
+# $Id: lonacc.pm,v 1.85 2006/07/10 03:58:45 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -37,6 +37,7 @@
use Apache::lonlocal;
use CGI::Cookie();
use Fcntl qw(:flock);
+use LONCAPA;
sub cleanup {
my ($r)=@_;
@@ -172,7 +173,7 @@
}
if ($env{'user.name'} eq 'public' && $env{'user.domain'} eq 'public') {
if ($guest) {
- return 'guest:'.$guest;
+ return $guest;
}
} else {
if (@domains > 0) {
@@ -247,7 +248,7 @@
return 'ok';
} else {
if (grep/^$sec$/,@sections) {
- return 'ok'
+ return 'ok';
}
}
}
@@ -272,13 +273,31 @@
}
}
if ($guest) {
- return 'guest:'.$guest;
+ return $guest;
}
}
}
return;
}
+sub passphrase_access_checker {
+ my ($r,$guestkey,$requrl) = @_;
+ my ($num,$scope,$end,$start) = ($guestkey =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/);
+ if ($scope eq 'guest') {
+ if (exists($env{'user.passphrase_access_'.$requrl})) {
+ if (($env{'user.passphrase_access_'.$requrl} == 0) ||
+ ($env{'user.passphrase_access_'.$requrl} > time)) {
+ $env{'request.publicaccess'} = 1;
+ return 'ok';
+ }
+ }
+ }
+ my $login = $r->dir_config('Login');
+ $login .= '?origurl='.&escape($requrl);
+ $r->custom_response(FORBIDDEN,$login);
+ return;
+}
+
sub course_group_datechecker {
my ($dates,$now,$status) = @_;
my ($start,$end) = split(/\./,$dates);
@@ -369,18 +388,24 @@
my $result = &portfolio_access($1,$2,$3);
if ($result eq 'ok') {
return OK;
- } elsif ($result =~ /^guest:(\w+)$/) {
- my $guestkey = $1;
- #FIXME need to cause generation of an intermediate page
+ } elsif ($result =~ /^[^:]+:guest_/) {
+ if (&passphrase_access_checker($r,$result,$requrl) eq 'ok') {
+ return OK;
+ } else {
+ return FORBIDDEN;
+ }
}
} elsif ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$|) {
my $result = &portfolio_access($1,$2,$3.'/'.$4,$3);
if ($result eq 'ok') {
return OK;
- } elsif ($result =~ /^guest:(\w+)$/) {
- my $guestkey = $1;
- #FIXME need to cause generation of an intermediate page
-}
+ } elsif ($result =~ /^[^:]+:guest_/) {
+ if (&passphrase_access_checker($r,$result,$requrl) eq 'ok') {
+ return OK;
+ } else {
+ return FORBIDDEN;
+ }
+ }
}
if ($requrl!~/^\/adm|public|prtspool\//) {
my $access=&Apache::lonnet::allowed('bre',$requrl);
@@ -499,17 +524,23 @@
my $result = &portfolio_access($1,$2,$3);
if ($result eq 'ok') {
return OK;
- } elsif ($result =~ /^guest:(\w+)$/) {
- my $guestkey = $1;
- #FIXME need to cause generation of an intermediate page
+ } elsif ($result =~ /^[^:]+:guest_/) {
+ if (&passphrase_access_checker($r,$result,$requrl) eq 'ok') {
+ return OK;
+ } else {
+ return FORBIDDEN;
+ }
}
} elsif ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$|) {
my $result = &portfolio_access($1,$2,$3.'/'.$4,$3);
if ($result eq 'ok') {
return OK;
- } elsif ($result =~ /^guest:(\w+)$/) {
- my $guestkey = $1;
- #FIXME need to cause generation of an intermediate page
+ } elsif ($result =~ /^[^:]+:guest_/) {
+ if (&passphrase_access_checker($r,$result,$requrl) eq 'ok') {
+ return OK;
+ } else {
+ return FORBIDDEN;
+ }
}
}
# -------------------------------------------------------------- Not authorized
Index: loncom/auth/publiccheck.pm
diff -u loncom/auth/publiccheck.pm:1.4 loncom/auth/publiccheck.pm:1.5
--- loncom/auth/publiccheck.pm:1.4 Mon Jun 26 16:23:33 2006
+++ loncom/auth/publiccheck.pm Sun Jul 9 23:58:45 2006
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: publiccheck.pm,v 1.4 2006/06/26 20:23:33 albertel Exp $
+# $Id: publiccheck.pm,v 1.5 2006/07/10 03:58:45 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -61,27 +61,35 @@
&process_public($r,$requrl);
return OK;
} elsif ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$|) {
- if (&process_portfolio($1,$2,$3)) {
- &process_public($r,$requrl);
+ my $access = &process_portfolio($1,$2,$3);
+ if ($access) {
+ &process_public($r,$requrl,$access);
return OK;
}
} elsif ($requrl =~ m|/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$|) {
- if (&process_portfolio($1,$2,$3.'/'.$4,$3)) {
- &process_public($r,$requrl);
+ my $access = &process_portfolio($1,$2,$3.'/'.$4,$3);
+ if ($access) {
+ &process_public($r,$requrl,$access);
return OK;
}
- }
+ } elsif ($requrl eq '/adm/restrictedaccess') {
+ &process_public($r,$requrl);
+ }
return DECLINED;
}
sub process_public {
- my ($r,$requrl) = @_;
+ my ($r,$requrl,$access) = @_;
&Apache::lonnet::logthis('Granting public access: '.$requrl);
if ($env{'user.name'} ne 'public' && $env{'user.domain'} ne 'public') {
my $cookie=&Apache::lonauth::success($r,'public','public','public');
my $lonidsdir=$r->dir_config('lonIDsDir');
&Apache::lonnet::transfer_profile_to_env($lonidsdir,$cookie);
- $r->header_out('Set-cookie',"lonID=$cookie; path=/");
+ if ($access eq 'guest') {
+ $r->err_headers_out('Set-cookie',"lonID=$cookie; path=/");
+ } else {
+ $r->header_out('Set-cookie',"lonID=$cookie; path=/");
+ }
}
&Apache::lonacc::get_posted_cgi($r);
$env{'request.state'} = "published";
@@ -94,7 +102,7 @@
my ($udom,$unum,$file_name,$group) = @_;
my $current_perms = &Apache::lonnet::get_portfile_permissions($udom,$unum);
my %access_controls = &Apache::lonnet::get_access_controls($current_perms,$group,$file_name);
- my $public_access = 0;
+ my $access = '';
my $now = time;
foreach my $key (keys(%{$access_controls{$file_name}})) {
my ($num,$scope,$end,$start) = ($key =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/);
@@ -105,11 +113,14 @@
next;
}
if ($scope eq 'public') {
- $public_access = 1;
+ $access = 'public';
last;
}
+ if ($scope eq 'guest') {
+ $access = 'guest';
+ }
}
- return $public_access;
+ return $access;
}
1;
Index: loncom/auth/restrictedaccess.pm
+++ loncom/auth/restrictedaccess.pm
# The LearningOnline Network
# Passphrase Entry and Validation for Portfolio files
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
package Apache::restrictedaccess;
use strict;
use lib '/home/httpd/lib/perl/';
use Apache::Constants qw(:common :http REDIRECT);
use CGI::Cookie();
use Apache::File ();
use Apache::lonnet;
use Apache::loncommon();
use Apache::lonauth();
use Apache::lonlocal;
use Apache::lonacc;
use Fcntl qw(:flock);
use LONCAPA;
sub handler {
my $r = shift;
&Apache::loncommon::get_unprocessed_cgi
($ENV{'QUERY_STRING'}.'&'.$env{'request.querystring'},
['origurl']);
&Apache::lonacc::get_posted_cgi($r);
my $origurl = &unescape($env{'form.origurl'});
my $msg;
if (exists($env{'form.pass1'})) {
my ($result,$end) = &check_pass($r,$origurl);
if ($result eq 'ok') {
my $cookie_check = &print_redirect($r,$end,$origurl);
if ($cookie_check eq 'ok') {
$env{'request.state'} = "published";
$env{'request.filename'} = $origurl;
$r->header_out(Location => 'http://'.$ENV{'HTTP_HOST'}.$origurl);
return REDIRECT;
} else {
&print_entryform($r,$origurl,$cookie_check);
}
} else {
$msg = "Invalid passphrase";
&print_entryform($r,$origurl,$msg);
}
} else {
&print_entryform($r,$origurl);
}
return OK;
}
sub print_entryform {
my ($r,$origurl,$msg) = @_;
&Apache::lonlocal::get_language_handle($r);
&Apache::loncommon::content_type($r,'text/html');
$r->send_http_header;
return OK if $r->header_only;
$r->print(&Apache::loncommon::start_page('Passphrase protected file'));
$r->print('<script type="text/javascript">
function verify() {
if (document.passform.pass1.value == "") {
alert("You must enter a passphrase");
return;
}
if (document.passform.pass1.value != document.passform.pass2.value) {
alert("Passphrases do not match");
return;
}
document.passform.submit();
}
</script>');
$r->print('<b>'.$msg.'</b>');
$r->print('<div align="center"><form name="passform" method="post" '.
'action="/adm/restrictedaccess">');
$r->print('<br /><br /><br />');
$r->print(&Apache::loncommon::start_data_table());
$r->print(&Apache::loncommon::start_data_table_row());
$r->print('<td><nobr>'.&mt('Passphrase: ').'</nobr></td>'.
'<td><input type="password" size="20" name="pass1"></td>');
$r->print(&Apache::loncommon::end_data_table_row());
$r->print(&Apache::loncommon::start_data_table_row());
$r->print('<td><nobr>'.&mt('Confirm passphrase: ').'</nobr></td>');
$r->print('<td><input type="password" size="20" name="pass2" /></td>');
$r->print(&Apache::loncommon::end_data_table_row());
$r->print(&Apache::loncommon::start_data_table_row());
$r->print('<td align="center" colspan="2"><br />'.
'<input type="button" name="sendpass" value="'.
&mt('Submit passphrase').'" onClick="verify()" /></td>');
$r->print(&Apache::loncommon::end_data_table_row());
$r->print(&Apache::loncommon::end_data_table());
$r->print('<input type="hidden" name="origurl" value="'.
&escape($origurl).'" /></form></div>');
$r->print(&Apache::loncommon::end_page());
}
sub print_redirect {
my ($r,$end,$requrl) = @_;
my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
my $lonid=$cookies{'lonID'};
my $lonidsdir=$r->dir_config('lonIDsDir');
my $cookie;
if ($lonid) {
$cookie=$lonid->value;
$cookie=~s/\W//g;
}
if ($cookie) {
my $envkey = 'user.passphrase_access_'.$requrl;
open(my $idf,">>$lonidsdir/$cookie.id");
if (!flock($idf,LOCK_EX)) {
&Apache::lonnet::logthis("<font color=blue>WARNING: ".
'Could not obtain exclusive lock in restrictedaccess: '.$!);
close($idf);
return 'error: '.$!;
} else {
print $idf (&escape($envkey).'='.&escape($end)."\n");
close($idf);
return 'ok';
}
} else {
return 'error: no cookie set';
}
}
sub check_pass {
my ($r,$origurl) = @_;
my $password = $env{'form.pass1'};
my ($udom,$unum,$group,$file_name,$result,$end);
if ($origurl =~ m-/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$-) {
$udom = $1;
$unum = $2;
$file_name = $3;
} elsif ($origurl =~ m-/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$-) {
$udom = $1;
$unum = $2;
$group = $3;
$file_name = $3.'/'.$4;
}
my $curr_perms = &Apache::lonnet::get_portfile_permissions($udom,$unum);
my %acc_controls = &Apache::lonnet::get_access_controls($curr_perms,
$group,$file_name);
my $access_hash = $acc_controls{$file_name};
foreach my $key (sort(keys(%{$access_hash}))) {
if ($key =~ /^[^:]+:guest_(\d+)/) {
$end = $1;
my $content = $$access_hash{$key};
my $passwd = $content->{'password'};
if ($password eq $passwd) {
$result = 'ok';
} else {
$result = 'fail';
}
last;
}
}
return ($result,$end);
}
1;
--raeburn1152503926--