[LON-CAPA-cvs] cvs: loncom / loncapa_apache.conf /auth lonacc.pm publiccheck.pm restrictedaccess.pm /lonnet/perl lonnet.pm
albertel
lon-capa-cvs@mail.lon-capa.org
Fri, 21 Jul 2006 18:52:36 -0000
albertel Fri Jul 21 14:52:36 2006 EDT
Modified files:
/loncom loncapa_apache.conf
/loncom/auth publiccheck.pm lonacc.pm restrictedaccess.pm
/loncom/lonnet/perl lonnet.pm
Log:
- move portfolio access restriction checking code into lonnet.pm
- some changes to take care of public users access passphrase files
Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.151 loncom/loncapa_apache.conf:1.152
--- loncom/loncapa_apache.conf:1.151 Mon Jul 17 13:46:53 2006
+++ loncom/loncapa_apache.conf Fri Jul 21 14:52:26 2006
@@ -1,7 +1,7 @@
##
## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
##
-## $Id: loncapa_apache.conf,v 1.151 2006/07/17 17:46:53 albertel Exp $
+## $Id: loncapa_apache.conf,v 1.152 2006/07/21 18:52:26 albertel Exp $
##
#
@@ -497,6 +497,7 @@
<Location /adm/restrictedaccess>
PerlAccessHandler Apache::publiccheck
AuthType LONCAPA
+Require valid-user
SetHandler perl-script
PerlAuthzHandler Apache::lonacc
PerlHandler Apache::restrictedaccess
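Review bot: The added `Require valid-user` is, as far as I can tell, what makes mod_perl run the `PerlAuthzHandler Apache::lonacc` for this location at all (the authz phase is skipped when no Require directive is present), but nothing in the block says so, and a later reader could easily drop it as redundant next to `PerlAccessHandler Apache::publiccheck`. Add `# Require is needed so that the PerlAuthzHandler (lonacc) is actually invoked` directly above it. The `<Location>` block closes outside the hunk, so I cannot see whether an `AuthName` accompanies the `AuthType LONCAPA` line.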
Index: loncom/auth/publiccheck.pm
diff -u loncom/auth/publiccheck.pm:1.7 loncom/auth/publiccheck.pm:1.8
--- loncom/auth/publiccheck.pm:1.7 Mon Jul 17 15:49:14 2006
+++ loncom/auth/publiccheck.pm Fri Jul 21 14:52:32 2006
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: publiccheck.pm,v 1.7 2006/07/17 19:49:14 albertel Exp $
+# $Id: publiccheck.pm,v 1.8 2006/07/21 18:52:32 albertel Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -40,6 +40,7 @@
sub handler {
my $r = shift;
+
my $requrl=$r->uri;
my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
my $lonid=$cookies{'lonID'};
@@ -60,9 +61,9 @@
|| (&Apache::lonnet::metadata($requrl,'copyright') eq 'public')) {
&process_public($r,$requrl);
return OK;
- } elsif (&Apache::lonacc::is_portfolio_url($requrl)) {
+ } elsif (&Apache::lonnet::is_portfolio_url($requrl)) {
my (undef,$udom,$unum,$file_name,$group) =
- &Apache::lonacc::parse_portfolio_url($requrl);
+ &Apache::lonnet::parse_portfolio_url($requrl);
my $access = &process_portfolio($udom,$unum,$file_name,$group);
if ($access) {
&process_public($r,$requrl,$access);
@@ -70,6 +71,7 @@
}
} elsif ($requrl eq '/adm/restrictedaccess') {
&process_public($r,$requrl);
+ return OK;
}
return DECLINED;
}
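Review bot: The new `return OK;` makes the `/adm/restrictedaccess` branch grant a public session like the public-copyright branch above, but nothing explains why the passphrase entry page must be reachable without a login; add `# the passphrase prompt has to be reachable before any login, so give it a public session` above the `&process_public` call. Note that this branch uses an exact `eq` match on the URI, which is stricter than the prefix regex used for the same path elsewhere; a comment recording that this is deliberate would help.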
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.88 loncom/auth/lonacc.pm:1.89
--- loncom/auth/lonacc.pm:1.88 Fri Jul 21 12:07:48 2006
+++ loncom/auth/lonacc.pm Fri Jul 21 14:52:32 2006
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.88 2006/07/21 16:07:48 albertel Exp $
+# $Id: lonacc.pm,v 1.89 2006/07/21 18:52:32 albertel Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -137,168 +137,6 @@
$r->headers_in->unset('Content-length');
}
-sub portfolio_access {
- my ($r,$requrl) = @_;
- my $access=&Apache::lonnet::allowed('bre',$requrl);
- if ($access eq '2' || $access eq 'F') {
- return OK;
- }
- my (undef,$udom,$unum,$file_name,$group) = &parse_portfolio_url($requrl);
- my $result = &get_portfolio_access($udom,$unum,$file_name,$group);
- &Apache::lonnet::logthis("got pa of $result");
- if ($result eq 'ok') {
- return OK;
- } elsif ($result =~ /^[^:]+:guest_/) {
- &Apache::lonnet::logthis("doign pac $result");
- &passphrase_access_checker($r,$result,$requrl);
- return OK;
- }
- return undef;
-}
-
-sub get_portfolio_access {
- my ($udom,$unum,$file_name,$group) = @_;
-
- my $current_perms = &Apache::lonnet::get_portfile_permissions($udom,$unum);
- my %access_controls = &Apache::lonnet::get_access_controls(
- $current_perms,$group,$file_name);
- my ($public,$guest,@domains,@users,@courses,@groups);
- my $now = time;
- my $access_hash = $access_controls{$file_name};
- if (ref($access_hash) eq 'HASH') {
- foreach my $key (keys(%{$access_hash})) {
- my ($num,$scope,$end,$start) = ($key =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/);
- if ($start > $now) {
- next;
- }
- if ($end && $end<$now) {
- next;
- }
- if ($scope eq 'public') {
- $public = $key;
- last;
- } elsif ($scope eq 'guest') {
- $guest = $key;
- } elsif ($scope eq 'domains') {
- push(@domains,$key);
- } elsif ($scope eq 'users') {
- push(@users,$key);
- } elsif ($scope eq 'course') {
- push(@courses,$key);
- } elsif ($scope eq 'group') {
- push(@groups,$key);
- }
- }
- if ($public) {
- return 'ok';
- }
- if ($env{'user.name'} eq 'public' && $env{'user.domain'} eq 'public') {
- if ($guest) {
- return $guest;
- }
- } else {
- if (@domains > 0) {
- foreach my $domkey (@domains) {
- if (ref($access_hash->{$domkey}{'dom'}) eq 'ARRAY') {
- if (grep(/^\Q$env{'user.domain'}\E$/,@{$access_hash->{$domkey}{'dom'}})) {
- return 'ok';
- }
- }
- }
- }
- if (@users > 0) {
- foreach my $userkey (@users) {
- if (exists($access_hash->{$userkey}{'users'}{$env{'user.name'}.':'.$env{'user.domain'}})) {
- return 'ok';
- }
- }
- }
- my %roleshash;
- my @courses_and_groups = @courses;
- push(@courses_and_groups,@groups);
- if (@courses_and_groups > 0) {
- my (%allgroups,%allroles);
- my ($start,$end,$role,$sec,$group);
- foreach my $envkey (%env) {
- if ($envkey =~ m-^user\.role\.(gr|cc|in|ta|ep|st)\./([^/]+)/([^/]+)/?([^/]*)$-) {
- my $cid = $2.'_'.$3;
- if ($1 eq 'gr') {
- $group = $4;
- $allgroups{$cid}{$group} = $env{$envkey};
- } else {
- if ($4 eq '') {
- $sec = 'none';
- } else {
- $sec = $4;
- }
- $allroles{$cid}{$1}{$sec} = $env{$envkey};
- }
- } elsif ($envkey =~ m-^user\.role\./cr/(\w+/\w+/\w*)./([^/]+)/([^/]+)/?([^/]*)$-) {
- my $cid = $2.'_'.$3;
- if ($4 eq '') {
- $sec = 'none';
- } else {
- $sec = $4;
- }
- $allroles{$cid}{$1}{$sec} = $env{$envkey};
- }
- }
- if (keys(%allroles) == 0) {
- return;
- }
- foreach my $key (@courses_and_groups) {
- my %content = %{$$access_hash{$key}};
- my $cnum = $content{'number'};
- my $cdom = $content{'domain'};
- my $cid = $cdom.'_'.$cnum;
- if (!exists($allroles{$cid})) {
- next;
- }
- foreach my $role_id (keys(%{$content{'roles'}})) {
- my @sections = @{$content{'roles'}{$role_id}{'section'}};
- my @groups = @{$content{'roles'}{$role_id}{'group'}};
- my @status = @{$content{'roles'}{$role_id}{'access'}};
- my @roles = @{$content{'roles'}{$role_id}{'role'}};
- foreach my $role (keys(%{$allroles{$cid}})) {
- if ((grep/^all$/,@roles) || (grep/^\Q$role\E$/,@roles)) {
- foreach my $sec (keys(%{$allroles{$cid}{$role}})) {
- if (&course_group_datechecker($allroles{$cid}{$role}{$sec},$now,\@status) eq 'ok') {
- if (grep/^all$/,@sections) {
- return 'ok';
- } else {
- if (grep/^$sec$/,@sections) {
- return 'ok';
- }
- }
- }
- }
- if (keys(%{$allgroups{$cid}}) == 0) {
- if (grep/^none$/,@groups) {
- return 'ok';
- }
- } else {
- if (grep/^all$/,@groups) {
- return 'ok';
- }
- foreach my $group (keys(%{$allgroups{$cid}})) {
- if (grep/^$group$/,@groups) {
- return 'ok';
- }
- }
- }
- }
- }
- }
- }
- }
- if ($guest) {
- return $guest;
- }
- }
- }
- return;
-}
-
sub passphrase_access_checker {
my ($r,$guestkey,$requrl) = @_;
my ($num,$scope,$end,$start) = ($guestkey =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/);
@@ -316,58 +154,6 @@
return;
}
-sub course_group_datechecker {
- my ($dates,$now,$status) = @_;
- my ($start,$end) = split(/\./,$dates);
- if (!$start && !$end) {
- return 'ok';
- }
- if (grep/^active$/,@{$status}) {
- if (((!$start) || ($start && $start <= $now)) && ((!$end) || ($end && $end >= $now))) {
- return 'ok';
- }
- }
- if (grep/^previous$/,@{$status}) {
- if ($end > $now ) {
- return 'ok';
- }
- }
- if (grep/^future$/,@{$status}) {
- if ($start > $now) {
- return 'ok';
- }
- }
- return;
-}
-
-sub parse_portfolio_url {
- my ($url) = @_;
-
- my ($type,$udom,$unum,$group,$file_name);
-
- if ($url =~ m-/+uploaded/([^/]+)/([^/]+)/portfolio(/.+)$-) {
- $type = 1;
- $udom = $1;
- $unum = $2;
- $file_name = $3;
- } elsif ($url =~ m-/+uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$-) {
- $type = 2;
- $udom = $1;
- $unum = $2;
- $group = $3;
- $file_name = $3.'/'.$4;
- }
- if (wantarray) {
- return ($type,$udom,$unum,$file_name,$group);
- }
- return $type;
-}
-
-sub is_portfolio_url {
- my ($url) = @_;
- return scalar(&parse_portfolio_url($url));
-}
-
sub handler {
my $r = shift;
my $requrl=$r->uri;
@@ -430,9 +216,9 @@
# ---------------------------------------------------------------- Check access
my $now = time;
- if (&is_portfolio_url($requrl)) {
- my $result = &portfolio_access($r,$requrl);
- if (defined($result)) { return $result; }
+ if (&Apache::lonnet::is_portfolio_url($requrl)) {
+ my $result = &Apache::lonnet::portfolio_access($r,$requrl);
+ if ($result eq 'ok') { return OK; }
}
if ($requrl!~/^\/adm|public|prtspool\//) {
my $access=&Apache::lonnet::allowed('bre',$requrl);
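Review bot: `$result eq 'ok'` compares an undefined value with a string whenever `Apache::lonnet::portfolio_access` takes its deny path (it ends in `return undef;`), which emits an uninitialized-value warning on every denied portfolio request under `use warnings`; use `if (defined($result) && $result eq 'ok') { return OK; }`. The handler body continues outside this hunk.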
@@ -456,7 +242,7 @@
if ($env{'user.name'} eq 'public' &&
$env{'user.domain'} eq 'public' &&
$requrl !~ m{^/+(res|public)/} &&
- $requrl !~ m{^/+adm/(help|logout|randomlabel\.png)}) {
+ $requrl !~ m{^/+adm/(help|logout|restrictedaccess|randomlabel\.png)}) {
$env{'request.querystring'}=$r->args;
$env{'request.firsturl'}=$requrl;
return FORBIDDEN;
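Review bot: `restrictedaccess` is added to a regex that is anchored only at the start, so `/adm/restrictedaccessanything` also passes the public-user check here, while publiccheck.pm admits that page only on an exact `eq '/adm/restrictedaccess'` match; the mismatch is pre-existing for the other alternatives but the new entry inherits it. Terminating the alternation with a boundary, `$requrl !~ m{^/+adm/(help|logout|restrictedaccess|randomlabel\.png)(?:/|$)}`, keeps `/adm/help/...` working and rejects the suffixed variants. The enclosing handler continues outside the hunk.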
@@ -544,12 +330,12 @@
return OK;
}
if ($requrl=~m|^/+adm/+help/+|) {
- return OK;
+ return OK;
}
# ------------------------------------- See if this is a viewable portfolio file
- if (&is_portfolio_url($requrl)) {
- my $result = &portfolio_access($r,$requrl);
- if (defined($result)) { return $result; }
+ if (&Apache::lonnet::is_portfolio_url($requrl)) {
+ my $result = &Apache::lonnet::portfolio_access($r,$requrl);
+ if ($result eq 'ok' ) { return OK; }
}
# -------------------------------------------------------------- Not authorized
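Review bot: As in the earlier portfolio check in this handler, `$result eq 'ok'` is evaluated against `undef` on the deny path of `Apache::lonnet::portfolio_access`, producing a warning on each denied request; guard it with `if (defined($result) && $result eq 'ok') { return OK; }`. The handler's "Not authorized" tail continues past the end of the hunk.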
Index: loncom/auth/restrictedaccess.pm
diff -u loncom/auth/restrictedaccess.pm:1.3 loncom/auth/restrictedaccess.pm:1.4
--- loncom/auth/restrictedaccess.pm:1.3 Mon Jul 17 15:49:14 2006
+++ loncom/auth/restrictedaccess.pm Fri Jul 21 14:52:32 2006
@@ -103,7 +103,7 @@
sub check_pass {
my ($r,$origurl) = @_;
my (undef,$udom,$unum,$file_name,$group) =
- &Apache::lonacc::parse_portfolio_url($origurl);
+ &Apache::lonnet::parse_portfolio_url($origurl);
my $curr_perms = &Apache::lonnet::get_portfile_permissions($udom,$unum);
my %acc_controls = &Apache::lonnet::get_access_controls($curr_perms,
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.764 loncom/lonnet/perl/lonnet.pm:1.765
--- loncom/lonnet/perl/lonnet.pm:1.764 Wed Jul 19 23:00:45 2006
+++ loncom/lonnet/perl/lonnet.pm Fri Jul 21 14:52:35 2006
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.764 2006/07/20 03:00:45 albertel Exp $
+# $Id: lonnet.pm,v 1.765 2006/07/21 18:52:35 albertel Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -3217,6 +3217,220 @@
return &reply("tmpdel:$token",$server);
}
+# -------------------------------------------------- portfolio access checking
+
+sub portfolio_access {
+ my ($r,$requrl) = @_;
+ my $access=&allowed('bre',$requrl);
+ if ($access eq '2' || $access eq 'F') {
+ return 'ok';
+ }
+ my (undef,$udom,$unum,$file_name,$group) = &parse_portfolio_url($requrl);
+ my $result = &get_portfolio_access($udom,$unum,$file_name,$group);
+ if ($result eq 'ok') {
+ return 'ok';
+ } elsif ($result =~ /^[^:]+:guest_/) {
+ &Apache::lonacc::passphrase_access_checker($r,$result,$requrl);
+ return 'ok';
+ }
+ return undef;
+}
+
+sub get_portfolio_access {
+ my ($udom,$unum,$file_name,$group) = @_;
+
+ my $current_perms = &get_portfile_permissions($udom,$unum);
+ my %access_controls = &get_access_controls($current_perms,$group,
+ $file_name);
+ my ($public,$guest,@domains,@users,@courses,@groups);
+ my $now = time;
+ my $access_hash = $access_controls{$file_name};
+ if (ref($access_hash) eq 'HASH') {
+ foreach my $key (keys(%{$access_hash})) {
+ my ($num,$scope,$end,$start) = ($key =~ /^([^:]+):([a-z]+)_(\d*)_?(\d*)$/);
+ if ($start > $now) {
+ next;
+ }
+ if ($end && $end<$now) {
+ next;
+ }
+ if ($scope eq 'public') {
+ $public = $key;
+ last;
+ } elsif ($scope eq 'guest') {
+ $guest = $key;
+ } elsif ($scope eq 'domains') {
+ push(@domains,$key);
+ } elsif ($scope eq 'users') {
+ push(@users,$key);
+ } elsif ($scope eq 'course') {
+ push(@courses,$key);
+ } elsif ($scope eq 'group') {
+ push(@groups,$key);
+ }
+ }
+ if ($public) {
+ return 'ok';
+ }
+ if ($env{'user.name'} eq 'public' && $env{'user.domain'} eq 'public') {
+ if ($guest) {
+ return $guest;
+ }
+ } else {
+ if (@domains > 0) {
+ foreach my $domkey (@domains) {
+ if (ref($access_hash->{$domkey}{'dom'}) eq 'ARRAY') {
+ if (grep(/^\Q$env{'user.domain'}\E$/,@{$access_hash->{$domkey}{'dom'}})) {
+ return 'ok';
+ }
+ }
+ }
+ }
+ if (@users > 0) {
+ foreach my $userkey (@users) {
+ if (exists($access_hash->{$userkey}{'users'}{$env{'user.name'}.':'.$env{'user.domain'}})) {
+ return 'ok';
+ }
+ }
+ }
+ my %roleshash;
+ my @courses_and_groups = @courses;
+ push(@courses_and_groups,@groups);
+ if (@courses_and_groups > 0) {
+ my (%allgroups,%allroles);
+ my ($start,$end,$role,$sec,$group);
+ foreach my $envkey (%env) {
+ if ($envkey =~ m-^user\.role\.(gr|cc|in|ta|ep|st)\./([^/]+)/([^/]+)/?([^/]*)$-) {
+ my $cid = $2.'_'.$3;
+ if ($1 eq 'gr') {
+ $group = $4;
+ $allgroups{$cid}{$group} = $env{$envkey};
+ } else {
+ if ($4 eq '') {
+ $sec = 'none';
+ } else {
+ $sec = $4;
+ }
+ $allroles{$cid}{$1}{$sec} = $env{$envkey};
+ }
+ } elsif ($envkey =~ m-^user\.role\./cr/(\w+/\w+/\w*)./([^/]+)/([^/]+)/?([^/]*)$-) {
+ my $cid = $2.'_'.$3;
+ if ($4 eq '') {
+ $sec = 'none';
+ } else {
+ $sec = $4;
+ }
+ $allroles{$cid}{$1}{$sec} = $env{$envkey};
+ }
+ }
+ if (keys(%allroles) == 0) {
+ return;
+ }
+ foreach my $key (@courses_and_groups) {
+ my %content = %{$$access_hash{$key}};
+ my $cnum = $content{'number'};
+ my $cdom = $content{'domain'};
+ my $cid = $cdom.'_'.$cnum;
+ if (!exists($allroles{$cid})) {
+ next;
+ }
+ foreach my $role_id (keys(%{$content{'roles'}})) {
+ my @sections = @{$content{'roles'}{$role_id}{'section'}};
+ my @groups = @{$content{'roles'}{$role_id}{'group'}};
+ my @status = @{$content{'roles'}{$role_id}{'access'}};
+ my @roles = @{$content{'roles'}{$role_id}{'role'}};
+ foreach my $role (keys(%{$allroles{$cid}})) {
+ if ((grep/^all$/,@roles) || (grep/^\Q$role\E$/,@roles)) {
+ foreach my $sec (keys(%{$allroles{$cid}{$role}})) {
+ if (&course_group_datechecker($allroles{$cid}{$role}{$sec},$now,\@status) eq 'ok') {
+ if (grep/^all$/,@sections) {
+ return 'ok';
+ } else {
+ if (grep/^$sec$/,@sections) {
+ return 'ok';
+ }
+ }
+ }
+ }
+ if (keys(%{$allgroups{$cid}}) == 0) {
+ if (grep/^none$/,@groups) {
+ return 'ok';
+ }
+ } else {
+ if (grep/^all$/,@groups) {
+ return 'ok';
+ }
+ foreach my $group (keys(%{$allgroups{$cid}})) {
+ if (grep/^$group$/,@groups) {
+ return 'ok';
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ if ($guest) {
+ return $guest;
+ }
+ }
+ }
+ return;
+}
+
+sub course_group_datechecker {
+ my ($dates,$now,$status) = @_;
+ my ($start,$end) = split(/\./,$dates);
+ if (!$start && !$end) {
+ return 'ok';
+ }
+ if (grep/^active$/,@{$status}) {
+ if (((!$start) || ($start && $start <= $now)) && ((!$end) || ($end && $end >= $now))) {
+ return 'ok';
+ }
+ }
+ if (grep/^previous$/,@{$status}) {
+ if ($end > $now ) {
+ return 'ok';
+ }
+ }
+ if (grep/^future$/,@{$status}) {
+ if ($start > $now) {
+ return 'ok';
+ }
+ }
+ return;
+}
+
+sub parse_portfolio_url {
+ my ($url) = @_;
+
+ my ($type,$udom,$unum,$group,$file_name);
+
+ if ($url =~ m-^/*uploaded/([^/]+)/([^/]+)/portfolio(/.+)$-) {
+ $type = 1;
+ $udom = $1;
+ $unum = $2;
+ $file_name = $3;
+ } elsif ($url =~ m-^/*uploaded/([^/]+)/([^/]+)/groups/([^/]+)/portfolio/(.+)$-) {
+ $type = 2;
+ $udom = $1;
+ $unum = $2;
+ $group = $3;
+ $file_name = $3.'/'.$4;
+ }
+ if (wantarray) {
+ return ($type,$udom,$unum,$file_name,$group);
+ }
+ return $type;
+}
+
+sub is_portfolio_url {
+ my ($url) = @_;
+ return scalar(&parse_portfolio_url($url));
+}
+
# ---------------------------------------------- Custom access rule evaluation
sub customaccess {
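Review bot: `grep/^$sec$/,@sections` and `grep/^$group$/,@groups` in `get_portfolio_access` interpolate section and group names into a regex unescaped, while the same function quotes `$role` and the user's domain with `\Q...\E`; if a section or group name can contain regex metacharacters, a name such as `.*` would match every entry, so use `grep(/^\Q$sec\E$/,@sections)` and `grep(/^\Q$group\E$/,@groups)`. `foreach my $envkey (%env)` walks values as well as keys, which only works because values are unlikely to look like role keys; `foreach my $envkey (keys(%env))` says what is meant. In `portfolio_access` the result of `passphrase_access_checker` is discarded and `'ok'` is returned unconditionally, so any denial must happen through side effects on `$r` inside that checker (whose body is outside this hunk) — a comment on that `return 'ok';` line stating this would save the next reader a trip. Moving the code here also makes lonnet.pm call back into `Apache::lonacc`, which presumably creates a circular module dependency; moving `passphrase_access_checker` alongside it would avoid that.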