[LON-CAPA-cvs] cvs: loncom /auth lonstatusacc.pm /cgi lonauthcgi.pm
raeburn
raeburn@source.lon-capa.org
Sat, 13 Jun 2009 20:28:56 -0000
raeburn Sat Jun 13 20:28:56 2009 EDT
Modified files:
/loncom/cgi lonauthcgi.pm
/loncom/auth lonstatusacc.pm
Log:
Changes to access control for /adm/test
- Access to /adm/test allowed if requestor has a DC role in requestor's domain,
regardless of current role.
- For /adm/test, domain checked is requestor's domain, not domain(s) hosted on server.
- Update documentation.
Index: loncom/cgi/lonauthcgi.pm
diff -u loncom/cgi/lonauthcgi.pm:1.2 loncom/cgi/lonauthcgi.pm:1.3
--- loncom/cgi/lonauthcgi.pm:1.2 Thu Dec 25 05:10:14 2008
+++ loncom/cgi/lonauthcgi.pm Sat Jun 13 20:28:51 2009
@@ -1,7 +1,7 @@
#
# LON-CAPA authorization for cgi-bin scripts
#
-# $Id: lonauthcgi.pm,v 1.2 2008/12/25 05:10:14 raeburn Exp $
+# $Id: lonauthcgi.pm,v 1.3 2009/06/13 20:28:51 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -133,9 +133,14 @@
the requestor as one of the named users (username:domain) with access
to the page.
- In the case of requests for the 'ping' page, and access is also allowed if
+ In the case of requests for the 'ping' page, access is also allowed if
at least one domain hosted on requestor's server is also hosted on this server.
+ In the case of requests for the 'showenv' page (/adm/test), the domains tested
+ are not the domains hosted on the server, but instead are a single domain -
+ the domain of the requestor. In addition, if the requestor has an active
+ Domain Coordinator role for that domain, access is permitted, regardless of
+ the requestor's current role.
=cut
#############################################
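Review bot: "active Domain Coordinator role" in the new 'showenv' paragraph overstates what the code hunk below checks: the role's start/end times are compared against user.login.time, not the current time, so a DC role that expires mid-session still grants access until the next login. Consider wording it as "a Domain Coordinator role that was active at login", or compare against time() in the code so the documentation holds as written. The phrase "are not the domains hosted on the server, but instead are a single domain - the domain of the requestor" also reads more cleanly as "the only domain tested is the requestor's domain ($env{'user.domain'})".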
@@ -156,17 +161,36 @@
}
}
} else {
- my @poss_domains = &Apache::lonnet::current_machine_domains();
- foreach my $dom (@poss_domains) {
- my %domconfig = &Apache::lonnet::get_dom('configuration',['serverstatuses'],$dom);
- if ($Apache::lonnet::env{'request.role'} eq "dc./$dom/") {
- $allowed = 1;
- } elsif (ref($domconfig{'serverstatuses'}) eq 'HASH') {
- if (ref($domconfig{'serverstatuses'}{$page}) eq 'HASH') {
- if ($domconfig{'serverstatuses'}{$page}{'namedusers'} ne '') {
- my @okusers = split(/,/,$domconfig{'serverstatuses'}{$page}{'namedusers'});
- if (grep(/^\Q$Apache::lonnet::env{'user.name'}:$Apache::lonnet::env{'user.domain'}\E$/,@okusers)) {
- $allowed = 1;
+ my @poss_domains;
+ if ($page eq 'showenv') {
+ @poss_domains = ($env{'user.domain'});
+ my $envkey = 'user.role.dc./'.$poss_domains[0].'/';
+ if (exists($Apache::lonnet::env{$envkey})) {
+ my $livedc = 1;
+ my $then = $Apache::lonnet::env{'user.login.time'};
+ my ($tstart,$tend)=split(/\./,$Apache::lonnet::env{$envkey});
+ if ($tstart && $tstart>$then) { $livedc = 0; }
+ if ($tend && $tend <$then) { $livedc = 0; }
+ if ($livedc) {
+ $allowed = 1;
+ }
+ }
+ } else {
+ @poss_domains = &Apache::lonnet::current_machine_domains();
+ }
+ unless ($allowed) {
+ foreach my $dom (@poss_domains) {
+ my %domconfig = &Apache::lonnet::get_dom('configuration',['serverstatuses'],
+ $dom);
+ if ($Apache::lonnet::env{'request.role'} eq "dc./$dom/") {
+ $allowed = 1;
+ } elsif (ref($domconfig{'serverstatuses'}) eq 'HASH') {
+ if (ref($domconfig{'serverstatuses'}{$page}) eq 'HASH') {
+ if ($domconfig{'serverstatuses'}{$page}{'namedusers'} ne '') {
+ my @okusers = split(/,/,$domconfig{'serverstatuses'}{$page}{'namedusers'});
+ if (grep(/^\Q$Apache::lonnet::env{'user.name'}:$Apache::lonnet::env{'user.domain'}\E$/,@okusers)) {
+ $allowed = 1;
+ }
}
}
}
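Review bot: `@poss_domains = ($env{'user.domain'});` uses the bare `%env` hash while every other access in this hunk goes through `%Apache::lonnet::env` (e.g. `$Apache::lonnet::env{$envkey}` two lines later). Unless lonauthcgi.pm imports `%env` elsewhere, this is either a strict-mode compile error or an always-undefined domain, which would make `$envkey` become `user.role.dc.//` and silently fail the DC check; suggest `@poss_domains = ($Apache::lonnet::env{'user.domain'});` for consistency. Separately, the liveness test compares `$tstart`/`$tend` against `user.login.time` rather than the current time, so a role that lapses during a session keeps granting /adm/test until re-login; if that is intentional, a comment saying so would help, otherwise `time()` is the more conservative reference. Minor: with `@poss_domains` set to the requestor's own domain, the `request.role eq "dc./$dom/"` branch inside the `unless ($allowed)` loop is already covered by the `user.role.dc.` check above it and only adds a redundant path.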
Index: loncom/auth/lonstatusacc.pm
diff -u loncom/auth/lonstatusacc.pm:1.6 loncom/auth/lonstatusacc.pm:1.7
--- loncom/auth/lonstatusacc.pm:1.6 Thu Jan 15 21:01:37 2009
+++ loncom/auth/lonstatusacc.pm Sat Jun 13 20:28:56 2009
@@ -1,7 +1,7 @@
#
# LON-CAPA authorization for pages generated by server-status reports
#
-# $Id: lonstatusacc.pm,v 1.6 2009/01/15 21:01:37 raeburn Exp $
+# $Id: lonstatusacc.pm,v 1.7 2009/06/13 20:28:56 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -161,14 +161,14 @@
Access requires a valid session - checked using
LONCAPA::loncgi::check_cookie_and_load_env().
If so, access is allowed if one of the following is true:
- (i) Requestor has LON-CAPA superuser role, or
- (ii) Requestor's role is Domain Coordinator in one of the domains
- hosted on this server
- (iii) Domain configurations for domains hosted on this server include
+ (i) Requestor's role is LON-CAPA superuser role.
+ (ii) Requestor has a Domain Coordinator role in the domain of the
+ requestor ($env{'user.domain'}), regardless of requestor's role.
+ (iii) Domain configurations for the domain of the current user include
the requestor as one of the named users (username:domain) with access
to the page.
(iv) IP address of requestor is listed in domain configuration list
- of allowed machines for any of the domains hosted on this server
+ of allowed IPs for the domain of the current user.
=cut
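Review bot: criteria (iii) and (iv) now say the named-user list and allowed-IP list are taken from "the domain of the current user", but this patch changes only documentation in lonstatusacc.pm and the code change in lonauthcgi.pm scopes the requestor's-domain lookup to `$page eq 'showenv'` alone; for the other server-status pages the code still iterates `current_machine_domains()`. Either restrict the new wording to /adm/test (as the commit log does) or include the corresponding code change so the documented access rules match what is enforced. Also, item (i) reads "Requestor's role is LON-CAPA superuser role" (drop the second "role"), and the list lost its "or" connectors while still being introduced by "one of the following is true", so a trailing ", or" on (i) through (iii) would restore the intended reading.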