[LON-CAPA-cvs] cvs: loncom /publisher loncfile.pm
raeburn
raeburn@source.lon-capa.org
Tue, 01 Mar 2011 01:36:55 -0000
raeburn Tue Mar 1 01:36:55 2011 EDT
Modified files:
/loncom/publisher loncfile.pm
Log:
- access checking.
Index: loncom/publisher/loncfile.pm
diff -u loncom/publisher/loncfile.pm:1.105 loncom/publisher/loncfile.pm:1.106
--- loncom/publisher/loncfile.pm:1.105 Tue Dec 14 16:26:04 2010
+++ loncom/publisher/loncfile.pm Tue Mar 1 01:36:55 2011
@@ -9,7 +9,7 @@
# and displays a page showing the results of the action.
#
#
-# $Id: loncfile.pm,v 1.105 2010/12/14 16:26:04 www Exp $
+# $Id: loncfile.pm,v 1.106 2011/03/01 01:36:55 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -348,6 +348,7 @@
my ($request,$dest,$subdir,$fn,$uname)=@_;
#remove bad characters
my $foundbad=0;
+ my $error='';
if ($subdir && $dest =~/\./) {
$foundbad=1;
$dest=~s/\.//g;
@@ -359,7 +360,7 @@
}
if ($dest=~m|/|) {
my ($newpath)=($dest=~m|(.*)/|);
- $newpath=&relativeDest($fn,$newpath,$uname);
+ ($newpath,$error)=&relativeDest($fn,$newpath,$uname);
if (! -d "$newpath") {
$request->print('<p><span class="LC_warning">'
.&mt("You have requested to create file in directory [_1] which doesn't exist. The requested directory path has been removed from the requested file name."
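Review bot: Once `relativeDest` reports an access error at the `($newpath,$error)=&relativeDest(...)` line, `cleanDest` still continues into the `-d "$newpath"` test and prints the "directory doesn't exist" warning, so a denied path gets a misleading message, and whether that warning appears reveals whether another author's directory exists. The caller updated later in this commit discards the result whenever `$error` is set, so the function can stop right after the call: `return ($dest,$error) if $error;` placed before the `-d` check. cleanDest's body continues outside the hunk, so any later use of `$newpath` on the error path is not visible from here; other callers of cleanDest, if any, would also need to handle the early return.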
@@ -384,11 +385,12 @@
.'</span></p>'
);
}
- return $dest;
+ return ($dest,$error);
}
sub relativeDest {
my ($fn,$newfilename,$uname)=@_;
+ my $error = '';
if ($newfilename=~/^\//) {
# absolute, simply add path
$newfilename='/home/'.$uname.'/public_html/';
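Review bot: Changing `return $dest;` to `return ($dest,$error);` (and likewise `return ($newfilename,$error);` in the next hunk) changes what a scalar-context caller receives: a parenthesized list in scalar context evaluates to its last element, so `my $f = &cleanDest(...)` now yields `$error` (normally the empty string) instead of the path. The one caller updated in this commit uses list assignment, but any other caller of cleanDest or relativeDest not shown in this diff would silently get an empty filename, which then looks like a valid relative name. Either audit the remaining callers in this file and its users, or document the new contract next to each return, e.g. `# returns ($path, $error); callers must use list assignment`.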
@@ -401,7 +403,18 @@
while ($newfilename=~m:/\.\./:) {
$newfilename=~ s:/[^/]+/\.\./:/:g; #remove dir/..
}
- return $newfilename;
+ if ($newfilename =~ m{^/home/($match_username)/(?:public\_html|priv)/}) {
+ my $otheruname = $1;
+ unless ($otheruname eq $uname) {
+ my ($authorname,$authordom)=
+ &Apache::loncacc::constructaccess($newfilename,$env{'request.role.domain'});
+ unless (($authorname eq $otheruname) && ($authordom ne '')) {
+ my $otherdir = &display($newfilename);
+ $error = &mt('Access denied to [_1]',$otherdir);
+ }
+ }
+ }
+ return ($newfilename,$error);
}
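Review bot: The new check only fires when the normalized path matches `m{^/home/($match_username)/(?:public\_html|priv)/}`; any path that ends up in another shape falls through with `$error` still empty and is returned as acceptable, so the check is a deny-list rather than an allow-list. If the intent is that only the caller's own author space, or another author's space with construct access, is ever a valid destination, an `else` branch setting `$error` when the pattern does not match would close that gap. The `..`-collapsing loop above only rewrites `/../` with a trailing slash, so a path ending in a bare `/..` reaches the check unnormalized; presumably harmless for this regex, but worth a comment such as `# only fully normalized paths are compared against the author-space pattern`.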
=pod
@@ -936,8 +949,23 @@
my $doingdir=0;
if ($env{'form.action'} eq 'newdir') { $doingdir=1; }
- my $newfilename=&cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname);
- $newfilename=&relativeDest($fn,$newfilename,$uname);
+ my ($newfilename,$error) =
+ &cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname);
+ unless ($error) {
+ ($newfilename,$error)=&relativeDest($fn,$newfilename,$uname);
+ }
+ if ($error) {
+ my $dirlist;
+ if ($fn=~m{^(.*/)[^/]+$}) {
+ $dirlist=$1;
+ } else {
+ $dirlist=$fn;
+ }
+ $r->print('<div class="LC_error">'.$error.'</div>'.
+ '<h3><a href="'.&url($dirlist).'">'.&mt('Return to Directory').
+ '</a></h3>');
+ return;
+ }
$r->print('<form action="/adm/cfile" method="post">'.
'<input type="hidden" name="qualifiedfilename" value="'.$fn.'" />'.
'<input type="hidden" name="phase" value="two" />'.
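Review bot: `$error` is concatenated straight into the `<div class="LC_error">` at the `$r->print` line, and the message built in relativeDest embeds `&display($newfilename)`, which derives from `$env{'form.newfilename'}`; unless `display` (defined outside this diff) HTML-escapes its output, user-supplied text reaches the page unescaped. Either escape the message at the print site or confirm that `display` does so, and record it with a comment like `# $error may carry the requested path; display() must escape it for HTML`. The `$dirlist` fallback to `$fn` when the name has no slash is fine but deserves a one-line comment. The enclosing sub starts before this hunk.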