[LON-CAPA-cvs] cvs: loncom(version_2_11_X) /auth lonauth.pm

raeburn raeburn at source.lon-capa.org
Wed Jul 31 20:42:34 EDT 2019


raeburn		Thu Aug  1 00:42:34 2019 EDT

  Modified files:              (Branch: version_2_11_X)
    /loncom/auth	lonauth.pm 
  Log:
  - For 2.11
    Backport 1.144, 1.145, 1.146, 1.147, 1.148
  
  
Index: loncom/auth/lonauth.pm
diff -u loncom/auth/lonauth.pm:1.121.2.16 loncom/auth/lonauth.pm:1.121.2.17
--- loncom/auth/lonauth.pm:1.121.2.16	Tue Jun  6 22:34:37 2017
+++ loncom/auth/lonauth.pm	Thu Aug  1 00:42:34 2019
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.121.2.16 2017/06/06 22:34:37 raeburn Exp $
+# $Id: lonauth.pm,v 1.121.2.17 2019/08/01 00:42:34 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -32,8 +32,6 @@
 use LONCAPA;
 use Apache::Constants qw(:common);
 use CGI qw(:standard);
-use DynaLoader; # for Crypt::DES version
-use Crypt::DES;
 use Apache::loncommon();
 use Apache::lonnet;
 use Apache::lonmenu();
@@ -301,10 +299,11 @@
 
 # split user logging in and "su"-user
 
-    ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
+    ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
     $form{'uname'} = &LONCAPA::clean_username($form{'uname'});
     $form{'suname'}= &LONCAPA::clean_username($form{'suname'});
-    $form{'udom'}  = &LONCAPA::clean_domain(  $form{'udom'});
+    $form{'udom'}  = &LONCAPA::clean_domain($form{'udom'});
+    $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
 
     my $role   = $r->dir_config('lonRole');
     my $domain = $r->dir_config('lonDefDomain');
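Review bot: The comment above the split still describes only two fields, while the assignment now also extracts a third, `sudom`, and a list assignment from an unlimited `split` silently discards anything after a third colon. I would extend it to `# split user logging in, "su"-user and optional "su"-domain ("uname:suname[:sudom]"); surplus fields are discarded`. Whether `&LONCAPA::clean_domain` tolerates an undef `$form{'sudom'}` (the common case, when no third field is given) is not visible here; worth confirming it does not warn under `use warnings`. The enclosing handler starts and ends outside this hunk.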
@@ -429,20 +428,68 @@
 
 # --------------------------------- Are we attempting to login as somebody else?
     if ($form{'suname'}) {
+        my ($suname,$sudom,$sudomref);
+        $suname = $form{'suname'};
+        $sudom = $form{'udom'};
+        if ($form{'sudom'}) {
+            unless ($sudom eq $form{'sudom'}) {
+                if (&Apache::lonnet::domain($form{'sudom'})) {
+                    $sudomref = [$form{'sudom'}];
+                    $sudom = $form{'sudom'};
+                }
+            }
+        }
 # ------------ see if the original user has enough privileges to pull this stunt
-	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
+	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
 # ---------------------------------------------------- see if the su-user exists
-	    unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
-		eq 'no_host') {
-		&Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
+	    unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
 # ------------------------------ see if the su-user is not too highly privileged
-		unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
+		if (&Apache::lonnet::privileged($suname,$sudom)) {
+                    &Apache::lonnet::logthis('Attempted switch user to privileged user');
+                } else {
+                    my $noprivswitch;
+#
+# su-user's home server and user's home server must have one of:
+# (a) same domain
+# (b) same primary library server for the two domains
+# (c) same "internet domain" for primary library server(s) for home servers' domains
+#
+                    my $suprim = &Apache::lonnet::domain($sudom,'primary');
+                    my $suintdom = &Apache::lonnet::internet_dom($suprim);
+                    unless ($sudom eq $form{'udom'}) {
+                        my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');
+                        my $uintdom = &Apache::lonnet::internet_dom($uprim);
+                        unless ($suprim eq $uprim) {
+                            unless ($suintdom eq $uintdom) {
+                                &Apache::lonnet::logthis('Attempted switch user '
+                                   .'to user with different "internet domain".');
+                                $noprivswitch = 1;
+                            }
+                        }
+                    }
+
+                    unless ($noprivswitch) {
+#
+# server where log-in occurs must have same "internet domain" as su-user's home
+# server
+#
+                        my $lonhost = $r->dir_config('lonHostID');
+                        my $hostintdom = &Apache::lonnet::internet_dom($lonhost);
+                        if ($hostintdom ne $suintdom) {
+                            &Apache::lonnet::logthis('Attempted switch user on a '
+                                .'server with a different "internet domain".');
+                        } else {
+
 # -------------------------------------------------------- actually switch users
-		    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
-			' logging in as '.$form{'suname'});
-		    $form{'uname'}=$form{'suname'};
-		} else {
-		    &Apache::lonnet::logthis('Attempted switch user to privileged user');
+
+			    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.
+				$form{'udom'}.' logging in as '.$suname.':'.$sudom);
+			    $form{'uname'}=$suname;
+                            if ($form{'udom'} ne $sudom) {
+                                $form{'udom'}=$sudom;
+                            }
+                        }
+                    }
 		}
 	    }
 	} else {
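Review bot: When `$form{'sudom'}` is supplied but `&Apache::lonnet::domain($form{'sudom'})` returns false, the `if` at the top of the hunk has no else branch, so `$sudom` silently stays `$form{'udom'}` and the switch proceeds against `suname` in the requester's own domain rather than the domain that was asked for. A request naming an unknown domain is more likely a typo or a probe than an intent to switch within one's own domain, so it should be logged and refused, as the other rejected cases further down already are, instead of being quietly redirected. The excerpt below adds a `$badsudom` flag set in an else branch and gates the first `privileged` check on it; everything else in the hunk is unchanged. The enclosing `if ($form{'suname'})` block and the handler it lives in continue past the end of this hunk.
```perl
        my ($suname,$sudom,$sudomref,$badsudom);
        # … unchanged: copy suname, default sudom to the login domain …
                if (&Apache::lonnet::domain($form{'sudom'})) {
                    # … unchanged: accept the requested domain …
                } else {
                    &Apache::lonnet::logthis('Attempted switch user to unknown domain');
                    $badsudom = 1;
                }
        # … unchanged: close the sudom checks …
	if ((!$badsudom) && &Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
```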



