[LON-CAPA-cvs] cvs: loncom(version_2_11_X) /auth lonacc.pm
raeburn
raeburn at source.lon-capa.org
Sun Sep 27 21:31:42 EDT 2020
raeburn Mon Sep 28 01:31:42 2020 EDT
Modified files: (Branch: version_2_11_X)
/loncom/auth lonacc.pm
Log:
- For 2.11
Backport 1.179
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.159.2.10 loncom/auth/lonacc.pm:1.159.2.11
--- loncom/auth/lonacc.pm:1.159.2.10 Sat May 2 20:39:07 2020
+++ loncom/auth/lonacc.pm Mon Sep 28 01:31:42 2020
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.159.2.10 2020/05/02 20:39:07 raeburn Exp $
+# $Id: lonacc.pm,v 1.159.2.11 2020/09/28 01:31:42 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -435,6 +435,22 @@
return undef;
}
+sub needs_symb_check {
+ my ($requrl) = @_;
+ $requrl=~/\.(\w+)$/;
+ if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
+ ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) ||
+ ($requrl=~/^\/adm\/wrapper\//) ||
+ ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
+ ($requrl=~m|\.problem/smpedit$|) ||
+ ($requrl=~/^\/public\/.*\/syllabus$/) ||
+ ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
+ ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/)) {
+ return 1;
+ }
+ return;
+}
+
sub handler {
my $r = shift;
my $requrl=$r->uri;
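Review bot: In `needs_symb_check`, `$1` is read without checking that `$requrl=~/\.(\w+)$/` matched. Capture variables keep their previous value on a failed match and are dynamically scoped, so an extensionless URL can hand `fileembstyle` a stale capture left by the caller. The new call site in `handler` runs right after other pattern matches on `$requrl`, which makes this more likely than in the old inline code. Capturing into a lexical avoids it: `my ($ext) = ($requrl =~ /\.(\w+)$/);` and then `(defined($ext) && (&Apache::loncommon::fileembstyle($ext) eq 'ssi'))`. A one-line comment above the sub saying it decides whether a URL needs a symb for access and logging would also help.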
@@ -594,7 +610,37 @@
my $now = time;
if ($requrl !~ m{^/(?:adm|public|(?:prt|zip)spool)/}
|| $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) {
- my $access=&Apache::lonnet::allowed('bre',$requrl);
+ my ($access,$poss_symb);
+ if (($env{'request.course.id'}) && (!$suppext) && (&needs_symb_check($requrl))) {
+ unless ($env{'form.symb'}) {
+ if ($r->args) {
+ &Apache::loncommon::get_unprocessed_cgi($r->args,['symb']);
+ }
+ }
+ if ($env{'form.symb'}) {
+ $poss_symb=&Apache::lonnet::symbclean($env{'form.symb'});
+ }
+ if ($poss_symb) {
+ my ($possmap,$resid,$url)=&Apache::lonnet::decode_symb($poss_symb);
+ $url = &Apache::lonnet::clutter($url);
+ unless (($url eq $requrl) && (&Apache::lonnet::is_on_map($possmap))) {
+ undef($poss_symb);
+ }
+ if ($poss_symb) {
+ if ((!$env{'request.role.adv'}) && ($env{'acc.randomout'}) &&
+ ($env{'acc.randomout'}=~/\&\Q$poss_symb\E\&/)) {
+ undef($poss_symb);
+ }
+ }
+ }
+ if ($poss_symb) {
+ $access=&Apache::lonnet::allowed('bre',$requrl,$poss_symb);
+ } else {
+ $access=&Apache::lonnet::allowed('bre',$requrl,'','','','',1);
+ }
+ } else {
+ $access=&Apache::lonnet::allowed('bre',$requrl);
+ }
if ($handle eq '') {
unless ($access eq 'F') {
if ($requrl =~ m{^/res/$match_domain/$match_username/}) {
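Review bot: `$poss_symb` originates from the request (`form.symb` or the query string) and reaches `&Apache::lonnet::allowed('bre',$requrl,$poss_symb)` after only a URL comparison and `is_on_map($possmap)`; `symbverify` is never called on it in this hunk. If `allowed()` uses the symb to select map-level or resource-level settings (its body is not visible here), a symb naming a map that does not contain `$requrl` could influence the decision. Consider `undef($poss_symb) unless (&Apache::lonnet::symbverify($poss_symb,$requrl));` before the call, with the same `/portfolio` stripping the `'B'` branch applies. The trailing `1` in `allowed('bre',$requrl,'','','','',1)` is an undocumented positional flag and deserves a short comment naming it. The enclosing `handler` starts and ends outside the hunk.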
@@ -611,6 +657,14 @@
return OK;
}
if ($access eq 'B') {
+ if ($poss_symb) {
+ if ($requrl=~m{^(/adm/.*/aboutme)/portfolio$}) {
+ $requrl = $1;
+ }
+ if (&Apache::lonnet::symbverify($poss_symb,$requrl)) {
+ $env{'request.symb'} = $poss_symb;
+ }
+ }
&Apache::blockedaccess::setup_handler($r);
return OK;
}
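Review bot: When `symbverify` rejects the client-supplied `$poss_symb` in the `'B'` branch, the request goes on to `setup_handler` with no trace, whereas the invalid-symb path later in the handler calls `$r->log_reason`. Adding `else { $r->log_reason('Invalid symb for '.$requrl.': '.$poss_symb); }` would make mismatched symbs visible to whoever reviews the logs. The assignment `$requrl = $1;` also overwrites the handler-wide variable; a local copy (`my $checkurl = $requrl;`) would keep the original URL intact for anything that reads it afterwards. The enclosing block starts outside the hunk.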
@@ -670,16 +724,8 @@
# ------------------------------------------------------------- This is allowed
if ($env{'request.course.id'}) {
&Apache::lonnet::countacc($requrl);
- $requrl=~/\.(\w+)$/;
my $query=$r->args;
- if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
- ($requrl=~/^\/adm\/.*\/(aboutme|smppg|bulletinboard)(\?|$ )/x) ||
- ($requrl=~/^\/adm\/wrapper\//) ||
- ($requrl=~m|^/adm/coursedocs/showdoc/|) ||
- ($requrl=~m|\.problem/smpedit$|) ||
- ($requrl=~/^\/public\/.*\/syllabus$/) ||
- ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) ||
- ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/)) {
+ if (&needs_symb_check($requrl)) {
# ------------------------------------- This is serious stuff, get symb and log
my $symb;
if ($query) {
@@ -724,13 +770,38 @@
}
unless ($suppext) {
$symb=&Apache::lonnet::symbread($requrl);
- if (&Apache::lonnet::is_on_map($requrl) && $symb &&
- !&Apache::lonnet::symbverify($symb,$requrl)) {
- $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
- $env{'user.error.msg'}=
- "$requrl:bre:1:1:Invalid Access";
- return HTTP_NOT_ACCEPTABLE;
- }
+ if (&Apache::lonnet::is_on_map($requrl) && $symb) {
+ my ($encstate,$invalidsymb);
+ unless (&Apache::lonnet::symbverify($symb,$requrl,\$encstate)) {
+ $invalidsymb = 1;
+ #
+ # If $env{'request.enc'} is true, but no encryption for $symb retrieved
+ # by original lonnet::symbread() call, call again to check for an instance
+ # of $requrl in the course which has encryption, and set that as the symb.
+ # If there is no such symb, or symbverify() fails for the new symb proceed
+ # to report invalid symb.
+ #
+ if ($env{'request.enc'} && !$encstate) {
+ my %possibles;
+ my $nocache = 1;
+ $symb = &Apache::lonnet::symbread($requrl,'','','',\%possibles,$nocache);
+ if ($symb) {
+ if (&Apache::lonnet::symbverify($symb,$requrl)) {
+ $invalidsymb = '';
+ }
+ } elsif (keys(%possibles) > 1) {
+ $r->internal_redirect('/adm/ambiguous');
+ return OK;
+ }
+ }
+ if ($invalidsymb) {
+ $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
+ $env{'user.error.msg'}=
+ "$requrl:bre:1:1:Invalid Access";
+ return HTTP_NOT_ACCEPTABLE;
+ }
+ }
+ }
if ($symb) {
my ($map,$mid,$murl)=
&Apache::lonnet::decode_symb($symb);
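Review bot: The `log_reason` line reports `$symb` after the second `symbread` call has overwritten it, so when that call returns nothing the log shows an empty value (plus an uninitialized-value warning if warnings are enabled) instead of the symb that failed verification. Saving it first with `my $failed_symb = $symb;` before the re-read and logging `$failed_symb` keeps the audit trail useful. The retry's `symbverify($symb,$requrl)` also omits `\$encstate`, so nothing visible here confirms the replacement symb is the encrypted instance the comment describes. Passing `\$encstate` again and requiring it to be true would close that gap, unless `symbread` already guarantees it. The enclosing `unless ($suppext)` block continues outside the hunk.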
@@ -748,6 +819,9 @@
}
}
$env{'request.symb'}=$symb;
+ if (($env{'request.symbread.cached.'}) && ($env{'request.symbread.cached.'} ne $symb)) {
+ $env{'request.symbread.cached.'} = $symb;
+ }
&Apache::lonnet::courseacclog($symb);
} else {
# ------------------------------------------------------- This is other content
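Review bot: The key `'request.symbread.cached.'` ends in a dot with no suffix, which reads like a truncated key name. If it is the intended cache slot (presumably the entry `symbread` uses when called without a filename, which is not visible here), a comment such as `# keep symbread's no-filename cache entry in step with the verified symb` would make that clear. The surrounding block starts outside the hunk.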