[LON-CAPA-cvs] cvs: loncom /auth lonlogin.pm

raeburn raeburn at source.lon-capa.org
Wed May 25 14:05:56 EDT 2022


raeburn		Wed May 25 18:05:56 2022 EDT

  Modified files:              
    /loncom/auth	lonlogin.pm 
  Log:
  - Bug 6907
    Stop deep-linked items escaping iframe context, if LTI link protection in
    effect, but user needs to authenticate. 
  
  
Index: loncom/auth/lonlogin.pm
diff -u loncom/auth/lonlogin.pm:1.195 loncom/auth/lonlogin.pm:1.196
--- loncom/auth/lonlogin.pm:1.195	Thu Feb 24 15:51:28 2022
+++ loncom/auth/lonlogin.pm	Wed May 25 18:05:56 2022
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.195 2022/02/24 15:51:28 raeburn Exp $
+# $Id: lonlogin.pm,v 1.196 2022/05/25 18:05:56 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -428,13 +428,14 @@
     if ($uextkey>2147483647) { $uextkey-=4294967296; }
 
 # -------------------------------------------------------- Store away log token
-    my ($tokenextras,$tokentype);
+    my ($tokenextras,$tokentype,$linkprot_for_login);
     my @names = ('role','symb','iptoken','ltoken','linkprot','linkkey');
     foreach my $name (@names) {
         if ($env{'form.'.$name} ne '') {
             if ($name eq 'ltoken') {
                 my %info = &Apache::lonnet::tmpget($env{'form.'.$name});
                 if ($info{'linkprot'}) {
+                    $linkprot_for_login = $info{'linkprot'};
                     $tokenextras .= '&linkprot='.&escape($info{'linkprot'});
                     $tokentype = 'link';
                     last;
@@ -442,6 +443,9 @@
             } else {
                 $tokenextras .= '&'.$name.'='.&escape($env{'form.'.$name});
                 if (($name eq 'linkkey') || ($name eq 'linkprot')) {
+                    if (($env{'form.retry'}) && (!$env{'form.ltoken'}) && ($name eq 'linkprot')) {
+                        $linkprot_for_login = $env{'form.linkprot'};
+                    }
                     $tokentype = 'link';
                 }
             }
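Review bot: The value assigned at `$linkprot_for_login = $env{'form.linkprot'};` is taken directly from the resubmitted login form, whereas the ltoken branch in the previous hunk appears to read it back from a stored token via `tmpget`. In the lines visible in this diff it only feeds the choice of form target, but nothing at the assignment records that it is client-controlled. I would add a comment above the new `if`: `# retry without ltoken: linkprot is client-supplied; use only to pick the form target, never for access decisions`. The enclosing loop and sub start and end outside this hunk, so any other use of the variable cannot be checked from here.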
@@ -898,6 +902,35 @@
             delete($env{'form.ltoken'});
         }
     }
+    my $in_frame_js;
+    if ($linkprot_for_login) {
+        my ($linkprotector,$linkproturi) = split(/:/,$linkprot_for_login,2);
+        if (($linkprotector =~ /^\d+(c|d)$/) && ($linkproturi =~ m{^/+tiny/+$LONCAPA::match_domain/+\w+$})) {
+            my $set_target;
+            if ($env{'form.retry'}) {
+                if ($linkproturi eq $env{'form.firsturl'}) {
+                    $set_target = "    document.server.target = '_self';";
+                }
+            } else {
+                $set_target = <<ENDTARG;
+    var linkproturi = '$linkproturi';
+    var path = document.location.pathname.replace( new RegExp('^/adm/launch'),'');
+    if (linkproturi == path) {
+        document.server.target = '_self';
+    }
+ENDTARG
+            }
+            $in_frame_js = <<ENDJS;
+<script type="text/javascript">
+// <![CDATA[
+if ((window.self !== window.top) && (document.server.target != '_self')) {
+    $set_target
+}
+// ]]>
+</script>
+ENDJS
+        }
+    }
 
     $r->print(<<ENDLOGIN);
 <div style="display:$stdauthformstyle;" id="LC_standard_login">
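Review bot: The check on `$linkproturi` ends in `\w+$`, and in Perl `$` also matches before a trailing newline, so a value ending in "\n" passes and is then interpolated into the single-quoted JavaScript literal `var linkproturi = '$linkproturi';`. That would leave the literal unterminated and the whole script block would fail to parse, so the target would never be set to `_self`. Anchoring with `\z` closes this: `($linkproturi =~ m{^/+tiny/+$LONCAPA::match_domain/+\w+\z})`. Separately, in the retry branch `$set_target` stays undefined when `$linkproturi` differs from `form.firsturl`, yet it is still interpolated into the `ENDJS` heredoc; `my $set_target = '';` avoids the uninitialized-value warning. The enclosing sub and the place where `$in_frame_js` is printed are outside the hunk, so whether the script runs after the `server` form exists cannot be confirmed from here.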



