[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm

raeburn raeburn at source.lon-capa.org
Mon Jun 20 11:07:21 EDT 2022


raeburn		Mon Jun 20 15:07:21 2022 EDT

  Modified files:              
    /loncom/auth	lonacc.pm 
  Log:
  - Bug 6907
    For LTI-protected deep links in which username is included in launch payload
    compare username in payload with username for any existing LON-CAPA session
    in current web browser and expire old session, if different user.
  
  
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.203 loncom/auth/lonacc.pm:1.204
--- loncom/auth/lonacc.pm:1.203	Sat Jun 18 02:10:18 2022
+++ loncom/auth/lonacc.pm	Mon Jun 20 15:07:21 2022
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Cookie Based Access Handler
 #
-# $Id: lonacc.pm,v 1.203 2022/06/18 02:10:18 raeburn Exp $
+# $Id: lonacc.pm,v 1.204 2022/06/20 15:07:21 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -777,14 +777,31 @@
                 &Apache::loncommon::get_unprocessed_cgi($r->args,['ttoken']);
                 if (defined($env{'form.ttoken'})) {
                     my %info = &Apache::lonnet::tmpget($env{'form.ttoken'});
-                    if (($info{'linkprotuser'} ne '') && ($info{'origurl'} ne '')) {
-                        if (($info{'linkprot'}) && ($info{'origurl'} eq $requrl) &&
+                    if (($info{'origurl'} ne '') && ($info{'origurl'} eq $requrl)) {
+                        my %data;
+                        if (($info{'linkprotuser'} ne '') && ($info{'linkprot'}) &&
                             ($info{'linkprotuser'} ne $env{'user.name'}.':'.$env{'user.domain'})) {
-                            my %data = (
+                            %data = (
                                 origurl => $requrl,
                                 linkprot => $info{'linkprot'},
                                 linkprotuser => $info{'linkprotuser'},
                             );
+                        } elsif ($info{'ltoken'} ne '') {
+                            my %ltoken_info = &Apache::lonnet::tmpget($info{'ltoken'});
+                            if (($ltoken_info{'linkprotuser'} ne '') && ($ltoken_info{'linkprot'}) &&
+                                ($ltoken_info{'linkprotuser'} ne $env{'user.name'}.':'.$env{'user.domain'})) {
+                                %data = (
+                                    origurl => $requrl,
+                                    linkprot => $ltoken_info{'linkprot'},
+                                    linkprotuser => $ltoken_info{'linkprotuser'},
+                                );
+                            }
+                        }
+                        if (keys(%data)) {
+                            my $delete = &Apache::lonnet::tmpdel($env{'form.ttoken'});
+                            if ($info{'ltoken'} ne '') {
+                                my $delete = &Apache::lonnet::tmpdel($info{'ltoken'});
+                            }
                             my $token =
                                 &Apache::lonnet::tmpput(\%data,$r->dir_config('lonHostID'),'retry');
                             unless (($token eq 'con_lost') || ($token eq 'refused') || ($token =~ /^error:/) ||
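Review bot: In the `if (keys(%data))` block both `tmpdel` results are assigned to `$delete` and never read, and the inner `my $delete` shadows the outer one, so a failed deletion of the `ttoken` or `ltoken` record goes unnoticed while a new 'retry' token is issued for the session switch. Since these tokens decide whose session is expired, I would either drop the unused variable (`&Apache::lonnet::tmpdel($env{'form.ttoken'});`) or test the result and log a failure, so that a token that was used but could not be removed is visible to operators. The `elsif ($info{'ltoken'} ne '')` branch is also reached when the outer record names a `linkprotuser` equal to the current user, and the record fetched through `ltoken` is trusted for `linkprot` and `linkprotuser` with no URL comparison of its own (whether it carries an `origurl` is not visible here); if that precedence is intended, a comment such as `# ltoken record decides when the ttoken record does not name a different user` would make it explicit. The enclosing handler starts above the hunk, and the `unless (` condition on the last line continues past it.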



