[LON-CAPA-cvs] cvs: loncom /interface createaccount.pm

raeburn lon-capa-cvs-allow@mail.lon-capa.org
Fri, 04 Jul 2008 18:53:22 -0000


raeburn		Fri Jul  4 14:53:22 2008 EDT

  Modified files:              
    /loncom/interface	createaccount.pm 
  Log:
  - Token required on user information data entry page.
  - Token validation required for account creation.
  
  
Index: loncom/interface/createaccount.pm
diff -u loncom/interface/createaccount.pm:1.7 loncom/interface/createaccount.pm:1.8
--- loncom/interface/createaccount.pm:1.7	Tue Jul  1 12:41:57 2008
+++ loncom/interface/createaccount.pm	Fri Jul  4 14:53:22 2008
@@ -3,7 +3,7 @@
 # institutional log-in ID (institutional authentication required - localauth
 #  or kerberos) or an e-mail address.
 #
-# $Id: createaccount.pm,v 1.7 2008/07/01 16:41:57 bisitz Exp $
+# $Id: createaccount.pm,v 1.8 2008/07/04 18:53:22 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -42,6 +42,7 @@
 use DynaLoader; # for Crypt::DES version
 use Crypt::DES;
 use LONCAPA qw(:DEFAULT :match);
+use HTML::Entities;
 
 sub handler {
     my $r = shift;
@@ -122,9 +123,13 @@
         my ($output,$msg);
         if (grep(/^sso$/,@cancreate)) {
             $msg = &mt("Although your username and password were authenticated by your institution's Single Sign On system, you do not currently have a LON-CAPA account in this domain.");
-            ($output, my $checkfail) = &username_check($sso_username,$domain,$domdesc,$courseid);
-            if ($checkfail) {
+            ($output, my $checkfail) = &username_check($sso_username,$domain,
+                                                       $domdesc,$courseid,
+                                                       $lonhost,$contact_email); 
+            if ($checkfail eq 'username') {
                 $msg .= &mt('A LON-CAPA account may not be created with the username you use.');
+            } elsif ($checkfail eq 'authtoken') {
+                $msg .= &mt('Error creating token.');
             } else {
                 $msg .= &mt('To create one, use the table below to provide information about yourself (if appropriate), then click the "Create LON-CAPA account" button.');
             }
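Review bot: `if ($checkfail eq 'username')` now compares against a string where the old code only tested truthiness, so on the success path — where username_check may leave `$checkfail` undefined (its declaration is not visible in this diff) — `eq` emits a "Use of uninitialized value" warning on every request. Either initialise it in username_check (`my $checkfail = '';`) or guard the comparison here, `if (defined($checkfail) && $checkfail eq 'username')`. The same applies to the `elsif ($checkfail eq 'authtoken')` branch. The enclosing handler block starts and ends outside the hunk.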
@@ -181,7 +186,8 @@
                                          $courseid);
     } elsif ($env{'form.phase'} eq 'username_validation') {
         $output = &username_validation($env{'form.uname'},$domain,$domdesc,
-                                       $contact_name,$contact_email,$courseid);
+                                       $contact_name,$contact_email,$courseid,
+                                       $lonhost);
     } elsif (!$token) {
         my $now=time;
         if (grep(/^login$/,@cancreate)) {
@@ -668,7 +674,7 @@
 }
 
 sub username_validation {
-    my ($username,$domain,$domdesc,$contact_name,$contact_email,$courseid) = @_;
+    my ($username,$domain,$domdesc,$contact_name,$contact_email,$courseid,$lonhost) = @_;
     my ($retrieved,$output,$upass);
 
     $username= &LONCAPA::clean_username($username);
@@ -694,7 +700,8 @@
             $authok = 'non_authorized';
         }
         if ($authok eq 'authorized') {
-            ($output,undef) = &username_check($username,$domain,$domdesc,$courseid);            
+            ($output,undef) = &username_check($username,$domain,$domdesc,
+                                              $courseid,$lonhost,$contact_email); 
         } else {
             $output = '<div class="LC_warning">'
                      .&mt('Username and/or password could not be authenticated.')
@@ -706,7 +713,7 @@
 }
 
 sub username_check {
-    my ($username,$domain,$domdesc,$courseid) = @_;
+    my ($username,$domain,$domdesc,$courseid,$lonhost,$contact_email) = @_;
     my (%rulematch,%inst_results,$newuser,%alerts,%curr_rules,%got_rules);
     $newuser = 1;
     my $checkhash;
@@ -724,7 +731,7 @@
                         &Apache::loncommon::user_rule_formats($domain,$domdesc,
                                 $curr_rules{$domain}{'username'},'username');
                     if ($userchkmsg) {
-                        $checkfail = 1;
+                        $checkfail = 'username';
                     }
                 }
                 return ($userchkmsg,$checkfail);
@@ -732,13 +739,26 @@
         }
     }
     my $submit_text = &mt('Create LON-CAPA account');
-    # FIXME need a cookie to confirm credentials were validated.
     my $output = '<form method="post" action="/adm/createaccount">'.
                  &Apache::loncreateuser::personal_data_display($username,$domain,1,
                                     undef,$inst_results{$username.':'.$domain}).
                 '<br /><br /><input type="hidden" name="uname" value="'.$username.'" />'."\n".
                 '<input type="hidden" name="udom" value="'.$domain.'" />'."\n".
                 '<input type="hidden" name="phase" value="username_activation" />';
+    my $now = time;
+    my %info = ('ip'         => $ENV{'REMOTE_ADDR'},
+                'time'       => $now,
+                'domain'     => $domain,
+                'username'   => $username);
+    my $authtoken = &Apache::lonnet::tmpput(\%info,$lonhost);
+    if ($authtoken !~ /^error/ && $authtoken ne 'no_such_host') {
+        $output .= '<input type="hidden" name="authtoken" value="'.&HTML::Entities::encode($authtoken,'&<>"').'" />';
+    } else {
+        $output = &mt('An error occurred when storing a token').'<br />'.
+                  &mt('You will not be able to proceed to the next stage of account creation').
+                  &linkto_email_help($contact_email,$domdesc);
+        return($output,'authtoken');
+    }
     if ($courseid ne '') {
         $output .= '<input type="hidden" name="courseid" value="'.$courseid.'" />';
     }
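Review bot: `%info` stores `'ip' => $ENV{'REMOTE_ADDR'}` alongside the token, but the verification code in the hunk at `@@ -756,6 +776,27 @@` never compares it with the requesting address, so the field currently buys nothing; either add `($data{'ip'} ne $ENV{'REMOTE_ADDR'})` to that check or drop it from `%info` so the stored data does not suggest a check that is not made (pinning to the address can break clients behind rotating proxies, so treat it as a deployment decision). The failure test `$authtoken !~ /^error/` relies on every tmpput failure string starting with `error`; a comment would make that contract visible, `# tmpput returns 'error...' or 'no_such_host' on failure, otherwise the token id`. The new hidden authtoken value is HTML-encoded while the adjacent pre-existing `uname`/`udom` values are interpolated raw; aligning them would be consistent. username_check continues outside the hunk.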
@@ -756,6 +776,27 @@
                     &mt('Return to previous page').'</a>'.
                     &Apache::loncommon::end_page();
     my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
+    my %data = &Apache::lonnet::tmpget($env{'form.authtoken'});
+    my $now = time;
+    my $earlyout;
+    my $timeout = 300;
+    if (keys(%data) == 0) {
+        $output = &mt('Sorry, your authentication has expired.');
+        $earlyout = 'fail';
+    }
+    if (($data{'time'} !~ /^\d+$/) ||
+        ($data{'domain'} ne $domain) || 
+        ($data{'username'} ne $username)) {
+        $earlyout = 'fail';
+        $output = &mt('The credentials you provided could not be verified.');   
+    } elsif ($now - $data{'time'} > $timeout) {
+        $earlyout = 'fail';
+        $output = &mt('Sorry, your authentication has expired.');
+    }
+    if ($earlyout ne '') {
+        $output .= '<br />'.&mt('Please [_1]start again[_2].','<a href="/adm/createaccount">','</a>');
+        return($earlyout,$output);
+    }
     if ((($domdefaults{'auth_def'} =~/^krb(4|5)$/) && 
          ($domdefaults{'auth_arg_def'} ne '')) || 
         ($domdefaults{'auth_def'} eq 'localauth')) {
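Review bot: The empty-token branch (`keys(%data) == 0`) sets the "expired" message but then falls straight into the following `if`, where `$data{'time'} !~ /^\d+$/` is true for the missing key and overwrites `$output` with "could not be verified" — so the first message is unreachable and three undefined hash values are compared, each warning under `use warnings`. Chaining the second test with `elsif` fixes both, and `my $earlyout = '';` removes the uninitialized-value warning at `$earlyout ne ''`. Consider `\A\d+\z` instead of `^\d+$` so a trailing newline in the stored time is rejected. The enclosing function starts and ends outside the hunk.
```perl
    my %data = &Apache::lonnet::tmpget($env{'form.authtoken'});
    my $now = time;
    my $earlyout = '';
    my $timeout = 300;
    if (keys(%data) == 0) {
        $earlyout = 'fail';
        $output = &mt('Sorry, your authentication has expired.');
    } elsif (($data{'time'} !~ /\A\d+\z/) ||
             ($data{'domain'} ne $domain) ||
             ($data{'username'} ne $username)) {
        $earlyout = 'fail';
        $output = &mt('The credentials you provided could not be verified.');
    } elsif ($now - $data{'time'} > $timeout) {
        $earlyout = 'fail';
        $output = &mt('Sorry, your authentication has expired.');
    }
    # … unchanged: 'start again' link and return($earlyout,$output) …
```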
@@ -776,6 +817,7 @@
                           $env{'form.cgeneration'},undef,undef,
                           $env{'form.cpermanentemail'});
         if ($result eq 'ok') {
+            my $delete = &Apache::lonnet::tmpdel($env{'form.authtoken'});
             $output = &mt('A LON-CAPA account has been created for username: [_1] in domain: [_2].',$username,$domain);
             my %form = &start_session($r,$username,$domain,$lonhost,$courseid);
             my $nostart = 1;
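Review bot: `my $delete = &Apache::lonnet::tmpdel($env{'form.authtoken'});` assigns a value that is never read; either drop the variable or check the result. The token is removed only when `$result eq 'ok'`, so after a failed creation attempt — or a failed verification in the hunk at `@@ -756,6 +776,27 @@` — the same authtoken can be resubmitted until the 300 s window closes; deleting it before the creation call, or regardless of `$result`, keeps it single-use: `&Apache::lonnet::tmpdel($env{'form.authtoken'});`. The enclosing function starts and ends outside the hunk.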
@@ -838,6 +880,13 @@
     if ($msgtext) {
         $msg .= '<br />'.$msgtext;
     }
+    $msg .= &linkto_email_help($contact_email,$domdesc);
+    return $msg;
+}
+
+sub linkto_email_help {
+    my ($contact_email,$domdesc) = @_;
+    my $msg;
     if ($contact_email ne '') {
         my $escuri = &HTML::Entities::encode('/adm/createaccount','&<>"');
         $msg .= '<br />'.&mt('You may wish to contact the [_1]LON-CAPA helpdesk[_2] for the [_3] domain.','<a href="/adm/helpdesk?origurl='.$escuri.'">','</a>',$domdesc);
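Review bot: `my $msg;` in the new `linkto_email_help` leaves `$msg` undefined when `$contact_email` is empty, and both callers (the end of the preceding sub and username_check) concatenate the result directly, which warns "Use of uninitialized value" if the sub returns `$msg` unchanged (its end lies past this hunk). Initialise it, `my $msg = '';`. A one-line header comment would also help, e.g. `# Returns an HTML fragment linking to the helpdesk for $domdesc, or '' when no contact e-mail is configured.` The sub that closes at the top of this hunk starts outside it.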