--- loncom/auth/loncacc.pm	2011/10/21 16:03:11	1.54
+++ loncom/auth/loncacc.pm	2013/06/04 23:12:13	1.61
@@ -1,8 +1,8 @@
 # The LearningOnline Network
-# Cookie Based Access Handler for Construction Area
+# Cookie Based Access Handler for Authoring Spaces
 # (lonacc: 5/21/99,5/22,5/29,5/31 Gerd Kortemeyer)
 #
-# $Id: loncacc.pm,v 1.54 2011/10/21 16:03:11 www Exp $
+# $Id: loncacc.pm,v 1.61 2013/06/04 23:12:13 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -31,7 +31,7 @@
 
 =head1 NAME
 
-Apache::lonacc - Cookie Based Access Handler for Construction Area
+Apache::lonacc - Cookie Based Access Handler for Authoring Spaces 
 
 =head1 SYNOPSIS
 
@@ -42,11 +42,11 @@ Invoked (for various locations) by /etc/
 =head1 INTRODUCTION
 
 This module enables cookie based authentication for construction area
-and is used to control access for three (essentially equivalent) URIs.
+and is used to control access for the following two types of URI 
+(one for files, and one for directories):
 
  <LocationMatch "^/priv.*">
- <LocationMatch "^/\~.*">
- <LocationMatch "^/\~.*/$">
+ <LocationMatch "^/priv.*/$">
 
 Whenever the client sends the cookie back to the server, 
 if the cookie is missing or invalid, the user is re-challenged
@@ -71,18 +71,6 @@ store where they wanted to go (first url
 
 =back
 
-=head1 OTHERSUBROUTINES
-
-=over
-
-=item constructaccess($url,$ownerdomain)
-
-See if the owner domain and name
-in the URL match those in the expected environment.  If so, return 
-two element list ($ownername,$ownerdomain).  Else, return null string.
-
-=back
-
 =cut
 
 
@@ -96,65 +84,6 @@ use Apache::lonnet;
 use Apache::lonacc;
 use LONCAPA qw(:DEFAULT :match);
 
-sub constructaccess {
-    my ($url,$setpriv)=@_;
-
-# We do not allow editing of previous versions of files
-    if ($url=~/\.(\d+)\.(\w+)$/) { return ''; }
-
-# Get username and domain from URL
-    my ($ownerdomain,$ownername)=($url=~/^\/priv\/($match_domain)\/($match_username)\//);
-
-# The URL does not really point to any authorspace, forget it
-    unless (($ownername) && ($ownerdomain)) { return ''; }
-  
-# Now we need to see if the user has access to the authorspace of
-# $ownername at $ownerdomain
-
-    if (($ownername eq $env{'user.name'}) && ($ownerdomain eq $env{'user.domain'})) {
-# Real author for this?
-       if (exists($env{'user.priv.au./'.$ownerdomain.'/./'})) {
-          return ($ownername,$ownerdomain);
-       }
-    } else {
-# Co-author for this?
-	if (exists($env{'user.priv.ca./'.$ownerdomain.'/'.$ownername.'./'}) ||
-	    exists($env{'user.priv.aa./'.$ownerdomain.'/'.$ownername.'./'}) ) {
-	    return ($ownername,$ownerdomain);
-	}
-    }
-# We don't have any access right now. If we are not possibly going to do anything about this,
-# we might as well leave
-   unless ($setpriv) { return ''; }
-
-# Backdoor access?
-    my $allowed=&Apache::lonnet::allowed('eco',$ownerdomain);
-# Nope
-    unless ($allowed) { return ''; }
-# Looks like we may have access, but could be locked by the owner of the construction space
-    if ($allowed eq 'U') {
-        my %blocked=&Apache::lonnet::get('environment',['domcoord.author'],
-                                         $ownerdomain,$ownername);
-# Is blocked by owner
-        if ($blocked{'domcoord.author'} eq 'blocked') { return ''; }
-    }
-    if (($allowed eq 'F') || ($allowed eq 'U')) {
-# Grant temporary access
-        my $then=$env{'user.login.time'};
-        my $update==$env{'user.update.time'};
-        if (!$update) { $update = $then; }
-        my $refresh=$env{'user.refresh.time'};
-        if (!$refresh) { $refresh = $update; }
-        my $now = time;
-        &Apache::lonnet::check_adhoc_privs($ownerdomain,$ownername,
-                                           $update,$refresh,$now,'ca',
-                                           'constructaccess');
-        return($ownername,$ownerdomain);
-    }
-# No business here
-    return '';
-}
-
 sub handler {
     my $r = shift;
     my $requrl=$r->uri;
@@ -176,7 +105,19 @@ sub handler {
 	$env{'request.state'}    = "construct";
 	$env{'request.filename'} = $r->filename;
 
-	unless (&constructaccess($requrl,'setpriv')) {
+	my $allowed;
+	my ($ownername,$ownerdom,$ownerhome) = 
+            &Apache::lonnet::constructaccess($requrl,'setpriv');
+        if (($ownername ne '') && ($ownerdom ne '') && ($ownerhome ne '')) {
+            unless ($ownerhome eq 'no_host') {
+                my @hosts = &Apache::lonnet::current_machine_ids();
+                if (grep(/^\Q$ownerhome\E$/,@hosts)) {
+                    $allowed = 1;
+                }
+            }
+        }
+
+        unless ($allowed) {
 	    $r->log_reason("Unauthorized $requrl", $r->filename); 
 	    return HTTP_NOT_ACCEPTABLE;
 	}
@@ -186,7 +127,7 @@ sub handler {
 	&Apache::lonacc::get_posted_cgi($r);
 
 	return OK; 
-    } else { 
+    } else {
 	$r->log_reason("Cookie $handle not valid", $r->filename) 
     }
 
@@ -199,10 +140,3 @@ sub handler {
 1;
 __END__
 
-
-
-
-
-
-
-