--- loncom/auth/lonwebdavacc.pm 2015/03/16 12:13:34 1.3 +++ loncom/auth/lonwebdavacc.pm 2017/09/15 12:53:34 1.6 @@ -1,7 +1,7 @@ # The LearningOnline Network # Authorization Handler for webDAV access to Authoring Space. # -# $Id: lonwebdavacc.pm,v 1.3 2015/03/16 12:13:34 raeburn Exp $ +# $Id: lonwebdavacc.pm,v 1.6 2017/09/15 12:53:34 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -34,7 +34,7 @@ Apache::lonwebdavacc - webDAV Authorizat =head1 SYNOPSIS -Invoked for /+webdav/[\w\-]+/[\w\-]+/ by +Invoked for ^/+webdav/[\w\-.]+/\w[\w.\-\@]+/ by /etc/httpd/conf/loncapa_apache.conf: PerlAccessHandler Apache::lonwebdavacc @@ -44,20 +44,13 @@ PerlAccessHandler Apache::lonwebda This module enables authorization for authoring space and is used to control access for the following type of URI: - + This module is only called following successful authentication. -Unless lonOtherAuthen has been set, so Single Sign On can be used, -successful authentication will have created a session file and +Successful authentication will have created a session file and transferred the contents to the user's environment. -In the case of SSO, there is no existing user environment, but -$r->user will have been set to the user's username, following -successful authentication. For SSO, the webDAV session file -and environment are set up by a call to -Apache::lonwebdavauth::init_webdav_env(). - -Note: because Apache Basic Auth is used for authentication (unless SSO) +Note: because Apache Basic Auth is used for authentication webDAV access is only available for servers running Apache with SSL. This is part of the LearningOnline Network with CAPA project 
@@ -75,14 +68,17 @@ Checks if $env{'user.environment'} is de =item * -If no %env, this was SSO authentication so call to &sso_login() to -create session, and return cookie. +If no %env, calls Apache::lonnet::check_for_valid_session() +to retrieve a valid sessionID (webDAV client needs to support +cookies for session retrieval to be successful). If a session is +found Apache::lonnet::transfer_profile_to_env() is called +to populate %env. =item * Checks if requested URL (of form /webdav/authordomain/authorname) is valid and whether authenticated user has an active author or co-author -role in the corresonding Author Space. +role in the corresponding Authoring Space. =back @@ -96,7 +92,7 @@ role in the corresonding Author Space. =item * -Called if no user.environment exists in %env. +Not currently used. =item * @@ -133,16 +129,14 @@ sub handler { my $now = time; my $sessiondir=$r->dir_config('lonDAVsessDir'); - my ($adom,$aname); + my ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/}); + my $author = "$aname:$adom"; unless ($env{'user.environment'}) { my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV'); - if ($handle eq '') { - $handle = &sso_login($r,$sessiondir,$now,$timetolive); - if ($handle eq '') { - return FORBIDDEN; - } - } else { + if ($handle ne '') { &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle); + } else { + return FORBIDDEN; } } my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'}); @@ -150,7 +144,6 @@ sub handler { return FORBIDDEN; } - ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/}); my $docroot = $r->dir_config('lonDocRoot'); if ($adom eq '' || $aname eq '') { return FORBIDDEN; @@ -164,7 +157,7 @@ sub handler { } } else { if (($env{"user.role.ca./$adom/$aname"}) || - (env{"user.role.aa./$adom/$aname"})) { + ($env{"user.role.aa./$adom/$aname"})) { $allowed = 1; } } 
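Review bot: `my $author = "$aname:$adom";` in the @@ -133 hunk of handler has no consumer left in the visible hunks — the only thing that takes an `$author` is the new parameter of `sso_login`, and this same hunk removes the call to `sso_login` (the POD hunk above now marks that sub as not currently used). If it is kept for a later caller, build it after the `$adom eq '' || $aname eq ''` check a few lines further down, because a URI that does not match the capture leaves both variables undef and interpolating them here raises "Use of uninitialized value" warnings before the request is refused; e.g. `my $author = (defined $aname && defined $adom) ? "$aname:$adom" : '';`. Separately, the SYNOPSIS now quotes a Location pattern of `^/+webdav/...` while this capture anchors on exactly `^/webdav/`, so if that is really the pattern in loncapa_apache.conf a request with a doubled leading slash fails the capture and is refused by the emptiness check — fail-closed, but worth a comment such as `# single leading slash only; /+webdav/ URIs are refused below` if intentional. handler's body continues outside the hunk.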
@@ -217,7 +210,7 @@ sub handler { } sub sso_login { - my ($r,$sessiondir,$now,$timetolive) = @_; + my ($r,$sessiondir,$now,$timetolive,$author) = @_; my ($uname,$udom); my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/); unless ($uname =~ /^$match_username$/) { @@ -235,12 +228,18 @@ sub sso_login { return; } my $handle = - &Apache::lonwebdavauth::init_webdav_env($sessiondir,$uname,$udom, - $uhome,$now,$timetolive); + &Apache::lonwebdavauth::init_webdav_env($r,$sessiondir,$uname,$udom, + $uhome,$now,$timetolive,$author); if ($handle ne '') { - my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;"; - $r->header_out('Set-cookie' => $cookie); - $r->send_http_header; + if (&Apache::lonnet::usertools_access($uname,$udom,'webdav')) { + my ($webdav) = + ($r->uri =~ m{^(/webdav/$match_domain/$match_username/)}); + &Apache::lonnet::log($udom,$uname,$uhome, + "SSO log-in to $webdav from $ENV{'REMOTE_ADDR'}"); + my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;"; + $r->header_out('Set-cookie' => $cookie); + $r->send_http_header; + } } return ($handle); }
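Review bot: In the @@ -235 hunk of sso_login, a user who fails `usertools_access($uname,$udom,'webdav')` gets no cookie, but the session created by `init_webdav_env` is kept and `$handle` is still returned non-empty, so any caller that tests `$handle eq ''` for denial (as the old handler did) would treat the tool-less user as logged in. The denial should be reflected in the return value, e.g. `} else { $handle = ''; }` on the inner `if`, or better the `usertools_access` check should run before `init_webdav_env` so no session file is written for a user who lacks the tool. The POD marks sso_login as not currently used, so on the visible lines this is latent rather than reachable. The sub's body extends outside both hunks (the @@ -217 hunk shows only its signature).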