--- loncom/cgi/lonauthcgi.pm 2008/12/25 05:10:14 1.2
+++ loncom/cgi/lonauthcgi.pm 2011/10/14 20:50:54 1.7
@@ -1,7 +1,7 @@
 #
 # LON-CAPA authorization for cgi-bin scripts
 #
-# $Id: lonauthcgi.pm,v 1.2 2008/12/25 05:10:14 raeburn Exp $
+# $Id: lonauthcgi.pm,v 1.7 2011/10/14 20:50:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -55,9 +55,11 @@ package LONCAPA::lonauthcgi;
 use strict;
 use lib '/home/httpd/lib/perl';
+use Socket;
 use Apache::lonnet;
 use Apache::lonlocal;
 use LONCAPA;
+use LONCAPA::Configuration();
 #############################################
 #############################################
@@ -94,6 +96,10 @@ sub check_ipbased_access {
 return $allowed;
 }
 }
+ if (&is_manager_ip($ip)) {
+ $allowed = 1;
+ return $allowed;
+ }
 if ($page ne 'ping') {
 my @poss_domains = &Apache::lonnet::current_machine_domains();
 foreach my $dom (@poss_domains) {
@@ -117,6 +123,45 @@ sub check_ipbased_access {
 #############################################
 #############################################
+sub is_manager_ip {
+ my ($remote_ip) = @_;
+ return if ($remote_ip eq '');
+ my ($directory,$is_manager);
+ my $config=LONCAPA::Configuration::read_conf();
+ if (ref($config) eq 'HASH') {
+ $directory = $config->{'lonTabDir'};
+ }
+ if (defined($directory)) {
+ if (open(MANAGERS, "$directory/managers.tab")) {
+ while(my $host = ) {
+ chomp($host);
+ next if ($host =~ /^\#/);
+ my $ip = &Apache::lonnet::get_host_ip($host);
+ if (defined($ip)) {
+ if ($remote_ip eq $ip) {
+ $is_manager = 1;
+ last;
+ }
+ } else {
+ my ($cluname,$dnsname) = split(/:/, $host);
+ $ip = gethostbyname($dnsname);
+ if (defined($ip)) {
+ my $hostip = inet_ntoa($ip);
+ if ($hostip = $remote_ip) {
+ $is_manager = 1;
+ }
+ }
+ }
+ }
+ close(MANAGERS);
+ }
+ }
+ return $is_manager;
+}
+
+#############################################
+#############################################
+
 =pod
 =item can_view()
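Review bot: `if ($hostip = $remote_ip)` in the gethostbyname fallback of is_manager_ip is an assignment, not a comparison: it is true for every non-empty $remote_ip (the empty case is rejected at the top of the sub), so whenever a managers.tab entry is unknown to get_host_ip but its DNS name resolves, any client's address is flagged as a manager and check_ipbased_access grants access before any domain or named-user check runs. It should read `if ($hostip eq $remote_ip) { $is_manager = 1; last; }`, mirroring the first branch. Two smaller points in the same sub: the read loop appears here as `while(my $host = ) {`, which looks like the `<MANAGERS>` readline was lost in extraction and should be confirmed against the repository, and `open(MANAGERS, "$directory/managers.tab")` is a two-argument open on a bareword handle that would be tighter as `open(my $fh, '<', "$directory/managers.tab")`, even though $directory comes from the server config rather than the request.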
@@ -133,9 +178,14 @@ Returns: 1 if access to the page is perm the requestor as one of the named users (username:domain) with access to the page. - In the case of requests for the 'ping' page, and access is also allowed if + In the case of requests for the 'ping' page, access is also allowed if at least one domain hosted on requestor's server is also hosted on this server. + In the case of requests for the 'showenv' page (/adm/test), the domains tested + are not the domains hosted on the server, but instead are a single domain - + the domain of the requestor. In addition, if the requestor has an active + Domain Coordinator role for that domain, access is permitted, regardless of + the requestor's current role. =cut ############################################# 
@@ -156,22 +206,41 @@ sub can_view {
 }
 }
 } else {
- my @poss_domains = &Apache::lonnet::current_machine_domains();
- foreach my $dom (@poss_domains) {
- my %domconfig = &Apache::lonnet::get_dom('configuration',['serverstatuses'],$dom);
- if ($Apache::lonnet::env{'request.role'} eq "dc./$dom/") {
- $allowed = 1;
- } elsif (ref($domconfig{'serverstatuses'}) eq 'HASH') {
- if (ref($domconfig{'serverstatuses'}{$page}) eq 'HASH') {
- if ($domconfig{'serverstatuses'}{$page}{'namedusers'} ne '') {
- my @okusers = split(/,/,$domconfig{'serverstatuses'}{$page}{'namedusers'});
- if (grep(/^\Q$Apache::lonnet::env{'user.name'}:$Apache::lonnet::env{'user.domain'}\E$/,@okusers)) {
- $allowed = 1;
+ my @poss_domains;
+ if ($page eq 'showenv') {
+ @poss_domains = ($env{'user.domain'});
+ my $envkey = 'user.role.dc./'.$poss_domains[0].'/';
+ if (exists($Apache::lonnet::env{$envkey})) {
+ my $livedc = 1;
+ my $then = $Apache::lonnet::env{'user.login.time'};
+ my ($tstart,$tend)=split(/\./,$Apache::lonnet::env{$envkey});
+ if ($tstart && $tstart>$then) { $livedc = 0; }
+ if ($tend && $tend <$then) { $livedc = 0; }
+ if ($livedc) {
+ $allowed = 1;
+ }
+ }
+ } else {
+ @poss_domains = &Apache::lonnet::current_machine_domains();
+ }
+ unless ($allowed) {
+ foreach my $dom (@poss_domains) {
+ my %domconfig = &Apache::lonnet::get_dom('configuration',['serverstatuses'],
+ $dom);
+ if ($Apache::lonnet::env{'request.role'} eq "dc./$dom/") {
+ $allowed = 1;
+ } elsif (ref($domconfig{'serverstatuses'}) eq 'HASH') {
+ if (ref($domconfig{'serverstatuses'}{$page}) eq 'HASH') {
+ if ($domconfig{'serverstatuses'}{$page}{'namedusers'} ne '') {
+ my @okusers = split(/,/,$domconfig{'serverstatuses'}{$page}{'namedusers'});
+ if (grep(/^\Q$Apache::lonnet::env{'user.name'}:$Apache::lonnet::env{'user.domain'}\E$/,@okusers)) {
+ $allowed = 1;
+ }
 }
 }
 }
+ last if $allowed;
 }
- last if $allowed;
 }
 }
 return $allowed;
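Review bot: The showenv branch reads `$env{'user.domain'}` while every other environment lookup in this hunk, and in the code it replaces, goes through `$Apache::lonnet::env{...}`; under `use strict` a bare `%env` only compiles if one of the file's `use` lines exports it, and either way the line should be `@poss_domains = ($Apache::lonnet::env{'user.domain'});` so the sub reads one hash consistently. When user.domain is empty the branch still builds the key `user.role.dc.//` and then calls get_dom with an empty domain, so skipping the lookup when `$poss_domains[0] eq ''` would avoid a pointless round trip — I can't tell from here whether can_view is only reached by authenticated users. The DC-role validity test compares the role's start and end times against user.login.time rather than the current time, which matches the POD's "active" only if role validity is meant to be frozen at login; a one-line comment stating that intent would help the next reader. sub can_view begins before this hunk.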
@@ -246,7 +315,8 @@ sub serverstatus_titles {
 'metadata_harvest' => 'Harvest Metadata Searches',
 'takeoffline' => 'Offline - replace Log-in page',
 'takeonline' => 'Online - restore Log-in page',
- 'showenv' => "Show user environment",
+ 'showenv' => 'Show user environment',
+ 'toggledebug' => 'Toggle debug messages',
 );
 return \%titles;
 }