--- loncom/auth/lonroles.pm	2021/11/16 05:20:02	1.355
+++ loncom/auth/lonroles.pm	2022/05/24 16:23:04	1.363
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # User Roles Screen
 #
-# $Id: lonroles.pm,v 1.355 2021/11/16 05:20:02 raeburn Exp $
+# $Id: lonroles.pm,v 1.363 2022/05/24 16:23:04 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -181,7 +181,8 @@ ENDREDIR
 
 sub finish_loading_course {
     my ($r,$msg,$url) = @_;
-    my $link = '<div id="LC_course_loaded" style="display:none"><a href="'.$url.'">'.&mt('Continue').'</a></div>';
+    my $link = '<div id="LC_course_loaded" style="display:none"><a href="'.
+               &HTML::Entities::encode($url,'"<>&').'">'.&mt('Continue').'</a></div>';
     my $end_page = &Apache::loncommon::end_page();
     my $js_url = &js_escape($url);
     $r->print(<<END);
@@ -195,6 +196,7 @@ $msg
     var url = "$js_url";
     \$(location).attr('href',url);
 });
+// ]]>
 </script>
 $link
 $end_page
@@ -277,7 +279,8 @@ sub handler {
         $update = $then;
     }
 
-    my $norolelist;
+    my ($norolelist,$blocked_by_ip,$blocked_type,$clientip);
+    $clientip = &Apache::lonnet::get_requestor_ip($r);
     if (($env{'request.course.id'}) && ($env{'request.deeplink.login'})) {
         my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
         my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
@@ -314,6 +317,89 @@ sub handler {
         }
     }
 
+    if ($env{'form.selectrole'}) {
+        my ($role,$cdom,$cnum,$rest);
+        if ($env{'form.switchrole'} =~ m{^(co|cc|in|ta|ep|ad|st|cr).*?\./($match_domain)/($match_courseid)(/(\w+)|$)}) {
+            ($role,$cdom,$cnum,$rest) = ($1,$2,$3,$4);
+        } elsif ($env{'form.newrole'} =~ m{^(co|cc|in|ta|ep|ad|st|cr).*?\./($match_domain)/($match_courseid)(/(\w+)|$)}) {
+            ($role,$cdom,$cnum,$rest) = ($1,$2,$3,$4);
+        }
+        if ($cdom ne '') {
+            my ($has_evb,$check_ipaccess,$showrole);
+            $showrole = 1;
+            my $checkrole = "cm./$cdom/$cnum";
+            if ($rest ne '') {
+                $checkrole .= "/$rest";
+            }
+            if ((&Apache::lonnet::allowed('evb',undef,undef,$checkrole)) &&
+                ($role ne 'st')) {
+                $has_evb = 1;
+            }
+            unless ($has_evb) {
+                my @machinedoms = &Apache::lonnet::current_machine_domains();
+                my $udom = $env{'user.domain'};
+                if ($udom eq $cdom) {
+                    $check_ipaccess = 1;
+                } elsif (($udom ne '') && (grep(/^\Q$udom\E$/,@machinedoms))) {
+                    $check_ipaccess = 1;
+                } else {
+                    my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
+                    my $internet_names = &Apache::lonnet::get_internet_names($lonhost);
+                    my $cprim = &Apache::lonnet::domain($cdom,'primary');
+                    my $cintdom = &Apache::lonnet::internet_dom($cprim);
+                    if (($cintdom ne '') && (ref($internet_names) eq 'ARRAY')) {
+                        if (grep(/^\Q$cintdom\E$/,@{$internet_names})) {
+                            $check_ipaccess = 1;
+                        }
+                    }
+                }
+                if ($check_ipaccess) {
+                    my ($ipaccessref,$cached)=&Apache::lonnet::is_cached_new('ipaccess',$cdom);
+                    unless (defined($cached)) {
+                        my %domconfig =
+                            &Apache::lonnet::get_dom('configuration',['ipaccess'],$cdom);
+                        $ipaccessref = &Apache::lonnet::do_cache_new('ipaccess',$cdom,$domconfig{'ipaccess'},1800);
+                    }
+                    if (ref($ipaccessref) eq 'HASH') {
+                        foreach my $id (keys(%{$ipaccessref})) {
+                            if (ref($ipaccessref->{$id}) eq 'HASH') {
+                                my $range = $ipaccessref->{$id}->{'ip'};
+                                if ($range) {
+                                    my $type = 'exclude';
+                                    if (&Apache::lonnet::ip_match($clientip,$range)) {
+                                        $type = 'include';
+                                    }
+                                    if (ref($ipaccessref->{$id}->{'courses'}) eq 'HASH') {
+                                        if ($ipaccessref->{$id}->{'courses'}{$cdom.'_'.$cnum}) {
+                                            if ($type eq 'include') {
+                                                $showrole = 1;
+                                                last;
+                                            } else {
+                                                $showrole = 0;
+                                            }
+                                        } else {
+                                            if ($type eq 'include') {
+                                                $showrole = 0;
+                                            } else {
+                                                $showrole = 1;
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            unless ($showrole) {
+                $blocked_by_ip = 1;
+                $blocked_type = &Apache::loncommon::course_type($cdom.'_'.$cnum);
+                delete($env{'form.selectrole'});
+                delete($env{'form.newrole'});
+            }
+        }
+    }
+
     $registered_cleanup=0;
     @{$rosterupdates}=();
     &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'});
@@ -696,7 +782,7 @@ ENDCLOSE
                         $r->rflush();
                         my ($msg,$blockcrit,$critmsg_check);
                         $critmsg_check = 1;
-                        $blockcrit = &Apache::loncommon::blocking_status('alert',$cnum,$cdom,undef,1);
+                        $blockcrit = &Apache::loncommon::blocking_status('alert',$clientip,$cnum,$cdom,undef,1);
                         if ($blockcrit) {
                             my $checkrole = "cm./$cdom/$cnum";
                             if ($csec ne '') {
@@ -813,6 +899,9 @@ ENDCLOSE
                                         ($env{'request.lti.rosterid'} || $env{'request.lti.passbackid'})) {
                                         &process_lti($r,$cdom,$cnum);
                                     }
+                                    if ($env{'request.deeplink.login'}) {
+                                        &set_deeplink_target($cnum,$cdom);
+                                    }
                                     $msg = '<p>'.&mt('Entering [_1] ...',
                                                      $env{'course.'.$cdom.'_'.$cnum.'.description'}).
                                            '</p>';
@@ -844,6 +933,9 @@ ENDCLOSE
                                     ($env{'request.lti.rosterid'} || $env{'request.lti.passbackid'})) {
                                     &process_lti($r,$cdom,$cnum);
                                 }
+                                if ($env{'request.deeplink.login'}) {
+                                    &set_deeplink_target($cnum,$cdom);
+                                }
 				# Check to see if the user is a CC entering a course 
 				# for the first time
 				if ((($role eq 'cc') || ($role eq 'co')) 
@@ -1108,7 +1200,7 @@ ENDCLOSE
         $start_page=&Apache::loncommon::start_page($pagetitle,undef,
                                                   {bread_crumbs=>$brcrum,crstype=>'Placement'});
     } else {
-        my $crumbsright);
+        my $crumbsright;
         unless (($norolelist) && ((split(/:/,$env{'user.error.msg'}))[2])) {
             $funcs = &get_roles_functions($showcount,$cattype);
             if ($env{'browser.mobile'}) {
@@ -1260,6 +1352,16 @@ ENDHEADER
         $r->print('<input type="hidden" name="newrole" value="" />');
         $r->print('<input type="hidden" name="display" value="'.$display.'" />');
         $r->print('<input type="hidden" name="state" value="" />');
+        if ($blocked_by_ip) {
+            my $blocked_role = 'student';
+            if ($blocked_type eq 'Community') {
+                $blocked_role = 'member';
+            }
+            $r->print('<h3><span class="LC_error">'.
+                      &mt('The [_1] you selected is not available for access with a [_2] role from your current IP address: [_3].',
+                          lc($blocked_type),$blocked_role,$clientip).
+                      '</span></h3>');
+        }
     }
     $r->rflush();
 
@@ -1897,7 +1999,7 @@ sub findcourse_advice {
     } else {
         $r->print('<p>'.&mt('If you were expecting to see an active role listed for a particular course, that course may not have been created yet.').'</p>');
         if ($elapsed > 600) {
-            $r->print('<p>'.&mt('You may also have been assigned to a course in the time since you last logged-in, or checked for changes').
+            $r->print('<p>'.&mt('You may also have been assigned to a course in the time since you last logged-in, or checked for changes.').
                       '<br />'.
                       &mt('If that is the case you can use the "Check for changes" link in the gray Functions bar to update the list of your available course roles.').'</p>');
         }  
@@ -3452,6 +3554,32 @@ sub ltienroll {
     }
 }
 
+sub set_deeplink_target {
+    my ($cnum,$cdom) = @_;
+    if (($cnum ne '') && ($cdom ne '')) {
+        my $deeplink_symb = &Apache::loncommon::deeplink_login_symb($cnum,$cdom);
+        if ($deeplink_symb ne '') {
+            my $deeplink;
+            if ($deeplink_symb =~ /\.(page|sequence)$/) {
+                my $mapname = &Apache::lonnet::deversion((&Apache::lonnet::decode_symb($deeplink_symb))[2]);
+                my $navmap = Apache::lonnavmaps::navmap->new();
+                if (ref($navmap)) {
+                    $deeplink = $navmap->get_mapparam(undef,$mapname,'0.deeplink');
+                }
+            } elsif ($deeplink_symb ne '') {
+                $deeplink = &Apache::lonnet::EXT('resource.0.deeplink',$deeplink_symb);
+            }
+            if ($deeplink ne '') {
+                my ($state,$others,$listed,$scope,$protect,$display,$target) = split(/,/,$deeplink);
+                if ($target ne '') {
+                    &Apache::lonnet::appenv({'request.deeplink.target' => $target});
+                }
+            }
+        }
+    }
+    return;
+}
+
 1;
 __END__