File:
[LON-CAPA] /
loncom /
auth /
lonwebdavacc.pm
Revision
1.2:
download - view:
text,
annotated -
select for diffs
Mon Jun 23 20:27:46 2014 UTC (10 years ago) by
raeburn
Branches:
MAIN
CVS tags:
version_2_11_0,
HEAD
- Bug 6034
- Methods checking in webDAV:
- MKCOL/PUT disallowed for reserved filenames: *.meta, *.bak, *.save, *.log
- MOVE/DELETE disallowed for published files (unless marked obsolete).
- MOVE/DELETE disallowed for *.meta and *.log if corresponding file has
published status (unless marked obsolete).
- For MOVE/DELETE for a directory do (recursive) count of contained published
files (unless marked obsolete), and disallow if count > 0.
1: # The LearningOnline Network
2: # Authorization Handler for webDAV access to Authoring Space.
3: #
4: # $Id: lonwebdavacc.pm,v 1.2 2014/06/23 20:27:46 raeburn Exp $
5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28:
29: =pod
30:
31: =head1 NAME
32:
33: Apache::lonwebdavacc - webDAV Authorization Handler
34:
35: =head1 SYNOPSIS
36:
37: Invoked for /+webdav/[\w\-]+/[\w\-]+/ by
38: /etc/httpd/conf/loncapa_apache.conf:
39:
40: PerlAccessHandler Apache::lonwebdavacc
41:
42: =head1 INTRODUCTION
43:
44: This module enables authorization for authoring space
45: and is used to control access for the following type of URI:
46:
47: <LocationMatch "^/webdav/[\w\-]+/[\w\-]+>
48:
49: This module is only called following successful authentication.
50: Unless lonOtherAuthen has been set, so Single Sign On can be used,
51: successful authentication will have created a session file and
52: transferred the contents to the user's environment.
53:
54: In the case of SSO, there is no existing user environment, but
55: $r->user will have been set to the user's username, following
56: successful authentication. For SSO, the webDAV session file
57: and environment are set up by a call to
58: Apache::lonwebdavauth::init_webdav_env().
59:
60: Note: because Apache Basic Auth is used for authentication (unless SSO)
61: webDAV access is only available for servers running Apache with SSL.
62:
63: This is part of the LearningOnline Network with CAPA project
64: described at http://www.lon-capa.org.
65:
66: =head1 HANDLER SUBROUTINE
67:
68: This routine is called by Apache and mod_perl.
69:
70: =over 4
71:
72: =item *
73:
74: Checks if $env{'user.environment'} is defined.
75:
76: =item *
77:
78: If no %env, this was SSO authentication so call to &sso_login() to
79: create session, and return cookie.
80:
81: =item *
82:
83: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
84: and whether authenticated user has an active author or co-author
85: role in the corresonding Author Space.
86:
87: =back
88:
89: =head1 NOTABLE SUBROUTINES
90:
91: =over
92:
93: =item * sso_login()
94:
95: =over
96:
97: =item *
98:
99: Called if no user.environment exists in %env.
100:
101: =item *
102:
103: Checks if $r->user contains a valid user.
104:
105: =item *
106:
107: Domain is set either from lonSSOUserDomain perlvar (if defined)
108: or from lonDefDomain perlvar.
109:
110: =item *
111:
112: For a valid user a new session file and is created, and the corresponding
113: cookie is returned to the client in an Apache response header.
114:
115: =back
116:
117: =back
118:
119: =cut
120:
121: package Apache::lonwebdavacc;
122:
123: use strict;
124: use GDBM_File;
125: use Apache::Constants qw(:common :http :methods);
126: use Apache::lonnet;
127: use Apache::londiff();
128: use LONCAPA qw(:DEFAULT :match);
129:
130: sub handler {
131: my $r = shift;
132: my $timetolive = 600;
133: my $now = time;
134: my $sessiondir=$r->dir_config('lonDAVsessDir');
135:
136: my ($adom,$aname);
137: unless ($env{'user.environment'}) {
138: my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
139: if ($handle eq '') {
140: $handle = &sso_login($r,$sessiondir,$now,$timetolive);
141: if ($handle eq '') {
142: return FORBIDDEN;
143: }
144: } else {
145: &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
146: }
147: }
148: my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
149: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
150: return FORBIDDEN;
151: }
152:
153: ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
154: my $docroot = $r->dir_config('lonDocRoot');
155: if ($adom eq '' || $aname eq '') {
156: return FORBIDDEN;
157: } elsif (!-d "$docroot/priv/$adom/$aname") {
158: return FORBIDDEN;
159: }
160: my $allowed;
161: if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
162: if ($env{"user.role.au./$adom/"}) {
163: $allowed = 1;
164: }
165: } else {
166: if (($env{"user.role.ca./$adom/$aname"}) ||
167: (env{"user.role.aa./$adom/$aname"})) {
168: $allowed = 1;
169: }
170: }
171: if ($allowed) {
172: my $method = $r->method();
173: if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) ||
174: ($r->filename =~ m{/\.+[^_/]+$})) {
175: if (($method eq 'MKCOL') || ($method eq 'PUT')) {
176: return FORBIDDEN;
177: } elsif ($method eq 'MOVE') {
178: if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
179: return FORBIDDEN;
180: }
181: }
182: }
183: if (($method eq 'DELETE') || ($method eq 'MOVE')) {
184: unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
185: my $dirptr=16384;
186: my ($cmode,$cmtime)=(stat($r->filename))[2,9];
187: if (($cmode&$dirptr)) {
188: my $numpub = 0;
189: $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
190: if ($numpub) {
191: return FORBIDDEN;
192: }
193: } else {
194: if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
195: my $conjugate = $1;
196: my $type = $2;
197: if (($type eq 'log') || ($type eq 'meta')) {
198: if (-e $conjugate) {
199: my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
200: unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
201: return FORBIDDEN;
202: }
203: }
204: }
205: } else {
206: my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
207: unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
208: return FORBIDDEN;
209: }
210: }
211: }
212: }
213: }
214: return OK;
215: }
216: return FORBIDDEN;
217: }
218:
219: sub sso_login {
220: my ($r,$sessiondir,$now,$timetolive) = @_;
221: my ($uname,$udom);
222: my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
223: unless ($uname =~ /^$match_username$/) {
224: return;
225: }
226: $udom = $r->dir_config('lonSSOUserDomain');
227: if ($udom eq '') {
228: $udom = $r->dir_config('lonDefDomain');
229: }
230: unless (($udom =~ /^$match_domain$/)) {
231: return;
232: }
233: my $uhome = &Apache::lonnet::homeserver($uname,$udom);
234: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
235: return;
236: }
237: my $handle =
238: &Apache::lonwebdavauth::init_webdav_env($sessiondir,$uname,$udom,
239: $uhome,$now,$timetolive);
240: if ($handle ne '') {
241: my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
242: $r->header_out('Set-cookie' => $cookie);
243: $r->send_http_header;
244: }
245: return ($handle);
246: }
247:
248: sub pubstatus {
249: my ($fn,$docroot,$cmtime) = @_;
250: my $privfn = $fn;
251: my $thisdisfn = $fn;
252: $thisdisfn=~s/^\Q$docroot\E\/priv//;
253: my $resfn=$docroot.'/res'.$thisdisfn;
254: my $targetfn = '/res'.$thisdisfn;
255: my $status = 'unpublished';
256: if (-e $resfn) {
257: $status = 'published';
258: my $same = 0;
259: if ((stat($resfn))[9] >= $cmtime) {
260: $same = 1;
261: } else {
262: if (&Apache::londiff::are_different_files($resfn,$privfn)) {
263: $same = 0;
264: } else {
265: $same = 1;
266: }
267: }
268: if ($same) {
269: if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
270: $status = 'obsolete';
271: }
272: }
273: }
274: return $status;
275: }
276:
277: sub recurse_dir {
278: my ($dirname,$docroot,$numpub) = @_;
279: $dirname =~ s{/$}{};
280: my $dirptr=16384;
281: if (opendir(my $dirh,$dirname)) {
282: my @items = readdir($dirh);
283: closedir($dirh);
284: foreach my $item (@items) {
285: next if ($item =~ /.+\.(log|bak|save|meta)$/);
286: next if ($item =~ /^\.+/);
287: my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
288: if (!($cmode&$dirptr)) {
289: if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
290: $numpub ++;
291: }
292: } else {
293: $numpub = &recursedir("$dirname/$item",$docroot,$numpub);
294: }
295: }
296: }
297: return $numpub;
298: }
299:
300: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonwebdavacc.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth