PageRenderTime 160ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/login/index.php

https://github.com/websupport/moodle
PHP | 350 lines | 230 code | 61 blank | 59 comment | 82 complexity | a5e3e145bf3fc64db7461dcb3bfe771f MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. // This file is part of Moodle - http://moodle.org/
    4. 

  4. //
    5. 

  5. // Moodle is free software: you can redistribute it and/or modify
    6. 

  6. // it under the terms of the GNU General Public License as published by
    7. 

  7. // the Free Software Foundation, either version 3 of the License, or
    8. 

  8. // (at your option) any later version.
    9. 

  9. //
    10. 

  10. // Moodle is distributed in the hope that it will be useful,
    11. 

  11. // but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13. // GNU General Public License for more details.
    14. 

  14. //
    15. 

  15. // You should have received a copy of the GNU General Public License
    16. 

  16. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17. 

  18. /**
    19. 

  19.  * Main login page.
    20. 

  20.  *
    21. 

  21.  * @package    core
    22. 

  22.  * @subpackage auth
    23. 

  23.  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
    24. 

  24.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
    25. 

  25.  */
    26. 

  26. 

  27. require('../config.php');
    28. 

  28. 

  29. redirect_if_major_upgrade_required();
    30. 

  30. 

  31. $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
    32. 

  32. $cancel      = optional_param('cancel', 0, PARAM_BOOL);      // redirect to frontpage, needed for loginhttps
    33. 

  33. 

  34. if ($cancel) {
    35. 

  35.     redirect(new moodle_url('/'));
    36. 

  36. }
    37. 

  37. 

  38. //HTTPS is required in this page when $CFG->loginhttps enabled
    39. 

  39. $PAGE->https_required();
    40. 

  40. 

  41. $context = get_context_instance(CONTEXT_SYSTEM);
    42. 

  42. $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
    43. 

  43. $PAGE->set_context($context);
    44. 

  44. $PAGE->set_pagelayout('login');
    45. 

  45. 

  46. /// Initialize variables
    47. 

  47. $errormsg = '';
    48. 

  48. $errorcode = 0;
    49. 

  49. 

  50. // login page requested session test
    51. 

  51. if ($testsession) {
    52. 

  52.     if ($testsession == $USER->id) {
    53. 

  53.         if (isset($SESSION->wantsurl)) {
    54. 

  54.             $urltogo = $SESSION->wantsurl;
    55. 

  55.         } else {
    56. 

  56.             $urltogo = $CFG->wwwroot.'/';
    57. 

  57.         }
    58. 

  58.         unset($SESSION->wantsurl);
    59. 

  59.         redirect($urltogo);
    60. 

  60.     } else {
    61. 

  61.         // TODO: try to find out what is the exact reason why sessions do not work
    62. 

  62.         $errormsg = get_string("cookiesnotenabled");
    63. 

  63.         $errorcode = 1;
    64. 

  64.     }
    65. 

  65. }
    66. 

  66. 

  67. /// Check for timed out sessions
    68. 

  68. if (!empty($SESSION->has_timed_out)) {
    69. 

  69.     $session_has_timed_out = true;
    70. 

  70.     unset($SESSION->has_timed_out);
    71. 

  71. } else {
    72. 

  72.     $session_has_timed_out = false;
    73. 

  73. }
    74. 

  74. 

  75. /// auth plugins may override these - SSO anyone?
    76. 

  76. $frm  = false;
    77. 

  77. $user = false;
    78. 

  78. 

  79. $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
    80. 

  80. foreach($authsequence as $authname) {
    81. 

  81.     $authplugin = get_auth_plugin($authname);
    82. 

  82.     $authplugin->loginpage_hook();
    83. 

  83. }
    84. 

  84. 

  85. 

  86. /// Define variables used in page
    87. 

  87. $site = get_site();
    88. 

  88. 

  89. $loginsite = get_string("loginsite");
    90. 

  90. $PAGE->navbar->add($loginsite);
    91. 

  91. 

  92. if ($user !== false or $frm !== false or $errormsg !== '') {
    93. 

  93.     // some auth plugin already supplied full user, fake form data or prevented user login with error message
    94. 

  94. 

  95. } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
    96. 

  96.     // Handles the case of another Moodle site linking into a page on this site
    97. 

  97.     //TODO: move weblink into own auth plugin
    98. 

  98.     include($CFG->dirroot.'/login/weblinkauth.php');
    99. 

  99.     if (function_exists('weblink_auth')) {
    100. 

  100.         $user = weblink_auth($SESSION->wantsurl);
    101. 

  101.     }
    102. 

  102.     if ($user) {
    103. 

  103.         $frm->username = $user->username;
    104. 

  104.     } else {
    105. 

  105.         $frm = data_submitted();
    106. 

  106.     }
    107. 

  107. 

  108. } else {
    109. 

  109.     $frm = data_submitted();
    110. 

  110. }
    111. 

  111. 

  112. /// Check if the user has actually submitted login data to us
    113. 

  113. 

  114. if ($frm and isset($frm->username)) {                             // Login WITH cookies
    115. 

  115. 

  116.     $frm->username = trim(moodle_strtolower($frm->username));
    117. 

  117. 

  118.     if (is_enabled_auth('none') ) {
    119. 

  119.         if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
    120. 

  120.             $errormsg = get_string('username').': '.get_string("invalidusername");
    121. 

  121.             $errorcode = 2;
    122. 

  122.             $user = null;
    123. 

  123.         }
    124. 

  124.     }
    125. 

  125. 

  126.     if ($user) {
    127. 

  127.         //user already supplied by aut plugin prelogin hook
    128. 

  128.     } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
    129. 

  129.         $user = false;    /// Can't log in as guest if guest button is disabled
    130. 

  130.         $frm = false;
    131. 

  131.     } else {
    132. 

  132.         if (empty($errormsg)) {
    133. 

  133.             $user = authenticate_user_login($frm->username, $frm->password);
    134. 

  134.         }
    135. 

  135.     }
    136. 

  136. 

  137.     // Intercept 'restored' users to provide them with info & reset password
    138. 

  138.     if (!$user and $frm and is_restored_user($frm->username)) {
    139. 

  139.         $PAGE->set_title(get_string('restoredaccount'));
    140. 

  140.         $PAGE->set_heading($site->fullname);
    141. 

  141.         echo $OUTPUT->header();
    142. 

  142.         echo $OUTPUT->heading(get_string('restoredaccount'));
    143. 

  143.         echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
    144. 

  144.         require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
    145. 

  145.         $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
    146. 

  146.         $form->display();
    147. 

  147.         echo $OUTPUT->footer();
    148. 

  148.         die;
    149. 

  149.     }
    150. 

  150. 

  151.     update_login_count();
    152. 

  152. 

  153.     if ($user) {
    154. 

  154. 

  155.         // language setup
    156. 

  156.         if (isguestuser($user)) {
    157. 

  157.             // no predefined language for guests - use existing session or default site lang
    158. 

  158.             unset($user->lang);
    159. 

  159. 

  160.         } else if (!empty($user->lang)) {
    161. 

  161.             // unset previous session language - use user preference instead
    162. 

  162.             unset($SESSION->lang);
    163. 

  163.         }
    164. 

  164. 

  165.         if (empty($user->confirmed)) {       // This account was never confirmed
    166. 

  166.             $PAGE->set_title(get_string("mustconfirm"));
    167. 

  167.             $PAGE->set_heading($site->fullname);
    168. 

  168.             echo $OUTPUT->header();
    169. 

  169.             echo $OUTPUT->heading(get_string("mustconfirm"));
    170. 

  170.             echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
    171. 

  171.             echo $OUTPUT->footer();
    172. 

  172.             die;
    173. 

  173.         }
    174. 

  174. 

  175.     /// Let's get them all set up.
    176. 

  176.         add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID,
    177. 

  177.                    $user->id, 0, $user->id);
    178. 

  178.         complete_user_login($user);
    179. 

  179. 

  180.         // sets the username cookie
    181. 

  181.         if (!empty($CFG->nolastloggedin)) {
    182. 

  182.             // do not store last logged in user in cookie
    183. 

  183.             // auth plugins can temporarily override this from loginpage_hook()
    184. 

  184.             // do not save $CFG->nolastloggedin in database!
    185. 

  185. 

  186.         } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
    187. 

  187.             // no permanent cookies, delete old one if exists
    188. 

  188.             set_moodle_cookie('');
    189. 

  189. 

  190.         } else {
    191. 

  191.             set_moodle_cookie($USER->username);
    192. 

  192.         }
    193. 

  193. 

  194.     /// Prepare redirection
    195. 

  195.         if (user_not_fully_set_up($USER)) {
    196. 

  196.             $urltogo = $CFG->wwwroot.'/user/edit.php';
    197. 

  197.             // We don't delete $SESSION->wantsurl yet, so we get there later
    198. 

  198. 

  199.         } else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0 or strpos($SESSION->wantsurl, str_replace('http://', 'https://', $CFG->wwwroot)) === 0)) {
    200. 

  200.             $urltogo = $SESSION->wantsurl;    /// Because it's an address in this site
    201. 

  201.             unset($SESSION->wantsurl);
    202. 

  202. 

  203.         } else {
    204. 

  204.             // no wantsurl stored or external - go to homepage
    205. 

  205.             $urltogo = $CFG->wwwroot.'/';
    206. 

  206.             unset($SESSION->wantsurl);
    207. 

  207.         }
    208. 

  208. 

  209.     /// Go to my-moodle page instead of site homepage if defaulthomepage set to homepage_my
    210. 

  210.         if (!empty($CFG->defaulthomepage) && $CFG->defaulthomepage == HOMEPAGE_MY && !is_siteadmin() && !isguestuser()) {
    211. 

  211.             if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
    212. 

  212.                 $urltogo = $CFG->wwwroot.'/my/';
    213. 

  213.             }
    214. 

  214.         }
    215. 

  215. 

  216. 

  217.     /// check if user password has expired
    218. 

  218.     /// Currently supported only for ldap-authentication module
    219. 

  219.         $userauth = get_auth_plugin($USER->auth);
    220. 

  220.         if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
    221. 

  221.             if ($userauth->can_change_password()) {
    222. 

  222.                 $passwordchangeurl = $userauth->change_password_url();
    223. 

  223.                 if (!$passwordchangeurl) {
    224. 

  224.                     $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
    225. 

  225.                 }
    226. 

  226.             } else {
    227. 

  227.                 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
    228. 

  228.             }
    229. 

  229.             $days2expire = $userauth->password_expire($USER->username);
    230. 

  230.             $PAGE->set_title("$site->fullname: $loginsite");
    231. 

  231.             $PAGE->set_heading("$site->fullname");
    232. 

  232.             if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
    233. 

  233.                 echo $OUTPUT->header();
    234. 

  234.                 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
    235. 

  235.                 echo $OUTPUT->footer();
    236. 

  236.                 exit;
    237. 

  237.             } elseif (intval($days2expire) < 0 ) {
    238. 

  238.                 echo $OUTPUT->header();
    239. 

  239.                 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
    240. 

  240.                 echo $OUTPUT->footer();
    241. 

  241.                 exit;
    242. 

  242.             }
    243. 

  243.         }
    244. 

  244. 

  245.         reset_login_count();
    246. 

  246. 

  247.         // test the session actually works by redirecting to self
    248. 

  248.         $SESSION->wantsurl = $urltogo;
    249. 

  249.         redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
    250. 

  250. 

  251.     } else {
    252. 

  252.         if (empty($errormsg)) {
    253. 

  253.             $errormsg = get_string("invalidlogin");
    254. 

  254.             $errorcode = 3;
    255. 

  255.         }
    256. 

  256.     }
    257. 

  257. }
    258. 

  258. 

  259. /// Detect problems with timedout sessions
    260. 

  260. if ($session_has_timed_out and !data_submitted()) {
    261. 

  261.     $errormsg = get_string('sessionerroruser', 'error');
    262. 

  262.     $errorcode = 4;
    263. 

  263. }
    264. 

  264. 

  265. /// First, let's remember where the user was trying to get to before they got here
    266. 

  266. 

  267. if (empty($SESSION->wantsurl)) {
    268. 

  268.     $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
    269. 

  269.                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
    270. 

  270.                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
    271. 

  271.                           $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
    272. 

  272.                           $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/index.php')
    273. 

  273.         ? $_SERVER["HTTP_REFERER"] : NULL;
    274. 

  274. }
    275. 

  275. 

  276. /// Redirect to alternative login URL if needed
    277. 

  277. if (!empty($CFG->alternateloginurl)) {
    278. 

  278.     $loginurl = $CFG->alternateloginurl;
    279. 

  279. 

  280.     if (strpos($SESSION->wantsurl, $loginurl) === 0) {
    281. 

  281.         //we do not want to return to alternate url
    282. 

  282.         $SESSION->wantsurl = NULL;
    283. 

  283.     }
    284. 

  284. 

  285.     if ($errorcode) {
    286. 

  286.         if (strpos($loginurl, '?') === false) {
    287. 

  287.             $loginurl .= '?';
    288. 

  288.         } else {
    289. 

  289.             $loginurl .= '&';
    290. 

  290.         }
    291. 

  291.         $loginurl .= 'errorcode='.$errorcode;
    292. 

  292.     }
    293. 

  293. 

  294.     redirect($loginurl);
    295. 

  295. }
    296. 

  296. 

  297. // make sure we really are on the https page when https login required
    298. 

  298. $PAGE->verify_https_required();
    299. 

  299. 

  300. /// Generate the login page with forms
    301. 

  301. 

  302. if (empty($frm->username) && $authsequence[0] != 'shibboleth') {  // See bug 5184
    303. 

  303.     if (!empty($_GET["username"])) {
    304. 

  304.         $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
    305. 

  305.     } else {
    306. 

  306.         $frm->username = get_moodle_cookie();
    307. 

  307.     }
    308. 

  308. 

  309.     $frm->password = "";
    310. 

  310. }
    311. 

  311. 

  312. if (!empty($frm->username)) {
    313. 

  313.     $focus = "password";
    314. 

  314. } else {
    315. 

  315.     $focus = "username";
    316. 

  316. }
    317. 

  317. 

  318. if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
    319. 

  319.     $show_instructions = true;
    320. 

  320. } else {
    321. 

  321.     $show_instructions = false;
    322. 

  322. }
    323. 

  323. 

  324. $potentialidps = array();
    325. 

  325. foreach($authsequence as $authname) {
    326. 

  326.     $authplugin = get_auth_plugin($authname);
    327. 

  327.     $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
    328. 

  328. }
    329. 

  329. 

  330. $PAGE->set_title("$site->fullname: $loginsite");
    331. 

  331. $PAGE->set_heading("$site->fullname");
    332. 

  332. 

  333. echo $OUTPUT->header();
    334. 

  334. 

  335. if (isloggedin() and !isguestuser()) {
    336. 

  336.     // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
    337. 

  337.     echo $OUTPUT->box_start();
    338. 

  338.     $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
    339. 

  339.     $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
    340. 

  340.     echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
    341. 

  341.     echo $OUTPUT->box_end();
    342. 

  342. } else {
    343. 

  343.     include("index_form.html");
    344. 

  344.     if (!empty($CFG->loginpageautofocus)) {
    345. 

  345.         //focus username or password
    346. 

  346.         $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
    347. 

  347.     }
    348. 

  348. }
    349. 

  349. 

  350. echo $OUTPUT->footer();
    351. 

  351.