PageRenderTime 29ms CodeModel.GetById 17ms RepoModel.GetById 0ms app.codeStats 0ms

/login/index.php

https://github.com/websupport/moodle
PHP | 350 lines | 230 code | 61 blank | 59 comment | 82 complexity | a5e3e145bf3fc64db7461dcb3bfe771f MD5 | raw file
  1. <?php
  2. // This file is part of Moodle - http://moodle.org/
  3. //
  4. // Moodle is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU General Public License as published by
  6. // the Free Software Foundation, either version 3 of the License, or
  7. // (at your option) any later version.
  8. //
  9. // Moodle is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. // GNU General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU General Public License
  15. // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
  16. /**
  17. * Main login page.
  18. *
  19. * @package core
  20. * @subpackage auth
  21. * @copyright 1999 onwards Martin Dougiamas http://dougiamas.com
  22. * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23. */
  24. require('../config.php');
  25. redirect_if_major_upgrade_required();
  26. $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
  27. $cancel = optional_param('cancel', 0, PARAM_BOOL); // redirect to frontpage, needed for loginhttps
  28. if ($cancel) {
  29. redirect(new moodle_url('/'));
  30. }
  31. //HTTPS is required in this page when $CFG->loginhttps enabled
  32. $PAGE->https_required();
  33. $context = get_context_instance(CONTEXT_SYSTEM);
  34. $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
  35. $PAGE->set_context($context);
  36. $PAGE->set_pagelayout('login');
  37. /// Initialize variables
  38. $errormsg = '';
  39. $errorcode = 0;
  40. // login page requested session test
  41. if ($testsession) {
  42. if ($testsession == $USER->id) {
  43. if (isset($SESSION->wantsurl)) {
  44. $urltogo = $SESSION->wantsurl;
  45. } else {
  46. $urltogo = $CFG->wwwroot.'/';
  47. }
  48. unset($SESSION->wantsurl);
  49. redirect($urltogo);
  50. } else {
  51. // TODO: try to find out what is the exact reason why sessions do not work
  52. $errormsg = get_string("cookiesnotenabled");
  53. $errorcode = 1;
  54. }
  55. }
  56. /// Check for timed out sessions
  57. if (!empty($SESSION->has_timed_out)) {
  58. $session_has_timed_out = true;
  59. unset($SESSION->has_timed_out);
  60. } else {
  61. $session_has_timed_out = false;
  62. }
  63. /// auth plugins may override these - SSO anyone?
  64. $frm = false;
  65. $user = false;
  66. $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
  67. foreach($authsequence as $authname) {
  68. $authplugin = get_auth_plugin($authname);
  69. $authplugin->loginpage_hook();
  70. }
  71. /// Define variables used in page
  72. $site = get_site();
  73. $loginsite = get_string("loginsite");
  74. $PAGE->navbar->add($loginsite);
  75. if ($user !== false or $frm !== false or $errormsg !== '') {
  76. // some auth plugin already supplied full user, fake form data or prevented user login with error message
  77. } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
  78. // Handles the case of another Moodle site linking into a page on this site
  79. //TODO: move weblink into own auth plugin
  80. include($CFG->dirroot.'/login/weblinkauth.php');
  81. if (function_exists('weblink_auth')) {
  82. $user = weblink_auth($SESSION->wantsurl);
  83. }
  84. if ($user) {
  85. $frm->username = $user->username;
  86. } else {
  87. $frm = data_submitted();
  88. }
  89. } else {
  90. $frm = data_submitted();
  91. }
  92. /// Check if the user has actually submitted login data to us
  93. if ($frm and isset($frm->username)) { // Login WITH cookies
  94. $frm->username = trim(moodle_strtolower($frm->username));
  95. if (is_enabled_auth('none') ) {
  96. if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
  97. $errormsg = get_string('username').': '.get_string("invalidusername");
  98. $errorcode = 2;
  99. $user = null;
  100. }
  101. }
  102. if ($user) {
  103. //user already supplied by aut plugin prelogin hook
  104. } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
  105. $user = false; /// Can't log in as guest if guest button is disabled
  106. $frm = false;
  107. } else {
  108. if (empty($errormsg)) {
  109. $user = authenticate_user_login($frm->username, $frm->password);
  110. }
  111. }
  112. // Intercept 'restored' users to provide them with info & reset password
  113. if (!$user and $frm and is_restored_user($frm->username)) {
  114. $PAGE->set_title(get_string('restoredaccount'));
  115. $PAGE->set_heading($site->fullname);
  116. echo $OUTPUT->header();
  117. echo $OUTPUT->heading(get_string('restoredaccount'));
  118. echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
  119. require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
  120. $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
  121. $form->display();
  122. echo $OUTPUT->footer();
  123. die;
  124. }
  125. update_login_count();
  126. if ($user) {
  127. // language setup
  128. if (isguestuser($user)) {
  129. // no predefined language for guests - use existing session or default site lang
  130. unset($user->lang);
  131. } else if (!empty($user->lang)) {
  132. // unset previous session language - use user preference instead
  133. unset($SESSION->lang);
  134. }
  135. if (empty($user->confirmed)) { // This account was never confirmed
  136. $PAGE->set_title(get_string("mustconfirm"));
  137. $PAGE->set_heading($site->fullname);
  138. echo $OUTPUT->header();
  139. echo $OUTPUT->heading(get_string("mustconfirm"));
  140. echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
  141. echo $OUTPUT->footer();
  142. die;
  143. }
  144. /// Let's get them all set up.
  145. add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID,
  146. $user->id, 0, $user->id);
  147. complete_user_login($user);
  148. // sets the username cookie
  149. if (!empty($CFG->nolastloggedin)) {
  150. // do not store last logged in user in cookie
  151. // auth plugins can temporarily override this from loginpage_hook()
  152. // do not save $CFG->nolastloggedin in database!
  153. } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
  154. // no permanent cookies, delete old one if exists
  155. set_moodle_cookie('');
  156. } else {
  157. set_moodle_cookie($USER->username);
  158. }
  159. /// Prepare redirection
  160. if (user_not_fully_set_up($USER)) {
  161. $urltogo = $CFG->wwwroot.'/user/edit.php';
  162. // We don't delete $SESSION->wantsurl yet, so we get there later
  163. } else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0 or strpos($SESSION->wantsurl, str_replace('http://', 'https://', $CFG->wwwroot)) === 0)) {
  164. $urltogo = $SESSION->wantsurl; /// Because it's an address in this site
  165. unset($SESSION->wantsurl);
  166. } else {
  167. // no wantsurl stored or external - go to homepage
  168. $urltogo = $CFG->wwwroot.'/';
  169. unset($SESSION->wantsurl);
  170. }
  171. /// Go to my-moodle page instead of site homepage if defaulthomepage set to homepage_my
  172. if (!empty($CFG->defaulthomepage) && $CFG->defaulthomepage == HOMEPAGE_MY && !is_siteadmin() && !isguestuser()) {
  173. if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
  174. $urltogo = $CFG->wwwroot.'/my/';
  175. }
  176. }
  177. /// check if user password has expired
  178. /// Currently supported only for ldap-authentication module
  179. $userauth = get_auth_plugin($USER->auth);
  180. if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
  181. if ($userauth->can_change_password()) {
  182. $passwordchangeurl = $userauth->change_password_url();
  183. if (!$passwordchangeurl) {
  184. $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
  185. }
  186. } else {
  187. $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
  188. }
  189. $days2expire = $userauth->password_expire($USER->username);
  190. $PAGE->set_title("$site->fullname: $loginsite");
  191. $PAGE->set_heading("$site->fullname");
  192. if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
  193. echo $OUTPUT->header();
  194. echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
  195. echo $OUTPUT->footer();
  196. exit;
  197. } elseif (intval($days2expire) < 0 ) {
  198. echo $OUTPUT->header();
  199. echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
  200. echo $OUTPUT->footer();
  201. exit;
  202. }
  203. }
  204. reset_login_count();
  205. // test the session actually works by redirecting to self
  206. $SESSION->wantsurl = $urltogo;
  207. redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
  208. } else {
  209. if (empty($errormsg)) {
  210. $errormsg = get_string("invalidlogin");
  211. $errorcode = 3;
  212. }
  213. }
  214. }
  215. /// Detect problems with timedout sessions
  216. if ($session_has_timed_out and !data_submitted()) {
  217. $errormsg = get_string('sessionerroruser', 'error');
  218. $errorcode = 4;
  219. }
  220. /// First, let's remember where the user was trying to get to before they got here
  221. if (empty($SESSION->wantsurl)) {
  222. $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
  223. $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
  224. $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
  225. $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
  226. $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/index.php')
  227. ? $_SERVER["HTTP_REFERER"] : NULL;
  228. }
  229. /// Redirect to alternative login URL if needed
  230. if (!empty($CFG->alternateloginurl)) {
  231. $loginurl = $CFG->alternateloginurl;
  232. if (strpos($SESSION->wantsurl, $loginurl) === 0) {
  233. //we do not want to return to alternate url
  234. $SESSION->wantsurl = NULL;
  235. }
  236. if ($errorcode) {
  237. if (strpos($loginurl, '?') === false) {
  238. $loginurl .= '?';
  239. } else {
  240. $loginurl .= '&';
  241. }
  242. $loginurl .= 'errorcode='.$errorcode;
  243. }
  244. redirect($loginurl);
  245. }
  246. // make sure we really are on the https page when https login required
  247. $PAGE->verify_https_required();
  248. /// Generate the login page with forms
  249. if (empty($frm->username) && $authsequence[0] != 'shibboleth') { // See bug 5184
  250. if (!empty($_GET["username"])) {
  251. $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
  252. } else {
  253. $frm->username = get_moodle_cookie();
  254. }
  255. $frm->password = "";
  256. }
  257. if (!empty($frm->username)) {
  258. $focus = "password";
  259. } else {
  260. $focus = "username";
  261. }
  262. if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
  263. $show_instructions = true;
  264. } else {
  265. $show_instructions = false;
  266. }
  267. $potentialidps = array();
  268. foreach($authsequence as $authname) {
  269. $authplugin = get_auth_plugin($authname);
  270. $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
  271. }
  272. $PAGE->set_title("$site->fullname: $loginsite");
  273. $PAGE->set_heading("$site->fullname");
  274. echo $OUTPUT->header();
  275. if (isloggedin() and !isguestuser()) {
  276. // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
  277. echo $OUTPUT->box_start();
  278. $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
  279. $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
  280. echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
  281. echo $OUTPUT->box_end();
  282. } else {
  283. include("index_form.html");
  284. if (!empty($CFG->loginpageautofocus)) {
  285. //focus username or password
  286. $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
  287. }
  288. }
  289. echo $OUTPUT->footer();