public function __fav_user_login($user)
{
global $CFG, $USER;
// regenerate session id and delete old session,
// this helps prevent session fixation attacks from the same domain
session_regenerate_id(true);
// let enrol plugins deal with new enrolments if necessary
enrol_check_plugins($user);
// check enrolments, load caps and setup $USER object
session_set_user($user);
// reload preferences from DB
unset($USER->preference);
check_user_preferences_loaded($USER);
// update login times
update_user_login_times();
// extra session prefs init
set_login_session_preferences();
if (isguestuser()) {
// no need to continue when user is THE guest
return $USER;
}
return $USER;
}
/**
* Call to complete the user login process after authenticate_user_login()
* has succeeded. It will setup the $USER variable and other required bits
* and pieces.
*
* NOTE:
* - It will NOT log anything -- up to the caller to decide what to log.
* - this function does not set any cookies any more!
*
* @param stdClass $user
* @return stdClass A {@link $USER} object - BC only, do not use
*/
function complete_user_login($user)
{
global $CFG, $USER, $SESSION;
\core\session\manager::login_user($user);
// Reload preferences from DB.
unset($USER->preference);
check_user_preferences_loaded($USER);
// Update login times.
update_user_login_times();
// Extra session prefs init.
set_login_session_preferences();
// Trigger login event.
$event = \core\event\user_loggedin::create(array('userid' => $USER->id, 'objectid' => $USER->id, 'other' => array('username' => $USER->username)));
$event->trigger();
if (isguestuser()) {
// No need to continue when user is THE guest.
return $USER;
}
if (CLI_SCRIPT) {
// We can redirect to password change URL only in browser.
return $USER;
}
// Select password change url.
$userauth = get_auth_plugin($USER->auth);
// Check whether the user should be changing password.
if (get_user_preferences('auth_forcepasswordchange', false)) {
if ($userauth->can_change_password()) {
if ($changeurl = $userauth->change_password_url()) {
redirect($changeurl);
} else {
$SESSION->wantsurl = core_login_get_return_url();
redirect($CFG->httpswwwroot . '/login/change_password.php');
}
} else {
print_error('nopasswordchangeforced', 'auth');
}
}
return $USER;
}
print_footer();
die;
}
/// Let's get them all set up.
$USER = $user;
add_to_log(SITEID, 'user', 'login', "view.php?id={$USER->id}&course=" . SITEID, $USER->id, 0, $USER->id);
update_user_login_times();
if (empty($CFG->nolastloggedin)) {
set_moodle_cookie($USER->username);
} else {
// do not store last logged in user in cookie
// auth plugins can temporarily override this from loginpage_hook()
// do not save $CFG->nolastloggedin in database!
set_moodle_cookie('nobody');
}
set_login_session_preferences();
/// This is what lets the user do anything on the site :-)
load_all_capabilities();
/// Select password change url
$userauth = get_auth_plugin($USER->auth);
if ($userauth->can_change_password()) {
if ($userauth->change_password_url()) {
$passwordchangeurl = $userauth->change_password_url();
} else {
$passwordchangeurl = $CFG->httpswwwroot . '/login/change_password.php';
}
} else {
$passwordchangeurl = '';
}
/// check whether the user should be changing password
if (get_user_preferences('auth_forcepasswordchange', false) || $frm->password == 'changeme') {
/**
* Call to complete the user login process after authenticate_user_login()
* has succeeded. It will setup the $USER variable and other required bits
* and pieces.
*
* NOTE:
* - It will NOT log anything -- up to the caller to decide what to log.
*
*
*
* @uses $CFG, $USER
* @param string $user obj
* @return user|flase A {@link $USER} object or false if error
*/
function complete_user_login($user)
{
global $CFG, $USER;
$USER = $user;
// this is required because we need to access preferences here!
if (!empty($CFG->regenloginsession)) {
// please note this setting may break some auth plugins
session_regenerate_id();
}
reload_user_preferences();
update_user_login_times();
if (empty($CFG->nolastloggedin)) {
set_moodle_cookie($USER->username);
} else {
// do not store last logged in user in cookie
// auth plugins can temporarily override this from loginpage_hook()
// do not save $CFG->nolastloggedin in database!
set_moodle_cookie('nobody');
}
set_login_session_preferences();
// Call enrolment plugins
check_enrolment_plugins($user);
/// This is what lets the user do anything on the site :-)
load_all_capabilities();
/// Select password change url
$userauth = get_auth_plugin($USER->auth);
/// check whether the user should be changing password
if (get_user_preferences('auth_forcepasswordchange', false)) {
if ($userauth->can_change_password()) {
if ($changeurl = $userauth->change_password_url()) {
redirect($changeurl);
} else {
redirect($CFG->httpswwwroot . '/login/change_password.php');
}
} else {
print_error('nopasswordchangeforced', 'auth');
}
}
return $USER;
}
/**
* Call to complete the user login process after authenticate_user_login()
* has succeeded. It will setup the $USER variable and other required bits
* and pieces.
*
* NOTE:
* - It will NOT log anything -- up to the caller to decide what to log.
*
* @param object $user
* @param bool $setcookie
* @return object A {@link $USER} object - BC only, do not use
*/
function complete_user_login($user, $setcookie = true)
{
global $CFG, $USER;
// regenerate session id and delete old session,
// this helps prevent session fixation attacks from the same domain
session_regenerate_id(true);
// check enrolments, load caps and setup $USER object
session_set_user($user);
// reload preferences from DB
unset($user->preference);
check_user_preferences_loaded($user);
// update login times
update_user_login_times();
// extra session prefs init
set_login_session_preferences();
if (isguestuser()) {
// no need to continue when user is THE guest
return $USER;
}
if ($setcookie) {
if (empty($CFG->nolastloggedin)) {
set_moodle_cookie($USER->username);
} else {
// do not store last logged in user in cookie
// auth plugins can temporarily override this from loginpage_hook()
// do not save $CFG->nolastloggedin in database!
set_moodle_cookie('');
}
}
/// Select password change url
$userauth = get_auth_plugin($USER->auth);
/// check whether the user should be changing password
if (get_user_preferences('auth_forcepasswordchange', false)) {
if ($userauth->can_change_password()) {
if ($changeurl = $userauth->change_password_url()) {
redirect($changeurl);
} else {
redirect($CFG->httpswwwroot . '/login/change_password.php');
}
} else {
print_error('nopasswordchangeforced', 'auth');
}
}
return $USER;
}
/**
* Call to complete the user login process after authenticate_user_login()
* has succeeded. It will setup the $USER variable and other required bits
* and pieces.
*
* NOTE:
* - It will NOT log anything -- up to the caller to decide what to log.
* - this function does not set any cookies any more!
*
* @param object $user
* @return object A {@link $USER} object - BC only, do not use
*/
function complete_user_login($user)
{
global $CFG, $USER;
// regenerate session id and delete old session,
// this helps prevent session fixation attacks from the same domain
session_regenerate_id(true);
// let enrol plugins deal with new enrolments if necessary
enrol_check_plugins($user);
// check enrolments, load caps and setup $USER object
session_set_user($user);
// reload preferences from DB
unset($USER->preference);
check_user_preferences_loaded($USER);
// update login times
update_user_login_times();
// extra session prefs init
set_login_session_preferences();
if (isguestuser()) {
// no need to continue when user is THE guest
return $USER;
}
/// Select password change url
$userauth = get_auth_plugin($USER->auth);
/// check whether the user should be changing password
if (get_user_preferences('auth_forcepasswordchange', false)) {
if ($userauth->can_change_password()) {
if ($changeurl = $userauth->change_password_url()) {
redirect($changeurl);
} else {
redirect($CFG->httpswwwroot . '/login/change_password.php');
}
} else {
print_error('nopasswordchangeforced', 'auth');
}
}
return $USER;
}
function teosso_authenticate_user()
{
global $CFG, $USER, $SESSION;
$pluginconfig = get_config('auth/teosso');
// retrieve the login data from the HTTP Headers
$attributes = auth_plugin_teosso::get_sso_attributes();
// check to see if we got any authentication data
if (empty($attributes)) {
redirect($pluginconfig->signin_url);
}
// get the http headers for error reporting
$headers = apache_request_headers();
$attr_hdrs = array();
foreach ($headers as $key => $value) {
if (preg_match('/^HTTP_/', $key)) {
$attr_hdrs[] = $key . ': ' . $value;
}
}
$headers = implode(' | ', $attr_hdrs);
// FIND THE VALIDIDTY OF THE HTTP HEADER
$attrmap = auth_plugin_teosso::get_attributes();
if (empty($attrmap['idnumber'])) {
// serious misdemeanour
print_error('missingidnumber', 'auth_teosso');
}
if (empty($attributes[$attrmap['idnumber']])) {
#
// not valid session. Ship user off to Federation Manager
add_to_log(0, 'login', 'error', '/auth/teosso/index.php', get_string('idnumber_error', 'auth_teosso', $headers));
redirect($pluginconfig->signin_error_url);
} else {
// in theory we only need acct_id at this point - we should retrieve the user record to get the username via idnumber
if (!($user = get_record('user', 'idnumber', $attributes[$attrmap['idnumber']]))) {
// must be a new user
if (!empty($attributes[$attrmap['username']])) {
$attributes['username'] = $attributes[$attrmap['username']];
} else {
add_to_log(0, 'login', 'error', '/auth/teosso/index.php', get_string('username_error', 'auth_teosso', $headers));
redirect($pluginconfig->signin_error_url);
}
} else {
// user must use the auth type teosso or authenticate_user_login() will fail
if ($user->auth != 'teosso') {
add_to_log(0, 'login', 'error', '/auth/teosso/index.php', get_string('user_auth_type_error', 'auth_teosso', $headers));
redirect($pluginconfig->signin_error_url);
}
// because we want to retain acct_id as the master ID
// we need to modify idnumber on mdl_user NOW - so it all lines up later
if (isset($attributes[$attrmap['username']]) && $user->username != $attributes[$attrmap['username']]) {
if (!set_field('user', 'username', $attributes[$attrmap['username']], 'id', $user->id)) {
print_error('usernameupdatefailed', 'auth_teosso');
}
$attributes['username'] = $attributes[$attrmap['username']];
} else {
$attributes['username'] = $user->username;
}
}
// Valid session. Register or update user in Moodle, log him on, and redirect to Moodle front
// we require the plugin to know that we are now doing a teosso login in hook puser_login
$GLOBALS['teosso_login'] = TRUE;
// make variables accessible to teosso->get_userinfo. Information will be requested from authenticate_user_login -> create_user_record / update_user_record
$GLOBALS['teosso_login_attributes'] = $attributes;
// just passes time as a password. User will never log in directly to moodle with this password anyway or so we hope?
$USER = authenticate_user_login($attributes['username'], time());
$USER->loggedin = true;
$USER->site = $CFG->wwwroot;
update_user_login_times();
if ($pluginconfig->notshowusername) {
// Don't show username on login page
set_moodle_cookie('nobody');
}
set_login_session_preferences();
add_to_log(SITEID, 'user', 'login', "view.php?id={$USER->id}&course=" . SITEID, $USER->id, 0, $USER->id);
check_enrolment_plugins($USER);
load_all_capabilities();
// just fast copied this from some other module - might not work...
if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
$urltogo = $SESSION->wantsurl;
} else {
$urltogo = $CFG->wwwroot . '/';
}
unset($SESSION->wantsurl);
redirect($urltogo);
}
}
/**
* Call to complete the user login process after authenticate_user_login()
* has succeeded. It will setup the $USER variable and other required bits
* and pieces.
*
* NOTE:
* - It will NOT log anything -- up to the caller to decide what to log.
*
* @uses $CFG, $USER
* @param string $user obj
* @return object A {@link $USER} object - BC only, do not use
*/
function complete_user_login($user, $setcookie = true)
{
global $CFG, $USER, $SESSION;
// check enrolments, load caps and setup $USER object
session_set_user($user);
update_user_login_times();
set_login_session_preferences();
if ($setcookie) {
if (empty($CFG->nolastloggedin)) {
set_moodle_cookie($USER->username);
} else {
// do not store last logged in user in cookie
// auth plugins can temporarily override this from loginpage_hook()
// do not save $CFG->nolastloggedin in database!
set_moodle_cookie('nobody');
}
}
/// Select password change url
$userauth = get_auth_plugin($USER->auth);
/// check whether the user should be changing password
if (get_user_preferences('auth_forcepasswordchange', false)) {
if ($userauth->can_change_password()) {
if ($changeurl = $userauth->change_password_url()) {
redirect($changeurl);
} else {
redirect($CFG->httpswwwroot . '/login/change_password.php');
}
} else {
print_error('nopasswordchangeforced', 'auth');
}
}
return $USER;
}
/**
* Authenticate user using username+password or token.
* This function sets up $USER global.
* It is safe to use has_capability() after this.
* This method also verifies user is allowed to use this
* server.
*/
protected function authenticate_user()
{
global $CFG, $DB;
if (!NO_MOODLE_COOKIES) {
throw new coding_exception('Cookies must be disabled in WS servers!');
}
$loginfaileddefaultparams = array('context' => context_system::instance(), 'other' => array('method' => $this->authmethod, 'reason' => null));
if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
//we check that authentication plugin is enabled
//it is only required by simple authentication
if (!is_enabled_auth('webservice')) {
throw new webservice_access_exception('The web service authentication plugin is disabled.');
}
if (!($auth = get_auth_plugin('webservice'))) {
throw new webservice_access_exception('The web service authentication plugin is missing.');
}
$this->restricted_context = context_system::instance();
if (!$this->username) {
throw new moodle_exception('missingusername', 'webservice');
}
if (!$this->password) {
throw new moodle_exception('missingpassword', 'webservice');
}
if (!$auth->user_login_webservice($this->username, $this->password)) {
// Log failed login attempts.
$params = $loginfaileddefaultparams;
$params['other']['reason'] = 'password';
$params['other']['username'] = $this->username;
$event = \core\event\webservice_login_failed::create($params);
$event->set_legacy_logdata(array(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '', get_string('failedtolog', 'webservice') . ": " . $this->username . "/" . $this->password . " - " . getremoteaddr(), 0));
$event->trigger();
throw new moodle_exception('wrongusernamepassword', 'webservice');
}
$user = $DB->get_record('user', array('username' => $this->username, 'mnethostid' => $CFG->mnet_localhost_id), '*', MUST_EXIST);
} else {
if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
$user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
} else {
$user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
}
}
// Cannot authenticate unless maintenance access is granted.
$hasmaintenanceaccess = has_capability('moodle/site:maintenanceaccess', context_system::instance(), $user);
if (!empty($CFG->maintenance_enabled) and !$hasmaintenanceaccess) {
throw new moodle_exception('sitemaintenance', 'admin');
}
//only confirmed user should be able to call web service
if (!empty($user->deleted)) {
$params = $loginfaileddefaultparams;
$params['other']['reason'] = 'user_deleted';
$params['other']['username'] = $user->username;
$event = \core\event\webservice_login_failed::create($params);
$event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
$event->trigger();
throw new webservice_access_exception('Refused web service access for deleted username: '******'other']['reason'] = 'user_unconfirmed';
$params['other']['username'] = $user->username;
$event = \core\event\webservice_login_failed::create($params);
$event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
$event->trigger();
throw new moodle_exception('wsaccessuserunconfirmed', 'webservice', '', $user->username);
}
//check the user is suspended
if (!empty($user->suspended)) {
$params = $loginfaileddefaultparams;
$params['other']['reason'] = 'user_unconfirmed';
$params['other']['username'] = $user->username;
$event = \core\event\webservice_login_failed::create($params);
$event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
$event->trigger();
throw new webservice_access_exception('Refused web service access for suspended username: '******'other']['reason'] = 'password_expired';
$params['other']['username'] = $user->username;
$event = \core\event\webservice_login_failed::create($params);
$event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
$event->trigger();
throw new webservice_access_exception('Refused web service access for password expired username: '******'nologin') {
$params = $loginfaileddefaultparams;
$params['other']['reason'] = 'login';
$params['other']['username'] = $user->username;
$event = \core\event\webservice_login_failed::create($params);
$event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
$event->trigger();
throw new webservice_access_exception('Refused web service access for nologin authentication username: '******'You are not allowed to use the {$a} protocol (missing capability: webservice/' . $this->wsname . ':use)');
}
external_api::set_context_restriction($this->restricted_context);
}
