/**
 * Create a Shibboleth session for the user ID.
 *
 * No credential is checked here: the caller is expected to have already
 * authenticated the user through Shibboleth and to pass the matching
 * platform user id. This method only installs that identity in the session
 * and lets local.inc.php populate the usual global state.
 *
 * @param string $uid - The user ID
 * @return $_user (array) - The user infos array created when the user logs in;
 *                          null (bare return) when no user record exists for $uid
 */
function login($uid)
{
    /* This must be set for local.inc.php to register correctly the global variables in session.
     * This is BAD. Logic should be migrated into a function and stop relying on global variables.
     */
    global $_uid, $is_allowedCreateCourse, $is_platformAdmin, $_real_cid, $is_courseAdmin;
    global $is_courseMember, $is_courseTutor, $is_courseCoach, $is_allowed_in_course, $is_sessionAdmin, $_gid;
    $_uid = $uid;
    // Resolve the user record; an unknown id means there is nothing to log in.
    $user = User::store()->get_by_user_id($uid);
    if (empty($user)) {
        return;
    }
    // Drop whatever state a previous login left behind before installing the new identity.
    // NOTE(review): nothing visible here regenerates the session id on login; confirm that
    // logout() or Session::instance() does, otherwise the session is open to fixation.
    $this->logout();
    Session::instance();
    Session::write('_uid', $_uid);
    global $_user;
    $_user = (array) $user;
    // The identity is written both through the Session wrapper ('_uid') and straight into
    // $_SESSION['_user']; presumably local.inc.php reads both, so they must stay consistent.
    $_SESSION['_user'] = $_user;
    $_SESSION['_user']['user_id'] = $_uid;
    $_SESSION['noredirection'] = true;
    // Login statistics; must be called before 'init_local.inc.php'.
    Event::event_login($_uid);
    // The locals below are read by local.inc.php through the require, so their names are a
    // contract and not free to rename. This is BAD and should be changed.
    $loginFailed = false;
    $uidReset = true;
    $gidReset = true;
    $cidReset = false; // deliberately false (original note: "FALSE !!"); the course context is not reset
    $mainDbName = Database::get_main_database();
    $includePath = api_get_path(SYS_INC_PATH);
    $no_redirection = true;
    require "{$includePath}/local.inc.php";
    return $_user;
}
* @package chamilo.auth.ldap
*/

/**
 * LDAP authentication module.
 *
 * Contract an external authentication module has to honour (read by local.inc.php):
 *  - $loginFailed        true when the credentials were rejected
 *  - $uidReset           true when a fresh user id has been established
 *  - $_user['user_id']   the platform id of the authenticated user
 *  - the '_uid' key registered in the session
 *
 * As this module shows, that is not as difficult as you might think: the bind is
 * delegated to ldap_login() from authldap.php and the variables above are set
 * from its result. global.inc.php is not required here because this script is
 * loaded by /index.php, which has already included it.
 */
use ChamiloSession as Session;

require_once 'authldap.php';

$ldapAuthenticated = ldap_login($login, $password);

if (!$ldapAuthenticated) {
    // Bind rejected: mark the attempt as failed and make sure no stale user id survives.
    $loginFailed = true;
    $uidReset = false;
    unset($_user['user_id']);
} else {
    // NOTE(review): $uData and $_uid are not defined in this script; presumably
    // ldap_login() populates them as globals — confirm, otherwise '_uid' is
    // written as null and $_user['user_id'] stays unset.
    $loginFailed = false;
    $uidReset = true;
    $_user['user_id'] = $uData['user_id'];
    Session::write('_uid', $_uid);
    // Record the login for the usage statistics (same call as event_login in events.lib.php).
    Event::event_login($uData['user_id']);
}
} $values = api_get_user_info($user_id); } /* SESSION REGISTERING */ /* @todo move this in a function */ $_user['firstName'] = stripslashes($values['firstname']); $_user['lastName'] = stripslashes($values['lastname']); $_user['mail'] = $values['email']; $_user['language'] = $values['language']; $_user['user_id'] = $user_id; $is_allowedCreateCourse = isset($values['status']) && $values['status'] == 1; $usersCanCreateCourse = api_get_setting('course.allow_users_to_create_courses') == 'true'; Session::write('_user', $_user); Session::write('is_allowedCreateCourse', $is_allowedCreateCourse); // Stats Event::event_login($user_id); // last user login date is now $user_last_login_datetime = 0; // used as a unix timestamp it will correspond to : 1 1 1970 Session::write('user_last_login_datetime', $user_last_login_datetime); $recipient_name = api_get_person_name($values['firstname'], $values['lastname']); $text_after_registration = '<p>' . get_lang('Dear', null, $_user['language']) . ' ' . stripslashes(Security::remove_XSS($recipient_name)) . ',<br /><br />' . get_lang('PersonalSettings', null, $_user['language']) . ".</p>"; $form_data = array('button' => Display::button('next', get_lang('Next', null, $_user['language']), array('class' => 'btn btn-primary btn-large')), 'message' => null, 'action' => api_get_path(WEB_PATH) . 'user_portal.php'); if (api_get_setting('registration.allow_terms_conditions') == 'true' && $user_already_registered_show_terms) { $form_data['action'] = api_get_path(WEB_PATH) . 'user_portal.php'; } else { if (!empty($values['email'])) { $text_after_registration .= '<p>' . get_lang('MailHasBeenSent', null, $_user['language']) . '.</p>'; } if ($is_allowedCreateCourse) { if ($usersCanCreateCourse) {
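* - index.php?loginFailed=1&error=user_password_incorrect
* - index.php?loginFailed=1&error=unrecognize_sso_origin');
*
*/
use ChamiloSession as Session;

require_once dirname(__FILE__) . '/ldap.inc.php';
require_once dirname(__FILE__) . '/functions.inc.php';

// Bind against the external LDAP directory with the credentials from the login form.
$ldap_user = extldap_authenticate($login, $password);

if ($ldap_user !== false) {
    // Map the LDAP entry onto a Chamilo user record.
    $chamilo_user = extldap_get_chamilo_user($ldap_user);
    // The username is not carried in the LDAP entry, so take it from the form value.
    $chamilo_user['username'] = $login;
    // Create or update the local account; false means no account is available.
    $chamilo_uid = external_add_user($chamilo_user);

    if ($chamilo_uid !== false) {
        $loginFailed = false;
        $_user['user_id'] = $chamilo_uid;
        // Default to status 5 when the mapping did not provide one.
        $_user['status'] = isset($chamilo_user['status']) ? $chamilo_user['status'] : 5;
        $_user['uidReset'] = true;
        Session::write('_user', $_user);
        $uidReset = true;

        // Promote to platform admin when the directory mapping says so.
        if ($chamilo_user['admin'] === true) {
            $is_platformAdmin = true;
            // The id is cast to int before interpolation so that whatever
            // external_add_user() returns can never alter the statement.
            Database::query("INSERT INTO admin values ('" . (int) $chamilo_uid . "')");
        }
        Event::event_login($chamilo_uid);
    } else {
        // The directory accepted the credentials but no local account could be
        // created or updated. An authentication module has to leave $loginFailed
        // and $uidReset in a defined state, so treat this as a failed login
        // instead of leaving whatever the caller initialised them to.
        $loginFailed = true;
        $uidReset = false;
        unset($_user['user_id']);
    }
} else {
    // Credentials rejected by the directory.
    $loginFailed = true;
    $uidReset = false;
    unset($_user['user_id']);
}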
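// include common authentication functions
require_once dirname(__FILE__) . '/functions.inc.php';

// Ask the external web service whether the submitted credentials are valid
// (loginWSAuthenticate() is defined below); 1 means approved.
$isValid = loginWSAuthenticate($login, $password, $wsUrl);

// The web service only vouches for the credentials; the account itself has to
// exist locally, otherwise there is no user id to put in the session.
$chamiloUser = false;
if ($isValid === 1) {
    $chamiloUser = UserManager::get_user_info($login);
}

if ($isValid === 1 && !empty($chamiloUser['user_id'])) {
    //error_log('WS authentication worked');
    $loginFailed = false;
    $_user['user_id'] = $chamiloUser['user_id'];
    // Default to status 5 when the local record carries none.
    $_user['status'] = isset($chamiloUser['status']) ? $chamiloUser['status'] : 5;
    $_user['uidReset'] = true;
    Session::write('_user', $_user);
    $uidReset = true;
    $logging_in = true;
    Event::event_login($_user['user_id']);
} else {
    // Either the web service rejected the credentials or no local record with a
    // user id matches $login; in both cases the attempt fails and no stale id
    // survives in $_user.
    //error_log('WS authentication error - user not approved by external WS');
    $loginFailed = true;
    $uidReset = false;
    if (isset($_user) && isset($_user['user_id'])) {
        unset($_user['user_id']);
    }
}

/**
 * Checks whether a user has the right to enter on the platform or not
 * @param string The username, as provided in form
 * @param string The cleartext password, as provided in form
 * @param string The WS URL, as provided at the beginning of this script
 */
function loginWSAuthenticate($username, $password, $wsUrl)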
/**
 * Validates the received active connection data with the database.
 *
 * Decodes the SSO cookie passed in $_GET['sso_cookie'], checks its secret
 * against the one-time challenge stored in the session and the platform
 * security key, then verifies that the matching user account is active,
 * not expired and allowed on the current access URL.
 *
 * Every rejection path, and the regular-user success path, sends a
 * Location header and exit()s; only the admin success paths fall through
 * to the return statement.
 *
 * @return bool Return the loginFailed variable value to local.inc.php
 */
public function check_user()
{
    global $_user;
    $loginFailed = false;
    // Change the way we recover the cookie depending on how it is formed.
    // NOTE(review): 'sso_cookie' is read without an isset() guard.
    $sso = $this->decode_cookie($_GET['sso_cookie']);
    // Get the token that should have been used and delete it from the session,
    // since it can only be used once: a replayed cookie is checked against an
    // empty challenge and will not match.
    $sso_challenge = '';
    if (isset($_SESSION['sso_challenge'])) {
        $sso_challenge = $_SESSION['sso_challenge'];
        unset($_SESSION['sso_challenge']);
    }
    // Look the user up in the main database.
    // NOTE(review): the username comparison is partly redacted ('******') in this copy;
    // whatever stands there must escape $sso['username'] before it is interpolated.
    $user_table = Database::get_main_table(TABLE_MAIN_USER);
    $sql = "SELECT id, username, password, auth_source, active, expiration_date, status\n FROM {$user_table}\n WHERE username = '******'username'])) . "'";
    $result = Database::query($sql);
    if (Database::num_rows($result) > 0) {
        $uData = Database::fetch_array($result);
        // Only platform-authenticated accounts may log in through SSO.
        if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) {
            // The secret is sha1(username . one-time challenge . platform security key).
            // NOTE(review): `===` is not a constant-time comparison; hash_equals() would be
            // the conventional choice. The secret also covers only the username and the
            // challenge, not the 'ruri'/'target' values used for the redirect below.
            if ($sso['secret'] === sha1($uData['username'] . $sso_challenge . api_get_security_key()) && $sso['username'] == $uData['username']) {
                // Check if the account is active (not locked).
                if ($uData['active'] == '1') {
                    // Check that the expiration date has not been reached; an empty or zero date means no expiry.
                    if (empty($uData['expiration_date']) or $uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') {
                        // With multiple URLs enabled the user must be registered on the current
                        // access URL (access_url_rel_user); otherwise there is a single portal, id 1.
                        if (api_get_multiple_access_url()) {
                            // The current access_url_id of the platform.
                            $current_access_url_id = api_get_current_access_url_id();
                            // The sites this user is subscribed to.
                            $my_url_list = api_get_access_url_from_user($uData['id']);
                        } else {
                            $current_access_url_id = 1;
                            $my_url_list = array(1);
                        }
                        $my_user_is_admin = UserManager::is_admin($uData['id']);
                        if ($my_user_is_admin === false) {
                            if (is_array($my_url_list) && count($my_url_list) > 0) {
                                if (in_array($current_access_url_id, $my_url_list)) {
                                    // The user has permission to enter this site.
                                    $_user['user_id'] = $uData['id'];
                                    $_user = api_get_user_info($_user['user_id']);
                                    $_user['uidReset'] = true;
                                    Session::write('_user', $_user);
                                    Event::event_login($_user['user_id']);
                                    // Redirect to the requested page or to the homepage.
                                    $sso_target = '';
                                    if (!empty($sso['ruri'])) {
                                        // The referrer URI is *only* used if the user credentials are OK,
                                        // which should be protection enough against evil URL spoofing...
                                        // NOTE(review): 'ruri' is not covered by the secret check above; it is
                                        // at least prefixed with the platform's own WEB_PATH.
                                        $sso_target = api_get_path(WEB_PATH) . base64_decode($sso['ruri']);
                                    } else {
                                        // NOTE(review): 'target' comes straight from the decoded cookie and is
                                        // not covered by the secret, so it is an open-redirect vector unless the
                                        // master portal signs it or it is checked against the platform host.
                                        $sso_target = isset($sso['target']) ? $sso['target'] : api_get_path(WEB_PATH) . 'index.php';
                                    }
                                    header('Location: ' . $sso_target);
                                    exit;
                                } else {
                                    // The user does not have permission for this site.
                                    $loginFailed = true;
                                    Session::erase('_uid');
                                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                    exit;
                                }
                            } else {
                                // There is no URL in the multiple-URL list for this user.
                                $loginFailed = true;
                                Session::erase('_uid');
                                header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                exit;
                            }
                        } else {
                            // Only admins of the "main" (first) Chamilo portal can log in wherever they want.
                            if (in_array(1, $my_url_list)) {
                                // This admin is admin on the principal portal. No redirect is issued here:
                                // the method falls through to return $loginFailed (still false).
                                $_user['user_id'] = $uData['id'];
                                $_user = api_get_user_info($_user['user_id']);
                                // NOTE(review): $is_platformAdmin is a plain local here (not declared global
                                // like $_user); presumably only the session copy is read afterwards.
                                $is_platformAdmin = $uData['status'] == COURSEMANAGER;
                                Session::write('is_platformAdmin', $is_platformAdmin);
                                Session::write('_user', $_user);
                                Event::event_login($_user['user_id']);
                            } else {
                                // A secondary-URL admin wants to log in, so check as a normal user.
                                if (in_array($current_access_url_id, $my_url_list)) {
                                    // NOTE(review): the SELECT above returns the column as `id`, not `user_id`,
                                    // and every sibling branch reads $uData['id']; this index looks undefined
                                    // here (null user id) — confirm and align before changing.
                                    $_user['user_id'] = $uData['user_id'];
                                    $_user = api_get_user_info($_user['user_id']);
                                    Session::write('_user', $_user);
                                    Event::event_login($_user['user_id']);
                                } else {
                                    // Admin of another portal, not registered on this one.
                                    $loginFailed = true;
                                    Session::erase('_uid');
                                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                    exit;
                                }
                            }
                        }
                    } else {
                        // User account expired.
                        $loginFailed = true;
                        Session::erase('_uid');
                        header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_expired');
                        exit;
                    }
                } else {
                    // User not active.
                    $loginFailed = true;
                    Session::erase('_uid');
                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_inactive');
                    exit;
                }
            } else {
                // The SHA1 secret (or the username) does not match.
                $loginFailed = true;
                Session::erase('_uid');
                header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_password');
                exit;
            }
        } else {
            // Auth_source is not the platform source; SSO is not allowed for this account.
            $loginFailed = true;
            Session::erase('_uid');
            header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_authentication_source');
            exit;
        }
    } else {
        // No user by that login.
        $loginFailed = true;
        Session::erase('_uid');
        header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=user_not_found');
        exit;
    }
    return $loginFailed;
}