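/**
 * Validate the public self-registration form before an account is created.
 *
 * Problems are recorded on $form with set_error(); nothing is returned.
 * Checks run in this order: spam trap, name fields, e-mail uniqueness,
 * terms and conditions, then the chosen institution (registration allowed,
 * then account limit).
 *
 * @todo add note: because the form select thing will eventually enforce
 * that the result for $values['institution'] was in the original lot,
 * and because that only allows authmethods that use 'internal' auth, we
 * can guarantee that the auth method is internal
 *
 * @param Pieform $form   The submitted registration form
 * @param array   $values Submitted values; this function reads 'firstname',
 *                        'lastname', 'email', 'institution' and 'tandc'
 */
function auth_register_validate(Pieform $form, $values)
{
    $registerterms = get_config('registerterms');

    $spamtrap = new_spam_trap(array(
        array('type' => 'name', 'value' => $values['firstname']),
        array('type' => 'name', 'value' => $values['lastname']),
        array('type' => 'email', 'value' => $values['email']),
    ));
    if ($form->spam_error() || $spamtrap->is_spam()) {
        // One generic message for every spam signal, so the response does
        // not reveal which check the submission tripped.
        $msg = get_string('formerror');
        $emailcontact = get_config('emailcontact');
        if (!empty($emailcontact)) {
            $msg .= ' ' . get_string('formerroremail', 'mahara', $emailcontact, $emailcontact);
        }
        $form->set_error(null, $msg);
        return;
    }

    $institutionname = $values['institution'];
    safe_require('auth', 'internal');

    // First name and last name must contain at least one non whitespace
    // character, so that there's something to read
    foreach (array('firstname', 'lastname') as $field) {
        if (!$form->get_error($field) && !preg_match('/\\S/', $values[$field])) {
            $form->set_error($field, $form->i18n('required'));
        }
    }

    // The e-mail address cannot already be in the system, either as a
    // primary address or as an additional profile address.
    // NOTE(review): the distinct "already taken" error lets whoever submits
    // this form learn whether an address is registered; the spam trap above
    // is the only throttle visible in this function.
    if (!$form->get_error('email')
        && (record_exists('usr', 'email', $values['email'])
            || record_exists('artefact_internal_profile_email', 'email', $values['email']))) {
        $form->set_error('email', get_string('emailalreadytaken', 'auth.internal'));
    }

    // If the user hasn't agreed to the terms and conditions, don't bother
    if ($registerterms && $values['tandc'] != 'yes') {
        $form->set_error('tandc', get_string('youmaynotregisterwithouttandc', 'auth.internal'), false);
    }

    // The institution name is bound as a query parameter, never interpolated.
    // COUNT(u.id) counts only members whose account is not deleted.
    $institution = get_record_sql('
        SELECT
            i.name, i.maxuseraccounts, i.registerallowed, COUNT(u.id) AS count
        FROM {institution} i
            LEFT OUTER JOIN {usr_institution} ui ON ui.institution = i.name
            LEFT OUTER JOIN {usr} u ON (ui.usr = u.id AND u.deleted = 0)
        WHERE
            i.name = ?
        GROUP BY
            i.name, i.maxuseraccounts, i.registerallowed', array($institutionname));

    // Reject unknown or closed institutions before the capacity check. The
    // "institution is full" message tells admins to raise the limit or turn
    // off public registration, so it must not be sent for an institution
    // that does not offer registration in the first place (the submitted
    // value is not yet guaranteed to come from the offered list, see @todo).
    if (!$institution || !$institution->registerallowed) {
        $form->set_error('institution', get_string('registrationnotallowed'));
        return;
    }

    if (!empty($institution->maxuseraccounts) && $institution->count >= $institution->maxuseraccounts) {
        // the institution is full so we need to alert the admins of the institution to this fact so
        // they can either increase the maxusers or turn off the public registration.
        // NOTE(review): every rejected submission sends another message;
        // any rate limit would have to live in
        // send_admin_institution_is_full_message(), which is not shown here.
        require_once get_config('docroot') . 'lib/institution.php';
        $institutionobj = new Institution($institution->name);
        $institutionobj->send_admin_institution_is_full_message();
        $form->set_error('institution', get_string('institutionfull'));
    }
}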
Example #2
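/**
 * Validate the administrator "add user" form.
 *
 * Problems are recorded on $form with set_error(); nothing is returned.
 * The caller's right to create accounts in the selected auth instance is
 * checked first, then institution capacity, quota, username, password and
 * finally either the uploaded Leap2A file or the name/e-mail fields.
 *
 * @param Pieform $form   The submitted form
 * @param array   $values Submitted values; reads 'authinstance', 'username',
 *                        'firstname', 'lastname', 'email', 'password',
 *                        'quota' and 'leap2afile'
 */
function adduser_validate(Pieform $form, $values)
{
    global $USER, $TRANSPORTER;

    $authobj = AuthFactory::create($values['authinstance']);

    // Authorisation comes before any other check: the auth instance id is
    // taken from the request, so an institutional admin could submit one
    // that belongs to another institution.
    // Institutional admins can only set their own institutions' authinstances
    if (!$USER->get('admin') && !$USER->is_institutional_admin($authobj->institution)) {
        $form->set_error('authinstance', get_string('notadminforinstitution', 'admin'));
        return;
    }

    $institution = new Institution($authobj->institution);
    // Don't exceed max user accounts for the institution
    if ($institution->isFull()) {
        $institution->send_admin_institution_is_full_message();
        $form->set_error('authinstance', get_string('institutionmaxusersexceeded', 'admin'));
        return;
    }

    $username = $values['username'];
    $firstname = sanitize_firstname($values['firstname']);
    $lastname = sanitize_lastname($values['lastname']);
    $email = sanitize_email($values['email']);
    $password = $values['password'];

    // The quota field is only checked for site admins, or when the file
    // plugin's 'institutionaloverride' setting is on.
    if ($USER->get('admin') || get_config_plugin('artefact', 'file', 'institutionaloverride')) {
        $maxquotaenabled = get_config_plugin('artefact', 'file', 'maxquotaenabled');
        $maxquota = get_config_plugin('artefact', 'file', 'maxquota');
        if ($maxquotaenabled && $values['quota'] > $maxquota) {
            $form->set_error('quota', get_string('maxquotaexceededform', 'artefact.file', display_size($maxquota)));
        }
    }

    // Prefer the auth plugin's admin-specific username rule when it has one.
    if (method_exists($authobj, 'is_username_valid_admin')) {
        if (!$authobj->is_username_valid_admin($username)) {
            $form->set_error('username', get_string('usernameinvalidadminform', 'auth.internal'));
        }
    } elseif (method_exists($authobj, 'is_username_valid')) {
        if (!$authobj->is_username_valid($username)) {
            $form->set_error('username', get_string('usernameinvalidform', 'auth.internal'));
        }
    }

    // Usernames are compared case-insensitively; the value is bound as a
    // query parameter.
    if (!$form->get_error('username') && record_exists_select('usr', 'LOWER(username) = ?', array(strtolower($username)))) {
        $form->set_error('username', get_string('usernamealreadytaken', 'auth.internal'));
    }

    if (method_exists($authobj, 'is_password_valid') && !$authobj->is_password_valid($password)) {
        $form->set_error('password', get_string('passwordinvalidform', 'auth.' . $authobj->type));
    }

    if (isset($_POST['createmethod']) && $_POST['createmethod'] == 'leap2a') {
        // Name and e-mail are not validated on this path; clear any errors
        // the form rules attached to those fields.
        $form->set_error('firstname', null);
        $form->set_error('lastname', null);
        $form->set_error('email', null);

        if (!$values['leap2afile']) {
            // $_FILES may have no entry at all for the field, so read the
            // error code defensively instead of indexing it directly.
            $uploaderror = isset($_FILES['leap2afile']['error']) ? $_FILES['leap2afile']['error'] : null;
            if ($uploaderror == UPLOAD_ERR_INI_SIZE || $uploaderror == UPLOAD_ERR_FORM_SIZE) {
                $form->reply(PIEFORM_ERR, array('message' => get_string('uploadedfiletoobig'), 'goto' => '/admin/users/add.php'));
                $form->set_error('leap2afile', get_string('uploadedfiletoobig'));
                return;
            }
            $form->set_error('leap2afile', $form->i18n('rule', 'required', 'required'));
            return;
        }

        // The declared type is used as given unless it is the generic
        // application/octet-stream, in which case the file itself is sniffed.
        // NOTE(review): both the declared type and the 'name' passed on below
        // look like they come from the upload request, i.e. from the client;
        // treat them as hints only and confirm the importer validates content.
        if ($values['leap2afile']['type'] == 'application/octet-stream') {
            require_once 'file.php';
            $mimetype = file_mime_type($values['leap2afile']['tmp_name']);
        } else {
            $mimetype = trim($values['leap2afile']['type'], '"');
        }

        $date = time();
        // The import id is built from the username, so reduce it to
        // [a-zA-Z0-9_-] before it is used in an identifier.
        $niceuser = preg_replace('/[^a-zA-Z0-9_-]/', '-', $values['username']);
        safe_require('import', 'leap');
        $fakeimportrecord = (object) array(
            'data' => array(
                'importfile' => $values['leap2afile']['tmp_name'],
                'importfilename' => $values['leap2afile']['name'],
                'importid' => $niceuser . '-' . $date,
                'mimetype' => $mimetype,
            ),
        );
        $TRANSPORTER = new LocalImporterTransport($fakeimportrecord);
        try {
            $TRANSPORTER->extract_file();
            PluginImportLeap::validate_transported_data($TRANSPORTER);
        } catch (Exception $e) {
            $form->set_error('leap2afile', $e->getMessage());
        }
        return;
    }

    if (!$form->get_error('firstname') && empty($firstname)) {
        $form->set_error('firstname', $form->i18n('rule', 'required', 'required'));
    }
    if (!$form->get_error('lastname') && empty($lastname)) {
        $form->set_error('lastname', $form->i18n('rule', 'required', 'required'));
    }
    if (!$form->get_error('email')) {
        if (empty($email)) {
            $form->set_error('email', get_string('invalidemailaddress', 'artefact.internal'));
        } elseif (record_exists('usr', 'email', $email) || record_exists('artefact_internal_profile_email', 'email', $email)) {
            // Only look for duplicates when there is an address to look up;
            // otherwise an empty value could match a stored empty address and
            // replace the "invalid" error with a misleading "already taken".
            $form->set_error('email', get_string('emailalreadytaken', 'auth.internal'));
        }
    }
}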
Example #3
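 /**
  * Complete an MNet single sign-on login.
  *
  * Asks the peer at $remotewwwroot to confirm $token, then finds, creates or
  * updates the matching local account, optionally imports the peer's profile
  * icon, and binds the account to the current session.
  *
  * @param string $token         SSO token passed on to the peer for confirmation
  * @param string $remotewwwroot wwwroot of the peer that issued the token
  * @return bool true once the session is established; false when the remote
  *              user is unknown locally and auto-creation is turned off
  * @throws XmlrpcClientException when the peer is deleted, SSO in from it is
  *                               not enabled, or the institution is full
  * @throws AccessDeniedException when the peer returns no username or the
  *                               site configuration is unsafe for SSO
  */
 public function request_user_authorise($token, $remotewwwroot)
 {
     global $USER, $SESSION;
     $this->must_be_ready();
     $peer = get_peer($remotewwwroot);
     if ($peer->deleted != 0 || $this->config['theyssoin'] != 1) {
         throw new XmlrpcClientException('We don\'t accept SSO connections from ' . institution_display_name($peer->institution));
     }
     // The User-Agent header is optional, so do not index it blindly. An
     // absent header hashes the empty string.
     // NOTE(review): the hash is presumably compared by the peer with the
     // agent recorded when the token was issued - confirm on the peer side.
     $useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
     $client = new Client();
     $client->set_method('auth/mnet/auth.php/user_authorise')
         ->add_param($token)
         ->add_param(sha1($useragent))
         ->send($remotewwwroot);
     // Everything in $remoteuser is supplied by the peer.
     $remoteuser = (object) $client->response;
     if (empty($remoteuser) or !property_exists($remoteuser, 'username')) {
         // Caught by land.php
         throw new AccessDeniedException();
     }
     $create = false;
     $update = false;
     if ('1' == $this->config['updateuserinfoonlogin']) {
         $update = true;
     }
     // Retrieve a $user object. If that fails, create a blank one.
     try {
         $user = new User();
         if (get_config('usersuniquebyusername')) {
             // When turned on, this setting means that it doesn't matter
             // which other application the user SSOs from, they will be
             // given the same account in Mahara.
             //
             // This setting is one that has security implications unless
             // only turned on by people who know what they're doing. In
             // particular, every system linked to Mahara should be making
             // sure that same username == same person.  This happens for
             // example if two Moodles are using the same LDAP server for
             // authentication.
             //
             // If this setting is on, it must NOT be possible to self
             // register on the site for ANY institution - otherwise users
             // could simply pick usernames of people's accounts they wished
             // to steal.
             if ($institutions = get_column('institution', 'name', 'registerallowed', '1')) {
                 log_warn("usersuniquebyusername is turned on but registration is allowed for an institution. " . "No institution can have registration allowed for it, for security reasons.\n" . "The following institutions have registration enabled:\n  " . join("\n  ", $institutions));
                 throw new AccessDeniedException();
             }
             if (!get_config('usersallowedmultipleinstitutions')) {
                 log_warn("usersuniquebyusername is turned on but usersallowedmultipleinstitutions is off. " . "This makes no sense, as users will then change institution every time they log in from " . "somewhere else. Please turn this setting on in Site Options");
                 throw new AccessDeniedException();
             }
             $user->find_by_username($remoteuser->username);
         } else {
             // Scope the lookup to this auth instance so the same username
             // on another instance is a different account.
             $user->find_by_instanceid_username($this->instanceid, $remoteuser->username, true);
         }
         if ($user->get('suspendedcusr')) {
             die_info(get_string('accountsuspended', 'mahara', strftime(get_string('strftimedaydate'), $user->get('suspendedctime')), $user->get('suspendedreason')));
         }
     } catch (AuthUnknownUserException $e) {
         if (!empty($this->config['weautocreateusers'])) {
             $institution = new Institution($this->institution);
             if ($institution->isFull()) {
                 $institution->send_admin_institution_is_full_message();
                 throw new XmlrpcClientException('SSO attempt from ' . $institution->displayname . ' failed - institution is full');
             }
             $user = new User();
             $create = true;
         } else {
             log_debug("User authorisation request from {$remotewwwroot} failed - " . "remote user '{$remoteuser->username}' is unknown to us and auto creation of users is turned off");
             return false;
         }
     }
     /*******************************************/
     if ($create) {
         $user->passwordchange = 1;
         $user->active = 1;
         $user->deleted = 0;
         //TODO: import institution's expiry?:
         //$institution = new Institution($peer->institution);
         $user->expiry = null;
         $user->expirymailsent = 0;
         $user->lastlogin = time();
         $user->firstname = $remoteuser->firstname;
         $user->lastname = $remoteuser->lastname;
         $user->email = $remoteuser->email;
         $imported = array('firstname', 'lastname', 'email');
         //TODO: import institution's per-user-quota?:
         //$user->quota              = $userrecord->quota;
         $user->authinstance = empty($this->config['parent']) ? $this->instanceid : $this->parent;
         // Username allocation and account creation share one transaction.
         db_begin();
         $user->username = get_new_username($remoteuser->username);
         $user->id = create_user($user, array(), $this->institution, $this, $remoteuser->username);
         $locked = $this->import_user_settings($user, $remoteuser);
         $locked = array_merge($imported, $locked);
         /*
          * We need to convert the object to a stdclass with its own
          * custom method because it uses overloaders in its implementation
          * and its properties wouldn't be visible to a simple cast operation
          * like (array)$user
          */
         $userobj = $user->to_stdclass();
         $userarray = (array) $userobj;
         db_commit();
         // Now we have fired the create event, we need to re-get the data
         // for this user
         $user = new User();
         $user->find_by_id($userobj->id);
     } elseif ($update) {
         // Overwrite local profile fields with the peer's values where they
         // differ; every imported field is later reported as locked.
         $imported = array('firstname', 'lastname', 'email');
         foreach ($imported as $field) {
             if ($user->{$field} != $remoteuser->{$field}) {
                 $user->{$field} = $remoteuser->{$field};
                 set_profile_field($user->id, $field, $user->{$field});
             }
         }
         if (isset($remoteuser->idnumber)) {
             if ($user->studentid != $remoteuser->idnumber) {
                 $user->studentid = $remoteuser->idnumber;
                 set_profile_field($user->id, 'studentid', $user->studentid);
             }
             $imported[] = 'studentid';
         }
         $locked = $this->import_user_settings($user, $remoteuser);
         $locked = array_merge($imported, $locked);
         $user->lastlastlogin = $user->lastlogin;
         $user->lastlogin = time();
         //TODO: import institution's per-user-quota?:
         //$user->quota              = $userrecord->quota;
         $user->commit();
     }
     if (get_config('usersuniquebyusername')) {
         // Add them to the institution they have SSOed in by
         $user->join_institution($peer->institution);
     }
     // See if we need to create/update a profile Icon image
     if ($create || $update) {
         $client->set_method('auth/mnet/auth.php/fetch_user_image')->add_param($remoteuser->username)->send($remotewwwroot);
         $imageobject = (object) $client->response;
         // Only letters, digits and spaces of the username reach the temp
         // file name, so it cannot carry path separators.
         $u = preg_replace('/[^A-Za-z0-9 ]/', '', $user->username);
         $filename = get_config('dataroot') . 'temp/mpi_' . intval($this->instanceid) . '_' . $u;
         if (array_key_exists('f1', $client->response)) {
             // The image bytes come from the peer; nothing about them is
             // trusted until the checks below have passed.
             $imagecontents = base64_decode($client->response['f1']);
             if (file_put_contents($filename, $imagecontents)) {
                 $imageexists = false;
                 $icons = false;
                 if ($update) {
                     // Skip the import when the user already owns an icon
                     // with identical content.
                     $newchecksum = sha1_file($filename);
                     $icons = get_records_select_array('artefact', 'artefacttype = \'profileicon\' AND owner = ? ', array($user->id), '', 'id');
                     if (false != $icons) {
                         foreach ($icons as $icon) {
                             $iconfile = get_config('dataroot') . 'artefact/file/profileicons/originals/' . $icon->id % 256 . '/' . $icon->id;
                             $checksum = sha1_file($iconfile);
                             // Strict comparison: loosely compared hex
                             // digests can be equal as numbers, and a failed
                             // read (false) must never count as a match.
                             if ($checksum !== false && $newchecksum === $checksum) {
                                 $imageexists = true;
                                 unlink($filename);
                                 break;
                             }
                         }
                     }
                 }
                 if (false == $imageexists) {
                     // Validate before anything is stored. Any failure is
                     // recorded in $error, and a non-null $error rejects the
                     // file instead of being ignored.
                     $error = null;
                     $filesize = filesize($filename);
                     require_once 'file.php';
                     $imagesize = getimagesize($filename);
                     $imagemaxwidth = get_config('imagemaxwidth');
                     $imagemaxheight = get_config('imagemaxheight');
                     if (!$imagesize || !is_image_type($imagesize[2])) {
                         $error = get_string('filenotimage');
                     } elseif ($imagesize[0] > $imagemaxwidth || $imagesize[1] > $imagemaxheight) {
                         $error = get_string('profileiconimagetoobig', 'artefact.file', $imagesize[0], $imagesize[1], $imagemaxwidth, $imagemaxheight);
                     } elseif (!$user->quota_allowed($filesize)) {
                         $error = get_string('profileiconuploadexceedsquota', 'artefact.file', get_config('wwwroot'));
                     } else {
                         // Charge the quota only for a file that will be kept.
                         try {
                             $user->quota_add($filesize);
                         } catch (QuotaException $qe) {
                             $error = get_string('profileiconuploadexceedsquota', 'artefact.file', get_config('wwwroot'));
                         }
                     }
                     if ($error !== null) {
                         // Not an acceptable image: drop the temp file and
                         // carry on with the login without an icon.
                         log_warn($error);
                         unlink($filename);
                     } else {
                         $mime = $imagesize['mime'];
                         $width = $imagesize[0];
                         $height = $imagesize[1];
                         require_once get_config('docroot') . '/artefact/lib.php';
                         require_once get_config('docroot') . '/artefact/file/lib.php';
                         // Entry in artefact table
                         $artefact = new ArtefactTypeProfileIcon();
                         $artefact->set('owner', $user->id);
                         $artefact->set('parent', ArtefactTypeFolder::get_folder_id(get_string('imagesdir', 'artefact.file'), get_string('imagesdirdesc', 'artefact.file'), null, true, $user->id));
                         $artefact->set('title', ArtefactTypeFileBase::get_new_file_title(get_string('profileicon', 'artefact.file'), (int) $artefact->get('parent'), $user->id));
                         // unique title
                         $artefact->set('description', get_string('uploadedprofileicon', 'artefact.file'));
                         $artefact->set('note', get_string('profileicon', 'artefact.file'));
                         $artefact->set('size', $filesize);
                         $artefact->set('filetype', $mime);
                         $artefact->set('width', $width);
                         $artefact->set('height', $height);
                         $artefact->commit();
                         $id = $artefact->get('id');
                         // Move the file into the correct place.
                         $directory = get_config('dataroot') . 'artefact/file/profileicons/originals/' . $id % 256 . '/';
                         check_dir_exists($directory);
                         rename($filename, $directory . $id);
                         if ($create || empty($icons)) {
                             $user->profileicon = $id;
                         }
                     }
                 }
                 $user->commit();
             } else {
                 log_warn(get_string('cantcreatetempprofileiconfile', 'artefact.file', $filename));
             }
         }
         if ($update) {
             $locked[] = 'profileicon';
         }
     }
     /*******************************************/
     // We know who our user is now. Bring her back to life.
     $USER->reanimate($user->id, $this->instanceid);
     // Set session variables to let the application know this session was
     // initiated by MNET. Don't forget that users could initiate their
     // sessions without MNET sometimes, which is why this data is stored in
     // the session object.
     $SESSION->set('mnetuser', $user->id);
     $SESSION->set('authinstance', $this->instanceid);
     if (isset($_SERVER['HTTP_REFERER'])) {
         // The Referer header is sent by the browser and stored unchanged;
         // code that reads 'mnetuserfrom' must treat it as untrusted input.
         $SESSION->set('mnetuserfrom', $_SERVER['HTTP_REFERER']);
     }
     if ($update && isset($locked)) {
         $SESSION->set('lockedfields', $locked);
     }
     return true;
 }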
Example #4
/**
 * Validate the "institution" section of the edit-user form.
 *
 * When a site admin adds the user to an institution, refuse the change if
 * that institution is full and notify its admins. The capacity check is
 * skipped when the user already has an institution and the site does not
 * allow membership of several.
 *
 * NOTE(review): the capacity check only runs for site admins; whether other
 * callers can add members is decided elsewhere - confirm in the submit handler.
 *
 * @param Pieform $form   The submitted form
 * @param array   $values Submitted values; reads 'id', 'add' and 'addinstitution'
 * @return false|null false when no user has the given id, otherwise nothing
 */
function edituser_institution_validate(Pieform $form, $values)
{
    global $USER;

    $target = new User();
    if (!$target->find_by_id($values['id'])) {
        return false;
    }

    $memberships = $target->get('institutions');

    // Only a site admin who pressed "add" gets past this point.
    if (!isset($values['add']) || !$USER->get('admin')) {
        return;
    }
    // A user who already has an institution may only gain another when the
    // site allows multiple institutions.
    if (!empty($memberships) && !get_config('usersallowedmultipleinstitutions')) {
        return;
    }

    // check if the institution is full
    require_once get_config('docroot') . 'lib/institution.php';
    $candidate = new Institution($values['addinstitution']);
    if (!$candidate->isFull()) {
        return;
    }
    $candidate->send_admin_institution_is_full_message();
    $form->set_error(null, get_string('institutionmaxusersexceeded', 'admin'));
}
Example #5
 /**
  * Complete a SAML single sign-on login from the attributes of an assertion.
  *
  * Finds, creates or updates the local account named by the configured user
  * attribute, then binds that account to the current session.
  *
  * @param array $attributes Attribute name => list of values, as received
  *                          from the identity provider; the first value of
  *                          each configured attribute is used
  * @return bool true once the session is established; false when the user is
  *              unknown locally and auto-creation is turned off
  * @throws AccessDeniedException when required attributes are missing or the
  *                               site/institution settings are unsafe for SSO
  * @throws XmlrpcClientException when a new account is needed but the
  *                               institution is full
  */
 public function request_user_authorise($attributes)
 {
     global $USER, $SESSION;
     $this->must_be_ready();
     // Both the user attribute and the institution attribute must be present.
     // NOTE(review): the institution attribute's value is never read in this
     // method, only its presence is checked; presumably the caller used it to
     // select this auth instance - confirm.
     if (empty($attributes) or !array_key_exists($this->config['user_attribute'], $attributes) or !array_key_exists($this->config['institutionattribute'], $attributes)) {
         throw new AccessDeniedException();
     }
     // All of these values are supplied by the identity provider. Name and
     // e-mail are optional here and default to null.
     $remoteuser = $attributes[$this->config['user_attribute']][0];
     $firstname = isset($attributes[$this->config['firstnamefield']][0]) ? $attributes[$this->config['firstnamefield']][0] : null;
     $lastname = isset($attributes[$this->config['surnamefield']][0]) ? $attributes[$this->config['surnamefield']][0] : null;
     $email = isset($attributes[$this->config['emailfield']][0]) ? $attributes[$this->config['emailfield']][0] : null;
     $institutionname = $this->institution;
     $create = false;
     $update = false;
     // Retrieve a $user object. If that fails, create a blank one.
     try {
         $isremote = $this->config['remoteuser'] ? true : false;
         $user = new User();
         if (get_config('usersuniquebyusername')) {
             // When turned on, this setting means that it doesn't matter
             // which other application the user SSOs from, they will be
             // given the same account in Mahara.
             //
             // This setting is one that has security implications unless
             // only turned on by people who know what they're doing. In
             // particular, every system linked to Mahara should be making
             // sure that same username == same person.  This happens for
             // example if two Moodles are using the same LDAP server for
             // authentication.
             //
             // If this setting is on, it must NOT be possible to self
             // register on the site for ANY institution - otherwise users
             // could simply pick usernames of people's accounts they wished
             // to steal.
             if ($institutions = get_column('institution', 'name', 'registerallowed', '1')) {
                 log_warn("usersuniquebyusername is turned on but registration is allowed for an institution. " . "No institution can have registration allowed for it, for security reasons.\n" . "The following institutions have registration enabled:\n  " . join("\n  ", $institutions));
                 throw new AccessDeniedException();
             }
             if (!get_config('usersallowedmultipleinstitutions')) {
                 log_warn("usersuniquebyusername is turned on but usersallowedmultipleinstitutions is off. " . "This makes no sense, as users will then change institution every time they log in from " . "somewhere else. Please turn this setting on in Site Options");
                 throw new AccessDeniedException();
             }
         } else {
             // Without site-wide unique usernames, a lookup by bare username
             // would let users of different identity providers land on each
             // other's accounts, so the 'remoteuser' option is mandatory.
             if (!$isremote) {
                 log_warn("usersuniquebyusername is turned off but remoteuser has not been set on for this institution: {$institutionname}. " . "This is a security risk as users from different institutions with different IdPs can hijack " . "each others accounts.  Fix this in the institution level auth/saml settings.");
                 throw new AccessDeniedException();
             }
         }
         // With 'remoteuser' on, the lookup is scoped to this auth instance;
         // otherwise the local username is matched directly.
         if ($isremote) {
             $user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote);
         } else {
             $user->find_by_username($remoteuser);
         }
         // Suspended accounts stop here with an explanation page.
         if ($user->get('suspendedcusr')) {
             die_info(get_string('accountsuspended', 'mahara', strftime(get_string('strftimedaydate'), $user->get('suspendedctime')), $user->get('suspendedreason')));
         }
         // Only an existing account can be flagged for update; this line is
         // not reached when the lookup above throws.
         if ('1' == $this->config['updateuserinfoonlogin']) {
             $update = true;
         }
     } catch (AuthUnknownUserException $e) {
         if (!empty($this->config['weautocreateusers'])) {
             $institution = new Institution($this->institution);
             if ($institution->isFull()) {
                 $institution->send_admin_institution_is_full_message();
                 // NOTE(review): an XML-RPC exception type is thrown from the
                 // SAML path; confirm the caller handles it.
                 throw new XmlrpcClientException('SSO attempt from ' . $institution->displayname . ' failed - institution is full');
             }
             $user = new User();
             $create = true;
         } else {
             // NOTE(review): the identity-provider-supplied username is
             // written to the log unescaped.
             log_debug("User authorisation request from SAML failed - " . "remote user '{$remoteuser}' is unknown to us and auto creation of users is turned off");
             return false;
         }
     }
     /*******************************************/
     if ($create) {
         $user->passwordchange = 1;
         $user->active = 1;
         $user->deleted = 0;
         $user->expiry = null;
         $user->expirymailsent = 0;
         $user->lastlogin = time();
         $user->firstname = $firstname;
         $user->lastname = $lastname;
         $user->email = $email;
         // must have these values
         // (checked before db_begin(), so a rejected login leaves no
         // half-created account behind)
         if (empty($firstname) || empty($lastname) || empty($email)) {
             throw new AccessDeniedException(get_string('errormissinguserattributes1', 'auth.saml', get_config('sitename')));
         }
         $user->authinstance = empty($this->config['parent']) ? $this->instanceid : $this->parent;
         // Username allocation and account creation share one transaction.
         db_begin();
         // NOTE(review): the second argument is presumably a maximum
         // username length - confirm against get_new_username().
         $user->username = get_new_username($remoteuser, 40);
         $user->id = create_user($user, array(), $institutionname, $this, $remoteuser);
         /*
          * We need to convert the object to a stdclass with its own
          * custom method because it uses overloaders in its implementation
          * and its properties wouldn't be visible to a simple cast operation
          * like (array)$user
          */
         $userobj = $user->to_stdclass();
         // $userarray is not used again in this method.
         $userarray = (array) $userobj;
         db_commit();
         // Now we have fired the create event, we need to re-get the data
         // for this user
         $user = new User();
         $user->find_by_id($userobj->id);
         if (get_config('usersuniquebyusername')) {
             // Add them to the institution they have SSOed in by
             $user->join_institution($institutionname);
         }
     } elseif ($update) {
         // Overwrite local profile fields with the identity provider's
         // values, but only for attributes that arrived non-empty.
         if (!empty($firstname)) {
             set_profile_field($user->id, 'firstname', $firstname);
             $user->firstname = $firstname;
         }
         if (!empty($lastname)) {
             set_profile_field($user->id, 'lastname', $lastname);
             $user->lastname = $lastname;
         }
         if (!empty($email)) {
             set_profile_field($user->id, 'email', $email);
             $user->email = $email;
         }
         $user->lastlastlogin = $user->lastlogin;
         $user->lastlogin = time();
     }
     // Runs on every successful path: created, updated or unchanged.
     $user->commit();
     /*******************************************/
     // We know who our user is now. Bring em back to life.
     // $result is not checked before the session is marked as authenticated.
     $result = $USER->reanimate($user->id, $this->instanceid);
     log_debug("remote user '{$remoteuser}' is now reanimated as '{$USER->username}' ");
     $SESSION->set('authinstance', $this->instanceid);
     return true;
 }