UrlManager::add_user_to_url(api_get_user_id(), $my_url['id']); $url_str .= $my_url['url'] . ' <br />'; } } Display::display_normal_message(get_lang('AdminUserRegisteredToThisURL') . ': ' . $url_str . '<br />', false); } } break; } } Security::clear_token(); } $parameters['sec_token'] = Security::get_token(); // checking if the admin is registered in all sites $url_string = ''; $my_user_url_list = api_get_access_url_from_user(api_get_user_id()); foreach ($url_list as $my_url) { if (!in_array($my_url['id'], $my_user_url_list)) { $url_string .= $my_url['url'] . ' <br />'; } } if (!empty($url_string)) { Display::display_warning_message(get_lang('AdminShouldBeRegisterInSite') . '<br />' . $url_string, false); } // checking the current installation if ($current_access_url_id == -1) { Display::display_warning_message(get_lang('URLNotConfiguredPleaseChangedTo') . ': ' . api_get_path(WEB_PATH)); } elseif (api_is_platform_admin()) { $quant = UrlManager::relation_url_user_exist(api_get_user_id(), $current_access_url_id); if ($quant == 0) { Display::display_warning_message('<a href="' . api_get_self() . '?action=register&sec_token=' . $parameters['sec_token'] . '">' . get_lang('ClickToRegisterAdmin') . '</a>', false);
/**
 * Tells whether a user is a "global" platform admin.
 *
 * A global admin is a platform admin (a row in main.admin, as reported by
 * api_is_platform_admin_by_id()) who is also attached to the principal
 * portal, i.e. has a main.access_url_rel_user record with access_url_id = 1.
 * Used to protect "global" admin scripts: anything else returns false.
 *
 * @param int|null $user_id User id to check; null/0 means the current user
 * @return bool true only for platform admins registered on portal id 1
 *
 * @author Julio Montoya
 */
function api_is_global_platform_admin($user_id = null)
{
    $uid = intval($user_id);
    if (empty($uid)) {
        // No (or zero) id given: check the currently logged-in user instead
        $uid = api_get_user_id();
    }

    // Not a platform admin at all -> certainly not a global one
    if (!api_is_platform_admin_by_id($uid)) {
        return false;
    }

    // A platform admin is "global" only when registered on the principal
    // portal (access_url_id = 1). The membership test is deliberately kept
    // non-strict, as in the original — the ids may come back as strings from
    // the DB layer; confirm before tightening to in_array(..., true).
    $portals = api_get_access_url_from_user($uid);

    return in_array(1, $portals);
}
/**
 * Validates the received active connection data with the database.
 *
 * Flow (legacy SSO variant):
 *  1. Decodes the SSO cookie passed in the query string ($_GET['sso_cookie']).
 *  2. Looks the user up by username in the main user table.
 *  3. For platform-managed accounts, verifies the cookie's "secret" against
 *     either a session-bound tempkey hash or a hash of the stored password.
 *  4. Checks the account is active and not expired, then that the user is
 *     allowed on the current access URL (multi-URL aware; main-portal admins
 *     may log in anywhere).
 *  5. On success writes `_user` to the session, logs the login event and
 *     (for non-admins) redirects; on any failure erases `_uid`, redirects to
 *     index.php with an `error=` code and exits.
 *
 * NOTE(review): $_GET['sso_cookie'] is read without an isset() guard, and the
 * failure redirects expose distinct error codes (`user_not_found` vs
 * `wrong_password`), which lets a caller enumerate valid usernames.
 *
 * @return bool Return the loginFailed variable value to local.inc.php
 *              (only reached on the admin success paths, which do not exit)
 */
public function check_user()
{
    global $_user;
    $loginFailed = false;
    //change the way we recover the cookie depending on how it is formed
    $sso = $this->decode_cookie($_GET['sso_cookie']);
    //error_log('check_user');
    //error_log('sso decode cookie: '.print_r($sso,1));
    //lookup the user in the main database
    $user_table = Database::get_main_table(TABLE_MAIN_USER);
    // NOTE(review): string-built SQL. The username interpolation on this line
    // is garbled in this listing ('******'); confirm the value really goes
    // through Database::escape_string() before it is concatenated here.
    $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status\n FROM {$user_table}\n WHERE username = '******'username'])) . "'";
    $result = Database::query($sql);
    if (Database::num_rows($result) > 0) {
        //error_log('user exists');
        $uData = Database::fetch_array($result);
        //Check the user's password
        if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) {
            //This user's authentification is managed by Chamilo itself
            // check the user's password
            // password hash comes already parsed in sha1, md5 or none
            /* error_log($sso['secret']); error_log($uData['password']); error_log($sso['username']); error_log($uData['username']); */
            global $_configuration;
            // Two possible authentication methods here: legacy using password
            // and new using a temporary, session-fixed, tempkey
            //
            // Precedence: `A && B or C && D` parses as `(A && B) or (C && D)`,
            // so both alternatives do include the username match.
            //
            // NOTE(review): the legacy alternative accepts
            // sha1(<stored password hash>) with no nonce — anyone holding the
            // stored hash (e.g. from a DB dump) can mint a valid, replayable
            // secret. Also `===` on the digests is not constant-time; prefer
            // hash_equals(). The username match uses loose `==`.
            if ($sso['username'] == $uData['username'] && $sso['secret'] === sha1($uData['username'] . Session::read('tempkey') . $_configuration['security_key']) or $sso['secret'] === sha1($uData['password']) && $sso['username'] == $uData['username']) {
                //error_log('user n password are ok');
                //Check if the account is active (not locked)
                if ($uData['active'] == '1') {
                    // check if the expiration date has not been reached
                    // (the zero date means "never expires")
                    if ($uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') {
                        //If Multiple URL is enabled
                        if (api_get_multiple_access_url()) {
                            //Check the access_url configuration setting if
                            // the user is registered in the access_url_rel_user table
                            //Getting the current access_url_id of the platform
                            $current_access_url_id = api_get_current_access_url_id();
                            // my user is subscribed in these
                            //sites: $my_url_list
                            $my_url_list = api_get_access_url_from_user($uData['user_id']);
                        } else {
                            // Single-URL install: everybody belongs to portal 1
                            $current_access_url_id = 1;
                            $my_url_list = array(1);
                        }
                        $my_user_is_admin = UserManager::is_admin($uData['user_id']);
                        if ($my_user_is_admin === false) {
                            if (is_array($my_url_list) && count($my_url_list) > 0) {
                                // non-strict in_array, as elsewhere in this method
                                if (in_array($current_access_url_id, $my_url_list)) {
                                    // the user has permission to enter at this site
                                    $_user['user_id'] = $uData['user_id'];
                                    $_user = api_get_user_info($_user['user_id']);
                                    Session::write('_user', $_user);
                                    event_login();
                                    // Redirect to homepage
                                    // NOTE(review): the default target is
                                    // WEB_PATH . '.index.php' — the leading dot
                                    // looks like a typo (confirm; the intended
                                    // page is presumably 'index.php').
                                    // NOTE(review): $sso['target'] comes straight
                                    // from the decoded cookie and is not checked
                                    // against WEB_PATH — an unvalidated redirect,
                                    // mitigated only by the credential check above.
                                    $sso_target = isset($sso['target']) ? $sso['target'] : api_get_path(WEB_PATH) . '.index.php';
                                    header('Location: ' . $sso_target);
                                    exit;
                                } else {
                                    // user does not have permission for this site
                                    $loginFailed = true;
                                    Session::erase('_uid');
                                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                    exit;
                                }
                            } else {
                                // there is no URL in the multiple
                                // urls list for this user
                                $loginFailed = true;
                                Session::erase('_uid');
                                header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                exit;
                            }
                        } else {
                            //Only admins of the "main" (first) Chamilo
                            // portal can login wherever they want
                            if (in_array(1, $my_url_list)) {
                                //Check if this admin is admin on the
                                // principal portal
                                $_user['user_id'] = $uData['user_id'];
                                $_user = api_get_user_info($_user['user_id']);
                                // NOTE(review): is_platformAdmin is derived from
                                // status == COURSEMANAGER here — confirm this is
                                // the intended status constant for that flag.
                                $is_platformAdmin = $uData['status'] == COURSEMANAGER;
                                Session::write('is_platformAdmin', $is_platformAdmin);
                                Session::write('_user', $_user);
                                event_login();
                                // No redirect/exit on this path: falls through to
                                // `return $loginFailed` (false).
                            } else {
                                //Secondary URL admin wants to login
                                // so we check as a normal user
                                if (in_array($current_access_url_id, $my_url_list)) {
                                    $_user['user_id'] = $uData['user_id'];
                                    $_user = api_get_user_info($_user['user_id']);
                                    Session::write('_user', $_user);
                                    event_login();
                                    // Likewise no redirect here; returns false.
                                } else {
                                    $loginFailed = true;
                                    Session::erase('_uid');
                                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                    exit;
                                }
                            }
                        }
                    } else {
                        // user account expired
                        $loginFailed = true;
                        Session::erase('_uid');
                        header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_expired');
                        exit;
                    }
                } else {
                    //User not active
                    $loginFailed = true;
                    Session::erase('_uid');
                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_inactive');
                    exit;
                }
            } else {
                //SHA1 of password is wrong
                $loginFailed = true;
                Session::erase('_uid');
                header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_password');
                exit;
            }
        } else {
            //Auth_source is wrong
            $loginFailed = true;
            Session::erase('_uid');
            header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_authentication_source');
            exit;
        }
    } else {
        //No user by that login
        $loginFailed = true;
        Session::erase('_uid');
        header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=user_not_found');
        exit;
    }
    return $loginFailed;
}
$extraFields = $uData['extra_fields']; // $update_type = UserManager::get_extra_user_data_by_field($uData['user_id'], 'update_type'); $update_type = isset($extraFields['extra_update_type']) ? $extraFields['extra_update_type'] : null; if (!empty($extAuthSource[$update_type]['updateUser']) && file_exists($extAuthSource[$update_type]['updateUser'])) { include_once $extAuthSource[$update_type]['updateUser']; } // Check if the account is active (not locked) if ($uData['active'] == '1') { // Check if the expiration date has not been reached if ($uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') { global $_configuration; if (isset($_configuration['multiple_access_urls']) && $_configuration['multiple_access_urls']) { //Check if user is an admin $my_user_is_admin = UserManager::is_admin($uData['user_id']); // This user is subscribed in these sites => $my_url_list $my_url_list = api_get_access_url_from_user($uData['user_id']); //Check the access_url configuration setting if the user is registered in the access_url_rel_user table //Getting the current access_url_id of the platform $current_access_url_id = api_get_current_access_url_id(); if ($my_user_is_admin === false) { if (is_array($my_url_list) && count($my_url_list) > 0) { // the user have the permissions to enter at this site if (in_array($current_access_url_id, $my_url_list)) { ConditionalLogin::check_conditions($uData); Session::write('_user', $uData); $logging_in = true; } else { $loginFailed = true; Session::erase('_uid'); $errorMessage = 'access_url_inactive'; }
/**
 * Validates the received active connection data with the database.
 *
 * Flow (challenge-based SSO variant):
 *  1. Decodes the SSO cookie passed in the query string ($_GET['sso_cookie']).
 *  2. Pops the one-time `sso_challenge` from the session (it is unset here so
 *     it cannot be reused).
 *  3. Looks the user up by username in the main user table.
 *  4. For platform-managed accounts, verifies the cookie's "secret" against
 *     sha1(username . challenge . security key).
 *  5. Checks the account is active and not expired, then that the user is
 *     allowed on the current access URL (multi-URL aware; main-portal admins
 *     may log in anywhere).
 *  6. On success writes `_user` to the session, logs the login event and
 *     (for non-admins) redirects; on any failure erases `_uid`, redirects to
 *     index.php with an `error=` code and exits.
 *
 * NOTE(review): $_GET['sso_cookie'] is read without an isset() guard, and the
 * failure redirects expose distinct error codes (`user_not_found` vs
 * `wrong_password`), which lets a caller enumerate valid usernames.
 *
 * @return bool Return the loginFailed variable value to local.inc.php
 *              (only reached on the admin success paths, which do not exit)
 */
public function check_user()
{
    global $_user;
    $loginFailed = false;
    //change the way we recover the cookie depending on how it is formed
    $sso = $this->decode_cookie($_GET['sso_cookie']);
    //get token that should have been used and delete it
    //from session since it can only be used once
    //
    // NOTE(review): when no challenge is in the session, $sso_challenge stays
    // '' and verification still proceeds below — the accepted secret is then
    // sha1(username . security_key), a static, replayable value. A missing
    // challenge should be treated as a failed login instead.
    $sso_challenge = '';
    if (isset($_SESSION['sso_challenge'])) {
        $sso_challenge = $_SESSION['sso_challenge'];
        unset($_SESSION['sso_challenge']);
    }
    //lookup the user in the main database
    $user_table = Database::get_main_table(TABLE_MAIN_USER);
    // NOTE(review): string-built SQL. The username interpolation on this line
    // is garbled in this listing ('******'); confirm the value really goes
    // through Database::escape_string() before it is concatenated here.
    // The row exposes `id` (not `user_id`) — see the secondary-admin branch.
    $sql = "SELECT id, username, password, auth_source, active, expiration_date, status\n FROM {$user_table}\n WHERE username = '******'username'])) . "'";
    $result = Database::query($sql);
    if (Database::num_rows($result) > 0) {
        $uData = Database::fetch_array($result);
        //Check the user's password
        if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) {
            // NOTE(review): `===` on the digests is not constant-time; prefer
            // hash_equals(). The username match uses loose `==`.
            if ($sso['secret'] === sha1($uData['username'] . $sso_challenge . api_get_security_key()) && $sso['username'] == $uData['username']) {
                //Check if the account is active (not locked)
                if ($uData['active'] == '1') {
                    // check if the expiration date has not been reached
                    // (empty or the zero date means "never expires")
                    if (empty($uData['expiration_date']) or $uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') {
                        //If Multiple URL is enabled
                        if (api_get_multiple_access_url()) {
                            //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
                            //Getting the current access_url_id of the platform
                            $current_access_url_id = api_get_current_access_url_id();
                            // my user is subscribed in these
                            //sites: $my_url_list
                            $my_url_list = api_get_access_url_from_user($uData['id']);
                        } else {
                            // Single-URL install: everybody belongs to portal 1
                            $current_access_url_id = 1;
                            $my_url_list = array(1);
                        }
                        $my_user_is_admin = UserManager::is_admin($uData['id']);
                        if ($my_user_is_admin === false) {
                            if (is_array($my_url_list) && count($my_url_list) > 0) {
                                // non-strict in_array, as elsewhere in this method
                                if (in_array($current_access_url_id, $my_url_list)) {
                                    // the user has permission to enter at this site
                                    $_user['user_id'] = $uData['id'];
                                    $_user = api_get_user_info($_user['user_id']);
                                    $_user['uidReset'] = true;
                                    Session::write('_user', $_user);
                                    Event::event_login($_user['user_id']);
                                    // Redirect to homepage
                                    $sso_target = '';
                                    if (!empty($sso['ruri'])) {
                                        //The referrer URI is *only* used if
                                        // the user credentials are OK, which
                                        // should be protection enough
                                        // against evil URL spoofing...
                                        //
                                        // NOTE(review): the base64-decoded value is
                                        // appended to WEB_PATH without any
                                        // validation of its contents.
                                        $sso_target = api_get_path(WEB_PATH) . base64_decode($sso['ruri']);
                                    } else {
                                        // NOTE(review): $sso['target'] comes straight
                                        // from the decoded cookie and is not checked
                                        // against WEB_PATH — an unvalidated redirect,
                                        // mitigated only by the credential check above.
                                        $sso_target = isset($sso['target']) ? $sso['target'] : api_get_path(WEB_PATH) . 'index.php';
                                    }
                                    header('Location: ' . $sso_target);
                                    exit;
                                } else {
                                    // user does not have permission for this site
                                    $loginFailed = true;
                                    Session::erase('_uid');
                                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                    exit;
                                }
                            } else {
                                // there is no URL in the multiple
                                // urls list for this user
                                $loginFailed = true;
                                Session::erase('_uid');
                                header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                exit;
                            }
                        } else {
                            //Only admins of the "main" (first) Chamilo
                            // portal can login wherever they want
                            if (in_array(1, $my_url_list)) {
                                //Check if this admin is admin on the
                                // principal portal
                                $_user['user_id'] = $uData['id'];
                                $_user = api_get_user_info($_user['user_id']);
                                // NOTE(review): is_platformAdmin is derived from
                                // status == COURSEMANAGER here — confirm this is
                                // the intended status constant for that flag.
                                $is_platformAdmin = $uData['status'] == COURSEMANAGER;
                                Session::write('is_platformAdmin', $is_platformAdmin);
                                Session::write('_user', $_user);
                                Event::event_login($_user['user_id']);
                                // No redirect/exit on this path: falls through to
                                // `return $loginFailed` (false).
                            } else {
                                //Secondary URL admin wants to login
                                // so we check as a normal user
                                if (in_array($current_access_url_id, $my_url_list)) {
                                    // BUG(review): the SELECT above returns `id`, not
                                    // `user_id`, so $uData['user_id'] is unset here
                                    // (every other branch uses $uData['id']). This
                                    // should read `$_user['user_id'] = $uData['id'];`
                                    $_user['user_id'] = $uData['user_id'];
                                    $_user = api_get_user_info($_user['user_id']);
                                    Session::write('_user', $_user);
                                    Event::event_login($_user['user_id']);
                                    // Likewise no redirect here; returns false.
                                } else {
                                    $loginFailed = true;
                                    Session::erase('_uid');
                                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                    exit;
                                }
                            }
                        }
                    } else {
                        // user account expired
                        $loginFailed = true;
                        Session::erase('_uid');
                        header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_expired');
                        exit;
                    }
                } else {
                    //User not active
                    $loginFailed = true;
                    Session::erase('_uid');
                    header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_inactive');
                    exit;
                }
            } else {
                //SHA1 of password is wrong
                $loginFailed = true;
                Session::erase('_uid');
                header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_password');
                exit;
            }
        } else {
            //Auth_source is wrong
            $loginFailed = true;
            Session::erase('_uid');
            header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_authentication_source');
            exit;
        }
    } else {
        //No user by that login
        $loginFailed = true;
        Session::erase('_uid');
        header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=user_not_found');
        exit;
    }
    return $loginFailed;
}