// OAuth endpoint dispatcher fragment: routes on PATH_INFO to the request-token,
// access-token and authorise handlers of $server. The '/authorize' branch and
// the enclosing else-chain are not closed within this span — the rest of the
// handler (form submission, closing braces) lives beyond it.
// Normalise a missing PATH_INFO to null so the comparisons below never read an
// undefined index.
!isset($_SERVER['PATH_INFO']) && ($_SERVER['PATH_INFO'] = null);
// Now - what kind of OAuth interaction are we handling?
// NOTE(review): these are loose (==) string comparisons; with PATH_INFO forced
// to null above none of them match, so an unknown path falls through to the
// '/authorize' else-branch's siblings rather than erroring.
if ($_SERVER['PATH_INFO'] == '/request_token') {
    $server->requestToken();
    exit;
}
else {
    if ($_SERVER['PATH_INFO'] == '/access_token') {
        $server->accessToken();
        exit;
    }
    else {
        if ($_SERVER['PATH_INFO'] == '/authorize') {
            # logon
            require_once 'pieforms/pieform.php';
            // The authorise step requires an authenticated user: anonymous
            // callers are shown the login page and this request ends here.
            if (!$USER->is_logged_in()) {
                $form = new Pieform(auth_get_login_form());
                auth_draw_login_page(null, $form);
                exit;
            }
            $rs = null;
            try {
                // Validates the incoming request token; what the returned
                // record contains beyond the two keys used below is not
                // visible here.
                $rs = $server->authorizeVerify();
            }
            catch (OAuthException2 $e) {
                // Reply as text/plain, so the exception text is not rendered
                // as HTML. NOTE(review): the raw exception message is still
                // exposed to the client — confirm it carries nothing sensitive.
                header('HTTP/1.1 400 Bad Request');
                header('Content-Type: text/plain');
                echo "Failed OAuth Request: " . $e->getMessage();
                exit;
            }
            // XXX user must be logged in
            // display what is accessing and ask the user to confirm
            $form = array(
                'renderer' => 'table',
                'type' => 'div',
                'id' => 'maintable',
                'name' => 'authorise',
                'jsform' => false,
                'successcallback' => 'oauth_authorise_submit',
                'elements' => array(
                    // NOTE(review): application_uri and application_title are
                    // concatenated into an 'html' element without hsc() — verify
                    // that authorizeVerify() (or consumer registration) has
                    // already escaped them, otherwise escape them here before
                    // they reach the page.
                    'application_uri' => array(
                        'title' => get_string('application_title', 'auth.webservice'),
                        'value' => '<a href="' . $rs['application_uri'] . '" target="_blank">' . $rs['application_title'] . '</a>',
                        'type' => 'html'
                    ),
                    'application_access' => array(
                        'value' => get_string('oauth_access', 'auth.webservice'),
                        'type' => 'html'
                    ),
                    'instructions' => array(
                        'value' => get_string('oauth_instructions', 'auth.webservice') . "<br/><br/>",
                        'type' => 'html'
                    ),
                    // Cancel returns the user to the site root rather than the
                    // consumer's callback.
                    'submit' => array(
                        'type' => 'submitcancel',
                        'value' => array(get_string('authorise', 'auth.webservice'), get_string('cancel')),
                        'goto' => get_config('wwwroot')
                    )
                )
            );
            $form = pieform($form);
            // … the '/authorize' branch and the enclosing else-chain continue beyond this span …
/**
 * Handles authentication by setting up a session for a user if they are logged
 * in.
 *
 * This function combined with the Session class is smart - if the user is not
 * logged in then they do not get a session, which prevents simple curl hits
 * or search engine crawls to a page from getting sessions they won't use.
 *
 * Once the user has a session, they keep it even if they log out, so it can
 * be reused. The session does expire, but the expiry time is typically a week
 * or more.
 *
 * If the user is not authenticated for this page, then this function will
 * exit, printing the login page. Therefore, after including init.php, you can
 * be sure that the user is logged in, or has a valid guest key. However, no
 * testing is done to make sure the user has the required permissions to see
 * the page.
 *
 * Control flow, in order: (1) bail out on an uninstalled site; (2) open/close
 * the site around upgrades; (3) handle an explicit ?logout or a session that
 * no longer exists in usr_session; (4) for a live session, re-validate
 * admin/staff flags from the database and renew; (5) for an expired session,
 * log the user out and report it per page type (JSON, IFRAME, PUBLIC, normal);
 * (6) with no session, build the login form and either let public pages
 * through or draw the login page.
 *
 * Reads and writes the globals $SESSION and $USER. Returns nothing; several
 * paths end the request via redirect(), json_reply(), auth_draw_login_page()
 * or exit instead of returning.
 */
function auth_setup() {
    global $SESSION, $USER;
    // If the system is not installed, let the user through in the hope that
    // they can fix this little problem :)
    if (!get_config('installed')) {
        $USER->logout();
        return;
    }
    // Lock the site until core upgrades are done
    // NOTE(review): $config is presumably defined by the required version.php —
    // it is not declared in this function.
    require get_config('libroot') . 'version.php';
    $siteclosed = $config->version > get_config('version');
    // Captured before the optional local/version.php include below, so the
    // value written at the end of this section is the core setting.
    $disablelogin = $config->disablelogin;
    if (!$siteclosed && get_config('forcelocalupgrades')) {
        require get_config('docroot') . 'local/version.php';
        $siteclosed = $config->version > get_config('localversion');
    }
    $cfgsiteclosed = get_config('siteclosed');
    // Only touch config when the computed state differs from the stored one.
    if ($siteclosed && !$cfgsiteclosed || !$siteclosed && $cfgsiteclosed) {
        // If the admin closed the site manually, open it automatically
        // when an upgrade is successful.
        if ($cfgsiteclosed && get_config('siteclosedbyadmin')) {
            set_config('siteclosedbyadmin', false);
        }
        set_config('siteclosed', $siteclosed);
        set_config('disablelogin', $disablelogin);
    }
    // Check the time that the session is set to log out. If the user does
    // not have a session, this time will be 0.
    $sessionlogouttime = $USER->get('logout_time');
    // Need to doublecheck that the User's sessionid still has a match the usr_session table
    // It can disappear if the current user has hacked the real user's account and the real user has
    // reset the password clearing the session from usr_session.
    $sessionexists = get_record('usr_session', 'usr', $USER->id, 'session', $USER->get('sessionid'));
    $parentuser = $USER->get('parentuser');
    // Precedence: && binds tighter than ||, so this reads as
    //   (explicit ?logout on a live session)
    //   || (session row gone, a sessionid is set, and not masquerading)
    // The second arm revokes sessions invalidated server-side (e.g. after a
    // password reset); parentuser is skipped so an admin "login as" session is
    // not torn down.
    // NOTE(review): the first arm fires on the mere presence of ?logout with no
    // token check visible here — a cross-site link can force a logout unless
    // that is guarded elsewhere; confirm.
    if ($sessionlogouttime && isset($_GET['logout']) || $sessionexists === false && $USER->get('sessionid') != '' && empty($parentuser)) {
        // Call the authinstance' logout hook
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {
            $authobj = AuthFactory::create($authinstance);
            $authobj->logout();
        }
        else {
            log_debug("Strange: user " . $USER->get('username') . " had no authinstance set in their session");
        }
        // Site-local logout hook, if one is defined.
        if (function_exists('local_logout')) {
            local_logout();
        }
        $USER->logout();
        $SESSION->add_ok_msg(get_string('loggedoutok'));
        redirect();
    }
    if ($sessionlogouttime > time()) {
        // The session is still active, so continue it.
        // Make sure that if a user's admin status has changed, they're kicked
        // out of the admin section
        if (in_admin_section()) {
            // Reload site admin/staff permissions
            // Privilege flags are re-read from the database rather than trusted
            // from the session, so a revoked admin loses access on their next
            // admin-section request.
            // NOTE(review): get_record() returning false (usr row missing) would
            // make the ->admin reads below fail — presumably unreachable for a
            // logged-in user; verify.
            $realuser = get_record('usr', 'id', $USER->id, null, null, null, null, 'admin,staff');
            if (!$USER->get('admin') && $realuser->admin) {
                // The user has been made into an admin
                $USER->admin = 1;
            }
            else {
                if ($USER->get('admin') && !$realuser->admin) {
                    // The user's admin rights have been taken away
                    $USER->admin = 0;
                }
            }
            if (!$USER->get('staff') && $realuser->staff) {
                $USER->staff = 1;
            }
            else {
                if ($USER->get('staff') && !$realuser->staff) {
                    $USER->staff = 0;
                }
            }
            // Reload institutional admin/staff permissions
            $USER->reset_institutions();
            // Enforces access to the admin section with the freshly loaded flags.
            auth_check_admin_section();
        }
        $USER->renew();
        auth_check_required_fields();
    }
    else {
        if ($sessionlogouttime > 0) {
            // The session timed out
            $authinstance = $SESSION->get('authinstance');
            if ($authinstance) {
                $authobj = AuthFactory::create($authinstance);
                $mnetuser = 0;
                if ($SESSION->get('mnetuser') && $authobj->parent) {
                    // We wish to remember that the user is an MNET user - even though
                    // they're using the local login form
                    $mnetuser = $USER->get('id');
                }
                $authobj->logout();
                $USER->logout();
                // Re-seed the two session keys that $USER->logout() would
                // otherwise have dropped, so the MNET link survives re-login.
                if ($mnetuser != 0) {
                    $SESSION->set('mnetuser', $mnetuser);
                    $SESSION->set('authinstance', $authinstance);
                }
            }
            else {
                log_debug("Strange: user " . $USER->get('username') . " had no authinstance set in their session");
            }
            if (defined('JSON')) {
                json_reply('global', get_string('sessiontimedoutreload'), 1);
            }
            if (defined('IFRAME')) {
                header('Content-type: text/html');
                print_auth_frame();
                exit;
            }
            // If the page the user is viewing is public, inform them that they can
            // log in again
            if (defined('PUBLIC')) {
                // @todo this links to ?login - later it should do magic to make
                // sure that whatever GET string is made it includes the old data
                // correctly
                // REQUEST_URI is client-controlled; it is escaped with hsc() before
                // being embedded in the message below — keep that.
                $loginurl = $_SERVER['REQUEST_URI'];
                $loginurl .= false === strpos($loginurl, '?') ? '?'
                    : '&';
                $loginurl .= 'login';
                $SESSION->add_info_msg(get_string('sessiontimedoutpublic', 'mahara', hsc($loginurl)), false);
                return;
            }
            auth_draw_login_page(get_string('sessiontimedout'));
        }
        else {
            // There is no session, so we check to see if one needs to be started.
            // Build login form. If the form is submitted it will be handled here,
            // and set $USER for us (this will happen when users hit a page and
            // specify login data immediately
            require_once 'pieforms/pieform.php';
            $form = new Pieform(auth_get_login_form());
            $SESSION->loginform = $form;
            // Constructing the Pieform above processes a submitted login, so
            // $USER may now be authenticated.
            if ($USER->is_logged_in()) {
                return;
            }
            // Check if the page is public or the site is configured to be public.
            // ?login forces the login page even on public pages.
            if (defined('PUBLIC') && !isset($_GET['login'])) {
                // Anonymous visitors may still pick a language; the value is
                // read through param_alphanumext(), which constrains it.
                if ($lang = param_alphanumext('lang', null)) {
                    $SESSION->set('lang', $lang);
                }
                return;
            }
            // No session and a json request
            if (defined('JSON')) {
                json_reply('global', get_string('nosessionreload'), 1);
            }
            auth_draw_login_page(null, $form);
            exit;
        }
    }
}
/**
 * Handles authentication by setting up a session for a user if they are logged
 * in.
 *
 * This function combined with the Session class is smart - if the user is not
 * logged in then they do not get a session, which prevents simple curl hits
 * or search engine crawls to a page from getting sessions they won't use.
 *
 * Once the user has a session, they keep it even if they log out, so it can
 * be reused. The session does expire, but the expiry time is typically a week
 * or more.
 *
 * If the user is not authenticated for this page, then this function will
 * exit, printing the login page. Therefore, after including init.php, you can
 * be sure that the user is logged in, or has a valid guest key. However, no
 * testing is done to make sure the user has the required permissions to see
 * the page.
 *
 * Control flow, in order: (1) bail out on an uninstalled site; (2) open/close
 * the site around upgrades; (3) handle an explicit ?logout; (4) for a live
 * session, re-validate site admin (ADMIN pages) or institutional admin
 * (INSTITUTIONALADMIN pages) status from the database, then renew; (5) for an
 * expired session, log the user out and report it per page type (JSON,
 * IFRAME, PUBLIC, normal); (6) with no session, build the login form and
 * either let public pages through or draw the login page.
 *
 * Reads and writes the globals $SESSION and $USER. Returns nothing; several
 * paths end the request via redirect(), json_reply(), auth_draw_login_page()
 * or exit instead of returning.
 */
function auth_setup() {
    global $SESSION, $USER;
    // If the system is not installed, let the user through in the hope that
    // they can fix this little problem :)
    if (!get_config('installed')) {
        $USER->logout();
        return;
    }
    // Lock the site until core upgrades are done
    // NOTE(review): $config is presumably defined by the required version.php —
    // it is not declared in this function.
    require get_config('libroot') . 'version.php';
    $siteclosed = $config->version > get_config('version');
    $cfgsiteclosed = get_config('siteclosed');
    // Only touch config when the computed state differs from the stored one.
    if ($siteclosed && !$cfgsiteclosed || !$siteclosed && $cfgsiteclosed) {
        set_config('siteclosed', $siteclosed);
        // Logins are disabled only while closing for an upgrade; nothing here
        // re-enables them when the site reopens.
        if ($config->disablelogin && $siteclosed) {
            set_config('disablelogin', 1);
        }
    }
    // Check the time that the session is set to log out. If the user does
    // not have a session, this time will be 0.
    $sessionlogouttime = $USER->get('logout_time');
    // NOTE(review): logout fires on the mere presence of ?logout with no token
    // check visible here — a cross-site link can force a logout unless that is
    // guarded elsewhere; confirm.
    if ($sessionlogouttime && isset($_GET['logout'])) {
        // Call the authinstance' logout hook
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {
            $authobj = AuthFactory::create($authinstance);
            $authobj->logout();
        }
        else {
            log_debug("Strange: user " . $USER->get('username') .
                " had no authinstance set in their session");
        }
        $USER->logout();
        $SESSION->add_ok_msg(get_string('loggedoutok'));
        redirect();
    }
    if ($sessionlogouttime > time()) {
        // The session is still active, so continue it.
        // Make sure that if a user's admin status has changed, they're kicked
        // out of the admin section
        if (defined('ADMIN')) {
            // Admin status is re-read from the database rather than trusted
            // from the session, so a revoked admin is bounced on their next
            // admin-page request.
            $userreallyadmin = get_field('usr', 'admin', 'id', $USER->id);
            if (!$USER->get('admin') && $userreallyadmin) {
                // The user has been made into an admin
                $USER->admin = 1;
            }
            else {
                if ($USER->get('admin') && !$userreallyadmin) {
                    // The user's admin rights have been taken away
                    $USER->admin = 0;
                }
            }
            if (!$USER->get('admin')) {
                $SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
                redirect();
            }
        }
        else {
            // Site admins skip the institutional check entirely.
            if (defined('INSTITUTIONALADMIN') && !$USER->get('admin')) {
                // Same pattern for institutional admins: the set of institutions
                // the user administers is re-read from usr_institution.
                $userreallyadminfor = get_column('usr_institution', 'institution', 'usr', $USER->id, 'admin', 1);
                if (!$USER->is_institutional_admin() && !empty($userreallyadminfor)) {
                    $USER->set_admin_institutions($userreallyadminfor);
                }
                else {
                    if ($USER->is_institutional_admin() && empty($userreallyadminfor)) {
                        $USER->set_admin_institutions(array());
                    }
                }
                if (!$USER->is_institutional_admin()) {
                    $SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
                    redirect();
                }
            }
        }
        $USER->renew();
        auth_check_password_change();
        auth_check_required_fields();
    }
    else {
        if ($sessionlogouttime > 0) {
            // The session timed out
            $authinstance = $SESSION->get('authinstance');
            if ($authinstance) {
                $authobj = AuthFactory::create($authinstance);
                $mnetuser = 0;
                if ($SESSION->get('mnetuser') && $authobj->parent) {
                    // We wish to remember that the user is an MNET user - even though
                    // they're using the local login form
                    $mnetuser = $USER->get('id');
                }
                $authobj->logout();
                $USER->logout();
                // Re-seed the two session keys that $USER->logout() would
                // otherwise have dropped, so the MNET link survives re-login.
                if ($mnetuser != 0) {
                    $SESSION->set('mnetuser', $mnetuser);
                    $SESSION->set('authinstance', $authinstance);
                }
            }
            else {
                log_debug("Strange: user " . $USER->get('username') .
                    " had no authinstance set in their session");
            }
            if (defined('JSON')) {
                json_reply('global', get_string('sessiontimedoutreload'), 1);
            }
            if (defined('IFRAME')) {
                // Static markup with no request data interpolated; it only asks
                // the parent window to show its login form.
                $frame = '<html><head></head><body onload="parent.show_login_form(\'ajaxlogin_iframe\')"></body></html>';
                header('Content-type: text/html');
                echo $frame;
                exit;
            }
            // If the page the user is viewing is public, inform them that they can
            // log in again
            if (defined('PUBLIC')) {
                // @todo this links to ?login - later it should do magic to make
                // sure that whatever GET string is made it includes the old data
                // correctly
                // REQUEST_URI is client-controlled; it is escaped with hsc() before
                // being embedded in the message below — keep that.
                $loginurl = $_SERVER['REQUEST_URI'];
                $loginurl .= false === strpos($loginurl, '?') ? '?' : '&';
                $loginurl .= 'login';
                $SESSION->add_info_msg(get_string('sessiontimedoutpublic', 'mahara', hsc($loginurl)), false);
                return;
            }
            auth_draw_login_page(get_string('sessiontimedout'));
        }
        else {
            // There is no session, so we check to see if one needs to be started.
            // Build login form. If the form is submitted it will be handled here,
            // and set $USER for us (this will happen when users hit a page and
            // specify login data immediately
            require_once 'pieforms/pieform.php';
            $form = new Pieform(auth_get_login_form());
            // Constructing the Pieform above processes a submitted login, so
            // $USER may now be authenticated.
            if ($USER->is_logged_in()) {
                return;
            }
            // Check if the page is public or the site is configured to be public.
            // ?login forces the login page even on public pages.
            if (defined('PUBLIC') && !isset($_GET['login'])) {
                return;
            }
            // No session and a json request
            if (defined('JSON')) {
                json_reply('global', get_string('nosessionreload'), 1);
            }
            auth_draw_login_page(null, $form);
            exit;
        }
    }
}