// Guarantee the key exists so later comparisons against PATH_INFO never
// read an undefined index; a missing value becomes null.
if (!isset($_SERVER['PATH_INFO'])) {
    $_SERVER['PATH_INFO'] = null;
}
// Now - what kind of OAuth interaction are we handling?
if ($_SERVER['PATH_INFO'] == '/request_token') {
    $server->requestToken();
    exit;
} else {
    if ($_SERVER['PATH_INFO'] == '/access_token') {
        $server->accessToken();
        exit;
    } else {
        if ($_SERVER['PATH_INFO'] == '/authorize') {
            # logon
            require_once 'pieforms/pieform.php';
            if (!$USER->is_logged_in()) {
                $form = new Pieform(auth_get_login_form());
                auth_draw_login_page(null, $form);
                exit;
            }
            $rs = null;
            try {
                $rs = $server->authorizeVerify();
            } catch (OAuthException2 $e) {
                header('HTTP/1.1 400 Bad Request');
                header('Content-Type: text/plain');
                echo "Failed OAuth Request: " . $e->getMessage();
                exit;
            }
            // XXX user must be logged in
            // display what is accessing and ask the user to confirm
            $form = array('renderer' => 'table', 'type' => 'div', 'id' => 'maintable', 'name' => 'authorise', 'jsform' => false, 'successcallback' => 'oauth_authorise_submit', 'elements' => array('application_uri' => array('title' => get_string('application_title', 'auth.webservice'), 'value' => '<a href="' . $rs['application_uri'] . '" target="_blank">' . $rs['application_title'] . '</a>', 'type' => 'html'), 'application_access' => array('value' => get_string('oauth_access', 'auth.webservice'), 'type' => 'html'), 'instructions' => array('value' => get_string('oauth_instructions', 'auth.webservice') . "<br/><br/>", 'type' => 'html'), 'submit' => array('type' => 'submitcancel', 'value' => array(get_string('authorise', 'auth.webservice'), get_string('cancel')), 'goto' => get_config('wwwroot'))));
            $form = pieform($form);
/**
 * Establishes, renews or tears down the current user's session for this
 * request, drawing the login page when the page requires authentication.
 *
 * Order of operations:
 *   1. Uninstalled site: log the user out and return so the install can go on.
 *   2. Reconcile the stored 'siteclosed' / 'disablelogin' settings with the
 *      versions shipped in version.php (core, then local/ when
 *      'forcelocalupgrades' is set).
 *   3. An explicit ?logout request, or a session id that no longer has a
 *      matching usr_session row, logs the user out and redirects.
 *   4. Active session: renew it (and, inside the admin section, refresh the
 *      admin/staff flags from the usr table), then check required fields.
 *      Expired session: log out, then reply according to the request type
 *      (JSON, IFRAME, PUBLIC) or draw the login page.
 *      No session: build the login form; return if already logged in or the
 *      page is public, otherwise draw the login page and exit.
 *
 * No check is made here that the user is allowed to view the requested page.
 *
 * NOTE(review): the logout in step 3 is triggered by the bare GET parameter
 * `logout`; no anti-CSRF token is checked in this function, so a link from
 * any site can end a session.
 *
 * @return void
 */
function auth_setup()
{
    global $SESSION, $USER;

    // Nothing to authenticate against until the install has completed; let
    // the user through so they can finish it.
    if (!get_config('installed')) {
        $USER->logout();
        return;
    }

    // A shipped version newer than the stored one means an upgrade is pending
    // and the site stays closed. The core version.php also supplies the
    // disablelogin flag, captured before a local version.php may replace $config.
    require get_config('libroot') . 'version.php';
    $upgradePending = $config->version > get_config('version');
    $disablelogin   = $config->disablelogin;
    if (!$upgradePending && get_config('forcelocalupgrades')) {
        require get_config('docroot') . 'local/version.php';
        $upgradePending = $config->version > get_config('localversion');
    }

    $storedClosed = get_config('siteclosed');
    // Only write config when the computed state and the stored flag disagree.
    if ((bool) $upgradePending !== (bool) $storedClosed) {
        // A site closed by hand is reopened automatically once the upgrade
        // has gone through.
        if ($storedClosed && get_config('siteclosedbyadmin')) {
            set_config('siteclosedbyadmin', false);
        }
        set_config('siteclosed', $upgradePending);
        set_config('disablelogin', $disablelogin);
    }

    // 0 when the user has no session at all.
    $logoutAt = $USER->get('logout_time');

    // The usr_session row can vanish underneath a live session (e.g. the real
    // account owner reset their password, which clears usr_session), so
    // confirm the session id is still on record before trusting it.
    $sessionRow = get_record('usr_session', 'usr', $USER->id, 'session', $USER->get('sessionid'));
    $parentuser = $USER->get('parentuser');

    $explicitLogout = $logoutAt && isset($_GET['logout']);
    $sessionRevoked = $sessionRow === false && $USER->get('sessionid') != '' && empty($parentuser);

    if ($explicitLogout || $sessionRevoked) {
        // Let the auth plugin clean up first, then the local hook, then us.
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {
            AuthFactory::create($authinstance)->logout();
        } else {
            log_debug("Strange: user " . $USER->get('username') . " had no authinstance set in their session");
        }
        if (function_exists('local_logout')) {
            local_logout();
        }
        $USER->logout();
        $SESSION->add_ok_msg(get_string('loggedoutok'));
        redirect();
    }

    if ($logoutAt > time()) {
        // Live session. Inside the admin area, re-read the admin/staff flags
        // so a change made elsewhere takes effect now rather than at next login.
        if (in_admin_section()) {
            // NOTE(review): get_record is assumed to return a row here; a
            // missing usr row would make $realuser false.
            $realuser = get_record('usr', 'id', $USER->id, null, null, null, null, 'admin,staff');
            if (!$USER->get('admin') && $realuser->admin) {
                $USER->admin = 1;
            } elseif ($USER->get('admin') && !$realuser->admin) {
                $USER->admin = 0;
            }
            if (!$USER->get('staff') && $realuser->staff) {
                $USER->staff = 1;
            } elseif ($USER->get('staff') && !$realuser->staff) {
                $USER->staff = 0;
            }
            // Institutional admin/staff rights are refreshed the same way.
            $USER->reset_institutions();
            auth_check_admin_section();
        }
        $USER->renew();
        auth_check_required_fields();
        return;
    }

    if ($logoutAt > 0) {
        // The session has expired: log out through the auth plugin.
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {
            $authobj = AuthFactory::create($authinstance);
            // Keep track of MNET users across the logout even though they
            // are about to be shown the local login form.
            $mnetuser = ($SESSION->get('mnetuser') && $authobj->parent) ? $USER->get('id') : 0;
            $authobj->logout();
            $USER->logout();
            if ($mnetuser != 0) {
                $SESSION->set('mnetuser', $mnetuser);
                $SESSION->set('authinstance', $authinstance);
            }
        } else {
            log_debug("Strange: user " . $USER->get('username') . " had no authinstance set in their session");
        }

        if (defined('JSON')) {
            json_reply('global', get_string('sessiontimedoutreload'), 1);
        }
        if (defined('IFRAME')) {
            header('Content-type: text/html');
            print_auth_frame();
            exit;
        }
        // Public page: just tell the user they can log in again via ?login.
        // @todo the link should carry the existing GET string across correctly
        if (defined('PUBLIC')) {
            $loginurl  = $_SERVER['REQUEST_URI'];
            $loginurl .= (strpos($loginurl, '?') === false ? '?' : '&') . 'login';
            $SESSION->add_info_msg(get_string('sessiontimedoutpublic', 'mahara', hsc($loginurl)), false);
            return;
        }
        auth_draw_login_page(get_string('sessiontimedout'));
        return;
    }

    // No session at all. Building the login form also processes a submitted
    // login, which may set $USER before is_logged_in() is consulted below.
    require_once 'pieforms/pieform.php';
    $form = new Pieform(auth_get_login_form());
    $SESSION->loginform = $form;
    if ($USER->is_logged_in()) {
        return;
    }

    // Public page without an explicit ?login: remember a requested language
    // and carry on anonymously.
    if (defined('PUBLIC') && !isset($_GET['login'])) {
        $lang = param_alphanumext('lang', null);
        if ($lang) {
            $SESSION->set('lang', $lang);
        }
        return;
    }

    // No session and a JSON request.
    if (defined('JSON')) {
        json_reply('global', get_string('nosessionreload'), 1);
    }
    auth_draw_login_page(null, $form);
    exit;
}
/**
 * Establishes, renews or tears down the current user's session for this
 * request, drawing the login page when the page requires authentication.
 *
 * Order of operations:
 *   1. Uninstalled site: log the user out and return so the install can go on.
 *   2. Reconcile the stored 'siteclosed' setting (and 'disablelogin' while
 *      closed) with the version shipped in version.php.
 *   3. An explicit ?logout request logs the user out and redirects.
 *   4. Active session: under ADMIN, refresh the site-admin flag from the usr
 *      table and redirect non-admins away; under INSTITUTIONALADMIN, refresh
 *      institutional admin rights likewise. Then renew the session and run the
 *      password-change and required-fields checks.
 *      Expired session: log out, then reply according to the request type
 *      (JSON, IFRAME, PUBLIC) or draw the login page.
 *      No session: build the login form; return if already logged in or the
 *      page is public, otherwise draw the login page and exit.
 *
 * No check is made here that the user is allowed to view the requested page.
 *
 * NOTE(review): the logout in step 3 is triggered by the bare GET parameter
 * `logout`; no anti-CSRF token is checked in this function, so a link from
 * any site can end a session.
 *
 * @return void
 */
function auth_setup()
{
    global $SESSION, $USER;

    // Nothing to authenticate against until the install has completed; let
    // the user through so they can finish it.
    if (!get_config('installed')) {
        $USER->logout();
        return;
    }

    // A shipped version newer than the stored one means an upgrade is pending
    // and the site stays closed.
    require get_config('libroot') . 'version.php';
    $upgradePending = $config->version > get_config('version');
    $storedClosed   = get_config('siteclosed');

    // Only write config when the computed state and the stored flag disagree.
    if ((bool) $upgradePending !== (bool) $storedClosed) {
        set_config('siteclosed', $upgradePending);
        if ($config->disablelogin && $upgradePending) {
            set_config('disablelogin', 1);
        }
    }

    // 0 when the user has no session at all.
    $logoutAt = $USER->get('logout_time');

    if ($logoutAt && isset($_GET['logout'])) {
        // Let the auth plugin clean up first, then log out locally.
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {
            AuthFactory::create($authinstance)->logout();
        } else {
            log_debug("Strange: user " . $USER->get('username') . " had no authinstance set in their session");
        }
        $USER->logout();
        $SESSION->add_ok_msg(get_string('loggedoutok'));
        redirect();
    }

    if ($logoutAt > time()) {
        // Live session. In the admin areas, re-read the relevant admin flag so
        // a change made elsewhere takes effect now rather than at next login.
        if (defined('ADMIN')) {
            $reallyAdmin = get_field('usr', 'admin', 'id', $USER->id);
            if (!$USER->get('admin') && $reallyAdmin) {
                $USER->admin = 1;
            } elseif ($USER->get('admin') && !$reallyAdmin) {
                $USER->admin = 0;
            }
            if (!$USER->get('admin')) {
                $SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
                redirect();
            }
        } elseif (defined('INSTITUTIONALADMIN') && !$USER->get('admin')) {
            $adminFor = get_column('usr_institution', 'institution', 'usr', $USER->id, 'admin', 1);
            if (!$USER->is_institutional_admin() && !empty($adminFor)) {
                $USER->set_admin_institutions($adminFor);
            } elseif ($USER->is_institutional_admin() && empty($adminFor)) {
                $USER->set_admin_institutions(array());
            }
            if (!$USER->is_institutional_admin()) {
                $SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
                redirect();
            }
        }
        $USER->renew();
        auth_check_password_change();
        auth_check_required_fields();
        return;
    }

    if ($logoutAt > 0) {
        // The session has expired: log out through the auth plugin.
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {
            $authobj = AuthFactory::create($authinstance);
            // Keep track of MNET users across the logout even though they
            // are about to be shown the local login form.
            $mnetuser = ($SESSION->get('mnetuser') && $authobj->parent) ? $USER->get('id') : 0;
            $authobj->logout();
            $USER->logout();
            if ($mnetuser != 0) {
                $SESSION->set('mnetuser', $mnetuser);
                $SESSION->set('authinstance', $authinstance);
            }
        } else {
            log_debug("Strange: user " . $USER->get('username') . " had no authinstance set in their session");
        }

        if (defined('JSON')) {
            json_reply('global', get_string('sessiontimedoutreload'), 1);
        }
        if (defined('IFRAME')) {
            // Minimal document whose onload asks the parent window to show
            // the login form.
            header('Content-type: text/html');
            echo '<html><head></head><body onload="parent.show_login_form(\'ajaxlogin_iframe\')"></body></html>';
            exit;
        }
        // Public page: just tell the user they can log in again via ?login.
        // @todo the link should carry the existing GET string across correctly
        if (defined('PUBLIC')) {
            $loginurl  = $_SERVER['REQUEST_URI'];
            $loginurl .= (strpos($loginurl, '?') === false ? '?' : '&') . 'login';
            $SESSION->add_info_msg(get_string('sessiontimedoutpublic', 'mahara', hsc($loginurl)), false);
            return;
        }
        auth_draw_login_page(get_string('sessiontimedout'));
        return;
    }

    // No session at all. Building the login form also processes a submitted
    // login, which may set $USER before is_logged_in() is consulted below.
    require_once 'pieforms/pieform.php';
    $form = new Pieform(auth_get_login_form());
    if ($USER->is_logged_in()) {
        return;
    }

    // Public page without an explicit ?login: carry on anonymously.
    if (defined('PUBLIC') && !isset($_GET['login'])) {
        return;
    }

    // No session and a JSON request.
    if (defined('JSON')) {
        json_reply('global', get_string('nosessionreload'), 1);
    }
    auth_draw_login_page(null, $form);
    exit;
}