Exemple #1
 /**
  * Authenticate user using username+password or token.
  * This function sets up $USER global.
  * It is safe to use has_capability() after this.
  * This method also verifies user is allowed to use this
  * server.
  * @return void
  */
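 protected function authenticate_user()
 {
     global $CFG, $DB;
     // Web service entry points must run with cookies disabled; anything else is a coding error.
     if (!NO_MOODLE_COOKIES) {
         throw new coding_exception('Cookies must be disabled in WS servers!');
     }
     if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
         // The 'webservice' auth plugin is only required by simple (username + password)
         // authentication, so it is checked on this branch only.
         if (!is_enabled_auth('webservice')) {
             throw new webservice_access_exception(get_string('wsauthnotenabled', 'webservice'));
         }
         if (!($auth = get_auth_plugin('webservice'))) {
             throw new webservice_access_exception(get_string('wsauthmissing', 'webservice'));
         }
         $this->restricted_context = get_context_instance(CONTEXT_SYSTEM);
         if (!$this->username) {
             throw new webservice_access_exception(get_string('missingusername', 'webservice'));
         }
         if (!$this->password) {
             throw new webservice_access_exception(get_string('missingpassword', 'webservice'));
         }
         if (!$auth->user_login_webservice($this->username, $this->password)) {
             // Log failed login attempts with the username and remote address only.
             // The submitted password is deliberately kept out of the log: a failed attempt
             // is often a near-miss of the real password, and anyone able to read the log
             // table (or a backup of it) would otherwise recover credentials in clear text.
             add_to_log(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '', get_string('failedtolog', 'webservice') . ": " . $this->username . " - " . getremoteaddr(), 0);
             throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
         }
         // MUST_EXIST: a missing, deleted or non-local account raises an exception instead of returning false.
         $user = $DB->get_record('user', array('username' => $this->username, 'mnethostid' => $CFG->mnet_localhost_id, 'deleted' => 0), '*', MUST_EXIST);
     } else {
         // Token-based authentication; the token lookup itself lives in authenticate_by_token().
         // NOTE(review): $this->restricted_context is not assigned on this branch here - presumably
         // authenticate_by_token() sets it; confirm, because the capability check below depends on it.
         if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
         } else {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
         }
     }
     // NOTE(review): no suspended/unconfirmed/expired-credential check is visible in this method;
     // verify that the auth plugin and authenticate_by_token() refuse such accounts.
     // Now fake the user login; the session is completely empty too.
     session_set_user($user);
     $this->userid = $user->id;
     // The protocol capability is checked without an explicit user argument, i.e. for the user
     // just installed by session_set_user(). Session-token authentication skips this check.
     if ($this->authmethod != WEBSERVICE_AUTHMETHOD_SESSION_TOKEN && !has_capability("webservice/{$this->wsname}:use", $this->restricted_context)) {
         throw new webservice_access_exception(get_string('accessnotallowed', 'webservice'));
     }
     external_api::set_context_restriction($this->restricted_context);
 }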
Exemple #2
 /**
  * Authenticate user using username+password or token.
  * This function sets up $USER global.
  * It is safe to use has_capability() after this.
  * This method also verifies user is allowed to use this
  * server.
  */
 protected function authenticate_user()
 {
     global $CFG, $DB;
     // Web service entry points must run with cookies disabled; anything else is a coding error.
     if (!NO_MOODLE_COOKIES) {
         throw new coding_exception('Cookies must be disabled in WS servers!');
     }
     // Template for every webservice_login_failed event raised below; each failure path copies it
     // and fills in 'reason' and 'username'.
     $loginfaileddefaultparams = array('context' => context_system::instance(), 'other' => array('method' => $this->authmethod, 'reason' => null));
     if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
         // The 'webservice' auth plugin is only required by simple (username + password)
         // authentication, so it is checked on this branch only.
         if (!is_enabled_auth('webservice')) {
             throw new webservice_access_exception('The web service authentication plugin is disabled.');
         }
         if (!($auth = get_auth_plugin('webservice'))) {
             throw new webservice_access_exception('The web service authentication plugin is missing.');
         }
         $this->restricted_context = context_system::instance();
         if (!$this->username) {
             throw new moodle_exception('missingusername', 'webservice');
         }
         if (!$this->password) {
             throw new moodle_exception('missingpassword', 'webservice');
         }
         if (!$auth->user_login_webservice($this->username, $this->password)) {
             // Log failed login attempts.
             $params = $loginfaileddefaultparams;
             $params['other']['reason'] = 'password';
             $params['other']['username'] = $this->username;
             $event = \core\event\webservice_login_failed::create($params);
             // NOTE(review): the legacy log data below still concatenates $this->password, so the
             // submitted (often nearly correct) password is handed to the logging layer in clear
             // text. The event parameters above carry only the username; the legacy entry should
             // be limited to username and remote address as well.
             $event->set_legacy_logdata(array(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '', get_string('failedtolog', 'webservice') . ": " . $this->username . "/" . $this->password . " - " . getremoteaddr(), 0));
             $event->trigger();
             throw new moodle_exception('wrongusernamepassword', 'webservice');
         }
         // MUST_EXIST: a missing or non-local account raises an exception instead of returning false.
         $user = $DB->get_record('user', array('username' => $this->username, 'mnethostid' => $CFG->mnet_localhost_id), '*', MUST_EXIST);
     } else {
         // Token-based authentication; the token lookup itself lives in authenticate_by_token().
         if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
         } else {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
         }
     }
     // Non-admins cannot authenticate while the site is in maintenance mode.
     $hassiteconfig = has_capability('moodle/site:config', context_system::instance(), $user);
     if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
         throw new moodle_exception('sitemaintenance', 'admin');
     }
     // Deleted users must not be able to call web services.
     if (!empty($user->deleted)) {
         $params = $loginfaileddefaultparams;
         $params['other']['reason'] = 'user_deleted';
         $params['other']['username'] = $user->username;
         $event = \core\event\webservice_login_failed::create($params);
         $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
         $event->trigger();
         // NOTE(review): this listing is damaged from here on - the '******' runs on the throw
         // lines are not valid PHP and the text between the quotes has been lost (here, apparently
         // the end of the deleted-user check and the start of the unconfirmed-user check).
         // Do not treat this example as runnable code.
         throw new webservice_access_exception('Refused web service access for deleted username: '******'other']['reason'] = 'user_unconfirmed';
         $params['other']['username'] = $user->username;
         $event = \core\event\webservice_login_failed::create($params);
         $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
         $event->trigger();
         throw new moodle_exception('wsaccessuserunconfirmed', 'webservice', '', $user->username);
     }
     // Suspended users are refused.
     if (!empty($user->suspended)) {
         $params = $loginfaileddefaultparams;
         // NOTE(review): the reason recorded for a suspended account is 'user_unconfirmed', which
         // looks like a copy-paste slip; anything filtering login-failure events by reason would
         // misclassify suspensions. Presumably a distinct suspended reason was intended - confirm.
         $params['other']['reason'] = 'user_unconfirmed';
         $params['other']['username'] = $user->username;
         $event = \core\event\webservice_login_failed::create($params);
         $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
         $event->trigger();
         // Damaged line (see the note above the first '******' occurrence).
         throw new webservice_access_exception('Refused web service access for suspended username: '******'other']['reason'] = 'password_expired';
             $params['other']['username'] = $user->username;
             $event = \core\event\webservice_login_failed::create($params);
             $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
             $event->trigger();
             throw new webservice_access_exception('Refused web service access for password expired username: '******'nologin') {
         $params = $loginfaileddefaultparams;
         $params['other']['reason'] = 'login';
         $params['other']['username'] = $user->username;
         $event = \core\event\webservice_login_failed::create($params);
         $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
         $event->trigger();
         throw new webservice_access_exception('Refused web service access for nologin authentication username: '******'You are not allowed to use the {$a} protocol (missing capability: webservice/' . $this->wsname . ':use)');
     }
     // Restrict all subsequent external API calls to the context established during authentication.
     external_api::set_context_restriction($this->restricted_context);
 }
 /**
  * Authenticate user using username+password or token.
  * This function sets up $USER global.
  * It is safe to use has_capability() after this.
  * This method also verifies user is allowed to use this
  * server.
  */
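 protected function authenticate_user()
 {
     global $CFG, $DB;
     // Web service entry points must run with cookies disabled; anything else is a coding error.
     if (!NO_MOODLE_COOKIES) {
         throw new coding_exception('Cookies must be disabled in WS servers!');
     }
     if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
         // The 'webservice' auth plugin is only required by simple (username + password)
         // authentication, so it is checked on this branch only.
         if (!is_enabled_auth('webservice')) {
             throw new webservice_access_exception(get_string('wsauthnotenabled', 'webservice'));
         }
         if (!($auth = get_auth_plugin('webservice'))) {
             throw new webservice_access_exception(get_string('wsauthmissing', 'webservice'));
         }
         $this->restricted_context = get_context_instance(CONTEXT_SYSTEM);
         if (!$this->username) {
             throw new webservice_access_exception(get_string('missingusername', 'webservice'));
         }
         if (!$this->password) {
             throw new webservice_access_exception(get_string('missingpassword', 'webservice'));
         }
         if (!$auth->user_login_webservice($this->username, $this->password)) {
             // Log failed login attempts with the username and remote address only.
             // The submitted password is deliberately kept out of the log: a failed attempt
             // is often a near-miss of the real password, and anyone able to read the log
             // table (or a backup of it) would otherwise recover credentials in clear text.
             add_to_log(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '', get_string('failedtolog', 'webservice') . ": " . $this->username . " - " . getremoteaddr(), 0);
             throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
         }
         // MUST_EXIST: a missing or non-local account raises an exception instead of returning false.
         // Deleted accounts are not filtered here; they are refused by the explicit check below.
         $user = $DB->get_record('user', array('username' => $this->username, 'mnethostid' => $CFG->mnet_localhost_id), '*', MUST_EXIST);
     } else {
         // Token-based authentication; the token lookup itself lives in authenticate_by_token().
         // NOTE(review): $this->restricted_context is not assigned on this branch here - presumably
         // authenticate_by_token() sets it; confirm, because the capability check below depends on it.
         if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
         } else {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
         }
     }
     // The account-state checks below apply to both the password and the token path, so a
     // still-valid token does not outlive the suspension or deletion of its owner.
     // Non-admins cannot authenticate while the site is in maintenance mode.
     $hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
     if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
         throw new webservice_access_exception(get_string('sitemaintenance', 'admin'));
     }
     // Deleted users must not be able to call web services.
     if (!empty($user->deleted)) {
         add_to_log(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id);
         throw new webservice_access_exception(get_string('wsaccessuserdeleted', 'webservice', $user->username));
     }
     // Only confirmed users should be able to call web services.
     if (empty($user->confirmed)) {
         add_to_log(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id);
         throw new webservice_access_exception(get_string('wsaccessuserunconfirmed', 'webservice', $user->username));
     }
     // Suspended users are refused.
     if (!empty($user->suspended)) {
         add_to_log(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id);
         throw new webservice_access_exception(get_string('wsaccessusersuspended', 'webservice', $user->username));
     }
     // Retrieve the user's own authentication plugin if the password branch did not already load one.
     if (empty($auth)) {
         $auth = get_auth_plugin($user->auth);
     }
     // Check whether the credentials have expired (only when the plugin has expiration switched on).
     if (!empty($auth->config->expiration) and $auth->config->expiration == 1) {
         $days2expire = $auth->password_expire($user->username);
         if (intval($days2expire) < 0) {
             add_to_log(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id);
             throw new webservice_access_exception(get_string('wsaccessuserexpired', 'webservice', $user->username));
         }
     }
     // Accounts whose auth method is 'nologin' are always refused.
     if ($user->auth == 'nologin') {
         add_to_log(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id);
         throw new webservice_access_exception(get_string('wsaccessusernologin', 'webservice', $user->username));
     }
     // Now fake the user login; the session is completely empty too.
     enrol_check_plugins($user);
     session_set_user($user);
     $this->userid = $user->id;
     // The protocol capability is checked without an explicit user argument, i.e. for the user
     // just installed by session_set_user(). Session-token authentication skips this check.
     if ($this->authmethod != WEBSERVICE_AUTHMETHOD_SESSION_TOKEN && !has_capability("webservice/{$this->wsname}:use", $this->restricted_context)) {
         throw new webservice_access_exception(get_string('protocolnotallowed', 'webservice', $this->wsname));
     }
     external_api::set_context_restriction($this->restricted_context);
 }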