コード例 #1
                                UrlManager::add_user_to_url(api_get_user_id(), $my_url['id']);
                                $url_str .= $my_url['url'] . ' <br />';
                            }
                        }
                        Display::display_normal_message(get_lang('AdminUserRegisteredToThisURL') . ': ' . $url_str . '<br />', false);
                    }
                }
                break;
        }
    }
    Security::clear_token();
}
$parameters['sec_token'] = Security::get_token();
// Warn the admin when there are portals ($url_list) they are not yet
// registered on; the list of missing portals is rendered as HTML below.
$my_user_url_list = api_get_access_url_from_user(api_get_user_id());
$url_string = '';
foreach ($url_list as $my_url) {
    if (in_array($my_url['id'], $my_user_url_list)) {
        // already registered on this portal, nothing to report
        continue;
    }
    $url_string .= $my_url['url'] . ' <br />';
}
if ($url_string !== '') {
    Display::display_warning_message(get_lang('AdminShouldBeRegisterInSite') . '<br />' . $url_string, false);
}
// checking the current installation
if ($current_access_url_id == -1) {
    Display::display_warning_message(get_lang('URLNotConfiguredPleaseChangedTo') . ': ' . api_get_path(WEB_PATH));
} elseif (api_is_platform_admin()) {
    $quant = UrlManager::relation_url_user_exist(api_get_user_id(), $current_access_url_id);
    if ($quant == 0) {
        Display::display_warning_message('<a href="' . api_get_self() . '?action=register&sec_token=' . $parameters['sec_token'] . '">' . get_lang('ClickToRegisterAdmin') . '</a>', false);
コード例 #2
ファイル: api.lib.php プロジェクト: feroli1000/chamilo-lms
/**
 * Tells whether a user is a "global" platform admin, i.e. may run the
 * admin scripts that are not bound to a single portal.
 *
 * A global admin is a platform admin (main.admin table) who is also
 * registered on the principal portal, i.e. who has a record in
 * main.access_url_rel_user with access_url_id = 1.
 *
 * @param int|null $user_id user to check; when empty the current user is used
 *
 * @return bool true only when both conditions hold
 *
 * @author Julio Montoya
 */
function api_is_global_platform_admin($user_id = null)
{
    $user_id = intval($user_id);
    if (empty($user_id)) {
        $user_id = api_get_user_id();
    }
    if (!api_is_platform_admin_by_id($user_id)) {
        return false;
    }
    // The admin is registered in the first "main" site with access_url_id = 1.
    // Non-strict in_array(): the element type of $urlList (int vs string) is not
    // established here.
    $urlList = api_get_access_url_from_user($user_id);

    return in_array(1, $urlList);
}
コード例 #3
ファイル: sso.class.php プロジェクト: annickvdp/Chamilo1.9.10
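 /**
  * Validates the received active connection data with the database.
  *
  * The SSO payload is decoded from the 'sso_cookie' query parameter; the
  * fields read here are 'username', 'secret' and (optionally) 'target'.
  * Every rejected path redirects to index.php?loginFailed=1&error=<reason>
  * and exits; a successful non-admin login also redirects and exits. Only
  * the admin login branches fall through to the return statement.
  *
  * @return	bool	Return the loginFailed variable value to local.inc.php
  *                  (always false when reached: every assignment of true
  *                  is followed by a redirect and exit)
  */
 public function check_user()
 {
     global $_user;
     $loginFailed = false;
     //change the way we recover the cookie depending on how it is formed
     $sso = $this->decode_cookie($_GET['sso_cookie']);
     //lookup the user in the main database
     $user_table = Database::get_main_table(TABLE_MAIN_USER);
     // NOTE(review): the WHERE value is masked ('******') in this copy of the
     // code, so the escaping applied to $sso['username'] cannot be verified
     // here — confirm it is escaped (or parameterised) before concatenation.
     $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status\n                FROM {$user_table}\n                WHERE username = '******'username'])) . "'";
     $result = Database::query($sql);
     if (Database::num_rows($result) > 0) {
         $uData = Database::fetch_array($result);
         //Check the user's password
         if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) {
             //This user's authentification is managed by Chamilo itself
             // check the user's password
             // password hash comes already parsed in sha1, md5 or none
             global $_configuration;
             // Two possible authentication methods here: legacy using password
             // and new using a temporary, session-fixed, tempkey.
             // 'or' binds looser than '&&', so the condition reads as
             //   (username matches && secret === sha1(username . tempkey . security_key))
             //   or (secret === sha1(stored password hash) && username matches).
             // NOTE(review): the legacy branch has no per-session component, so
             // its secret stays valid until the stored hash changes; the tempkey
             // branch is the one to keep. Username equality is non-strict (==).
             if ($sso['username'] == $uData['username'] && $sso['secret'] === sha1($uData['username'] . Session::read('tempkey') . $_configuration['security_key']) or $sso['secret'] === sha1($uData['password']) && $sso['username'] == $uData['username']) {
                 //Check if the account is active (not locked)
                 if ($uData['active'] == '1') {
                     // check if the expiration date has not been reached;
                     // '0000-00-00 00:00:00' is the "never expires" sentinel
                     if ($uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') {
                         //If Multiple URL is enabled
                         if (api_get_multiple_access_url()) {
                             //Check the access_url configuration setting if
                             // the user is registered in the access_url_rel_user table
                             //Getting the current access_url_id of the platform
                             $current_access_url_id = api_get_current_access_url_id();
                             // my user is subscribed in these
                             //sites: $my_url_list
                             $my_url_list = api_get_access_url_from_user($uData['user_id']);
                         } else {
                             // single-portal install: everybody belongs to portal 1
                             $current_access_url_id = 1;
                             $my_url_list = array(1);
                         }
                         $my_user_is_admin = UserManager::is_admin($uData['user_id']);
                         if ($my_user_is_admin === false) {
                             if (is_array($my_url_list) && count($my_url_list) > 0) {
                                 if (in_array($current_access_url_id, $my_url_list)) {
                                     // the user has permission to enter at this site
                                     $_user['user_id'] = $uData['user_id'];
                                     $_user = api_get_user_info($_user['user_id']);
                                     Session::write('_user', $_user);
                                     event_login();
                                     // Redirect to the requested page, or to this
                                     // portal's index.php (the default used to read
                                     // '.index.php', which is not the homepage).
                                     // NOTE(review): 'target' is not covered by the
                                     // secret computation above; unless decode_cookie()
                                     // authenticates it, check that it points to this
                                     // portal before redirecting.
                                     $sso_target = isset($sso['target']) ? $sso['target'] : api_get_path(WEB_PATH) . 'index.php';
                                     header('Location: ' . $sso_target);
                                     exit;
                                 } else {
                                     // user does not have permission for this site;
                                     // drop the '_uid' session entry before bouncing
                                     // back to the login page
                                     $loginFailed = true;
                                     Session::erase('_uid');
                                     header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                     exit;
                                 }
                             } else {
                                 // there is no URL in the multiple
                                 // urls list for this user
                                 $loginFailed = true;
                                 Session::erase('_uid');
                                 header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                 exit;
                             }
                         } else {
                             //Only admins of the "main" (first) Chamilo
                             // portal can login wherever they want
                             if (in_array(1, $my_url_list)) {
                                 //Check if this admin is admin on the
                                 // principal portal
                                 $_user['user_id'] = $uData['user_id'];
                                 $_user = api_get_user_info($_user['user_id']);
                                 // NOTE(review): this flag is derived from the status
                                 // column (COURSEMANAGER), not from the is_admin()
                                 // result above — confirm this is the intended meaning.
                                 $is_platformAdmin = $uData['status'] == COURSEMANAGER;
                                 Session::write('is_platformAdmin', $is_platformAdmin);
                                 Session::write('_user', $_user);
                                 event_login();
                                 // no redirect here: falls through to the return
                             } else {
                                 //Secondary URL admin wants to login
                                 // so we check as a normal user
                                 if (in_array($current_access_url_id, $my_url_list)) {
                                     $_user['user_id'] = $uData['user_id'];
                                     $_user = api_get_user_info($_user['user_id']);
                                     Session::write('_user', $_user);
                                     event_login();
                                     // no redirect here: falls through to the return
                                 } else {
                                     $loginFailed = true;
                                     Session::erase('_uid');
                                     header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                     exit;
                                 }
                             }
                         }
                     } else {
                         // user account expired
                         $loginFailed = true;
                         Session::erase('_uid');
                         header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_expired');
                         exit;
                     }
                 } else {
                     //User not active
                     $loginFailed = true;
                     Session::erase('_uid');
                     header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_inactive');
                     exit;
                 }
             } else {
                 //SHA1 of password is wrong
                 $loginFailed = true;
                 Session::erase('_uid');
                 header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_password');
                 exit;
             }
         } else {
             //Auth_source is wrong
             $loginFailed = true;
             Session::erase('_uid');
             header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_authentication_source');
             exit;
         }
     } else {
         //No user by that login
         $loginFailed = true;
         Session::erase('_uid');
         header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=user_not_found');
         exit;
     }
     return $loginFailed;
 }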
コード例 #4
 $extraFields = $uData['extra_fields'];
 // Optional per-user hook: the 'extra_update_type' extra field selects an
 // entry of $extAuthSource whose 'updateUser' script is loaded when it
 // exists on disk.
 $update_type = null;
 if (isset($extraFields['extra_update_type'])) {
     $update_type = $extraFields['extra_update_type'];
 }
 if (!empty($extAuthSource[$update_type]['updateUser'])) {
     $updateUserScript = $extAuthSource[$update_type]['updateUser'];
     if (file_exists($updateUserScript)) {
         include_once $updateUserScript;
     }
 }
 // Check if the account is active (not locked)
 if ($uData['active'] == '1') {
     // Check if the expiration date has not been reached
     if ($uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') {
         global $_configuration;
         if (isset($_configuration['multiple_access_urls']) && $_configuration['multiple_access_urls']) {
             //Check if user is an admin
             $my_user_is_admin = UserManager::is_admin($uData['user_id']);
             // This user is subscribed in these sites => $my_url_list
             $my_url_list = api_get_access_url_from_user($uData['user_id']);
             //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
             //Getting the current access_url_id of the platform
             $current_access_url_id = api_get_current_access_url_id();
             if ($my_user_is_admin === false) {
                 if (is_array($my_url_list) && count($my_url_list) > 0) {
                     // the user have the permissions to enter at this site
                     if (in_array($current_access_url_id, $my_url_list)) {
                         ConditionalLogin::check_conditions($uData);
                         Session::write('_user', $uData);
                         $logging_in = true;
                     } else {
                         $loginFailed = true;
                         Session::erase('_uid');
                         $errorMessage = 'access_url_inactive';
                     }
コード例 #5
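 /**
  * Validates the received active connection data with the database.
  *
  * The SSO payload is decoded from the 'sso_cookie' query parameter; the
  * fields read here are 'username', 'secret', 'ruri' and 'target'. The
  * expected secret is sha1(username . challenge . security key), where the
  * challenge is taken from the session and removed so it is usable once.
  * Every rejected path redirects to index.php?loginFailed=1&error=<reason>
  * and exits; a successful non-admin login also redirects and exits. Only
  * the admin login branches fall through to the return statement.
  *
  * @return	bool	Return the loginFailed variable value to local.inc.php
  *                  (always false when reached: every assignment of true
  *                  is followed by a redirect and exit)
  */
 public function check_user()
 {
     global $_user;
     $loginFailed = false;
     //change the way we recover the cookie depending on how it is formed
     $sso = $this->decode_cookie($_GET['sso_cookie']);
     //get token that should have been used and delete it
     //from session since it can only be used once
     // NOTE(review): when the session holds no challenge the expected secret
     // below degrades to sha1(username . security_key), which has no
     // per-session part; consider rejecting the login instead of going on
     // with an empty challenge.
     $sso_challenge = '';
     if (isset($_SESSION['sso_challenge'])) {
         $sso_challenge = $_SESSION['sso_challenge'];
         unset($_SESSION['sso_challenge']);
     }
     //lookup the user in the main database
     $user_table = Database::get_main_table(TABLE_MAIN_USER);
     // NOTE(review): the WHERE value is masked ('******') in this copy of the
     // code, so the escaping applied to $sso['username'] cannot be verified
     // here — confirm it is escaped (or parameterised) before concatenation.
     $sql = "SELECT id, username, password, auth_source, active, expiration_date, status\n                FROM {$user_table}\n                WHERE username = '******'username'])) . "'";
     $result = Database::query($sql);
     if (Database::num_rows($result) > 0) {
         $uData = Database::fetch_array($result);
         //Check the user's password
         if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) {
             // The secret is compared strictly; the username non-strictly (==)
             if ($sso['secret'] === sha1($uData['username'] . $sso_challenge . api_get_security_key()) && $sso['username'] == $uData['username']) {
                 //Check if the account is active (not locked)
                 if ($uData['active'] == '1') {
                     // check if the expiration date has not been reached;
                     // an empty value or '0000-00-00 00:00:00' means "never expires"
                     if (empty($uData['expiration_date']) or $uData['expiration_date'] > date('Y-m-d H:i:s') or $uData['expiration_date'] == '0000-00-00 00:00:00') {
                         //If Multiple URL is enabled
                         if (api_get_multiple_access_url()) {
                             //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
                             //Getting the current access_url_id of the platform
                             $current_access_url_id = api_get_current_access_url_id();
                             // my user is subscribed in these
                             //sites: $my_url_list
                             $my_url_list = api_get_access_url_from_user($uData['id']);
                         } else {
                             // single-portal install: everybody belongs to portal 1
                             $current_access_url_id = 1;
                             $my_url_list = array(1);
                         }
                         $my_user_is_admin = UserManager::is_admin($uData['id']);
                         if ($my_user_is_admin === false) {
                             if (is_array($my_url_list) && count($my_url_list) > 0) {
                                 if (in_array($current_access_url_id, $my_url_list)) {
                                     // the user has permission to enter at this site
                                     $_user['user_id'] = $uData['id'];
                                     $_user = api_get_user_info($_user['user_id']);
                                     $_user['uidReset'] = true;
                                     Session::write('_user', $_user);
                                     Event::event_login($_user['user_id']);
                                     // Redirect to homepage
                                     // NOTE(review): neither 'ruri' nor 'target' is covered
                                     // by the secret computation above, and 'target' is
                                     // used as an absolute URL; unless decode_cookie()
                                     // authenticates them, check the destination stays on
                                     // this portal before redirecting.
                                     $sso_target = '';
                                     if (!empty($sso['ruri'])) {
                                         //The referrer URI is *only* used if
                                         // the user credentials are OK, which
                                         // should be protection enough
                                         // against evil URL spoofing...
                                         $sso_target = api_get_path(WEB_PATH) . base64_decode($sso['ruri']);
                                     } else {
                                         $sso_target = isset($sso['target']) ? $sso['target'] : api_get_path(WEB_PATH) . 'index.php';
                                     }
                                     header('Location: ' . $sso_target);
                                     exit;
                                 } else {
                                     // user does not have permission for this site;
                                     // drop the '_uid' session entry before bouncing
                                     // back to the login page
                                     $loginFailed = true;
                                     Session::erase('_uid');
                                     header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                     exit;
                                 }
                             } else {
                                 // there is no URL in the multiple
                                 // urls list for this user
                                 $loginFailed = true;
                                 Session::erase('_uid');
                                 header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                 exit;
                             }
                         } else {
                             //Only admins of the "main" (first) Chamilo
                             // portal can login wherever they want
                             if (in_array(1, $my_url_list)) {
                                 //Check if this admin is admin on the
                                 // principal portal
                                 $_user['user_id'] = $uData['id'];
                                 $_user = api_get_user_info($_user['user_id']);
                                 // NOTE(review): this flag is derived from the status
                                 // column (COURSEMANAGER), not from the is_admin()
                                 // result above — confirm this is the intended meaning.
                                 $is_platformAdmin = $uData['status'] == COURSEMANAGER;
                                 Session::write('is_platformAdmin', $is_platformAdmin);
                                 Session::write('_user', $_user);
                                 Event::event_login($_user['user_id']);
                                 // no redirect here: falls through to the return
                             } else {
                                 //Secondary URL admin wants to login
                                 // so we check as a normal user
                                 if (in_array($current_access_url_id, $my_url_list)) {
                                     // The SELECT above returns the key as 'id' (as the
                                     // other branches use); 'user_id' is not a selected
                                     // column, so reading it here yielded no user id.
                                     $_user['user_id'] = $uData['id'];
                                     $_user = api_get_user_info($_user['user_id']);
                                     Session::write('_user', $_user);
                                     Event::event_login($_user['user_id']);
                                     // no redirect here: falls through to the return
                                 } else {
                                     $loginFailed = true;
                                     Session::erase('_uid');
                                     header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=access_url_inactive');
                                     exit;
                                 }
                             }
                         }
                     } else {
                         // user account expired
                         $loginFailed = true;
                         Session::erase('_uid');
                         header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_expired');
                         exit;
                     }
                 } else {
                     //User not active
                     $loginFailed = true;
                     Session::erase('_uid');
                     header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=account_inactive');
                     exit;
                 }
             } else {
                 //SHA1 of password is wrong
                 $loginFailed = true;
                 Session::erase('_uid');
                 header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_password');
                 exit;
             }
         } else {
             //Auth_source is wrong
             $loginFailed = true;
             Session::erase('_uid');
             header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=wrong_authentication_source');
             exit;
         }
     } else {
         //No user by that login
         $loginFailed = true;
         Session::erase('_uid');
         header('Location: ' . api_get_path(WEB_PATH) . 'index.php?loginFailed=1&error=user_not_found');
         exit;
     }
     return $loginFailed;
 }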