/**
 * Trimmed copy of core complete_user_login(): regenerates the session, lets enrol plugins act,
 * installs the authenticated user as $USER, reloads preferences and records the login. The forced
 * password-change redirect of the core version is not present here.
 *
 * The caller is responsible for having authenticated $user before calling this (as with
 * complete_user_login()); nothing here checks a credential.
 *
 * NOTE(review): the code after the guest check is identical to the guest branch (both return
 * $USER), so the isguestuser() test only matters if isguestuser() has side effects. It looks like a
 * leftover of the removed password-change block; confirm before simplifying.
 *
 * @param stdClass $user user record to attach to the current session
 * @return stdClass the global $USER object
 */
public function __fav_user_login($user) {
    global $CFG, $USER;

    // Regenerate the session id and delete the old session: a session id the browser arrived with
    // (possibly planted by an attacker -- session fixation) must not become the authenticated one.
    session_regenerate_id(true);

    // Let enrol plugins deal with new enrolments if necessary.
    enrol_check_plugins($user);

    // Check enrolments, load caps and set up the $USER object.
    session_set_user($user);

    // Reload preferences from DB (dropping anything cached on the object first).
    unset($USER->preference);
    check_user_preferences_loaded($USER);

    // Update login times.
    update_user_login_times();

    // Extra session prefs init.
    set_login_session_preferences();

    if (isguestuser()) {
        // No need to continue when user is THE guest.
        return $USER;
    }

    return $USER;
}
/**
 * Call to complete the user login process after authenticate_user_login()
 * has succeeded. It will setup the $USER variable and other required bits
 * and pieces.
 *
 * NOTE:
 * - It will NOT log anything -- up to the caller to decide what to log.
 * - this function does not set any cookies any more!
 * - Nothing in this function regenerates the session id; whatever fixation
 *   protection exists is presumably inside \core\session\manager::login_user()
 *   (not visible here) -- verify there rather than here.
 * - May not return normally: when a password change is forced the function
 *   ends in redirect() or print_error().
 *
 * @param stdClass $user
 * @return stdClass A {@link $USER} object - BC only, do not use
 */
function complete_user_login($user) {
    global $CFG, $USER, $SESSION;

    // Attach $user to the session (this is where $USER gets set up).
    \core\session\manager::login_user($user);

    // Reload preferences from DB.
    unset($USER->preference);
    check_user_preferences_loaded($USER);

    // Update login times.
    update_user_login_times();

    // Extra session prefs init.
    set_login_session_preferences();

    // Trigger login event.
    $event = \core\event\user_loggedin::create(array('userid' => $USER->id, 'objectid' => $USER->id,
        'other' => array('username' => $USER->username)));
    $event->trigger();

    if (isguestuser()) {
        // No need to continue when user is THE guest.
        return $USER;
    }

    if (CLI_SCRIPT) {
        // We can redirect to password change URL only in browser.
        return $USER;
    }

    // Select password change url.
    $userauth = get_auth_plugin($USER->auth);

    // Check whether the user should be changing password.
    if (get_user_preferences('auth_forcepasswordchange', false)) {
        if ($userauth->can_change_password()) {
            if ($changeurl = $userauth->change_password_url()) {
                // The auth plugin's URL is passed to redirect() as-is (no check against
                // $CFG->wwwroot here): the plugin is trusted to return a safe destination.
                redirect($changeurl);
            } else {
                // Remember where the user wanted to go so the change-password page can return there.
                $SESSION->wantsurl = core_login_get_return_url();
                redirect($CFG->httpswwwroot . '/login/change_password.php');
            }
        } else {
            // Forced change requested but the auth plugin cannot change passwords: refuse the login.
            print_error('nopasswordchangeforced', 'auth');
        }
    }

    return $USER;
}
print_footer(); die; } /// Let's get them all set up. $USER = $user; add_to_log(SITEID, 'user', 'login', "view.php?id={$USER->id}&course=" . SITEID, $USER->id, 0, $USER->id); update_user_login_times(); if (empty($CFG->nolastloggedin)) { set_moodle_cookie($USER->username); } else { // do not store last logged in user in cookie // auth plugins can temporarily override this from loginpage_hook() // do not save $CFG->nolastloggedin in database! set_moodle_cookie('nobody'); } set_login_session_preferences(); /// This is what lets the user do anything on the site :-) load_all_capabilities(); /// Select password change url $userauth = get_auth_plugin($USER->auth); if ($userauth->can_change_password()) { if ($userauth->change_password_url()) { $passwordchangeurl = $userauth->change_password_url(); } else { $passwordchangeurl = $CFG->httpswwwroot . '/login/change_password.php'; } } else { $passwordchangeurl = ''; } /// check whether the user should be changing password if (get_user_preferences('auth_forcepasswordchange', false) || $frm->password == 'changeme') {
/**
 * Call to complete the user login process after authenticate_user_login()
 * has succeeded. It will setup the $USER variable and other required bits
 * and pieces.
 *
 * NOTE:
 * - It will NOT log anything -- up to the caller to decide what to log.
 * - Session id regeneration is OPT-IN via $CFG->regenloginsession. With the
 *   setting off, the session id the browser arrived with carries the login,
 *   i.e. there is no session-fixation protection at all in this version.
 * - May not return normally: a forced password change ends in redirect()
 *   or print_error().
 *
 * @uses $CFG, $USER
 * @param object $user user record returned by authenticate_user_login()
 * @return object A {@link $USER} object (the "false if error" in the old
 *   docblock does not happen: every failure path terminates instead)
 */
function complete_user_login($user) {
    global $CFG, $USER;

    $USER = $user; // this is required because we need to access preferences here!

    if (!empty($CFG->regenloginsession)) {
        // please note this setting may break some auth plugins
        // Called without the delete_old_session flag, so the old session data is
        // left in place until garbage collection rather than destroyed.
        session_regenerate_id();
    }

    reload_user_preferences();
    update_user_login_times();

    if (empty($CFG->nolastloggedin)) {
        set_moodle_cookie($USER->username);
    } else {
        // do not store last logged in user in cookie
        // auth plugins can temporarily override this from loginpage_hook()
        // do not save $CFG->nolastloggedin in database!
        set_moodle_cookie('nobody');
    }

    set_login_session_preferences();

    // Call enrolment plugins
    check_enrolment_plugins($user);

    /// This is what lets the user do anything on the site :-)
    load_all_capabilities();

    /// Select password change url
    $userauth = get_auth_plugin($USER->auth);

    /// check whether the user should be changing password
    if (get_user_preferences('auth_forcepasswordchange', false)) {
        if ($userauth->can_change_password()) {
            if ($changeurl = $userauth->change_password_url()) {
                // Plugin-supplied URL, handed to redirect() unchecked: the auth plugin is trusted.
                redirect($changeurl);
            } else {
                redirect($CFG->httpswwwroot . '/login/change_password.php');
            }
        } else {
            // Forced change requested but the plugin cannot change passwords: refuse the login.
            print_error('nopasswordchangeforced', 'auth');
        }
    }

    return $USER;
}
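/**
 * Call to complete the user login process after authenticate_user_login()
 * has succeeded. It will setup the $USER variable and other required bits
 * and pieces.
 *
 * NOTE:
 * - It will NOT log anything -- up to the caller to decide what to log.
 * - The session id is regenerated (old session destroyed) before the user is
 *   attached to the session, so a fixated id does not become the authenticated one.
 * - May not return normally: a forced password change ends in redirect()
 *   or print_error().
 *
 * @param object $user user record returned by authenticate_user_login()
 * @param bool $setcookie whether to (re)set the "last logged in username" cookie
 * @return object A {@link $USER} object - BC only, do not use
 */
function complete_user_login($user, $setcookie = true) {
    global $CFG, $USER;

    // regenerate session id and delete old session,
    // this helps prevent session fixation attacks from the same domain
    session_regenerate_id(true);

    // check enrolments, load caps and setup $USER object
    session_set_user($user);

    // reload preferences from DB -- on $USER, not on the $user passed in:
    // session_set_user() may install a copy, and the preference lookups below
    // (get_user_preferences) read from the global. Reloading onto $user would leave
    // stale preferences on the session user (matches the later core revisions).
    unset($USER->preference);
    check_user_preferences_loaded($USER);

    // update login times
    update_user_login_times();

    // extra session prefs init
    set_login_session_preferences();

    if (isguestuser()) {
        // no need to continue when user is THE guest
        return $USER;
    }

    if ($setcookie) {
        if (empty($CFG->nolastloggedin)) {
            set_moodle_cookie($USER->username);
        } else {
            // do not store last logged in user in cookie
            // auth plugins can temporarily override this from loginpage_hook()
            // do not save $CFG->nolastloggedin in database!
            set_moodle_cookie('');
        }
    }

    /// Select password change url
    $userauth = get_auth_plugin($USER->auth);

    /// check whether the user should be changing password
    if (get_user_preferences('auth_forcepasswordchange', false)) {
        if ($userauth->can_change_password()) {
            if ($changeurl = $userauth->change_password_url()) {
                // Plugin-supplied URL, handed to redirect() unchecked: the auth plugin is trusted.
                redirect($changeurl);
            } else {
                redirect($CFG->httpswwwroot . '/login/change_password.php');
            }
        } else {
            // Forced change requested but the plugin cannot change passwords: refuse the login.
            print_error('nopasswordchangeforced', 'auth');
        }
    }

    return $USER;
}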
/**
 * Call to complete the user login process after authenticate_user_login()
 * has succeeded. It will setup the $USER variable and other required bits
 * and pieces.
 *
 * NOTE:
 * - It will NOT log anything -- up to the caller to decide what to log.
 * - this function does not set any cookies any more!
 * - The session id is regenerated (old session destroyed) before the user is
 *   attached to the session, so a fixated id does not become the authenticated one.
 * - May not return normally: a forced password change ends in redirect()
 *   or print_error().
 *
 * @param object $user user record returned by authenticate_user_login()
 * @return object A {@link $USER} object - BC only, do not use
 */
function complete_user_login($user) {
    global $CFG, $USER;

    // regenerate session id and delete old session,
    // this helps prevent session fixation attacks from the same domain
    session_regenerate_id(true);

    // let enrol plugins deal with new enrolments if necessary
    enrol_check_plugins($user);

    // check enrolments, load caps and setup $USER object
    session_set_user($user);

    // reload preferences from DB (on the session user, not the passed-in record)
    unset($USER->preference);
    check_user_preferences_loaded($USER);

    // update login times
    update_user_login_times();

    // extra session prefs init
    set_login_session_preferences();

    if (isguestuser()) {
        // no need to continue when user is THE guest
        return $USER;
    }

    /// Select password change url
    $userauth = get_auth_plugin($USER->auth);

    /// check whether the user should be changing password
    if (get_user_preferences('auth_forcepasswordchange', false)) {
        if ($userauth->can_change_password()) {
            if ($changeurl = $userauth->change_password_url()) {
                // Plugin-supplied URL, handed to redirect() unchecked: the auth plugin is trusted.
                redirect($changeurl);
            } else {
                redirect($CFG->httpswwwroot . '/login/change_password.php');
            }
        } else {
            // Forced change requested but the plugin cannot change passwords: refuse the login.
            print_error('nopasswordchangeforced', 'auth');
        }
    }

    return $USER;
}
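/**
 * Entry point of the teosso header-based SSO flow: reads the identity attributes delivered in
 * the HTTP headers, maps them to a Moodle user (creating or updating it through
 * authenticate_user_login()), logs the user in and redirects to the requested page.
 *
 * Security notes:
 * - Identity is whatever auth_plugin_teosso::get_sso_attributes() pulls out of the request
 *   headers (not visible here). That is only safe when every request reaches Moodle through
 *   the SSO front end and that front end strips client-supplied copies of those headers;
 *   otherwise a client can choose its own idnumber and username. TODO(review): confirm this
 *   in the deployment -- there is no check for it in the code.
 * - A header-supplied username that differs from the stored one is written to the user record
 *   (set_field below), i.e. whoever controls the headers can rename accounts.
 * - The "password" passed to authenticate_user_login() is time(); the plugin's login hook is
 *   expected to honour $GLOBALS['teosso_login'] instead of checking it.
 * - The session id is not regenerated here. Core complete_user_login() of the same era only
 *   does so when $CFG->regenloginsession is set, so a fixated session id survives this login
 *   unless that setting is on.
 *
 * Fixes versus the previous revision: the return value of authenticate_user_login() is checked
 * (a false result used to be assigned to $USER and then decorated as a logged-in user), and the
 * wantsurl check requires the site prefix to end at a path separator.
 *
 * Never returns normally: every path ends in redirect() or print_error().
 */
function teosso_authenticate_user() {
    global $CFG, $USER, $SESSION;

    $pluginconfig = get_config('auth/teosso');

    // Retrieve the login data from the HTTP headers.
    $attributes = auth_plugin_teosso::get_sso_attributes();

    // Check to see if we got any authentication data.
    if (empty($attributes)) {
        redirect($pluginconfig->signin_url);
    }

    // Collect the HTTP_* headers, for error reporting only.
    // NOTE(review): apache_request_headers() returns raw header names (e.g. "Host"), so a
    // '^HTTP_' filter is likely to match nothing and $headers to be empty; $_SERVER was
    // probably intended. Left as-is -- confirm what the log entries actually contain.
    $headers = apache_request_headers();
    $attr_hdrs = array();
    foreach ($headers as $key => $value) {
        if (preg_match('/^HTTP_/', $key)) {
            $attr_hdrs[] = $key . ': ' . $value;
        }
    }
    $headers = implode(' | ', $attr_hdrs);

    // Find the validity of the HTTP header.
    $attrmap = auth_plugin_teosso::get_attributes();
    if (empty($attrmap['idnumber'])) {
        // Serious misdemeanour: the plugin has no idnumber attribute configured.
        print_error('missingidnumber', 'auth_teosso');
    }

    if (empty($attributes[$attrmap['idnumber']])) {
        // Not a valid session. Ship user off to Federation Manager.
        add_to_log(0, 'login', 'error', '/auth/teosso/index.php',
            get_string('idnumber_error', 'auth_teosso', $headers));
        redirect($pluginconfig->signin_error_url);
    } else {
        // In theory we only need acct_id at this point - retrieve the user record via idnumber
        // to get the username.
        if (!($user = get_record('user', 'idnumber', $attributes[$attrmap['idnumber']]))) {
            // Must be a new user.
            if (!empty($attributes[$attrmap['username']])) {
                $attributes['username'] = $attributes[$attrmap['username']];
            } else {
                add_to_log(0, 'login', 'error', '/auth/teosso/index.php',
                    get_string('username_error', 'auth_teosso', $headers));
                redirect($pluginconfig->signin_error_url);
            }
        } else {
            // User must use the auth type teosso or authenticate_user_login() will fail.
            if ($user->auth != 'teosso') {
                add_to_log(0, 'login', 'error', '/auth/teosso/index.php',
                    get_string('user_auth_type_error', 'auth_teosso', $headers));
                redirect($pluginconfig->signin_error_url);
            }
            // Because we want to retain acct_id as the master ID we need to modify the user
            // record NOW - so it all lines up later. (What actually changes is the username,
            // keyed on the stored idnumber; see the security notes above.)
            if (isset($attributes[$attrmap['username']]) && $user->username != $attributes[$attrmap['username']]) {
                if (!set_field('user', 'username', $attributes[$attrmap['username']], 'id', $user->id)) {
                    print_error('usernameupdatefailed', 'auth_teosso');
                }
                $attributes['username'] = $attributes[$attrmap['username']];
            } else {
                $attributes['username'] = $user->username;
            }
        }

        // Valid session. Register or update user in Moodle, log him on, and redirect to Moodle front.
        // We require the plugin to know that we are now doing a teosso login in its login hook.
        $GLOBALS['teosso_login'] = TRUE;
        // Make the attributes accessible to teosso->get_userinfo(); authenticate_user_login() ->
        // create_user_record() / update_user_record() will ask for them.
        $GLOBALS['teosso_login_attributes'] = $attributes;

        // Just passes time() as a password. The user will never log in directly to Moodle with it.
        $authenticated = authenticate_user_login($attributes['username'], time());
        if (!$authenticated) {
            // authenticate_user_login() signals failure with a non-object result. Previously the
            // result was assigned to $USER unchecked and ->loggedin was set on it, which completed
            // the login on a false value; refuse instead, like the other error paths.
            add_to_log(0, 'login', 'error', '/auth/teosso/index.php',
                'teosso: authenticate_user_login failed for ' . $attributes['username']);
            redirect($pluginconfig->signin_error_url);
        }
        $USER = $authenticated;
        $USER->loggedin = true;
        $USER->site = $CFG->wwwroot;
        update_user_login_times();
        if ($pluginconfig->notshowusername) {
            // Don't show username on login page.
            set_moodle_cookie('nobody');
        }
        set_login_session_preferences();
        add_to_log(SITEID, 'user', 'login', "view.php?id={$USER->id}&course=" . SITEID, $USER->id, 0, $USER->id);
        check_enrolment_plugins($USER);
        // This is what lets the user do anything on the site.
        load_all_capabilities();

        // Only follow wantsurl when it is inside this site. A bare prefix test against
        // $CFG->wwwroot (which has no trailing slash) also accepted "<wwwroot>.evil.example/...";
        // require the separator so the host part has to match exactly.
        $siteprefix = rtrim($CFG->wwwroot, '/') . '/';
        if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $siteprefix) === 0) {
            $urltogo = $SESSION->wantsurl;
        } else {
            $urltogo = $CFG->wwwroot . '/';
        }
        unset($SESSION->wantsurl);
        redirect($urltogo);
    }
}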
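/**
 * Call to complete the user login process after authenticate_user_login()
 * has succeeded. It will setup the $USER variable and other required bits
 * and pieces.
 *
 * NOTE:
 * - It will NOT log anything -- up to the caller to decide what to log.
 * - The session id is regenerated (and the old session destroyed) before the
 *   user is attached to the session, so an id planted before login (session
 *   fixation) does not become an authenticated session. The previous revision
 *   kept the incoming id; this matches the later core versions.
 * - May not return normally: a forced password change ends in redirect()
 *   or print_error().
 *
 * @uses $CFG, $USER
 * @param object $user user record returned by authenticate_user_login()
 * @param bool $setcookie whether to (re)set the "last logged in username" cookie
 * @return object A {@link $USER} object - BC only, do not use
 */
function complete_user_login($user, $setcookie = true) {
    global $CFG, $USER, $SESSION;

    // Regenerate the session id and delete the old session data; must happen before
    // session_set_user() so the privileged session never lives under the old id.
    session_regenerate_id(true);

    // check enrolments, load caps and setup $USER object
    session_set_user($user);

    update_user_login_times();
    set_login_session_preferences();

    if ($setcookie) {
        if (empty($CFG->nolastloggedin)) {
            set_moodle_cookie($USER->username);
        } else {
            // do not store last logged in user in cookie
            // auth plugins can temporarily override this from loginpage_hook()
            // do not save $CFG->nolastloggedin in database!
            set_moodle_cookie('nobody');
        }
    }

    /// Select password change url
    $userauth = get_auth_plugin($USER->auth);

    /// check whether the user should be changing password
    if (get_user_preferences('auth_forcepasswordchange', false)) {
        if ($userauth->can_change_password()) {
            if ($changeurl = $userauth->change_password_url()) {
                // Plugin-supplied URL, handed to redirect() unchecked: the auth plugin is trusted.
                redirect($changeurl);
            } else {
                redirect($CFG->httpswwwroot . '/login/change_password.php');
            }
        } else {
            // Forced change requested but the plugin cannot change passwords: refuse the login.
            print_error('nopasswordchangeforced', 'auth');
        }
    }

    return $USER;
}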
/**
 * Authenticate user using username+password or token.
 * This function sets up $USER global.
 * It is safe to use has_capability() after this.
 * This method also verifies user is allowed to use this
 * server.
 *
 * Reads $this->authmethod, $this->username, $this->password and $this->wsname; writes
 * $this->restricted_context (system context for username/password auth). Each per-user
 * refusal (deleted, unconfirmed, suspended, expired password, nologin auth) raises a
 * webservice_login_failed event before throwing.
 *
 * NOTE(review) -- security: on a wrong username/password the legacy log data written
 * below contains the submitted password in clear
 * (`$this->username . "/" . $this->password`). A mistyped password is usually one
 * character away from the real one and that log is readable by every site admin; drop
 * `. "/" . $this->password` from that string.
 *
 * NOTE(review): parts of this listing are redacted ('******'): the tail of each
 * refusal message and the start of the following check are missing, so the branch
 * structure between the "deleted" check and the final capability check is only
 * partially visible here.
 */
protected function authenticate_user() {
    global $CFG, $DB;

    if (!NO_MOODLE_COOKIES) {
        throw new coding_exception('Cookies must be disabled in WS servers!');
    }

    // Common event data for every refusal; 'reason' and 'username' are filled per branch.
    $loginfaileddefaultparams = array('context' => context_system::instance(),
        'other' => array('method' => $this->authmethod, 'reason' => null));

    if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
        // we check that authentication plugin is enabled
        // it is only required by simple authentication
        if (!is_enabled_auth('webservice')) {
            throw new webservice_access_exception('The web service authentication plugin is disabled.');
        }
        if (!($auth = get_auth_plugin('webservice'))) {
            throw new webservice_access_exception('The web service authentication plugin is missing.');
        }
        $this->restricted_context = context_system::instance();
        if (!$this->username) {
            throw new moodle_exception('missingusername', 'webservice');
        }
        if (!$this->password) {
            throw new moodle_exception('missingpassword', 'webservice');
        }
        if (!$auth->user_login_webservice($this->username, $this->password)) {
            // Log failed login attempts.
            $params = $loginfaileddefaultparams;
            $params['other']['reason'] = 'password';
            $params['other']['username'] = $this->username;
            $event = \core\event\webservice_login_failed::create($params);
            // SECURITY: the plaintext password is concatenated into this legacy log line
            // (see the note in the docblock).
            $event->set_legacy_logdata(array(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '',
                get_string('failedtolog', 'webservice') . ": " . $this->username . "/" . $this->password . " - " .
                getremoteaddr(), 0));
            $event->trigger();
            throw new moodle_exception('wrongusernamepassword', 'webservice');
        }
        // Credentials accepted: load the local (non-MNet) account; MUST_EXIST throws if absent.
        $user = $DB->get_record('user', array('username' => $this->username,
            'mnethostid' => $CFG->mnet_localhost_id), '*', MUST_EXIST);
    } else {
        if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
            $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
        } else {
            $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
        }
    }

    // Cannot authenticate unless maintenance access is granted.
    $hasmaintenanceaccess = has_capability('moodle/site:maintenanceaccess', context_system::instance(), $user);
    if (!empty($CFG->maintenance_enabled) and !$hasmaintenanceaccess) {
        throw new moodle_exception('sitemaintenance', 'admin');
    }

    // only confirmed user should be able to call web service
    if (!empty($user->deleted)) {
        $params = $loginfaileddefaultparams;
        $params['other']['reason'] = 'user_deleted';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '',
            get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // [redacted in the listing: the exception message tail and the start of the
        // "unconfirmed" check are missing between the two string fragments below]
        throw new webservice_access_exception('Refused web service access for deleted username: '******'other']['reason'] = 'user_unconfirmed';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '',
            get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        throw new moodle_exception('wsaccessuserunconfirmed', 'webservice', '', $user->username);
    }

    // check the user is suspended
    if (!empty($user->suspended)) {
        $params = $loginfaileddefaultparams;
        // NOTE(review): 'user_unconfirmed' in the suspended branch looks like a copy/paste
        // slip (the deleted branch uses 'user_deleted'); a distinct reason is what lets a
        // detection rule tell "suspended account still being used" apart from "unconfirmed".
        // Confirm against the event definition and fix.
        $params['other']['reason'] = 'user_unconfirmed';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '',
            get_string('wsaccessusersuspended', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // [redacted: message tail and the start of the password-expired check]
        throw new webservice_access_exception('Refused web service access for suspended username: '******'other']['reason'] = 'password_expired';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '',
            get_string('wsaccessuserexpired', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // [redacted: message tail and the start of the auth == 'nologin' check]
        throw new webservice_access_exception('Refused web service access for password expired username: '******'nologin') {
        $params = $loginfaileddefaultparams;
        $params['other']['reason'] = 'login';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '',
            get_string('wsaccessusernologin', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // [redacted: message tail, the $USER setup and the webservice/<protocol>:use
        // capability check whose error message survives below]
        throw new webservice_access_exception('Refused web service access for nologin authentication username: '******'You are not allowed to use the {$a} protocol (missing capability: webservice/' . $this->wsname . ':use)');
    }

    // Everything after this point runs with the context restriction chosen above.
    external_api::set_context_restriction($this->restricted_context);
}