<?php
define('AJAX_SCRIPT', true);
define('NO_MOODLE_COOKIES', true);
require_once dirname(dirname(dirname(__FILE__))) . '/config.php';
$username = optional_param('username', PARAM_USERNAME, false);
$serviceshortname = required_param('service', PARAM_ALPHANUMEXT);
echo $OUTPUT->header();
if (!$CFG->enablewebservices) {
throw new moodle_exception('enablewsdescription', 'webservice');
}
$username = trim(core_text::strtolower($username));
if (is_restored_user($username)) {
throw new moodle_exception('restoredaccountresetpassword', 'webservice');
}
// Be very picky about who we let in
$remote_addr = getremoteaddr();
$clients = unserialize(get_config('local_ombieltoken', 'clients'));
if (!is_array($clients)) {
throw new moodle_exception('accessdenied', 'admin');
}
$inlist = false;
foreach ($clients as $client) {
$client = trim($client);
if (address_in_subnet($remote_addr, $client)) {
$inlist = true;
break;
}
}
if (!$inlist) {
throw new moodle_exception('accessdenied', 'admin');
}
if ($user) {
//user already supplied by aut plugin prelogin hook
} else {
if ($frm->username == 'guest' and empty($CFG->guestloginbutton)) {
$user = false;
/// Can't log in as guest if guest button is disabled
$frm = false;
} else {
if (empty($errormsg)) {
$user = authenticate_user_login($frm->username, $frm->password, false, $errorcode);
}
}
}
// Intercept 'restored' users to provide them with info & reset password
if (!$user and $frm and is_restored_user($frm->username)) {
$PAGE->set_title(get_string('restoredaccount'));
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('restoredaccount'));
echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
require_once 'restored_password_form.php';
// Use our "supplanter" login_forgot_password_form. MDL-20846
$form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
$form->display();
echo $OUTPUT->footer();
die;
}
if ($user) {
// language setup
if (isguestuser($user)) {
public function __authenticate($username, $password, $serviceshortname)
{
global $CFG, $DB;
//echo $OUTPUT->header();
if (!$CFG->enablewebservices) {
throw new moodle_exception('enablewsdescription', 'webservice');
}
$username = trim(textlib::strtolower($username));
if (is_restored_user($username)) {
throw new moodle_exception('restoredaccountresetpassword', 'webservice');
}
$user = authenticate_user_login($username, $password);
if (!empty($user)) {
//Non admin can not authenticate if maintenance mode
$hassiteconfig = has_capability('moodle/site:config', context_system::instance(), $user);
if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
throw new moodle_exception('sitemaintenance', 'admin');
}
if (isguestuser($user)) {
throw new moodle_exception('noguest');
}
if (empty($user->confirmed)) {
throw new moodle_exception('usernotconfirmed', 'moodle', '', $user->username);
}
// check credential expiry
$userauth = get_auth_plugin($user->auth);
if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
$days2expire = $userauth->password_expire($user->username);
if (intval($days2expire) < 0) {
throw new moodle_exception('passwordisexpired', 'webservice');
}
}
// let enrol plugins deal with new enrolments if necessary
enrol_check_plugins($user);
// setup user session to check capability
session_set_user($user);
//check if the service exists and is enabled
$service = $DB->get_record('external_services', array('shortname' => $serviceshortname, 'enabled' => 1));
if (empty($service)) {
// will throw exception if no token found
throw new moodle_exception('servicenotavailable', 'webservice');
}
//check if there is any required system capability
if ($service->requiredcapability and !has_capability($service->requiredcapability, context_system::instance(), $user)) {
throw new moodle_exception('missingrequiredcapability', 'webservice', '', $service->requiredcapability);
}
//specific checks related to user restricted service
if ($service->restrictedusers) {
$authoriseduser = $DB->get_record('external_services_users', array('externalserviceid' => $service->id, 'userid' => $user->id));
if (empty($authoriseduser)) {
throw new moodle_exception('usernotallowed', 'webservice', '', $serviceshortname);
}
if (!empty($authoriseduser->validuntil) and $authoriseduser->validuntil < time()) {
throw new moodle_exception('invalidtimedtoken', 'webservice');
}
if (!empty($authoriseduser->iprestriction) and !address_in_subnet(getremoteaddr(), $authoriseduser->iprestriction)) {
throw new moodle_exception('invalidiptoken', 'webservice');
}
}
//Check if a token has already been created for this user and this service
//Note: this could be an admin created or an user created token.
// It does not really matter we take the first one that is valid.
$tokenssql = "SELECT t.id, t.sid, t.token, t.validuntil, t.iprestriction\n FROM {external_tokens} t\n WHERE t.userid = ? AND t.externalserviceid = ? AND t.tokentype = ?\n ORDER BY t.timecreated ASC";
$tokens = $DB->get_records_sql($tokenssql, array($user->id, $service->id, EXTERNAL_TOKEN_PERMANENT));
//A bit of sanity checks
foreach ($tokens as $key => $token) {
/// Checks related to a specific token. (script execution continue)
$unsettoken = false;
//if sid is set then there must be a valid associated session no matter the token type
if (!empty($token->sid)) {
$session = session_get_instance();
if (!$session->session_exists($token->sid)) {
//this token will never be valid anymore, delete it
$DB->delete_records('external_tokens', array('sid' => $token->sid));
$unsettoken = true;
}
}
//remove token if no valid anymore
//Also delete this wrong token (similar logic to the web service servers
// /webservice/lib.php/webservice_server::authenticate_by_token())
if (!empty($token->validuntil) and $token->validuntil < time()) {
$DB->delete_records('external_tokens', array('token' => $token->token, 'tokentype' => EXTERNAL_TOKEN_PERMANENT));
$unsettoken = true;
}
// remove token if its ip not in whitelist
if (isset($token->iprestriction) and !address_in_subnet(getremoteaddr(), $token->iprestriction)) {
$unsettoken = true;
}
if ($unsettoken) {
unset($tokens[$key]);
}
}
// if some valid tokens exist then use the most recent
if (count($tokens) > 0) {
$token = array_pop($tokens);
} else {
if ($serviceshortname == MOODLE_OFFICIAL_MOBILE_SERVICE and has_capability('moodle/webservice:createmobiletoken', get_system_context()) or !is_siteadmin($user) && has_capability('moodle/webservice:createtoken', get_system_context())) {
// if service doesn't exist, dml will throw exception
$service_record = $DB->get_record('external_services', array('shortname' => $serviceshortname, 'enabled' => 1), '*', MUST_EXIST);
// create a new token
$token = new stdClass();
$token->token = md5(uniqid(rand(), 1));
$token->userid = $user->id;
$token->tokentype = EXTERNAL_TOKEN_PERMANENT;
$token->contextid = context_system::instance()->id;
$token->creatorid = $user->id;
$token->timecreated = time();
$token->externalserviceid = $service_record->id;
$tokenid = $DB->insert_record('external_tokens', $token);
add_to_log(SITEID, 'webservice', 'automatically create user token', '', 'User ID: ' . $user->id);
$token->id = $tokenid;
} else {
throw new moodle_exception('cannotcreatetoken', 'webservice', '', $serviceshortname);
}
}
// log token access
$DB->set_field('external_tokens', 'lastaccess', time(), array('id' => $token->id));
add_to_log(SITEID, 'webservice', 'sending requested user token', '', 'User ID: ' . $user->id);
$usertoken = new stdClass();
$usertoken->token = $token->token;
//complete login process by activating session.
// To restrict the admin user to login into application
if (is_siteadmin($user)) {
$heIsAdmin = new stdClass();
$heIsAdmin->error = 'admin_user';
echo json_encode($heIsAdmin);
die;
}
Login::__app_complete_user_login($user);
$forcePasswordChangesql = "SELECT up.userid\n FROM {user_preferences} up\n WHERE up.userid = ? AND up.name = ? AND up.value = ?";
$forcePasswordChange = $DB->get_records_sql($forcePasswordChangesql, array($user->id, 'auth_forcepasswordchange', 1));
//User Update Profile starts here
$admins = get_admins();
$currentAdmin = end($admins);
$admintokensql = "SELECT et.token\n FROM {external_tokens} et\n WHERE et.userid = ?";
$currrentAdminToken = $DB->get_records_sql($admintokensql, array($currentAdmin->id), 0, 1);
$unique_key = substr(md5(mt_rand(0, 1000000)), 0, 7);
$keys = array_keys($currrentAdminToken);
$appuser = new stdClass();
$user->token = $token->token;
$user->forcePasswordChange = !empty($forcePasswordChange) ? true : false;
$user->updateProfile = substr($unique_key, 0, 3) . $keys[0] . substr($unique_key, 3, 7);
//Get User role
$rolesql = "SELECT id\n FROM {role} \n WHERE shortname = ?";
$roleid = array_values($DB->get_records_sql($rolesql, array('reportuser')));
$reportuser = array_values($DB->get_records_sql("SELECT id FROM {role_assignments} WHERE roleid=" . $roleid[0]->id . " AND userid=" . $user->id . ""));
if ($reportuser[0]->id != '') {
$user->role = 'reportuser';
} else {
$user->role = '';
}
//User Update Profile ends here
unset($user->password);
$appuser->USER = $user;
$user->country_value = $user->country;
$user->country = get_string($user->country, 'countries');
echo json_encode($appuser);
} else {
throw new moodle_exception('usernamenotfound', 'moodle');
}
}
