Пример #1
/**
 * Grant additional capabilities to an existing role.
 *
 * Usage: add_role_caps( 'contributor', array( 'upload_files' ) );
 *
 * When the platform helper wpcom_vip_add_role_caps() is defined, the call is
 * handed to it unchanged. Otherwise the capability names are turned into a
 * name => true map and passed to merge_role_caps().
 *
 * Nothing here validates or allow-lists the capability names: every entry in
 * $caps is granted as given, so callers should pass only fixed, trusted names.
 *
 * @param string $role Role name
 * @param array $caps Capabilities to add to the role (a single value is cast to an array)
 */
function add_role_caps($role, $caps)
{
    // Prefer the platform-provided implementation when it is available.
    if (function_exists('wpcom_vip_add_role_caps')) {
        wpcom_vip_add_role_caps($role, $caps);
        return;
    }

    // Fallback path: build the capability => granted map ourselves.
    $grants = array();
    foreach ((array) $caps as $capability) {
        $grants[$capability] = true;
    }

    merge_role_caps($role, $grants);
}
Пример #2
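/**
 * This function checks that the current user is logged in and has the
 * required privileges
 *
 * This function checks that the current user is logged in, and optionally
 * whether they are allowed to be in a particular course and view a particular
 * course module.
 * If they are not logged in, then it redirects them to the site login unless
 * $autologinguest is set and {@link $CFG}->autologinguests is set to 1 in which
 * case they are automatically logged in as guests.
 * If $courseid is given and the user is not enrolled in that course then the
 * user is redirected to the course enrolment page.
 * If $cm is given and the coursemodule is hidden and the user is not a teacher
 * in the course then the user is redirected to the course home page.
 *
 * Order of the checks performed once the user is logged in: "login as" course
 * restriction, forced password change, incomplete account, session IP binding,
 * sesskey creation, site policy agreement, maintenance mode, then the
 * course/guest/activity access rules.
 *
 * Security notes for reviewers:
 *  - Only the not-logged-in and maintenance branches call exit explicitly. Every
 *    other denial relies on redirect(), error(), notice() or print_error() ending
 *    the request; that is not visible in this function, so confirm it, because a
 *    helper that returned would let execution fall through to later checks.
 *  - $SESSION->fromurl is copied from the client-supplied Referer header and must
 *    be treated as untrusted wherever it is later used.
 *
 * @uses $CFG
 * @uses $SESSION
 * @uses $USER
 * @uses $FULLME
 * @uses SITEID
 * @uses $COURSE
 * @param mixed $courseorid id of the course or course object
 * @param bool $autologinguest
 * @param object $cm course module object
 * @param bool $setwantsurltome Define if we want to set $SESSION->wantsurl, defaults to
 *             true. Used to avoid (=false) some scripts (file.php...) to set that variable,
 *             in order to keep redirects working properly. MDL-14495
 * @return mixed true only on the "guest with enrolment key" path; every other
 *               path that grants access returns without a value.
 */
function require_login($courseorid = 0, $autologinguest = true, $cm = null, $setwantsurltome = true)
{
    global $CFG, $SESSION, $USER, $COURSE, $FULLME;
    /// setup global $COURSE, themes, language and locale
    course_setup($courseorid);
    /// If the user is not even logged in yet then make sure they are
    if (!isloggedin()) {
        //NOTE: $USER->site check was obsoleted by session test cookie,
        //      $USER->confirmed test is in login/index.php
        if ($setwantsurltome) {
            $SESSION->wantsurl = $FULLME;
        }
        // The Referer header is client-controlled; it is stored as-is here, so
        // any later consumer of $SESSION->fromurl has to validate it.
        if (!empty($_SERVER['HTTP_REFERER'])) {
            $SESSION->fromurl = $_SERVER['HTTP_REFERER'];
        }
        // Automatic guest login needs the caller's opt-in, both site settings,
        // and a course that is either the site course or open to guests.
        if ($autologinguest and !empty($CFG->guestloginbutton) and !empty($CFG->autologinguests) and ($COURSE->id == SITEID or $COURSE->guest)) {
            $loginguest = '?loginguest=true';
        } else {
            $loginguest = '';
        }
        if (empty($CFG->loginhttps) or $loginguest) {
            //do not require https for guest logins
            redirect($CFG->wwwroot . '/login/index.php' . $loginguest);
        } else {
            // Credentials are about to be entered: send the login page over https.
            $wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
            redirect($wwwroot . '/login/index.php');
        }
        exit;
    }
    /// loginas as redirection if needed
    // A user impersonated within one course may not wander into another course.
    if ($COURSE->id != SITEID and !empty($USER->realuser)) {
        if ($USER->loginascontext->contextlevel == CONTEXT_COURSE) {
            if ($USER->loginascontext->instanceid != $COURSE->id) {
                print_error('loginasonecourse', '', $CFG->wwwroot . '/course/view.php?id=' . $USER->loginascontext->instanceid);
            }
        }
    }
    /// check whether the user should be changing password (but only if it is REALLY them)
    $userauth = get_auth_plugin($USER->auth);
    if (get_user_preferences('auth_forcepasswordchange') && empty($USER->realuser)) {
        if ($userauth->can_change_password()) {
            $SESSION->wantsurl = $FULLME;
            if ($userauth->change_password_url()) {
                //use plugin custom url
                redirect($userauth->change_password_url());
            } else {
                //use moodle internal method
                if (empty($CFG->loginhttps)) {
                    redirect($CFG->wwwroot . '/login/change_password.php');
                } else {
                    $wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
                    redirect($wwwroot . '/login/change_password.php');
                }
            }
        } else {
            error(get_string('nopasswordchangeforced', 'auth'));
        }
    }
    /// Check that the user account is properly set up
    if (user_not_fully_set_up($USER)) {
        $SESSION->wantsurl = $FULLME;
        redirect($CFG->wwwroot . '/user/edit.php?id=' . $USER->id . '&course=' . SITEID);
    }
    /// Make sure current IP matches the one for this session (if required)
    if (!empty($CFG->tracksessionip)) {
        // Strict comparison on purpose: with a loose != PHP compares two
        // numeric-looking strings (for example digests starting "0e" followed
        // only by digits) as numbers, so two different digests could be
        // treated as equal.
        // NOTE(review): assumes $USER->sessionIP is stored as the md5 hex string
        // of the address - confirm where it is set.
        if ($USER->sessionIP !== md5(getremoteaddr())) {
            error(get_string('sessionipnomatch', 'error'));
        }
    }
    /// Make sure the USER has a sesskey set up.  Used for checking script parameters.
    sesskey();
    // Check that the user has agreed to a site policy if there is one
    if (!empty($CFG->sitepolicy)) {
        if (!$USER->policyagreed) {
            $SESSION->wantsurl = $FULLME;
            redirect($CFG->wwwroot . '/user/policy.php');
        }
    }
    /// If the site is currently under maintenance, then print a message
    // Users holding moodle/site:config are exempt so they can still reach the site.
    if (!has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM, SITEID))) {
        if (file_exists($CFG->dataroot . '/' . SITEID . '/maintenance.html')) {
            print_maintenance_message();
            exit;
        }
    }
    if ($COURSE->id == SITEID) {
        /// We can eliminate hidden site activities straight away
        if (!empty($cm) && !$cm->visible and !has_capability('moodle/course:viewhiddenactivities', get_context_instance(CONTEXT_COURSE, $COURSE->id))) {
            redirect($CFG->wwwroot, get_string('activityiscurrentlyhidden'));
        }
        return;
    } else {
        /// Check if the user can be in a particular course
        if (!($context = get_context_instance(CONTEXT_COURSE, $COURSE->id))) {
            print_error('nocontext');
        }
        // Hidden course (or hidden parent): only users with a switched role in
        // this context or the viewhiddencourses capability get past this point.
        if (empty($USER->switchrole[$context->id]) && !($COURSE->visible && course_parent_visible($COURSE)) && !has_capability('moodle/course:viewhiddencourses', get_context_instance(CONTEXT_COURSE, $COURSE->id))) {
            print_header_simple();
            notice(get_string('coursehidden'), $CFG->wwwroot . '/');
        }
        /// Non-guests who don't currently have access, check if they can be allowed in as a guest
        if ($USER->username != 'guest' and !has_capability('moodle/course:view', $context)) {
            if ($COURSE->guest == 1) {
                // Temporarily assign them guest role for this context, if it fails later user is asked to enrol
                // This widens $USER->capabilities for the session with the guest
                // role's capabilities in this context.
                has_capability('clearcache');
                // Must clear cache
                $guestcaps = get_role_context_caps($CFG->guestroleid, $context);
                $USER->capabilities = merge_role_caps($USER->capabilities, $guestcaps);
            }
        }
        /// If the user is a guest then treat them according to the course policy about guests
        if (has_capability('moodle/legacy:guest', $context, NULL, false)) {
            if (has_capability('moodle/site:doanything', get_context_instance(CONTEXT_SYSTEM))) {
                // administrators must be able to access any course - even if somebody gives them guest access
                return;
            }
            switch ($COURSE->guest) {
                /// Check course policy about guest access
                case 1:
                    /// Guests always allowed
                    if (!has_capability('moodle/course:view', $context)) {
                        // Prohibited by capability
                        print_header_simple();
                        notice(get_string('guestsnotallowed', '', format_string($COURSE->fullname)), "{$CFG->wwwroot}/login/index.php");
                    }
                    if (!empty($cm) and !$cm->visible) {
                        // Not allowed to see module, send to course page
                        redirect($CFG->wwwroot . '/course/view.php?id=' . $cm->course, get_string('activityiscurrentlyhidden'));
                    }
                    return;
                    // User is allowed to see this course
                    break;
                case 2:
                    /// Guests allowed with key
                    if (!empty($USER->enrolkey[$COURSE->id])) {
                        // Set by enrol/manual/enrol.php
                        // The only path that returns a value; kept for callers that may test it.
                        return true;
                    }
                    //  otherwise drop through to logic below (--> enrol.php)
                    break;
                default:
                    /// Guests not allowed
                    print_header_simple('', '', get_string('loggedinasguest'));
                    if (empty($USER->switchrole[$context->id])) {
                        // Normal guest
                        notice(get_string('guestsnotallowed', '', format_string($COURSE->fullname)), "{$CFG->wwwroot}/login/index.php");
                    } else {
                        notify(get_string('guestsnotallowed', '', format_string($COURSE->fullname)));
                        echo '<div class="notifyproblem">' . switchroles_form($COURSE->id) . '</div>';
                        print_footer($COURSE);
                        exit;
                    }
                    break;
            }
            /// For non-guests, check if they have course view access
        } else {
            if (has_capability('moodle/course:view', $context)) {
                if (!empty($USER->realuser)) {
                    // Make sure the REAL person can also access this course
                    if (!has_capability('moodle/course:view', $context, $USER->realuser)) {
                        print_header_simple();
                        notice(get_string('studentnotallowed', '', fullname($USER, true)), $CFG->wwwroot . '/');
                    }
                }
                /// Make sure they can read this activity too, if specified
                if (!empty($cm) and !$cm->visible and !has_capability('moodle/course:viewhiddenactivities', $context)) {
                    redirect($CFG->wwwroot . '/course/view.php?id=' . $cm->course, get_string('activityiscurrentlyhidden'));
                }
                return;
                // User is allowed to see this course
            }
        }
        /// Currently not enrolled in the course, so see if they want to enrol
        $SESSION->wantsurl = $FULLME;
        redirect($CFG->wwwroot . '/course/enrol.php?id=' . $COURSE->id);
        die;
    }
}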
Пример #3
/**
 * Rebuild the complete capability set of the current user in $USER.
 *
 * Guests and not-logged-in visitors get their role loaded by the matching
 * helper. Logged-in users get their own capabilities, narrowed while in a
 * non-system "login as" session, rewritten for any switched roles, and finally
 * merged with the default user role. The original notes that this is what is
 * called from login.
 *
 * The default-role capabilities are kept in a function-static cache, so within
 * one PHP process they are loaded once and reused for every later user.
 */
function load_all_capabilities()
{
    global $USER;
    // Cached default-role capabilities (helps user switching in cron).
    static $defcaps = false;

    // Reset a cache used by get_my_courses
    unset($USER->mycourses);

    if (isguestuser()) {
        load_guest_role();
        return;
    }

    if (!isloggedin()) {
        load_notloggedin_role();
        return;
    }

    // All non-guest users get the default user role; load it only once.
    if ($defcaps === false) {
        $defcaps = load_defaultuser_role(true);
    }
    load_user_capability();

    // "Course login as": keep only capabilities in the login-as context and its
    // children (the original warns that it may not always work as expected).
    if (!empty($USER->realuser) && $USER->loginascontext->contextlevel != CONTEXT_SYSTEM) {
        $allowedcontexts = get_child_contexts($USER->loginascontext);
        $allowedcontexts[] = $USER->loginascontext->id;
        // NOTE(review): in_array() compares loosely here; confirm context ids are
        // always numeric before relying on this filter.
        foreach ($USER->capabilities as $ctxid => $ignored) {
            if (!in_array($ctxid, $allowedcontexts)) {
                unset($USER->capabilities[$ctxid]);
            }
        }
    }

    // Role switching in courses: replace the capabilities of each switched
    // context, and everything below it, with those of the switched role.
    if (!empty($USER->switchrole)) {
        foreach ($USER->switchrole as $contextid => $roleid) {
            $switchedcontext = get_context_instance_by_id($contextid);
            // First prune the context and any child contexts...
            foreach (get_child_contexts($switchedcontext) as $descendantid) {
                unset($USER->capabilities[$descendantid]);
            }
            unset($USER->capabilities[$contextid]);
            // ...then merge the switched role's capabilities in this context and below.
            $switchedcaps = get_role_context_caps($roleid, $switchedcontext);
            $USER->capabilities = merge_role_caps($USER->capabilities, $switchedcaps);
        }
    }

    // Finish with the default-role capabilities, merged in or used alone.
    $USER->capabilities = isset($USER->capabilities)
        ? merge_role_caps($USER->capabilities, $defcaps)
        : $defcaps;
}