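/**
 * Called when the login form is submitted. Validates the user and password, and
 * if they are valid, starts a new session for the user.
 *
 * Flow:
 *  1. $USER->login() is tried first. A bad password produces the generic
 *     'loginfailed' message.
 *  2. If the username is unknown (AuthUnknownUserException), every non-internal
 *     auth instance that allows auto-creation is tried in institution/priority
 *     order; the first one that accepts the password has an account created
 *     for it. An unknown user also ends in the same generic 'loginfailed'
 *     message, so the form does not reveal which usernames exist.
 *  3. Post-login checks: admin-section access, account still active,
 *     required profile fields.
 *
 * @param object $form   The Pieform form object
 * @param array  $values The submitted values ('login_username', 'login_password')
 * @access private
 */
function login_submit(Pieform $form, $values) {
    global $SESSION, $USER;

    $username = trim($values['login_username']);
    $password = $values['login_password'];
    $authenticated = false;

    try {
        $authenticated = $USER->login($username, $password);
        if (empty($authenticated)) {
            $SESSION->add_error_msg(get_string('loginfailed'));
            return;
        }
    }
    catch (AuthUnknownUserException $e) {
        // If the user doesn't exist, check for institutions that
        // want to create users automatically.
        try {
            // Reset the LiveUser object, since we are attempting to create a
            // new user. Whatever state the failed login left behind is dropped.
            $SESSION->destroy_session();
            $USER = new LiveUser();

            // Internal auth never auto-creates users, so it is excluded here.
            $authinstances = get_records_sql_array("
                SELECT a.id, a.instancename, a.priority, a.authname, a.institution, i.suspended, i.displayname
                FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
                WHERE a.authname != 'internal'
                ORDER BY a.institution, a.priority, a.instancename", null);

            if (!$authinstances) {
                throw new AuthUnknownUserException("\"{$username}\" is not known");
            }

            $USER->username = $username;

            // Try the instances in order until one authenticates the user.
            // (foreach replaces the original each()-driven while loop: each()
            // is deprecated since PHP 7.2 and removed in PHP 8.)
            foreach ($authinstances as $authinstance) {
                $auth = AuthFactory::create($authinstance->id);
                if (!$auth->can_auto_create_users()) {
                    continue;
                }

                // catch semi-fatal auth errors, but allow next auth instance to be
                // tried
                try {
                    if (!$auth->authenticate_user_account($USER, $password)) {
                        continue;
                    }
                    $authenticated = true;
                }
                catch (AuthInstanceException $e) {
                    continue;
                }

                // Check now to see if the institution has its maximum quota of users
                require_once 'institution.php';
                $institution = new Institution($authinstance->institution);
                if ($institution->isFull()) {
                    $institution->send_admin_institution_is_full_message();
                    throw new AuthUnknownUserException('Institution has too many users');
                }

                $USER->authinstance = $authinstance->id;
                $userdata = $auth->get_user_info($username);
                if (empty($userdata)) {
                    throw new AuthUnknownUserException("\"{$username}\" is not known");
                }

                // Check for a suspended institution. This deliberately escapes the
                // surrounding catch (it is not an AuthUnknownUserException) so the
                // user sees the "institution suspended" page rather than 'loginfailed'.
                if ($authinstance->suspended) {
                    $sitename = get_config('sitename');
                    throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
                }

                // We have the data - create the user. Attributes come from the
                // external auth source and are sanitised before being stored.
                $USER->lastlogin = db_format_timestamp(time());
                if (isset($userdata->firstname)) {
                    $USER->firstname = sanitize_firstname($userdata->firstname);
                }
                if (isset($userdata->lastname)) {
                    // NOTE(review): the first-name sanitiser is applied to the last name
                    // as well; if a dedicated last-name sanitiser exists it belongs here.
                    $USER->lastname = sanitize_firstname($userdata->lastname);
                }
                if (isset($userdata->email)) {
                    $USER->email = sanitize_email($userdata->email);
                }
                else {
                    // The user will be asked to populate this when they log in.
                    $USER->email = null;
                }

                // Optional profile fields, each run through its own sanitize_<field>().
                $profilefields = array();
                foreach (array('studentid', 'preferredname') as $pf) {
                    if (isset($userdata->{$pf})) {
                        $sanitize = 'sanitize_' . $pf;
                        if (($USER->{$pf} = $sanitize($userdata->{$pf})) !== '') {
                            $profilefields[$pf] = $USER->{$pf};
                        }
                    }
                }

                try {
                    // If this authinstance is a parent auth for some xmlrpc authinstance, pass it along to create_user
                    // so that this username also gets recorded as the username for sso from the remote sites.
                    $remoteauth = $auth->is_parent_authority();
                    create_user($USER, $profilefields, $institution, $remoteauth);
                    $USER->reanimate($USER->id, $authinstance->id);
                }
                catch (Exception $e) {
                    // Undo the partial account creation before propagating.
                    db_rollback();
                    throw $e;
                }

                // Authenticated and created; no further instances are tried.
                break;
            }

            if (!$authenticated) {
                $SESSION->add_error_msg(get_string('loginfailed'));
                return;
            }
        }
        catch (AuthUnknownUserException $e) {
            // We weren't able to authenticate the user for some reason that
            // probably isn't their fault (e.g. ldap extension not available
            // when using ldap authentication). The logged message embeds the
            // submitted username, so treat it as untrusted in log consumers.
            log_info($e->getMessage());
            $SESSION->add_error_msg(get_string('loginfailed'));
            return;
        }
    }

    auth_check_admin_section();

    // This is also checked in $USER->login(), but it's good to check it again here in case a buggy auth plugin
    // lets a suspended user through somehow.
    ensure_user_account_is_active();

    // User is allowed to log in
    auth_check_required_fields();
}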
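/**
 * Called when the login form is submitted. Validates the user and password, and
 * if they are valid, starts a new session for the user.
 *
 * Flow:
 *  1. $USER->login() is tried first; a bad password produces the generic
 *     'loginfailed' message.
 *  2. If the username is unknown (AuthUnknownUserException), every auth
 *     instance that allows auto-creation is tried in institution/priority
 *     order; the first one that accepts the password has an account created.
 *     An unknown user ends in the same generic 'loginfailed' message.
 *  3. Post-login checks: admin-section access, then deleted / expired /
 *     inactive / suspended account. These run after the session exists, so
 *     each refusal logs the user out again before stopping.
 *
 * Note: unlike later revisions, the username is not trim()med here and the
 * attributes returned by the auth plugin are stored without sanitisation.
 *
 * @param object $form   The Pieform form object
 * @param array  $values The submitted values ('login_username', 'login_password')
 * @access private
 */
function login_submit(Pieform $form, $values) {
    global $SESSION, $USER;

    $username = $values['login_username'];
    $password = $values['login_password'];
    $authenticated = false;
    // NOTE(review): never assigned again in this function, so the inactivity
    // check below can never fire. Kept to preserve behaviour -- confirm whether
    // it should be loaded from the account's stored lastlogin before login().
    $oldlastlogin = 0;

    try {
        $authenticated = $USER->login($username, $password);
        if (empty($authenticated)) {
            $SESSION->add_error_msg(get_string('loginfailed'));
            return;
        }
    }
    catch (AuthUnknownUserException $e) {
        // If the user doesn't exist, check for institutions that
        // want to create users automatically.
        try {
            // Reset the LiveUser object, since we are attempting to create a
            // new user
            $SESSION->destroy_session();
            $USER = new LiveUser();

            // All instances are fetched; those that cannot auto-create users
            // (e.g. internal auth) are skipped inside the loop.
            $authinstances = get_records_sql_array('
                SELECT a.id, a.instancename, a.priority, a.authname, a.institution, i.suspended, i.displayname
                FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
                ORDER BY a.institution, a.priority, a.instancename', null);

            if (!$authinstances) {
                throw new AuthUnknownUserException("\"{$username}\" is not known");
            }

            $USER->username = $username;

            // Try the instances in order until one authenticates the user.
            // (foreach replaces the original each()-driven while loop: each()
            // is deprecated since PHP 7.2 and removed in PHP 8.)
            foreach ($authinstances as $authinstance) {
                $auth = AuthFactory::create($authinstance->id);
                if (!$auth->can_auto_create_users()) {
                    continue;
                }

                // A misconfigured or unreachable instance must not abort the whole
                // loop: catch semi-fatal auth errors and move on to the next one
                // (the same handling the other revisions of this function use).
                try {
                    if (!$auth->authenticate_user_account($USER, $password)) {
                        continue;
                    }
                    $authenticated = true;
                }
                catch (AuthInstanceException $e) {
                    continue;
                }

                // Check now to see if the institution has its maximum quota of users
                require_once 'institution.php';
                $institution = new Institution($authinstance->institution);
                if ($institution->isFull()) {
                    throw new AuthUnknownUserException('Institution has too many users');
                }

                $USER->authinstance = $authinstance->id;
                $userdata = $auth->get_user_info($username);
                if (empty($userdata)) {
                    throw new AuthUnknownUserException("\"{$username}\" is not known");
                }

                // Check for a suspended institution. This is not an
                // AuthUnknownUserException, so it escapes the surrounding catch
                // and the user sees the "institution suspended" page.
                if ($authinstance->suspended) {
                    $sitename = get_config('sitename');
                    throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
                }

                // We have the data - create the user. Values are stored exactly as
                // the auth plugin returned them; output code must escape them.
                $USER->lastlogin = db_format_timestamp(time());
                if (isset($userdata->firstname)) {
                    $USER->firstname = $userdata->firstname;
                }
                if (isset($userdata->lastname)) {
                    $USER->lastname = $userdata->lastname;
                }
                if (isset($userdata->email)) {
                    $USER->email = $userdata->email;
                }
                else {
                    // The user will be asked to populate this when they log in.
                    $USER->email = null;
                }

                try {
                    create_user($USER, array(), $institution);
                    $USER->reanimate($USER->id, $authinstance->id);
                }
                catch (Exception $e) {
                    // Undo the partial account creation before propagating.
                    db_rollback();
                    throw $e;
                }

                // Authenticated and created; no further instances are tried.
                break;
            }

            if (!$authenticated) {
                $SESSION->add_error_msg(get_string('loginfailed'));
                return;
            }
        }
        catch (AuthUnknownUserException $e) {
            // We weren't able to authenticate the user for some reason that
            // probably isn't their fault (e.g. ldap extension not available
            // when using ldap authentication). The message embeds the submitted
            // username, so treat it as untrusted in log consumers.
            log_info($e->getMessage());
            $SESSION->add_error_msg(get_string('loginfailed'));
            return;
        }
    }

    // Only admins in the admin section! Site admins may enter both; a
    // non-site-admin is refused from ADMIN pages outright and from
    // INSTITUTIONALADMIN pages unless they administer an institution.
    // (Parentheses make the original && / || precedence explicit.)
    if (!$USER->get('admin')
        && (defined('ADMIN') || (defined('INSTITUTIONALADMIN') && !$USER->is_institutional_admin()))) {
        $SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
        redirect();
    }

    // Check if the user's account has been deleted
    if ($USER->deleted) {
        $USER->logout();
        die_info(get_string('accountdeleted'));
    }

    // Check if the user's account has expired
    if ($USER->expiry > 0 && time() > $USER->expiry) {
        $USER->logout();
        die_info(get_string('accountexpired'));
    }

    // Check if the user's account has become inactive
    $inactivetime = get_config('defaultaccountinactiveexpire');
    if ($inactivetime && $oldlastlogin > 0 && $oldlastlogin + $inactivetime < time()) {
        $USER->logout();
        die_info(get_string('accountinactive'));
    }

    // Check if the user's account has been suspended
    if ($USER->suspendedcusr) {
        $suspendedctime = $USER->suspendedctime;
        $suspendedreason = $USER->suspendedreason;
        $USER->logout();
        die_info(get_string('accountsuspended', 'mahara', $suspendedctime, $suspendedreason));
    }

    // User is allowed to log in
    auth_check_password_change();
    auth_check_required_fields();
}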
/**
 * Called when the auth_saml_login form is submitted. Validates the user and
 * password against all of the user's auth instances and, if they are valid,
 * starts a new session for the user.
 *
 * Copied and modified from core login_submit: the error handling and the
 * post-login account checks mirror it, but every exit path redirects back to
 * /auth/saml/index.php instead of returning to the calling page.
 *
 * Failure paths (wrong password, unknown user) all show the same generic
 * 'loginfailed' message so the form does not reveal which usernames exist.
 * The account checks run after a session has been established, so each
 * refusal logs the user out again before stopping.
 *
 * @param object $form   The Pieform form object
 * @param array  $values The submitted values ('login_username', 'login_password')
 */
function auth_saml_login_submit(Pieform $form, $values) {
    global $SESSION, $USER;

    $loginname = trim($values['login_username']);
    $secret    = $values['login_password'];
    $loggedin  = false;
    // NOTE(review): never assigned after this, so the inactivity check below
    // cannot fire in this function -- presumably carried over from core
    // login_submit; confirm whether it should read the stored lastlogin.
    $previouslogin = 0;

    try {
        $loggedin = login_test_all_user_authinstance($loginname, $secret);
    }
    catch (AuthUnknownUserException $e) {
        // Unknown user is reported exactly like a bad password.
        $loggedin = false;
    }

    if (empty($loggedin)) {
        $SESSION->add_error_msg(get_string('loginfailed'));
        redirect('/auth/saml/index.php');
    }

    auth_check_admin_section();

    // Account must not have been deleted
    if ($USER->deleted) {
        $USER->logout();
        die_info(get_string('accountdeleted'));
    }

    // Account must not have passed its expiry time (0 means never expires)
    if ($USER->expiry > 0 && time() > $USER->expiry) {
        $USER->logout();
        die_info(get_string('accountexpired'));
    }

    // Account must not have gone inactive (see note on $previouslogin above)
    $inactivityexpiry = get_config('defaultaccountinactiveexpire');
    if ($inactivityexpiry && $previouslogin > 0 && $previouslogin + $inactivityexpiry < time()) {
        $USER->logout();
        die_info(get_string('accountinactive'));
    }

    // Account must not be suspended. The suspension details are read before
    // logout() so they survive for the message.
    // (strftime() is deprecated as of PHP 8.1; the format string comes from
    // the language pack, so it is kept here rather than swapped for date().)
    if ($USER->suspendedcusr) {
        $suspendedsince = strftime(get_string('strftimedaydate'), $USER->suspendedctime);
        $reason         = $USER->suspendedreason;
        $USER->logout();
        die_info(get_string('accountsuspended', 'mahara', $suspendedsince, $reason));
    }

    // User is allowed to log in
    auth_check_required_fields();

    // all happy - carry on now
    redirect('/auth/saml/index.php');
}
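/**
 * Called when the login form is submitted. Validates the user and password, and
 * if they are valid, starts a new session for the user.
 *
 * Flow:
 *  1. $USER->login() is tried first; a bad password produces the generic
 *     'loginfailed' message.
 *  2. If the username is unknown (AuthUnknownUserException), every auth
 *     instance that allows auto-creation is tried in institution/priority
 *     order; the first one that accepts the password has an account created.
 *     An unknown user ends in the same generic 'loginfailed' message.
 *  3. Post-login checks: admin-section access, then deleted / expired /
 *     inactive / suspended account. These run after the session exists, so
 *     each refusal logs the user out again before stopping.
 *  4. If logins are served over a separate httpswwwroot, redirect back to
 *     the plain wwwroot equivalent of the current page.
 *
 * Note: the username is not trim()med here and attributes returned by the
 * auth plugin are stored without sanitisation.
 *
 * @param object $form   The Pieform form object
 * @param array  $values The submitted values ('login_username', 'login_password')
 * @access private
 */
function login_submit(Pieform $form, $values) {
    global $SESSION, $USER;

    $username = $values['login_username'];
    $password = $values['login_password'];
    $authenticated = false;
    // NOTE(review): never assigned again in this function, so the inactivity
    // check below can never fire. Kept to preserve behaviour -- confirm whether
    // it should be loaded from the account's stored lastlogin before login().
    $oldlastlogin = 0;

    try {
        $authenticated = $USER->login($username, $password);
        if (empty($authenticated)) {
            $SESSION->add_error_msg(get_string('loginfailed'));
            return;
        }
    }
    catch (AuthUnknownUserException $e) {
        // If the user doesn't exist, check for institutions that
        // want to create users automatically.
        try {
            // Reset the LiveUser object, since we are attempting to create a
            // new user
            $SESSION->destroy_session();
            $USER = new LiveUser();

            // All instances are fetched; those that cannot auto-create users
            // (e.g. internal auth) are skipped inside the loop.
            $authinstances = get_records_sql_array('
                SELECT a.id, a.instancename, a.priority, a.authname, a.institution, i.suspended, i.displayname
                FROM {institution} i JOIN {auth_instance} a ON a.institution = i.name
                ORDER BY a.institution, a.priority, a.instancename', null);

            if (!$authinstances) {
                throw new AuthUnknownUserException("\"{$username}\" is not known");
            }

            $USER->username = $username;

            // Try the instances in order until one authenticates the user.
            // (foreach replaces the original each()-driven while loop: each()
            // is deprecated since PHP 7.2 and removed in PHP 8.)
            foreach ($authinstances as $authinstance) {
                $auth = AuthFactory::create($authinstance->id);
                if (!$auth->can_auto_create_users()) {
                    continue;
                }

                // catch semi-fatal auth errors, but allow next auth instance to be
                // tried
                try {
                    if (!$auth->authenticate_user_account($USER, $password)) {
                        continue;
                    }
                    $authenticated = true;
                }
                catch (AuthInstanceException $e) {
                    continue;
                }

                // Check now to see if the institution has its maximum quota of users
                require_once 'institution.php';
                $institution = new Institution($authinstance->institution);
                if ($institution->isFull()) {
                    throw new AuthUnknownUserException('Institution has too many users');
                }

                $USER->authinstance = $authinstance->id;
                $userdata = $auth->get_user_info($username);
                if (empty($userdata)) {
                    throw new AuthUnknownUserException("\"{$username}\" is not known");
                }

                // Check for a suspended institution. This is not an
                // AuthUnknownUserException, so it escapes the surrounding catch
                // and the user sees the "institution suspended" page.
                if ($authinstance->suspended) {
                    $sitename = get_config('sitename');
                    throw new AccessTotallyDeniedException(get_string('accesstotallydenied_institutionsuspended', 'mahara', $authinstance->displayname, $sitename));
                }

                // We have the data - create the user. Values are stored exactly as
                // the auth plugin returned them; output code must escape them.
                $USER->lastlogin = db_format_timestamp(time());
                if (isset($userdata->firstname)) {
                    $USER->firstname = $userdata->firstname;
                }
                if (isset($userdata->lastname)) {
                    $USER->lastname = $userdata->lastname;
                }
                if (isset($userdata->email)) {
                    $USER->email = $userdata->email;
                }
                else {
                    // The user will be asked to populate this when they log in.
                    $USER->email = null;
                }

                try {
                    // If this authinstance is a parent auth for some xmlrpc authinstance, pass it along to create_user
                    // so that this username also gets recorded as the username for sso from the remote sites.
                    $remoteauth = count_records('auth_instance_config', 'field', 'parent', 'value', $authinstance->id)
                        ? $authinstance
                        : null;
                    create_user($USER, array(), $institution, $remoteauth);
                    $USER->reanimate($USER->id, $authinstance->id);
                }
                catch (Exception $e) {
                    // Undo the partial account creation before propagating.
                    db_rollback();
                    throw $e;
                }

                // Authenticated and created; no further instances are tried.
                break;
            }

            if (!$authenticated) {
                $SESSION->add_error_msg(get_string('loginfailed'));
                return;
            }
        }
        catch (AuthUnknownUserException $e) {
            // We weren't able to authenticate the user for some reason that
            // probably isn't their fault (e.g. ldap extension not available
            // when using ldap authentication). The message embeds the submitted
            // username, so treat it as untrusted in log consumers.
            log_info($e->getMessage());
            $SESSION->add_error_msg(get_string('loginfailed'));
            return;
        }
    }

    // Only admins in the admin section! Site admins may enter both; a
    // non-site-admin is refused from ADMIN pages outright and from
    // INSTITUTIONALADMIN pages unless they administer an institution.
    // (Parentheses make the original && / || precedence explicit.)
    if (!$USER->get('admin')
        && (defined('ADMIN') || (defined('INSTITUTIONALADMIN') && !$USER->is_institutional_admin()))) {
        $SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
        redirect();
    }

    // Check if the user's account has been deleted
    if ($USER->deleted) {
        $USER->logout();
        die_info(get_string('accountdeleted'));
    }

    // Check if the user's account has expired
    if ($USER->expiry > 0 && time() > $USER->expiry) {
        $USER->logout();
        die_info(get_string('accountexpired'));
    }

    // Check if the user's account has become inactive
    $inactivetime = get_config('defaultaccountinactiveexpire');
    if ($inactivetime && $oldlastlogin > 0 && $oldlastlogin + $inactivetime < time()) {
        $USER->logout();
        die_info(get_string('accountinactive'));
    }

    // Check if the user's account has been suspended. Details are read before
    // logout() so they survive for the message.
    // (strftime() is deprecated as of PHP 8.1; the format string comes from
    // the language pack, so it is kept rather than swapped for date().)
    if ($USER->suspendedcusr) {
        $suspendedctime = strftime(get_string('strftimedaydate'), $USER->suspendedctime);
        $suspendedreason = $USER->suspendedreason;
        $USER->logout();
        die_info(get_string('accountsuspended', 'mahara', $suspendedctime, $suspendedreason));
    }

    // User is allowed to log in
    auth_check_required_fields();

    if (get_config('httpswwwroot') && !defined('JSON')) {
        // If we are using HTTPS for logins we need to go back to
        // non-HTTPS URLs. Otherwise, Javascript (and possibly CSS)
        // breaks. Don't use get_full_script_path(), as it doesn't
        // work if someone sets httpswwwroot to something like
        // 'https://x.y.z.w:443/...' (unlikely, but
        // possible). get_full_script_path() doesn't gives us the
        // ':443' part and things break horribly.
        //
        // NOTE(review): the redirect target is the current script path with the
        // httpswwwroot path prefix stripped. If get_script_path() is derived from
        // the request URI it is attacker-influenced; confirm that redirect()
        // refuses absolute / protocol-relative targets. hsc() HTML-escapes the
        // value, which is the wrong escaping context for a Location header but
        // harmless for plain paths.
        $parts = parse_url(get_config('httpswwwroot'));
        $httpsrequest = rtrim($parts['path'], '/');
        redirect(hsc(substr(get_script_path(), strlen($httpsrequest))));
    }
}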