/**
 * Function to enable SSO (it runs before user_login() is called).
 *
 * If a valid CHOCOLATECHIP cookie is found, the user named in it is logged in without a
 * password and the local profile is synchronised with the cookie payload. If no valid
 * cookie is found, an existing non-guest Moodle session is terminated; the redirect to the
 * master bakery login page is present but commented out, so the user simply sees the
 * local login page.
 *
 * Relies on validateCookie(), which reads the globals populated below ($key, $cookieDomain,
 * $slaveURL, $masterURL, $defaultCountry) and is expected to return the decoded cookie
 * payload (name/mail/init) or an empty value. NOTE(review): the cookie signature check is
 * not visible here - confirm validateCookie() verifies it against $key before trusting
 * the payload, since the name it returns is logged in with a null password.
 *
 * @return void (redirects on success)
 */
function loginpage_hook() {
    global $CFG, $USER, $DB;
    // Shared with validateCookie() through globals rather than parameters.
    global $key, $cookieDomain, $slaveURL, $masterURL, $defaultCountry;
    $key = $this->config->skey;
    $cookieDomain = $this->config->cookiedomain;
    $masterURL = $this->config->masterurl;
    $slaveURL = $this->config->slaveurl;
    $defaultCountry = $this->config->defaultcountry;

    $mdBakery['slave'] = validateCookie();
    if (!empty($mdBakery['slave'])) {
        $username = $mdBakery['slave']['name'];
        // No password: the cookie is the credential, the auth plugin must accept null here.
        $user = authenticate_user_login($username, null);
        if ($user) {
            complete_user_login($user);
            $urltogo = $CFG->wwwroot . '/';
            // Compare the freshly logged-in account against the cookie payload.
            // (If the account is a dummy, the init value is changed through the edit-user form.)
            $userMail = $USER->email;
            $userInit = $USER->idnumber;
            // Don't check for username because of user freedom for Firstname and Lastname display.
            // NOTE(review): loose != comparison; === would be the safer choice for these strings.
            if ($userMail != $mdBakery['slave']['mail'] || $userInit != $mdBakery['slave']['init']) {
                $emptyString = " "; // Or just "default" string
                // Profile is overwritten from the cookie: idnumber, e-mail, a capitalised
                // username as first name, blank last name/city, configured default country.
                $user->idnumber = $mdBakery['slave']['init'];
                $fName = ucfirst($mdBakery['slave']['name']);
                $user->firstname = $fName;
                $user->lastname = $emptyString;
                $user->email = $mdBakery['slave']['mail'];
                $user->city = $emptyString;
                $user->country = $defaultCountry;
                $DB->update_record('user', $user);
            }
            redirect($urltogo);
        }
    } else {
        // No valid cookie: a Moodle session without the bakery cookie is not allowed to persist.
        if (isloggedin() && !isguestuser()) {
            require_logout();
        } else {
            // Redirect to the master login page is disabled; the local login page is shown instead.
            // $master_redirect = $masterURL . 'user/login?return_dest=' . urlencode($slaveURL . 'login/index.php');
            // header('Location: ' . $master_redirect);
        }
    }
}
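/**
 * Validate the change-password form (the submitted username is ignored; the current $USER
 * is always the account being checked).
 *
 * @param array $data  submitted form data (password, newpassword1, newpassword2)
 * @param array $files submitted files
 * @return array field name => error message; empty when valid
 */
function validation($data, $files) {
    global $USER;
    $errors = parent::validation($data, $files);

    update_login_count();
    // Re-authenticate with the submitted current password; the username field is ignored so
    // the form cannot be used to test credentials of another account.
    if (!authenticate_user_login($USER->username, $data['password'])) {
        $errors['password'] = get_string('invalidlogin');
        return $errors;
    }
    reset_login_count();

    // Strict comparisons: with == numeric-looking strings such as "1e3" and "1000" compare equal.
    if ($data['newpassword1'] !== $data['newpassword2']) {
        $errors['newpassword1'] = get_string('passwordsdiffer');
        $errors['newpassword2'] = get_string('passwordsdiffer');
        return $errors;
    }
    if ($data['password'] === $data['newpassword1']) {
        $errors['newpassword1'] = get_string('mustchangepassword');
        $errors['newpassword2'] = get_string('mustchangepassword');
        return $errors;
    }

    $errmsg = ''; // filled in by reference by check_password_policy()
    if (!check_password_policy($data['newpassword1'], $errmsg)) {
        $errors['newpassword1'] = $errmsg;
        $errors['newpassword2'] = $errmsg;
        return $errors;
    }
    return $errors;
}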
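/**
 * Authenticate a Moodle account for the web-service bridge and mark the PHP session as
 * plugin-authenticated when the account carries the admin flag.
 *
 * @param string $username
 * @param string $password plaintext password
 * @return string|int the session id on success, MOODLEWS_ERROR otherwise
 */
public function login($username, $password) {
    $user = authenticate_user_login($username, $password);
    // authenticate_user_login() returns false on failure; guard before dereferencing.
    // NOTE(review): ->admin is a legacy user-record field - confirm it exists on this Moodle version.
    if ($user && 0 < $user->id && !empty($user->admin)) {
        $_SESSION['MoodlePlugin'] = true;
        return session_id();
    }
    return MOODLEWS_ERROR;
}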
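/**
 * podcaster basic authentication
 *
 * Accepts HTTP Basic credentials, authenticates them through Moodle and sets the global
 * $USER only once every check has passed. On any failure a 401 with a descriptive realm
 * (taken from the podcaster language pack) is sent and the script exits.
 *
 * @author Humboldt Universitaet zu Berlin
 *         Christoph Soergel <*****@*****.**>
 * @version 1.0
 * @package podcaster
 *
 * @return true when a session already exists or the credentials were accepted; never returns otherwise
 */
function http_basic_login() {
    global $USER;

    if (isloggedin()) {
        return true;
    }

    $realm = 'restricted';
    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
        $user = authenticate_user_login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
        do {
            if (!$user) {
                $realm = 'loginerror';
                break;
            }
            // Check the preference for the authenticated account explicitly instead of via
            // $USER, so the global is populated only when the login is actually accepted
            // (previously $USER was assigned first and unset() only dropped the local alias).
            if (get_user_preferences('auth_forcepasswordchange', false, $user)) {
                // NOTE(review): $passwordchangeurl is never assigned in this function, so the
                // first branch is unreachable until a change-password URL is wired in.
                if (!empty($passwordchangeurl)) {
                    $realm = 'mustchangepassword';
                } else {
                    $realm = 'mustchangepassword_butnourl';
                }
                break;
            }
            // check whether the user is fully set up
            if (user_not_fully_set_up($user)) {
                $realm = 'notfullysetup';
                break;
            }
            $USER = $user;
            return true;
        } while (false);
    }

    // no or rejected credentials: challenge again and stop
    header('WWW-Authenticate: Basic realm="' . get_string($realm, 'podcaster') . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo get_string($realm, 'podcaster');
    exit;
}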
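/**
 * Validate the change-password form (older formslib variant: builds its own $errors array
 * and returns true when every check passes). The submitted username is ignored; the
 * current $USER is always the account being checked.
 *
 * @param array $data submitted form data (password, newpassword1, newpassword2)
 * @return array|true field name => error message on failure, true when valid
 */
function validation($data) {
    global $USER;
    $errors = array();

    update_login_count();
    // Re-authenticate with the submitted current password; the username field is ignored so
    // the form cannot be used to test credentials of another account.
    if (!authenticate_user_login($USER->username, $data['password'])) {
        $errors['password'] = get_string('invalidlogin');
        return $errors;
    }
    reset_login_count();

    // Strict comparisons: with == numeric-looking strings such as "1e3" and "1000" compare equal.
    if ($data['newpassword1'] !== $data['newpassword2']) {
        $errors['newpassword1'] = get_string('passwordsdiffer');
        $errors['newpassword2'] = get_string('passwordsdiffer');
        return $errors;
    }
    if ($data['password'] === $data['newpassword1']) {
        $errors['newpassword1'] = get_string('mustchangepassword');
        $errors['newpassword2'] = get_string('mustchangepassword');
        return $errors;
    }
    return true;
}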
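/**
 * Validate the change-password form (the submitted username is ignored; the current $USER
 * is always the account being checked).
 *
 * On top of the parent checks and Moodle's password policy this variant rejects characters
 * that break synchronisation of the password to VMS (added by SMS 8/7/2011).
 *
 * @param array $data  submitted form data (password, newpassword1, newpassword2)
 * @param array $files submitted files
 * @return array field name => error message; empty when valid
 */
function validation($data, $files) {
    global $USER;
    $errors = parent::validation($data, $files);

    update_login_count();
    // Re-authenticate with the submitted current password; the username field is ignored so
    // the form cannot be used to test credentials of another account.
    if (!authenticate_user_login($USER->username, $data['password'])) {
        $errors['password'] = get_string('invalidlogin');
        return $errors;
    }
    reset_login_count();

    // Strict comparisons: with == numeric-looking strings such as "1e3" and "1000" compare equal.
    if ($data['newpassword1'] !== $data['newpassword2']) {
        $errors['newpassword1'] = get_string('passwordsdiffer');
        $errors['newpassword2'] = get_string('passwordsdiffer');
        return $errors;
    }
    if ($data['password'] === $data['newpassword1']) {
        $errors['newpassword1'] = get_string('mustchangepassword');
        $errors['newpassword2'] = get_string('mustchangepassword');
        return $errors;
    }

    $errmsg = ''; // filled in by reference by check_password_policy()
    if (!check_password_policy($data['newpassword1'], $errmsg)) {
        $errors['newpassword1'] = $errmsg;
        $errors['newpassword2'] = $errmsg;
        return $errors;
    }

    // Added by SMS 8/7/2011: To make sure the password does not include special
    // characters that may result in issues when synching the password with vms.
    if (!isValidPassword($data['newpassword1'])) {
        $vmsmsg = 'Your password cannot contain the following characters: " / \\ [ ] : ; | = , + * ? < > @ & !';
        // Append to whatever the parent validation left, without reading an undefined index.
        $errors['newpassword1'] = (isset($errors['newpassword1']) ? $errors['newpassword1'] : '') . $vmsmsg;
        $errors['newpassword2'] = (isset($errors['newpassword2']) ? $errors['newpassword2'] : '') . $vmsmsg;
    }
    return $errors;
}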
print_error('shib_not_set_up_error', 'auth_shibboleth'); } /// If we can find the Shibboleth attribute, save it in session and return to main login page if (!empty($_SERVER[$pluginconfig->user_attribute])) { // Shibboleth auto-login $frm = new stdClass(); $frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]); // The password is never actually used, but needs to be passed to the functions 'user_login' and // 'authenticate_user_login'. Shibboleth returns true for the function 'prevent_local_password', which is // used when setting the password in 'update_internal_user_password'. When 'prevent_local_password' // returns true, the password is set to 'not cached' (AUTH_PASSWORD_NOT_CACHED) in the Moodle DB. However, // rather than setting the password to a hard-coded value, we will generate one each time, in case there are // changes to the Shibboleth plugin and it is actually used. $frm->password = generate_password(8); /// Check if the user has actually submitted login data to us if ($shibbolethauth->user_login($frm->username, $frm->password) && ($user = authenticate_user_login($frm->username, $frm->password))) { complete_user_login($user); if (user_not_fully_set_up($USER)) { $urltogo = $CFG->wwwroot . '/user/edit.php?id=' . $USER->id . '&course=' . SITEID; // We don't delete $SESSION->wantsurl yet, so we get there later } else { if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) { $urltogo = $SESSION->wantsurl; /// Because it's an address in this site unset($SESSION->wantsurl); } else { $urltogo = $CFG->wwwroot . '/'; /// Go to the standard home page unset($SESSION->wantsurl); /// Just in case }
/**
 * Log a user in from the SSO attributes supplied in the HTTP request headers (teosso).
 *
 * Flow: read the attributes, map the configured idnumber attribute to a Moodle user, create
 * or rename the account as needed, then call authenticate_user_login() with a throw-away
 * password and redirect to $SESSION->wantsurl (when it points into this site) or the front page.
 *
 * NOTE(review): the attributes are trusted as-is; this is only safe when the request can
 * only reach Moodle through the component that sets those headers (not visible here).
 *
 * @return void redirects on every path
 */
function teosso_authenticate_user() {
    global $CFG, $USER, $SESSION;
    $pluginconfig = get_config('auth/teosso');

    // retrieve the login data from the HTTP Headers
    $attributes = auth_plugin_teosso::get_sso_attributes();

    // check to see if we got any authentication data
    if (empty($attributes)) {
        redirect($pluginconfig->signin_url);
    }

    // get the http headers for error reporting
    // NOTE(review): apache_request_headers() returns the original header names (e.g. "Host");
    // the HTTP_ prefix is a $_SERVER convention, so this filter may match nothing - confirm.
    $headers = apache_request_headers();
    $attr_hdrs = array();
    foreach ($headers as $key => $value) {
        if (preg_match('/^HTTP_/', $key)) {
            $attr_hdrs[] = $key . ': ' . $value;
        }
    }
    $headers = implode(' | ', $attr_hdrs);

    // Check the validity of the HTTP header against the configured attribute map.
    $attrmap = auth_plugin_teosso::get_attributes();
    if (empty($attrmap['idnumber'])) {
        // serious misconfiguration: no idnumber attribute mapped
        print_error('missingidnumber', 'auth_teosso');
    }
    if (empty($attributes[$attrmap['idnumber']])) {
        // not a valid session: ship the user off to the Federation Manager
        add_to_log(0, 'login', 'error', '/auth/teosso/index.php', get_string('idnumber_error', 'auth_teosso', $headers));
        redirect($pluginconfig->signin_error_url);
    } else {
        // in theory we only need acct_id at this point - we should retrieve the user record to get the username via idnumber
        if (!($user = get_record('user', 'idnumber', $attributes[$attrmap['idnumber']]))) {
            // must be a new user
            if (!empty($attributes[$attrmap['username']])) {
                $attributes['username'] = $attributes[$attrmap['username']];
            } else {
                add_to_log(0, 'login', 'error', '/auth/teosso/index.php', get_string('username_error', 'auth_teosso', $headers));
                redirect($pluginconfig->signin_error_url);
            }
        } else {
            // user must use the auth type teosso or authenticate_user_login() will fail
            if ($user->auth != 'teosso') {
                add_to_log(0, 'login', 'error', '/auth/teosso/index.php', get_string('user_auth_type_error', 'auth_teosso', $headers));
                redirect($pluginconfig->signin_error_url);
            }
            // because we want to retain acct_id (idnumber) as the master ID, the username on
            // mdl_user is updated NOW to match the SSO attribute - so it all lines up later
            if (isset($attributes[$attrmap['username']]) && $user->username != $attributes[$attrmap['username']]) {
                if (!set_field('user', 'username', $attributes[$attrmap['username']], 'id', $user->id)) {
                    print_error('usernameupdatefailed', 'auth_teosso');
                }
                $attributes['username'] = $attributes[$attrmap['username']];
            } else {
                $attributes['username'] = $user->username;
            }
        }

        // Valid session. Register or update user in Moodle, log him on, and redirect to Moodle front
        // we require the plugin to know that we are now doing a teosso login in hook user_login
        $GLOBALS['teosso_login'] = TRUE;
        // make variables accessible to teosso->get_userinfo. Information will be requested from authenticate_user_login -> create_user_record / update_user_record
        $GLOBALS['teosso_login_attributes'] = $attributes;

        // just passes time as a password. User will never log in directly to moodle with this password anyway or so we hope?
        // NOTE(review): the return value is not checked - on failure $USER is false and the
        // statements below operate on it (and log a login with an empty id).
        $USER = authenticate_user_login($attributes['username'], time());
        $USER->loggedin = true;
        $USER->site = $CFG->wwwroot;
        update_user_login_times();
        if ($pluginconfig->notshowusername) {
            // Don't show username on login page
            set_moodle_cookie('nobody');
        }
        set_login_session_preferences();
        add_to_log(SITEID, 'user', 'login', "view.php?id={$USER->id}&course=" . SITEID, $USER->id, 0, $USER->id);
        check_enrolment_plugins($USER);
        load_all_capabilities();

        // Honour wantsurl only when it points into this site (prefix match on wwwroot).
        if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
            $urltogo = $SESSION->wantsurl;
        } else {
            $urltogo = $CFG->wwwroot . '/';
        }
        unset($SESSION->wantsurl);
        redirect($urltogo);
    }
}
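/**
 * Authentication hook - called every time a user hits the login page.
 * The code only runs when the 'code' request parameter is present.
 *
 * Exchanges the OAuth2 authorization code of the selected provider (google, facebook,
 * messenger) for an access token, fetches the account e-mail, looks up or creates the
 * matching Moodle user and logs it in.
 *
 * Account linking is by e-mail address ($DB lookup on 'email' below), so the provider's
 * "verified" flag is the only thing preventing an unverified address from claiming an
 * existing account - note the messenger branch hard-codes $verified = 1.
 *
 * @throws moodle_exception on unknown provider, missing/unverified e-mail or token failure
 * @return void redirects after a successful login
 */
function loginpage_hook() {
    global $USER, $SESSION, $CFG, $DB;

    //check the Google authorization code
    $authorizationcode = optional_param('code', '', PARAM_TEXT);
    if (!empty($authorizationcode)) {
        $authprovider = required_param('authprovider', PARAM_ALPHANUMEXT);

        //set the params specific to the authentication provider
        $params = array();
        switch ($authprovider) {
            case 'google':
                $params['client_id'] = get_config('auth/googleoauth2', 'googleclientid');
                $params['client_secret'] = get_config('auth/googleoauth2', 'googleclientsecret');
                $requestaccesstokenurl = 'https://accounts.google.com/o/oauth2/token';
                $params['grant_type'] = 'authorization_code';
                $params['redirect_uri'] = $CFG->wwwroot . '/auth/googleoauth2/google_redirect.php';
                $params['code'] = $authorizationcode;
                break;
            case 'facebook':
                $params['client_id'] = get_config('auth/googleoauth2', 'facebookclientid');
                $params['client_secret'] = get_config('auth/googleoauth2', 'facebookclientsecret');
                $requestaccesstokenurl = 'https://graph.facebook.com/oauth/access_token';
                $params['redirect_uri'] = $CFG->wwwroot . '/auth/googleoauth2/facebook_redirect.php';
                $params['code'] = $authorizationcode;
                break;
            case 'messenger':
                $params['client_id'] = get_config('auth/googleoauth2', 'messengerclientid');
                $params['client_secret'] = get_config('auth/googleoauth2', 'messengerclientsecret');
                $requestaccesstokenurl = 'https://oauth.live.com/token';
                $params['redirect_uri'] = $CFG->wwwroot . '/auth/googleoauth2/messenger_redirect.php';
                $params['code'] = $authorizationcode;
                $params['grant_type'] = 'authorization_code';
                break;
            default:
                throw new moodle_exception('unknown_oauth2_provider');
                break;
        }

        //request by curl an access token and refresh token
        require_once $CFG->libdir . '/filelib.php';
        if ($authprovider == 'messenger') {
            //Windows Live returns an "Object moved" error with curl->post() encoding, so the
            //token request goes in the query string (client_secret included - provider constraint).
            $curl = new curl();
            $postreturnvalues = $curl->get('https://oauth.live.com/token?client_id=' . urlencode($params['client_id']) . '&redirect_uri=' . urlencode($params['redirect_uri']) . '&client_secret=' . urlencode($params['client_secret']) . '&code=' . urlencode($params['code']) . '&grant_type=authorization_code');
        } else {
            $curl = new curl();
            $postreturnvalues = $curl->post($requestaccesstokenurl, $params);
        }

        //each provider returns the token in its own format
        switch ($authprovider) {
            case 'google':
                $postreturnvalues = json_decode($postreturnvalues);
                $accesstoken = $postreturnvalues->access_token;
                //$refreshtoken = $postreturnvalues->refresh_token;
                //$expiresin = $postreturnvalues->expires_in;
                //$tokentype = $postreturnvalues->token_type;
                break;
            case 'facebook':
                parse_str($postreturnvalues, $returnvalues);
                $accesstoken = $returnvalues['access_token'];
                break;
            case 'messenger':
                $accesstoken = json_decode($postreturnvalues)->access_token;
                break;
            default:
                break;
        }

        //with access token request by curl the email address
        if (!empty($accesstoken)) {
            //get the username matching the email
            switch ($authprovider) {
                case 'google':
                    $params = array();
                    $params['access_token'] = $accesstoken;
                    $params['alt'] = 'json';
                    $postreturnvalues = $curl->get('https://www.googleapis.com/userinfo/email', $params);
                    $postreturnvalues = json_decode($postreturnvalues);
                    $useremail = $postreturnvalues->data->email;
                    $verified = $postreturnvalues->data->isVerified;
                    break;
                case 'facebook':
                    $params = array();
                    $params['access_token'] = $accesstoken;
                    $postreturnvalues = $curl->get('https://graph.facebook.com/me', $params);
                    $facebookuser = json_decode($postreturnvalues);
                    $useremail = $facebookuser->email;
                    $verified = $facebookuser->verified;
                    break;
                case 'messenger':
                    $params = array();
                    $params['access_token'] = $accesstoken;
                    $postreturnvalues = $curl->get('https://apis.live.net/v5.0/me', $params);
                    $messengeruser = json_decode($postreturnvalues);
                    $useremail = $messengeruser->emails->preferred;
                    //not super good but there are no way to check it yet - this disables the
                    //verified-address check below for messenger accounts:
                    //http://social.msdn.microsoft.com/Forums/en-US/messengerconnect/thread/515d546d-1155-4775-95d8-89dadc5ee929
                    $verified = 1;
                    break;
                default:
                    break;
            }

            //throw an error if the email address is not verified
            if (!$verified) {
                throw new moodle_exception('emailaddressmustbeverified', 'auth_googleoauth2');
            }

            //reject a missing or malformed email before using it as a lookup key
            if (empty($useremail) or $useremail != clean_param($useremail, PARAM_EMAIL)) {
                throw new moodle_exception('couldnotgetuseremail');
                //TODO: display a link for people to retry
            }

            //get the user - don't bother with auth = googleoauth2 because
            //authenticate_user_login() will fail it if it's not 'googleoauth2'
            $user = $DB->get_record('user', array('email' => $useremail, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id));

            //create the user if it doesn't exist
            if (empty($user)) {
                //get the next incremented username (userX)
                $lastusernumber = get_config('auth/googleoauth2', 'lastusernumber');
                // Fixed: the original post-increment ($lastusernumber++) evaluated to the old value,
                // so the first candidate always collided with the previous user and cost an extra query.
                $lastusernumber = empty($lastusernumber) ? 1 : $lastusernumber + 1;
                //check the user doesn't exist
                $nextuser = $DB->get_record('user', array('username' => get_config('auth/googleoauth2', 'googleuserprefix') . $lastusernumber));
                while (!empty($nextuser)) {
                    $lastusernumber = $lastusernumber + 1;
                    $nextuser = $DB->get_record('user', array('username' => get_config('auth/googleoauth2', 'googleuserprefix') . $lastusernumber));
                }
                set_config('lastusernumber', $lastusernumber, 'auth/googleoauth2');
                $username = get_config('auth/googleoauth2', 'googleuserprefix') . $lastusernumber;

                //retrieve more information from the provider
                //NOTE(review): only the google branch sets $newuser->auth; confirm the record created
                //by authenticate_user_login() gets auth = 'googleoauth2' for the other providers.
                $newuser = new stdClass();
                $newuser->email = $useremail;
                switch ($authprovider) {
                    case 'google':
                        $params = array();
                        $params['access_token'] = $accesstoken;
                        $params['alt'] = 'json';
                        $userinfo = $curl->get('https://www.googleapis.com/oauth2/v1/userinfo', $params);
                        $userinfo = json_decode($userinfo);
                        //email, id, name, verified_email, given_name, family_name, link, gender, locale
                        $newuser->auth = 'googleoauth2';
                        if (!empty($userinfo->given_name)) {
                            $newuser->firstname = $userinfo->given_name;
                        }
                        if (!empty($userinfo->family_name)) {
                            $newuser->lastname = $userinfo->family_name;
                        }
                        if (!empty($userinfo->locale)) {
                            //$newuser->lang = $userinfo->locale;
                            //TODO: convert the locale into correct Moodle language code
                        }
                        break;
                    case 'facebook':
                        $newuser->firstname = $facebookuser->first_name;
                        $newuser->lastname = $facebookuser->last_name;
                        break;
                    case 'messenger':
                        $newuser->firstname = $messengeruser->first_name;
                        $newuser->lastname = $messengeruser->last_name;
                        break;
                    default:
                        break;
                }

                //retrieve country and city if the provider failed to give it
                if (!isset($newuser->country) or !isset($newuser->city)) {
                    $googleipinfodbkey = get_config('auth/googleoauth2', 'googleipinfodbkey');
                    if (!empty($googleipinfodbkey)) {
                        //NOTE(review): plain http - the API key and the visitor's IP travel unencrypted.
                        $locationdata = $curl->get('http://api.ipinfodb.com/v3/ip-city/?key=' . $googleipinfodbkey . '&ip=' . getremoteaddr() . '&format=json');
                        $locationdata = json_decode($locationdata);
                    }
                    if (!empty($locationdata)) {
                        //TODO: check that countryCode does match the Moodle country code
                        // Fixed: the original assigned the boolean result of isset() instead of the
                        // existing value when the provider had already supplied country/city.
                        $newuser->country = isset($newuser->country) ? $newuser->country : $locationdata->countryCode;
                        $newuser->city = isset($newuser->city) ? $newuser->city : $locationdata->cityName;
                    }
                }
            } else {
                $username = $user->username;
            }

            //authenticate the user
            //TODO: delete this log later
            $userid = empty($user) ? 'new user' : $user->id;
            add_to_log(SITEID, 'auth_googleoauth2', '', '', $username . '/' . $useremail . '/' . $userid);
            //no password: the OAuth exchange above is the credential
            $user = authenticate_user_login($username, null);
            if ($user) {
                //set a cookie to remember what auth provider was selected
                setcookie('MOODLEGOOGLEOAUTH2_' . $CFG->sessioncookie, $authprovider, time() + DAYSECS * 60, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);

                //prefill more user information if new user ($newuser is only set on the create path)
                if (!empty($newuser)) {
                    $newuser->id = $user->id;
                    $DB->update_record('user', $newuser);
                }

                complete_user_login($user);

                // Redirection
                if (user_not_fully_set_up($USER)) {
                    $urltogo = $CFG->wwwroot . '/user/edit.php';
                    // We don't delete $SESSION->wantsurl yet, so we get there later
                } else {
                    if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
                        $urltogo = $SESSION->wantsurl;
                        // Because it's an address in this site
                        unset($SESSION->wantsurl);
                    } else {
                        // No wantsurl stored or external - go to homepage
                        $urltogo = $CFG->wwwroot . '/';
                        unset($SESSION->wantsurl);
                    }
                }
                redirect($urltogo);
            }
        } else {
            throw new moodle_exception('couldnotgetgoogleaccesstoken', 'auth_googleoauth2');
        }
    }
}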
} } $new_section["modules"] = array_for_modules($section_modules); $sections_array[] = $new_section; } } $json_output["site_sections"] = $sections_array; if ($CFG->rolesactive) { $json_output["site_admin"] = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM)); } else { $json_output["site_admin"] = isadmin(); } $json_output["auto_login_guests"] = $CFG->autologinguests == 1; } if (isset($_GET['check_user']) || $update_all && isset($_POST['username']) && isset($_POST['password'])) { $json_output["login_valid"] = authenticate_user_login($_POST['username'], $_POST['password']) != FALSE; } if (isset($_GET['course_categories']) || $update_all) { include_once $CFG->dirroot . '/course/lib.php'; $categories = array(); $given_categories = get_categories(); foreach ($given_categories as $i => $each_category) { $is_admin = FALSE; if ($CFG->rolesactive) { } else { $is_admin = isadmin(); } $show_category = $each_category->visible or $is_admin; if ($each_category->visible) { $new_category = array(); $new_category["id"] = $each_category->id;
$authorize_error = get_string("auth_saml_not_authorize", "auth_saml", $username); $authorize_user = false; } if (function_exists('saml_hook_authorize_user')) { $result = saml_hook_authorize_user($username, $saml_attributes, $authorize_user); if ($result !== true) { $authorize_user = false; $authorize_error = $result; } } if (!$authorize_user) { $err['login'] = "******" . $authorize_error . "</p>"; saml_error($err, '?logout', $pluginconfig->samllogfile); } // Just passes time as a password. User will never log in directly to moodle with this password anyway or so we hope? $user = authenticate_user_login($username, time()); if ($user === false) { $err['login'] = get_string("auth_saml_error_authentication_process", "auth_saml", $username); saml_error($err['login'], '?logout', $pluginconfig->samllogfile); } // Complete the user login sequence $user = get_complete_user_data('id', $user->id); if ($user === false) { $err['login'] = get_string("auth_saml_error_complete_user_data", "auth_saml", $username); saml_error($err['login'], '?logout', $pluginconfig->samllogfile); } $USER = complete_user_login($user); if (function_exists('saml_hook_post_user_created')) { saml_hook_post_user_created($USER); } if (isset($SESSION->wantsurl) && !empty($SESSION->wantsurl)) {
/**
 * Exercise authenticate_user_login(): the success path, each failure reason
 * (bad password, suspended account, nologin auth, unknown user) and the lockout
 * threshold. The order of the calls matters - each failed attempt advances the
 * lockout counter that the final assertions depend on.
 */
public function test_authenticate_user_login() {
    global $CFG;
    $this->resetAfterTest();

    $oldlog = ini_get('error_log');
    ini_set('error_log', "{$CFG->dataroot}/testlog.log"); // Prevent standard logging.

    // Lockout disabled for the first half of the test.
    set_config('lockoutthreshold', 0);
    set_config('lockoutwindow', 60 * 20);
    set_config('lockoutduration', 60 * 30);

    $_SERVER['HTTP_USER_AGENT'] = 'no browser'; // Hack around missing user agent in CLI scripts.

    $user1 = $this->getDataGenerator()->create_user(array('username' => 'username1', 'password' => 'password1'));
    $user2 = $this->getDataGenerator()->create_user(array('username' => 'username2', 'password' => 'password2', 'suspended' => 1));
    $user3 = $this->getDataGenerator()->create_user(array('username' => 'username3', 'password' => 'password3', 'auth' => 'nologin'));

    // Plain success without asking for a reason.
    $result = authenticate_user_login('username1', 'password1');
    $this->assertInstanceOf('stdClass', $result);
    $this->assertEquals($user1->id, $result->id);

    // Success with the by-reference reason code.
    $reason = null;
    $result = authenticate_user_login('username1', 'password1', false, $reason);
    $this->assertInstanceOf('stdClass', $result);
    $this->assertEquals(AUTH_LOGIN_OK, $reason);

    // Wrong password.
    $reason = null;
    $result = authenticate_user_login('username1', 'nopass', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_FAILED, $reason);

    // Suspended account.
    $reason = null;
    $result = authenticate_user_login('username2', 'password2', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_SUSPENDED, $reason);

    // 'nologin' auth method is reported as suspended as well.
    $reason = null;
    $result = authenticate_user_login('username3', 'password3', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_SUSPENDED, $reason);

    // Unknown username.
    $reason = null;
    $result = authenticate_user_login('username4', 'password3', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_NOUSER, $reason);

    // Three failed attempts lock the account.
    set_config('lockoutthreshold', 3);

    $reason = null;
    $result = authenticate_user_login('username1', 'nopass', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_FAILED, $reason);
    $result = authenticate_user_login('username1', 'nopass', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_FAILED, $reason);
    ob_start(); // Prevent nomailever notice.
    $result = authenticate_user_login('username1', 'nopass', false, $reason);
    ob_end_clean();
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_FAILED, $reason);

    // Correct password is now refused because of the lockout.
    $result = authenticate_user_login('username1', 'password1', false, $reason);
    $this->assertFalse($result);
    $this->assertEquals(AUTH_LOGIN_LOCKOUT, $reason);

    // The third argument bypasses the lockout check.
    $result = authenticate_user_login('username1', 'password1', true, $reason);
    $this->assertInstanceOf('stdClass', $result);
    $this->assertEquals(AUTH_LOGIN_OK, $reason);

    ini_set('error_log', $oldlog);
}
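/**
 * Sign up a new user and log them in immediately.
 * Password is passed in plaintext.
 *
 * This customised variant marks the account confirmed on creation and never sends the
 * confirmation e-mail (the stock notify/notice path has been removed), so the $notify
 * parameter is kept only for signature compatibility and is not used.
 *
 * @param object $user new user object
 * @param boolean $notify unused; retained for compatibility with the stock signature
 * @return void redirects after login; print_error() on authentication failure
 */
function user_signup($user, $notify = true) {
    global $CFG, $DB, $SESSION;
    require_once $CFG->dirroot . '/user/profile/lib.php';
    require_once $CFG->dirroot . '/user/lib.php';

    if (isset($SESSION->wantsurl)) {
        $wantsurl = $SESSION->wantsurl;
    }

    // The plaintext is kept only for the password history and the login below.
    $plainpassword = $user->password;
    $user->password = hash_internal_user_password($user->password);
    if (empty($user->calendartype)) {
        $user->calendartype = $CFG->calendartype;
    }
    // Bypasses e-mail confirmation: the account is usable as soon as it is created.
    $user->confirmed = 1;

    $user->id = user_create_user($user, false, false);
    user_add_password_history($user->id, $plainpassword);

    // Save any custom profile field information.
    profile_save_data($user);

    // Trigger event.
    \core\event\user_created::create_from_userid($user->id)->trigger();

    $errorcode = null;
    $thisuser = authenticate_user_login($user->username, $plainpassword, false, $errorcode);
    if ($thisuser === false) {
        print_error('authfailure');
    } else {
        complete_user_login($thisuser);
        if (isset($wantsurl)) {
            $urltogo = $wantsurl;
            // Pending self-enrolment request stored by the course page: send the user straight there.
            if (isset($_SESSION["fiaction"]) && isset($_SESSION["ficourseid"]) && is_numeric($_SESSION["ficourseid"]) && $_SESSION["fiaction"] === "enroll") {
                $urltogo = $CFG->wwwroot . '/course/enrol.php?id=' . $_SESSION["ficourseid"];
                unset($_SESSION['fiaction']);
                unset($_SESSION['ficourseid']);
                unset($SESSION->wantsurl);
            }
            // NOTE(review): $SESSION->wantsurl is left in place when no enrolment is pending - confirm
            // that is intended (the stock flow clears it once it has been consumed).
        } else {
            $urltogo = $CFG->wwwroot . '/';
        }
        redirect($urltogo);
    }
}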
/**
 * Authenticate a username/password for the given external service, obtain (or create) a
 * permanent web-service token for the user and emit the user record plus token as JSON.
 *
 * Mirrors the checks of Moodle's token-issuing script (maintenance mode, guest, confirmed,
 * password expiry, service enabled/required capability/restricted users, stale token
 * clean-up), then completes the app login and adds app-specific fields to the user record.
 *
 * NOTE(review): the "User Update Profile" section below reads the first token of the last
 * site admin and embeds it, wrapped in a few random hex characters, in the updateProfile
 * field that is sent to the client. That discloses an administrator web-service token to
 * every user who can log in and needs to be redesigned before this code is exposed.
 *
 * @param string $username
 * @param string $password plaintext password
 * @param string $serviceshortname shortname of the external service to obtain a token for
 * @throws moodle_exception on every rejection path
 * @return void echoes JSON and, for admins, exits
 */
public function __authenticate($username, $password, $serviceshortname) {
    global $CFG, $DB;
    //echo $OUTPUT->header();
    if (!$CFG->enablewebservices) {
        throw new moodle_exception('enablewsdescription', 'webservice');
    }
    $username = trim(textlib::strtolower($username));
    if (is_restored_user($username)) {
        throw new moodle_exception('restoredaccountresetpassword', 'webservice');
    }
    $user = authenticate_user_login($username, $password);
    if (!empty($user)) {
        //Non admin can not authenticate if maintenance mode
        $hassiteconfig = has_capability('moodle/site:config', context_system::instance(), $user);
        if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
            throw new moodle_exception('sitemaintenance', 'admin');
        }
        if (isguestuser($user)) {
            throw new moodle_exception('noguest');
        }
        if (empty($user->confirmed)) {
            throw new moodle_exception('usernotconfirmed', 'moodle', '', $user->username);
        }
        // check credential expiry
        $userauth = get_auth_plugin($user->auth);
        if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
            $days2expire = $userauth->password_expire($user->username);
            if (intval($days2expire) < 0) {
                throw new moodle_exception('passwordisexpired', 'webservice');
            }
        }
        // let enrol plugins deal with new enrolments if necessary
        enrol_check_plugins($user);
        // setup user session to check capability
        session_set_user($user);
        //check if the service exists and is enabled
        $service = $DB->get_record('external_services', array('shortname' => $serviceshortname, 'enabled' => 1));
        if (empty($service)) {
            // will throw exception if no token found
            throw new moodle_exception('servicenotavailable', 'webservice');
        }
        //check if there is any required system capability
        if ($service->requiredcapability and !has_capability($service->requiredcapability, context_system::instance(), $user)) {
            throw new moodle_exception('missingrequiredcapability', 'webservice', '', $service->requiredcapability);
        }
        //specific checks related to user restricted service
        if ($service->restrictedusers) {
            $authoriseduser = $DB->get_record('external_services_users', array('externalserviceid' => $service->id, 'userid' => $user->id));
            if (empty($authoriseduser)) {
                throw new moodle_exception('usernotallowed', 'webservice', '', $serviceshortname);
            }
            if (!empty($authoriseduser->validuntil) and $authoriseduser->validuntil < time()) {
                throw new moodle_exception('invalidtimedtoken', 'webservice');
            }
            if (!empty($authoriseduser->iprestriction) and !address_in_subnet(getremoteaddr(), $authoriseduser->iprestriction)) {
                throw new moodle_exception('invalidiptoken', 'webservice');
            }
        }
        //Check if a token has already been created for this user and this service
        //Note: this could be an admin created or an user created token.
        // It does not really matter we take the first one that is valid.
        $tokenssql = "SELECT t.id, t.sid, t.token, t.validuntil, t.iprestriction\n FROM {external_tokens} t\n WHERE t.userid = ? AND t.externalserviceid = ? AND t.tokentype = ?\n ORDER BY t.timecreated ASC";
        $tokens = $DB->get_records_sql($tokenssql, array($user->id, $service->id, EXTERNAL_TOKEN_PERMANENT));
        //A bit of sanity checks
        foreach ($tokens as $key => $token) {
            /// Checks related to a specific token. (script execution continue)
            $unsettoken = false;
            //if sid is set then there must be a valid associated session no matter the token type
            if (!empty($token->sid)) {
                $session = session_get_instance();
                if (!$session->session_exists($token->sid)) {
                    //this token will never be valid anymore, delete it
                    $DB->delete_records('external_tokens', array('sid' => $token->sid));
                    $unsettoken = true;
                }
            }
            //remove token if no valid anymore
            //Also delete this wrong token (similar logic to the web service servers
            // /webservice/lib.php/webservice_server::authenticate_by_token())
            if (!empty($token->validuntil) and $token->validuntil < time()) {
                $DB->delete_records('external_tokens', array('token' => $token->token, 'tokentype' => EXTERNAL_TOKEN_PERMANENT));
                $unsettoken = true;
            }
            // remove token if its ip not in whitelist
            if (isset($token->iprestriction) and !address_in_subnet(getremoteaddr(), $token->iprestriction)) {
                $unsettoken = true;
            }
            if ($unsettoken) {
                unset($tokens[$key]);
            }
        }
        // if some valid tokens exist then use the most recent (list is ordered by timecreated ASC)
        if (count($tokens) > 0) {
            $token = array_pop($tokens);
        } else {
            // Precedence: (mobile service AND createmobiletoken) OR (non-admin AND createtoken).
            if ($serviceshortname == MOODLE_OFFICIAL_MOBILE_SERVICE and has_capability('moodle/webservice:createmobiletoken', get_system_context()) or !is_siteadmin($user) && has_capability('moodle/webservice:createtoken', get_system_context())) {
                // if service doesn't exist, dml will throw exception
                $service_record = $DB->get_record('external_services', array('shortname' => $serviceshortname, 'enabled' => 1), '*', MUST_EXIST);
                // create a new token
                $token = new stdClass();
                // NOTE(review): md5(uniqid(rand())) is not a cryptographic source; the token is a
                // bearer credential and should come from a CSPRNG (e.g. bin2hex(random_bytes(16))
                // where the PHP version allows it).
                $token->token = md5(uniqid(rand(), 1));
                $token->userid = $user->id;
                $token->tokentype = EXTERNAL_TOKEN_PERMANENT;
                $token->contextid = context_system::instance()->id;
                $token->creatorid = $user->id;
                $token->timecreated = time();
                $token->externalserviceid = $service_record->id;
                $tokenid = $DB->insert_record('external_tokens', $token);
                add_to_log(SITEID, 'webservice', 'automatically create user token', '', 'User ID: ' . $user->id);
                $token->id = $tokenid;
            } else {
                throw new moodle_exception('cannotcreatetoken', 'webservice', '', $serviceshortname);
            }
        }
        // log token access
        $DB->set_field('external_tokens', 'lastaccess', time(), array('id' => $token->id));
        add_to_log(SITEID, 'webservice', 'sending requested user token', '', 'User ID: ' . $user->id);
        $usertoken = new stdClass();
        $usertoken->token = $token->token;
        //complete login process by activating session.
        // To restrict the admin user to login into application
        if (is_siteadmin($user)) {
            $heIsAdmin = new stdClass();
            $heIsAdmin->error = 'admin_user';
            echo json_encode($heIsAdmin);
            die;
        }
        Login::__app_complete_user_login($user);
        // Does the account carry the forced-password-change preference?
        $forcePasswordChangesql = "SELECT up.userid\n FROM {user_preferences} up\n WHERE up.userid = ? AND up.name = ? AND up.value = ?";
        $forcePasswordChange = $DB->get_records_sql($forcePasswordChangesql, array($user->id, 'auth_forcepasswordchange', 1));
        //User Update Profile starts here
        // get_records_sql() indexes rows by the first selected column, so $keys below are the
        // admin's token strings themselves, not ids.
        $admins = get_admins();
        $currentAdmin = end($admins);
        $admintokensql = "SELECT et.token\n FROM {external_tokens} et\n WHERE et.userid = ?";
        $currrentAdminToken = $DB->get_records_sql($admintokensql, array($currentAdmin->id), 0, 1);
        $unique_key = substr(md5(mt_rand(0, 1000000)), 0, 7);
        $keys = array_keys($currrentAdminToken);
        $appuser = new stdClass();
        $user->token = $token->token;
        $user->forcePasswordChange = !empty($forcePasswordChange) ? true : false;
        // NOTE(review): admin token (see docblock) padded with 3 + 4 random hex chars - the padding
        // is trivially removable and offers no protection.
        $user->updateProfile = substr($unique_key, 0, 3) . $keys[0] . substr($unique_key, 3, 7);
        //Get User role
        $rolesql = "SELECT id\n FROM {role} \n WHERE shortname = ?";
        $roleid = array_values($DB->get_records_sql($rolesql, array('reportuser')));
        // NOTE(review): values are integers read from the DB, but this query should still use
        // placeholders like the ones above; it also assumes the 'reportuser' role exists.
        $reportuser = array_values($DB->get_records_sql("SELECT id FROM {role_assignments} WHERE roleid=" . $roleid[0]->id . " AND userid=" . $user->id . ""));
        if ($reportuser[0]->id != '') {
            $user->role = 'reportuser';
        } else {
            $user->role = '';
        }
        //User Update Profile ends here
        // Strip the password hash; the rest of the user record is sent to the client as-is.
        unset($user->password);
        $appuser->USER = $user;
        $user->country_value = $user->country;
        $user->country = get_string($user->country, 'countries');
        echo json_encode($appuser);
    } else {
        throw new moodle_exception('usernamenotfound', 'moodle');
    }
}
/**
 * Look up a user by username and, only when a non-empty password was
 * supplied, hand the pair to Moodle's authenticate_user_login().
 *
 * Returns whatever authenticate_user_login() returns (per the original
 * comment: the $USER object on success). Returns false without attempting
 * authentication when the username is unknown or the password is empty.
 * Note that empty() also treats the string '0' as empty.
 *
 * @param string $username
 * @param string $passwd
 * @return mixed user object on success, false otherwise
 */
function check_user_secret($username, $passwd) {
    $record = get_complete_user_data('username', $username);

    // Unknown username: nothing to authenticate against.
    if (!is_object($record)) {
        return false;
    }

    // An empty password never reaches the authenticator.
    if (empty($passwd)) {
        return false;
    }

    return authenticate_user_login($username, $passwd);
}
$USER->id = 0; require_once '../../config.php'; print_error('auth_onelogin_saml: auth failed due to missing username/email saml attribute: ' . $pluginconfig->saml_username_map . "<br />" . get_string("auth_onelogin_saml_username_email_error", "auth_onelogin_saml") . "\r\n"); } if ($_POST['SAMLResponse']) { $saml_account_matcher = $pluginconfig->saml_account_matcher; if (empty($saml_account_matcher)) { $saml_account_matcher = 'username'; } $saml_create = $pluginconfig->saml_auto_create_users == 'on' ? true : false; $saml_update = $pluginconfig->saml_auto_update_users == 'on' ? true : false; $USER = auth_onelogin_saml_authenticate_user_login($saml_account_matcher, $saml_user, $saml_create, $saml_update); } else { print_error("Info received. Finishing authentication process through regular method hook because no SAML response detected."); display_object($_POST); $USER = authenticate_user_login($saml_user[$saml_account_matcher], time()); } // check that the signin worked if ($USER == false) { print_error("You could not be identified or created. <br />Login result: FAILURE<br />I have...<br />" . htmlspecialchars(print_r($USER, true))); session_write_close(); $USER = new object(); $USER->id = 0; require_once '../../config.php'; print_error('pluginauthfailed', 'auth_onelogin_saml', '', !empty($saml_user['username']) ? $saml_user['username'] : $saml_user['email']); } // complete the user login sequence $USER->loggedin = true; $USER->site = $CFG->wwwroot; $USER = get_complete_user_data('id', $USER->id); complete_user_login($USER);
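/**
 * Log a user in for the RWS web service.
 *
 * eClass modification: the client supplies a CCID, but the Moodle account is
 * keyed by employee id, so the CCID is first translated through an LDAP
 * lookup (local/eclass IMS class) and the employee id is what is passed to
 * authenticate_user_login(). Per the original eClass comment, without that
 * translation the authentication fails and Moodle tries to create a user.
 *
 * Side effects: on success reports status "1000" via RWSSStat(); on failure
 * removes any CAS cookie jar recorded in $_SESSION['rwscas'] and reports
 * error "2008" via RWSSErr().
 *
 * @param string $r_usrn username (CCID) as supplied by the client
 * @param string $r_pw   password as supplied by the client
 * @param string $r_csf  passed through to RWSPLICas() when CAS is enabled
 * @return void
 */
function RWSLIMUser($r_usrn, $r_pw, $r_csf) {
    global $RWSECAS;
    global $CFG;

    /*********** eClass Modification ************
     LDAP lookup for the CCID -> employee id translation.
     ************/
    require_once $CFG->dirroot . '/local/eclass/lib/IMS.php';
    $ims = new IMS($r_usrn, $r_pw, 'uid=', 'ou=people,dc=ualberta,dc=ca');
    $user_info = $ims->get_user_info($r_usrn);

    // Guard the lookup result. The original dereferenced ->employeenumber
    // unconditionally, so a failed lookup raised a PHP notice and handed a
    // null "username" to authenticate_user_login(). A missing employee id is
    // treated as an authentication failure instead.
    $empid = null;
    if (is_object($user_info)
            && isset($user_info->employeenumber)
            && $user_info->employeenumber !== '') {
        $empid = $user_info->employeenumber;
    }
    /*********** End eClass Modification ********/

    if ($RWSECAS) {
        RWSPLICas($r_usrn, $r_pw, $r_csf);
    }

    // Authenticate with the translated employee id, not the raw CCID
    // (eClass modification); skip the call entirely when no id was found.
    $r_usr = ($empid !== null) ? authenticate_user_login($empid, $r_pw) : false;
    if ($r_usr) {
        complete_user_login($r_usr);
    }

    if (isloggedin()) {
        RWSSStat("1000");
        return;
    }

    if ($RWSECAS) {
        // Remove the CAS cookie jar so a failed attempt leaves no file behind.
        if (isset($_SESSION['rwscas']['cookiejar'])) {
            $r_ckf = $_SESSION['rwscas']['cookiejar'];
            if (file_exists($r_ckf)) {
                unlink($r_ckf);
            }
            unset($_SESSION['rwscas']['cookiejar']);
        }
        unset($_SESSION['rwscas']);
    }
    RWSSErr("2008");
}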
/** * @link http://docs.moodle.org/dev/Authentication_plugins#loginpage_hook.28.29 * * Hook for overriding behaviour of login page. * Another auth hook. Process login if $authorizationcode is defined in OAuth url. * Makes cURL POST/GET request to social webservice and fill response data to Moodle user. * We check access tokens in cookies, if the ones exists - get it from $_COOKIE, if no - setcookie * * @uses $SESSION, $CFG, $DB core global objects/variables * @return void or @moodle_exception if OAuth request returns error or fail * * @author Igor Sazonov ( @tigusigalpa ) */ function loginpage_hook() { global $SESSION, $CFG, $DB; $access_token = false; $authorizationcode = optional_param('oauthcode', '', PARAM_TEXT); // get authorization code from url if (!empty($authorizationcode)) { $authprovider = required_param('authprovider', PARAM_TEXT); // get authorization provider (webservice name) $hack_authprovider = $authprovider == 'yahoo1' || $authprovider == 'yahoo2' ? 'yahoo' : $authprovider; $config_field_str = 'auth_lenauth_' . $hack_authprovider . '_social_id_field'; $this->_field_shortname = $this->_oauth_config->{$config_field_str}; $this->_field_id = $this->_lenauth_get_fieldid(); $params = array(); // params to generate data for token request $encode_params = true; $code = true; $redirect_uri = true; $curl_header = false; $curl_options = array(); //if we have access_token in $_COOKIE, so do not need to make request fot the one $this->_send_oauth_request = !isset($_COOKIE[$authprovider]['access_token']) ? true : false; //if service is not enabled, why should we make request? hack protect. maybe $enabled_str = 'auth_lenauth_' . $hack_authprovider . 
'_enabled'; if (empty($this->_oauth_config->{$enabled_str})) { throw new moodle_exception('Service not enabled in your LenAuth Settings', 'auth_lenauth'); } switch ($authprovider) { case 'facebook': /** * @link https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.0#exchangecode */ $params['client_id'] = $this->_oauth_config->auth_lenauth_facebook_app_id; $params['client_secret'] = $this->_oauth_config->auth_lenauth_facebook_app_secret; break; case 'google': /** * @link https://developers.google.com/accounts/docs/OAuth2Login#exchangecode */ $params['client_id'] = $this->_oauth_config->auth_lenauth_google_client_id; $params['client_secret'] = $this->_oauth_config->auth_lenauth_google_client_secret; $params['grant_type'] = $this->_settings[$authprovider]['grant_type']; break; case 'yahoo1': if (!isset($_COOKIE[$authprovider]['access_token']) && !isset($_COOKIE[$authprovider]['oauth_verifier'])) { $params = array_merge($this->_lenauth_yahoo_request_array($this->_oauth_config->auth_lenauth_yahoo_consumer_secret . '&'), array('oauth_callback' => $this->_lenauth_redirect_uri($authprovider))); $code = false; $redirect_uri = false; $this->_send_oauth_request = isset($_REQUEST['oauth_token'], $_REQUEST['oauth_verifier']) ? false : true; $oauth_verifier = false; // yahoo =)) if (!$this->_send_oauth_request && isset($SESSION->yahoo_expires) && !empty($SESSION->yahoo_expires)) { $access_token = $SESSION->yahoo_access_token = optional_param('oauth_token', '', PARAM_TEXT); setcookie($authprovider . '[access_token]', $access_token, time() + $SESSION->yahoo_expires); $oauth_verifier = $SESSION->yahoo_oauth_verifier = optional_param('oauth_verifier', '', PARAM_TEXT); setcookie($authprovider . 
'[oauth_verifier]', $oauth_verifier, time() + $SESSION->yahoo_expires); } else { } } else { $this->_send_oauth_request = false; } break; case 'yahoo2': $params['grant_type'] = $this->_settings[$authprovider]['grant_type']; $curl_options = array('USERPWD' => $this->_oauth_config->auth_lenauth_yahoo_consumer_key . ':' . $this->_oauth_config->auth_lenauth_yahoo_consumer_secret); break; case 'twitter': if (!empty($this->_oauth_config->auth_lenauth_twitter_enabled)) { if (!isset($_COOKIE[$authprovider]['access_token'])) { $params = array_merge($this->_lenauth_twitter_request_array($this->_oauth_config->auth_lenauth_twitter_consumer_secret . '&'), array('oauth_callback' => $this->_lenauth_redirect_uri($authprovider))); $code = false; $redirect_uri = false; $this->_send_oauth_request = isset($_REQUEST['oauth_token'], $_REQUEST['oauth_verifier']) ? false : true; $oauth_verifier = false; if (!$this->_send_oauth_request && isset($_COOKIE[$authprovider]['oauth_token_secret'])) { $access_token = $SESSION->twitter_access_token = optional_param('oauth_token', '', PARAM_TEXT); setcookie($authprovider . '[access_token]', $access_token, time() + $this->_settings[$authprovider]['expire'], '/'); $oauth_verifier = $SESSION->twitter_oauth_verifier = optional_param('oauth_verifier', '', PARAM_TEXT); setcookie($authprovider . '[oauth_verifier]', $oauth_verifier, time() + $this->_settings[$authprovider]['expire'], '/'); } else { $curl_header = $this->_lenauth_set_twitter_header($params); } //$curl_header = $this->_lenauth_set_twitter_header($params, $access_token/*, $oauth_token_secret = false*/); /*$curl_options = array( 'CURLOPT_RETURNTRANSFER' => true, 'CURLOPT_FOLLOWLOCATION' => true ); if ( !empty( $params['oauth_callback'] ) ) { $curl_options['CURLOPT_POSTFIELDS'] = http_build_query( array() ); }*/ //TWITTER IS GOOD!! 
$encode_params = false; } else { $this->_send_oauth_request = false; } } break; case 'vk': /** * @link http://vk.com/dev/auth_sites */ $params['client_id'] = $this->_oauth_config->auth_lenauth_vk_app_id; $params['client_secret'] = $this->_oauth_config->auth_lenauth_vk_app_secret; break; case 'yandex': $params['grant_type'] = $this->_settings[$authprovider]['grant_type']; $params['client_id'] = $this->_oauth_config->auth_lenauth_yandex_app_id; $params['client_secret'] = $this->_oauth_config->auth_lenauth_yandex_app_password; break; case 'mailru': $params['client_id'] = $this->_oauth_config->auth_lenauth_mailru_site_id; $params['client_secret'] = $this->_oauth_config->auth_lenauth_mailru_client_secret; $params['grant_type'] = $this->_settings[$authprovider]['grant_type']; break; //odnoklassniki.ru was wrote by school programmers at 1st class and it not used mojority. bye-bye! /*case 'ok': $params['client_id'] = $this->_oauth_config->ok_app_id; $params['client_secret'] = $this->_oauth_config->ok_secret_key; break;*/ //odnoklassniki.ru was wrote by school programmers at 1st class and it not used mojority. bye-bye! /*case 'ok': $params['client_id'] = $this->_oauth_config->ok_app_id; $params['client_secret'] = $this->_oauth_config->ok_secret_key; break;*/ default: // if authorization provider is wrong throw new moodle_exception('Unknown OAuth Provider', 'auth_lenauth'); } // url for catch token value // exception for Yahoo OAuth, because it like.. if ($code) { $params['code'] = $authorizationcode; } if ($redirect_uri) { $params['redirect_uri'] = $this->_lenauth_redirect_uri($authprovider); } //require cURL from Moodle core require_once $CFG->libdir . '/filelib.php'; // requires library with cURL class $curl = new curl(); //hack for twitter and Yahoo if (!empty($curl_options) && is_array($curl_options)) { $curl->setopt($curl_options); } $curl->resetHeader(); // clean cURL header from garbage //Twitter and Yahoo has an own cURL headers, so let them to be! 
if (!$curl_header) { $curl->setHeader('Content-Type: application/x-www-form-urlencoded'); } else { $curl->setHeader($curl_header); } // cURL REQUEST for tokens if we hasnt it in $_COOKIE if ($this->_send_oauth_request) { if ($this->_curl_type == 'post') { $curl_tokens_values = $curl->post($this->_settings[$authprovider]['request_token_url'], $encode_params ? $this->_generate_query_data($params) : $params); } else { $curl_tokens_values = $curl->get($this->_settings[$authprovider]['request_token_url'] . '?' . ($encode_params ? $this->_generate_query_data($params) : $params)); } } // check for token response if (!empty($curl_tokens_values) || !$this->_send_oauth_request) { $token_values = array(); // parse token values switch ($authprovider) { case 'facebook': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['access_token'])) { parse_str($curl_tokens_values, $token_values); $expires = $token_values['expires']; //5183999 = 2 months $access_token = $token_values['access_token']; if (!empty($expires) && !empty($access_token)) { setcookie($authprovider . '[access_token]', $access_token, time() + $expires, '/'); } else { throw new moodle_exception('Can not get access for "access_token" or/and "expires" params after request', 'auth_lenauth'); } } else { if (isset($_COOKIE[$authprovider]['access_token'])) { $access_token = $_COOKIE[$authprovider]['access_token']; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'google': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['access_token'])) { $token_values = json_decode($curl_tokens_values, true); $expires = $token_values['expires_in']; //3600 = 1 hour $access_token = $token_values['access_token']; if (!empty($access_token) && !empty($expires)) { setcookie($authprovider . 
'[access_token]', $access_token, time() + $expires, '/'); } else { throw new moodle_exception('Can not get access for "access_token" or/and "expires" params after request', 'auth_lenauth'); } } else { if (isset($_COOKIE[$authprovider]['access_token'])) { $access_token = $_COOKIE[$authprovider]['access_token']; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'yahoo1': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['oauth_token_secret'])) { parse_str($curl_tokens_values, $token_values); $expires = $SESSION->yahoo_expires = $token_values['oauth_expires_in']; //3600 = 1 hour $access_token = $SESSION->yahoo_access_token = $token_values['oauth_token']; setcookie($authprovider . '[oauth_token_secret]', $token_values['oauth_token_secret'], time() + $SESSION->yahoo_expires); $xoauth_request_auth_url = $token_values['xoauth_request_auth_url']; } else { if (isset($_COOKIE[$authprovider]['access_token'], $_COOKIE[$authprovider]['oauth_verifier']) || isset($SESSION->yahoo_access_token, $SESSION->yahoo_oauth_verifier)) { $access_token = isset($_COOKIE[$authprovider]['access_token']) ? $_COOKIE[$authprovider]['access_token'] : $SESSION->yahoo_access_token; $oauth_verifier = isset($_COOKIE[$authprovider]['oauth_verifier']) ? $_COOKIE[$authprovider]['oauth_verifier'] : $SESSION->yahoo_oauth_verifier; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'yahoo2': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['access_token'])) { $token_values = json_decode($curl_tokens_values, true); $expires = $token_values['expires_in']; //3600 = 1 hour $access_token = $token_values['access_token']; $refresh_token = $token_values['refresh_token']; $user_id = $token_values['xoauth_yahoo_guid']; if (!empty($expires) && !empty($access_token)) { setcookie($authprovider . 
'[access_token]', $access_token, time() + $expires, '/'); if (!empty($user_id)) { setcookie($authprovider . '[user_id]', $user_id, time() + $expires, '/'); } } else { throw new moodle_exception('Can not get access for "access_token" or/and "expires" params after request', 'auth_lenauth'); } } else { if (isset($_COOKIE[$authprovider]['access_token'], $_COOKIE[$authprovider]['user_id'])) { $access_token = $_COOKIE[$authprovider]['access_token']; $user_id = $_COOKIE[$authprovider]['user_id']; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'twitter': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['oauth_token_secret'])) { parse_str($curl_tokens_values, $token_values); $access_token = $SESSION->twitter_access_token = $token_values['oauth_token']; setcookie($authprovider . '[oauth_token_secret]', $token_values['oauth_token_secret'], time() + $this->_settings[$authprovider]['expire'], '/'); } else { if (isset($_COOKIE[$authprovider]['access_token'], $_COOKIE[$authprovider]['oauth_token_secret']) || isset($SESSION->twitter_access_token, $SESSION->twitter_oauth_verifier)) { $access_token = isset($_COOKIE[$authprovider]['access_token']) ? $_COOKIE[$authprovider]['access_token'] : $SESSION->twitter_access_token; $oauth_verifier = isset($_COOKIE[$authprovider]['oauth_verifier']) ? $_COOKIE[$authprovider]['oauth_verifier'] : $SESSION->twitter_oauth_verifier; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'vk': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['access_token'])) { $token_values = json_decode($curl_tokens_values, true); if (isset($token_values['error'])) { throw new moodle_exception('Native VK Error ' . $token_values['error'] . (isset($token_values['error_description']) ? ' with description: ' . 
$token_values['error_description'] : ''), 'auth_lenauth'); } $expires = $token_values['expires_in']; //86400 = 24 hours $access_token = $token_values['access_token']; if (!empty($access_token) && !empty($expires)) { setcookie($authprovider . '[access_token]', $access_token, time() + $expires, '/'); } $user_id = $token_values['user_id']; if (!empty($user_id)) { setcookie($authprovider . '[user_id]', $user_id, time() + $expires, '/'); } /** * VK user may do not enter email, soooo =(( */ $user_email = isset($token_values['email']) ? $token_values['email'] : false; // WOW!!! So early???))) Awesome! if (!empty($user_email)) { setcookie($authprovider . '[user_email]', $user_email, time() + $expires, '/'); } } else { if (isset($_COOKIE[$authprovider]['access_token'], $_COOKIE[$authprovider]['user_id'])) { $access_token = $_COOKIE[$authprovider]['access_token']; $user_id = $_COOKIE[$authprovider]['user_id']; if (isset($_COOKIE[$authprovider]['user_email'])) { $user_email = $_COOKIE[$authprovider]['user_email']; } } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'yandex': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['access_token'])) { $token_values = json_decode($curl_tokens_values, true); $expires = $token_values['expires_in']; //31536000 = 1 year $access_token = $token_values['access_token']; if (!empty($expires) && !empty($access_token)) { setcookie($authprovider . 
'[access_token]', $access_token, time() + $expires, '/'); } else { throw new moodle_exception('Can not get access for "access_token" or/and "expires" params after request', 'auth_lenauth'); } } else { if (isset($_COOKIE[$authprovider]['access_token'])) { $access_token = $_COOKIE[$authprovider]['access_token']; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; case 'mailru': if ($this->_send_oauth_request || !isset($_COOKIE[$authprovider]['access_token'])) { $token_values = json_decode($curl_tokens_values, true); $expires = $token_values['expires_in']; //86400 = 24 hours $access_token = $token_values['access_token']; if (!empty($expires) && !empty($access_token)) { setcookie($authprovider . '[access_token]', $access_token, time() + $expires, '/'); } else { //check native errors if exists if (isset($token_values['error'])) { switch ($token_values['error']) { case 'invalid_client': throw new moodle_exception('Mail.RU invalid OAuth settings. Check your Private Key and Secret Key', 'auth_lenauth'); default: throw new moodle_exception('Mail.RU Unknown Error with code: ' . 
$token_values['error']); } } if (empty($expires) || empty($access_token)) { throw new moodle_exception('Can not get access for "access_token" or/and "expires" params after request', 'auth_lenauth'); } } } else { if (isset($_COOKIE[$authprovider]['access_token'])) { $access_token = $_COOKIE[$authprovider]['access_token']; } else { throw new moodle_exception('Someting wrong, maybe expires', 'auth_lenauth'); } } break; /*case 'ok': $token_values = json_decode( $curl_tokens_values, true ); $access_token = $token_values['access_token']; break;*/ /*case 'ok': $token_values = json_decode( $curl_tokens_values, true ); $access_token = $token_values['access_token']; break;*/ default: throw new moodle_exception('Unknown OAuth Provider', 'auth_lenauth'); } } if (!empty($access_token)) { $queryparams = array(); // array to generate data for final request to get user data $request_api_url = $this->_settings[$authprovider]['request_api_url']; //some services check accounts for verifier, so we will check it too. No unverified accounts, only verified! only hardCORE! $is_verified = true; $image_url = ''; switch ($authprovider) { case 'facebook': $queryparams['access_token'] = $access_token; $curl_response = $curl->get($request_api_url . '?' . $this->_generate_query_data($queryparams)); $curl_final_data = json_decode($curl_response, true); $social_uid = $curl_final_data['id']; $user_email = $curl_final_data['email']; $first_name = $curl_final_data['first_name']; $last_name = $curl_final_data['last_name']; $is_verified = $curl_final_data['verified']; if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url = 'http://graph.facebook.com/' . $social_uid . 
'/picture'; } break; /** * @link https://developers.google.com/accounts/docs/OAuth2Login#obtaininguserprofileinformation */ /** * @link https://developers.google.com/accounts/docs/OAuth2Login#obtaininguserprofileinformation */ case 'google': $queryparams['access_token'] = $access_token; $queryparams['alt'] = 'json'; $curl_response = $curl->get($request_api_url . '?' . $this->_generate_query_data($queryparams)); $curl_final_data = json_decode($curl_response, true); if (isset($curl_final_data['error'])) { if (!empty($curl_final_data['error']['errors']) && is_array($curl_final_data['error']['errors'])) { foreach ($curl_final_data['error']['errors'] as $error) { throw new moodle_exception('Native Google error. Message: ' . $error['message'], 'auth_lenauth'); } } else { throw new moodle_exception('Native Google error', 'auth_lenauth'); } } $social_uid = $curl_final_data['id']; $user_email = $curl_final_data['emails'][0]['value']; $first_name = $curl_final_data['name']['givenName']; $last_name = $curl_final_data['name']['familyName']; if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url = isset($curl_final_data['image']['url']) ? $curl_final_data['image']['url'] : ''; } break; case 'yahoo1': if (!$oauth_verifier) { header('Location: ' . $xoauth_request_auth_url); // yahoo =)) die; } $queryparams1 = array_merge($this->_lenauth_yahoo_request_array($this->_oauth_config->auth_lenauth_yahoo_consumer_secret . '&' . $_COOKIE[$authprovider]['oauth_token_secret']), array('oauth_token' => $access_token, 'oauth_verifier' => $oauth_verifier)); $curl_response_pre = $curl->get($request_api_url . '?' . $this->_generate_query_data($queryparams1)); parse_str($curl_response_pre, $values); $queryparams2 = array_merge($this->_lenauth_yahoo_request_array($this->_oauth_config->auth_lenauth_yahoo_consumer_secret . '&' . 
$values['oauth_token_secret']), array('oauth_token' => $values['oauth_token'], 'oauth_session_handle' => $values['oauth_session_handle'])); $yet_another = $curl->post($request_api_url . '?' . $this->_generate_query_data($queryparams2)); parse_str($yet_another, $yet_another_values); $params = array('q' => 'SELECT * FROM social.profile where guid="' . $yet_another_values['xoauth_yahoo_guid'] . '"', 'format' => 'json', 'env' => 'http://datatables.org/alltables.env'); $auth_array = array_merge($this->_lenauth_yahoo_request_array($this->_oauth_config->auth_lenauth_yahoo_consumer_secret . '&' . $yet_another_values['oauth_token_secret']), array('realm' => 'yahooapis.com', 'oauth_token' => $yet_another_values['oauth_token'])); $header = ''; foreach ($auth_array as $key => $value) { $header .= ($header === '' ? ' ' : ',') . $this->urlEncodeRfc3986($key) . '="' . $this->urlEncodeRfc3986($value) . '"'; } $curl->setHeader(array('Expect:', 'Accept: application/json', 'Authorization: OAuth ' . $header)); $curl_response = $curl->post($this->_settings[$authprovider]['yql_url'] . '?' . $this->_generate_query_data($params)); $curl_final_data = json_decode($curl_response, true); $social_uid = $curl_final_data['query']['results']['profile']['guid']; $emails = $curl_final_data['query']['results']['profile']['emails']; if (!empty($emails) && is_array($emails)) { foreach ($emails as $email_array) { $user_email = $email_array['handle']; if (isset($email_array['primary'])) { break; } } } $first_name = $curl_final_data['query']['results']['profile']['givenName']; $last_name = $curl_final_data['query']['results']['profile']['familyName']; if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url = isset($curl_final_data['query']['results']['profile']['image']['imageUrl']) ? $curl_final_data['query']['results']['profile']['image']['imageUrl'] : ''; } break; case 'yahoo2': $request_api_url = 'https://social.yahooapis.com/v1/user/' . $user_id . 
'/profile?format=json'; $queryparams['access_token'] = $access_token; $now_header = array('Authorization: Bearer ' . $access_token, 'Accept: application/json', 'Content-Type: application/json'); $curl->resetHeader(); $curl->setHeader($now_header); $curl_response = $curl->get($request_api_url, $queryparams); $curl->resetHeader(); $curl_final_data = json_decode($curl_response, true); $social_uid = $curl_final_data['profile']['guid']; $emails = $curl_final_data['profile']['emails']; if (!empty($emails) && is_array($emails)) { foreach ($emails as $email_array) { $user_email = $email_array['handle']; if (isset($email_array['primary'])) { break; } } } $first_name = $curl_final_data['profile']['givenName']; $last_name = $curl_final_data['profile']['familyName']; if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url = isset($curl_final_data['profile']['image']['imageUrl']) ? $curl_final_data['profile']['image']['imageUrl'] : ''; } break; case 'twitter': if (!$oauth_verifier) { header('Location: ' . $this->_settings[$authprovider]['request_api_url'] . '?' . http_build_query(array('oauth_token' => $access_token))); die; } $queryparams = array_merge($this->_lenauth_twitter_request_array(), array('oauth_verifier' => $oauth_verifier, 'oauth_token' => $access_token, 'oauth_token_secret' => $_COOKIE[$authprovider]['oauth_token_secret'])); $curl_header = $this->_lenauth_set_twitter_header($queryparams, $access_token, $_COOKIE[$authprovider]['oauth_token_secret']); $curl->setHeader($curl_header); $curl_final_data_pre = $curl->post($this->_settings[$authprovider]['token_url'], $queryparams); $json_decoded = json_decode($curl_final_data_pre, true); if (isset($json_decoded['error']) && isset($json_decoded['request'])) { throw new moodle_exception('Native Twitter Error: ' . $json_decoded['error'] . '. For request ' . 
$json_decoded['request'], 'auth_lenauth'); } parse_str($curl_final_data_pre, $curl_final_data); $social_uid = $curl_final_data['user_id']; if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url_pre = 'https://twitter.com/' . $curl_final_data['screen_name'] . '/profile_image?size=original'; $image_header = get_headers($image_url_pre, 1); $image_url = $image_header['location']; } break; case 'vk': /** * @link http://vk.com/dev/api_requests */ $queryparams['access_token'] = $access_token; $queryparams['user_id'] = !empty($user_id) ? $user_id : false; $queryparams['v'] = self::$vk_api_version; $curl_response = $curl->post($request_api_url, $this->_generate_query_data($queryparams)); $curl_final_data = json_decode($curl_response, true); //$social_uid = ( isset( $user_id ) ) ? $user_id : $curl_final_data['response'][0]['id']; //dont forget about this $social_uid = $queryparams['user_id']; /** * If user_email is empty, its not so scare, because its second login and */ $user_email = isset($user_email) ? $user_email : false; //hack, because VK has bugs sometimes $first_name = $curl_final_data['response'][0]['first_name']; $last_name = $curl_final_data['response'][0]['last_name']; /** * @link http://vk.com/dev/users.get */ $fields_array = array('avatar' => 'photo_200'); $additional_fields_pre = $curl->get('http://api.vk.com/method/users.get?user_ids=' . $social_uid . '&fields=' . join(',', $fields_array)); $additional_fields = json_decode($additional_fields_pre, true); if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url = isset($additional_fields['response'][0][$fields_array['avatar']]) ? 
$additional_fields['response'][0][$fields_array['avatar']] : ''; } break; /** * @link http://api.yandex.ru/oauth/doc/dg/reference/accessing-protected-resource.xml * @link http://api.yandex.ru/login/doc/dg/reference/request.xml */ /** * @link http://api.yandex.ru/oauth/doc/dg/reference/accessing-protected-resource.xml * @link http://api.yandex.ru/login/doc/dg/reference/request.xml */ case 'yandex': $queryparams['format'] = $this->_settings[$authprovider]['format']; $queryparams['oauth_token'] = $access_token; $curl_response = $curl->get($request_api_url . '?' . $this->_generate_query_data($queryparams)); $curl_final_data = json_decode($curl_response, true); $social_uid = $curl_final_data['id']; /** * fix @since 24.12.2014. Thanks for Yandex Tech team guys!! * @link https://tech.yandex.ru/passport/ */ $user_email = $curl_final_data['default_email']; //was $curl_final_data['emails'][0]; - wrong! $first_name = $curl_final_data['first_name']; $last_name = $curl_final_data['last_name']; $nickname = $curl_final_data['display_name']; //for future if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { /** * @link https://tech.yandex.ru/passport/doc/dg/reference/response-docpage/#norights_5 */ $yandex_avatar_size = 'islands-200'; if (isset($curl_final_data['default_avatar_id'])) { $image_url = 'https://avatars.yandex.net/get-yapic/' . $curl_final_data['default_avatar_id'] . '/' . $yandex_avatar_size; } } break; case 'mailru': $queryparams['app_id'] = $params['client_id']; $secret_key = $params['client_secret']; /** * @link http://api.mail.ru/docs/reference/rest/users-getinfo/ */ $queryparams['method'] = 'users.getInfo'; $queryparams['session_key'] = $access_token; $queryparams['secure'] = 1; /** * Additional security from mail.ru * @link http://api.mail.ru/docs/guides/restapi/#sig */ ksort($queryparams); $sig = ''; foreach ($queryparams as $k => $v) { $sig .= "{$k}={$v}"; } $queryparams['sig'] = md5($sig . 
$secret_key); $curl_response = $curl->post($request_api_url, $this->_generate_query_data($queryparams)); $curl_final_data = json_decode($curl_response, true); $social_uid = $curl_final_data[0]['uid']; $user_email = $curl_final_data[0]['email']; $first_name = $curl_final_data[0]['first_name']; $last_name = $curl_final_data[0]['last_name']; $is_verified = $curl_final_data[0]['is_verified']; $birthday = $curl_final_data[0]['birthday']; //dd.mm.YYYY if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { $image_url = isset($curl_final_data[0]['pic_big']) ? $curl_final_data[0]['pic_big'] : ''; } break; /*case 'ok': $queryparams['access_token'] = $access_token; $queryparams['method'] = 'users.getCurrentUser'; $queryparams['sig'] = md5( 'application_key=' . $this->_oauth_config->ok_public_key . 'method=' . $queryparams['method'] . md5( $queryparams['access_token'] . $this->_oauth_config->ok_secret_key ) ); $queryparams['application_key'] = $this->_oauth_config->ok_public_key; $curl_response = $curl->get( $request_api_url . '?' . $this->_generate_query_data( $queryparams ) ); $curl_final_data = json_decode( $curl_response, true ); $first_name = $curl_final_data['first_name']; $last_name = $curl_final_data['last_name']; $social_uid = $curl_final_data['uid']; break;*/ /*case 'ok': $queryparams['access_token'] = $access_token; $queryparams['method'] = 'users.getCurrentUser'; $queryparams['sig'] = md5( 'application_key=' . $this->_oauth_config->ok_public_key . 'method=' . $queryparams['method'] . md5( $queryparams['access_token'] . $this->_oauth_config->ok_secret_key ) ); $queryparams['application_key'] = $this->_oauth_config->ok_public_key; $curl_response = $curl->get( $request_api_url . '?' . 
$this->_generate_query_data( $queryparams ) ); $curl_final_data = json_decode( $curl_response, true ); $first_name = $curl_final_data['first_name']; $last_name = $curl_final_data['last_name']; $social_uid = $curl_final_data['uid']; break;*/ default: throw new moodle_exception('Unknown OAuth Provider', 'auth_lenauth'); } /** * Check for email returned by webservice. If exist - check for user with this email in Moodle Database */ if (!empty($curl_final_data)) { if (!empty($social_uid)) { if ($is_verified) { if (!empty($user_email)) { if ($err = email_is_not_allowed($user_email)) { throw new moodle_exception($err, 'auth_lenauth'); } $user_lenauth = $DB->get_record('user', array('email' => $user_email, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id)); } else { if (empty($user_lenauth)) { $user_lenauth = $this->_lenauth_get_userdata_by_social_id($social_uid); } /*if ( empty( $user_lenauth ) ) { $user_lenauth = $DB->get_record('user', array('username' => $username, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id)); }*/ } } else { throw new moodle_exception('Your social account is not verified', 'auth_lenauth'); } } else { throw new moodle_exception('Empty Social UID', 'auth_lenauth'); } } else { /** * addon @since 24.12.2014 * I forgot about clear $_COOKIE, thanks again for Yandex Tech Team guys!!! */ @setcookie($authprovider, null, time() - 3600); throw new moodle_exception('Final request returns nothing', 'auth_lenauth'); } $last_user_number = intval($this->_oauth_config->auth_lenauth_last_user_number); $last_user_number = empty($last_user_number) ? 1 : $last_user_number + 1; //$username = $this->_oauth_config->auth_lenauth_user_prefix . $last_user_number; //@todo /** * If user with email from webservice not exists, we will create an account */ if (empty($user_lenauth)) { $username = $this->_oauth_config->auth_lenauth_user_prefix . 
$last_user_number; //check for username exists in DB $user_lenauth_check = $DB->get_record('user', array('username' => $username)); $i_check = 0; while (!empty($user_lenauth_check)) { $user_lenauth_check = $user_lenauth_check + 1; $username = $this->_oauth_config->auth_lenauth_user_prefix . $last_user_number; $user_lenauth_check = $DB->get_record('user', array('username' => $username)); $i_check++; if ($i_check > 20) { throw new moodle_exception('Something wrong with usernames of LenAuth users. Limit of 20 queries is out. Check last mdl_user table of Moodle', 'auth_lenauth'); } } // create user HERE $user_lenauth = create_user_record($username, '', 'lenauth'); /** * User exists... */ } else { $username = $user_lenauth->username; } set_config('auth_lenauth_last_user_number', $last_user_number, 'auth/lenauth'); if (!empty($social_uid)) { $user_social_uid_custom_field = new stdClass(); $user_social_uid_custom_field->userid = $user_lenauth->id; $user_social_uid_custom_field->fieldid = $this->_field_id; $user_social_uid_custom_field->data = $social_uid; if (!$DB->record_exists('user_info_data', array('userid' => $user_lenauth->id, 'fieldid' => $this->_field_id))) { $DB->insert_record('user_info_data', $user_social_uid_custom_field); } else { $record = $DB->get_record('user_info_data', array('userid' => $user_lenauth->id, 'fieldid' => $this->_field_id)); $user_social_uid_custom_field->id = $record->id; $DB->update_record('user_info_data', $user_social_uid_custom_field); } } //add_to_log( SITEID, 'auth_lenauth', '', '', $username . '/' . $user_email . '/' . 
$userid ); // complete Authenticate user authenticate_user_login($username, null); // fill $newuser object with response data from webservices $newuser = new stdClass(); if (!empty($user_email)) { $newuser->email = $user_email; } if (!empty($first_name)) { $newuser->firstname = $first_name; } if (!empty($last_name)) { $newuser->lastname = $last_name; } if (!empty($this->_oauth_config->auth_lenauth_default_country)) { $newuser->country = $this->_oauth_config->auth_lenauth_default_country; } if ($user_lenauth) { // update user record if (!empty($newuser)) { $newuser->id = $user_lenauth->id; /*require_once( $CFG->libdir . '/gdlib.php' ); $fs = get_file_storage(); $file_obj = $fs->create_file_from_url( array( 'contextid' => context_user::instance( $newuser->id, MUST_EXIST )->id, 'component' => 'user', 'filearea' => 'icon', 'itemid' => 0, 'filepath' => '/', 'source' => '', 'filename' => 'f' . $newuser->id . '.' . $ext ), $image_url ); //$newuser->picture = $file_obj->get_id();*/ $user_lenauth = (object) array_merge((array) $user_lenauth, (array) $newuser); $DB->update_record('user', $user_lenauth); if ($this->_oauth_config->auth_lenauth_retrieve_avatar) { //processing user avatar from social webservice if (!empty($image_url) && intval($user_lenauth->picture) === 0) { $image_header = get_headers($image_url, 1); if (isset($image_header['Content-Type']) && is_string($image_header['Content-Type']) && in_array($image_header['Content-Type'], array_keys(self::$_allowed_icons_types))) { $mime = $image_header['Content-Type']; } else { if (isset($image_header['Content-Type'][0]) && is_string($image_header['Content-Type'][0]) && in_array($image_header['Content-Type'][0], array_keys(self::$_allowed_icons_types))) { $mime = $image_header['Content-Type'][0]; } } $ext = $this->_lenauth_get_image_extension_from_mime($mime); if ($ext) { //create temp file $tempfilename = substr(microtime(), 0, 10) . '.tmp'; $templfolder = $CFG->tempdir . 
'/filestorage'; if (!file_exists($templfolder)) { mkdir($templfolder, $CFG->directorypermissions); } @chmod($templfolder, 0777); $tempfile = $templfolder . '/' . $tempfilename; if (copy($image_url, $tempfile)) { require_once $CFG->libdir . '/gdlib.php'; $usericonid = process_new_icon(context_user::instance($newuser->id, MUST_EXIST), 'user', 'icon', 0, $tempfile); if ($usericonid) { $DB->set_field('user', 'picture', $usericonid, array('id' => $newuser->id)); } unset($tempfile); } @chmod($templfolder, $CFG->directorypermissions); } } } } complete_user_login($user_lenauth); // complete user login // Redirection $urltogo = $CFG->wwwroot; if (user_not_fully_set_up($user_lenauth)) { $urltogo = $CFG->wwwroot . '/user/edit.php'; } else { if (isset($SESSION->wantsurl) && strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) { $urltogo = $SESSION->wantsurl; unset($SESSION->wantsurl); } else { unset($SESSION->wantsurl); } } } redirect($urltogo); } else { throw new moodle_exception('Could not get access to access token. Check your App Settings', 'auth_lenauth'); } } }
/**
 * Complete an NTLM SSO login started by ntlmsso_magic().
 *
 * The pending username is read from the 'auth/ldap/ntlmsess' cache flags
 * under the current sesskey(), so only the browser session that ran
 * ntlmsso_magic() can pick it up. The username is then pushed through
 * authenticate_user_login() (with the sesskey as the password) so that no
 * step of the normal auth pipeline is skipped; user_login() has the
 * matching check on its side.
 *
 * On success the flag is removed (one-shot, and lets the user log in again
 * with ordinary credentials afterwards), the login is completed and the
 * user is redirected: redirect() does not return. Every other path returns
 * false.
 *
 * @return bool false when there is no pending session or the login failed.
 */
function ntlmsso_finish() {
    global $CFG, $USER, $SESSION;

    $sesskey = sesskey();
    $pending = get_cache_flags('auth/ldap/ntlmsess');
    $username = isset($pending[$sesskey]) ? $pending[$sesskey] : '';
    if ($username === '') {
        return false;
    }

    // Run the full authentication machinery instead of trusting the cached name.
    $user = authenticate_user_login($username, $sesskey);
    if (!$user) {
        // Should never reach here.
        return false;
    }

    // Logged before $USER is replaced, so this records the pre-login $USER->id.
    add_to_log(SITEID, 'user', 'login', 'view.php?id=' . $USER->id . '&course=' . SITEID, $user->id, 0, $user->id);
    $USER = complete_user_login($user);

    // One-shot: drop the flag so the sesskey cannot be replayed as a password.
    unset_cache_flag('auth/ldap/ntlmsess', $sesskey);

    // Redirection: an incomplete profile goes to the edit page first (wantsurl
    // is kept for later); otherwise honour a same-site wantsurl, else home.
    // The same-site test is a plain string prefix match on wwwroot.
    $wantsurl = isset($SESSION->wantsurl) ? $SESSION->wantsurl : null;
    if (user_not_fully_set_up($USER)) {
        $urltogo = $CFG->wwwroot . '/user/edit.php';
    } else {
        $urltogo = $CFG->wwwroot . '/';
        if ($wantsurl !== null && strpos($wantsurl, $CFG->wwwroot) === 0) {
            $urltogo = $wantsurl;
        }
        unset($SESSION->wantsurl);
    }
    redirect($urltogo);

    // Should never reach here.
    return false;
}
/**
 * Authentication hook - is called every time user hit the login page.
 * The code is run only if the param code is mentioned.
 *
 * With a `code` request parameter present this completes the OAuth2
 * authorization-code flow for the provider named in `authprovider`:
 * exchange the code for tokens, fetch the profile, look the user up by
 * e-mail (creating the account unless $CFG->authpreventaccountcreation is
 * set), log them in and redirect. Without `code` it only injects the
 * provider buttons into the login page.
 *
 * Account linking is by e-mail address: whatever e-mail the provider
 * reports selects the Moodle account. The `$verified` flag below is
 * hard-coded to 1, so this hook itself performs no verification and relies
 * entirely on the provider having verified the address.
 *
 * @return void redirect() is reached on success and does not return.
 * @throws moodle_exception on any failure in the token/profile/account steps.
 */
public function loginpage_hook() {
    global $USER, $SESSION, $CFG, $DB;
    // Check the Google authorization code.
    $authorizationcode = optional_param('code', '', PARAM_TEXT);
    if (!empty($authorizationcode)) {
        $authprovider = required_param('authprovider', PARAM_ALPHANUMEXT);
        // The include path is built from request input; it relies on PARAM_ALPHANUMEXT
        // (letters, digits, '-' and '_') to keep the include inside the provider directory.
        require_once $CFG->dirroot . '/auth/googleoauth2/classes/provider/' . $authprovider . '.php';
        $providerclassname = 'provideroauth2' . $authprovider;
        $provider = new $providerclassname();
        // Try to get an access token (using the authorization code grant).
        $token = $provider->getAccessToken('authorization_code', ['code' => $authorizationcode]);
        $accesstoken = $token->accessToken;
        $refreshtoken = $token->refreshToken;
        $tokenexpires = $token->expires;
        // With access token request by curl the email address.
        if (!empty($accesstoken)) {
            try {
                // We got an access token, let's now get the user's details.
                $userdetails = $provider->getUserDetails($token);
                // Use these details to create a new profile.
                switch ($authprovider) {
                    case 'battlenet':
                        // Battlenet as no email notion: a synthetic address is derived from the provider id.
                        // TODO: need to check the idp table for matching user and request user to add his email.
                        // TODO: It will be similar logic for twitter.
                        $useremail = $userdetails->id . '@fakebattle.net';
                        break;
                    case 'github':
                        $useremails = $provider->getUserEmails($token);
                        // Prefer a verified GitHub address that already belongs to a googleoauth2 account.
                        $fallbackuseremail = '';
                        foreach ($useremails as $githubuseremail) {
                            if ($githubuseremail->verified) {
                                if ($DB->record_exists('user', array('auth' => 'googleoauth2', 'email' => $githubuseremail->email))) {
                                    $useremail = $githubuseremail->email;
                                }
                                $fallbackuseremail = $githubuseremail->email;
                            }
                        }
                        // If we didn't find anyone then we take a verified email address (the last one seen).
                        if (empty($useremail)) {
                            $useremail = $fallbackuseremail;
                        }
                        break;
                    case 'vk':
                        // VK doesn't return the email address? A synthetic one is built from the uid.
                        if ($userdetails->uid) {
                            $useremail = 'id' . $userdetails->uid . '@vkmessenger.com';
                        }
                        break;
                    default:
                        $useremail = $userdetails->email;
                        break;
                }
                // NOTE(review): hard-coded, so the "must be verified" check below can never fire.
                $verified = 1;
            } catch (Exception $e) {
                // Failed to get user details.
                throw new moodle_exception('faileduserdetails', 'auth_googleoauth2');
            }
            // Throw an error if the email address is not verified.
            if (!$verified) {
                throw new moodle_exception('emailaddressmustbeverified', 'auth_googleoauth2');
            }
            // Prohibit login if email belongs to the prohibited domain.
            if ($err = email_is_not_allowed($useremail)) {
                throw new moodle_exception($err, 'auth_googleoauth2');
            }
            // Reject an empty or malformed address before it is used as the account key.
            if (empty($useremail) or $useremail != clean_param($useremail, PARAM_EMAIL)) {
                throw new moodle_exception('couldnotgetuseremail', 'auth_googleoauth2');
                // TODO: display a link for people to retry.
            }
            // Get the user.
            // Don't bother with auth = googleoauth2 because authenticate_user_login() will fail it if it's not 'googleoauth2'.
            $user = $DB->get_record('user', array('email' => $useremail, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id));
            // Create the user if it doesn't exist.
            if (empty($user)) {
                // Deny login if setting "Prevent account creation when authenticating" is on.
                if ($CFG->authpreventaccountcreation) {
                    throw new moodle_exception("noaccountyet", "auth_googleoauth2");
                }
                // Get following incremented username.
                $googleuserprefix = core_text::strtolower(get_config('auth/googleoauth2', 'googleuserprefix'));
                $lastusernumber = get_config('auth/googleoauth2', 'lastusernumber');
                $lastusernumber = empty($lastusernumber) ? 1 : $lastusernumber + 1;
                // Check the user doesn't exist; skip forward until a free prefix+number is found.
                $nextuser = $DB->record_exists('user', array('username' => $googleuserprefix . $lastusernumber));
                while ($nextuser) {
                    $lastusernumber++;
                    $nextuser = $DB->record_exists('user', array('username' => $googleuserprefix . $lastusernumber));
                }
                set_config('lastusernumber', $lastusernumber, 'auth/googleoauth2');
                $username = $googleuserprefix . $lastusernumber;
                // Retrieve more information from the provider.
                $newuser = new stdClass();
                $newuser->email = $useremail;
                switch ($authprovider) {
                    case 'battlenet':
                        // Battlenet as no firstname/lastname notion.
                        $newuser->firstname = $userdetails->display_name;
                        $newuser->lastname = '[' . $userdetails->clan_tag . ']';
                        break;
                    case 'github':
                    case 'dropbox':
                        // As Github/Dropbox doesn't provide firstname/lastname, we'll split the name at the first whitespace.
                        // NOTE(review): a single-word name leaves $githubusername[1] undefined.
                        $githubusername = explode(' ', $userdetails->name, 2);
                        $newuser->firstname = $githubusername[0];
                        $newuser->lastname = $githubusername[1];
                        break;
                    default:
                        $newuser->firstname = $userdetails->firstName;
                        $newuser->lastname = $userdetails->lastName;
                        break;
                }
                // Some providers allow empty firstname and lastname.
                if (empty($newuser->firstname)) {
                    $newuser->firstname = get_string('unknownfirstname', 'auth_googleoauth2');
                }
                if (empty($newuser->lastname)) {
                    $newuser->lastname = get_string('unknownlastname', 'auth_googleoauth2');
                }
                // Retrieve country and city if the provider failed to give it.
                if (!isset($newuser->country) or !isset($newuser->city)) {
                    $googleipinfodbkey = get_config('auth/googleoauth2', 'googleipinfodbkey');
                    if (!empty($googleipinfodbkey)) {
                        require_once $CFG->libdir . '/filelib.php';
                        $curl = new curl();
                        // Plain-HTTP lookup that carries the API key and the client IP in the query string.
                        $locationdata = $curl->get('http://api.ipinfodb.com/v3/ip-city/?key=' . $googleipinfodbkey . '&ip=' . getremoteaddr() . '&format=json');
                        $locationdata = json_decode($locationdata);
                    }
                    if (!empty($locationdata)) {
                        // TODO: check that countryCode does match the Moodle country code.
                        // NOTE(review): when country/city are already set this assigns the boolean
                        // result of isset(), not the existing value - looks like a typo for the value itself.
                        $newuser->country = isset($newuser->country) ? isset($newuser->country) : $locationdata->countryCode;
                        $newuser->city = isset($newuser->city) ? isset($newuser->city) : $locationdata->cityName;
                    }
                }
                create_user_record($username, '', 'googleoauth2');
            } else {
                $username = $user->username;
            }
            // Authenticate the user.
            // TODO: delete this log later.
            require_once $CFG->dirroot . '/auth/googleoauth2/lib.php';
            $userid = empty($user) ? 'new user' : $user->id;
            oauth_add_to_log(SITEID, 'auth_googleoauth2', '', '', $username . '/' . $useremail . '/' . $userid);
            $user = authenticate_user_login($username, null);
            if ($user) {
                // Set a cookie to remember what auth provider was selected (60 days; secure/httponly
                // follow the site's session-cookie settings).
                setcookie('MOODLEGOOGLEOAUTH2_' . $CFG->sessioncookie, $authprovider, time() + DAYSECS * 60, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
                // Prefill more user information if new user.
                if (!empty($newuser)) {
                    $newuser->id = $user->id;
                    $DB->update_record('user', $newuser);
                    $user = (object) array_merge((array) $user, (array) $newuser);
                }
                complete_user_login($user);
                // Let's save/update the access token for this user.
                $cansaveaccesstoken = get_config('auth/googleoauth2', 'saveaccesstoken');
                if (!empty($cansaveaccesstoken)) {
                    $existingaccesstoken = $DB->get_record('auth_googleoauth2_user_idps', array('userid' => $user->id, 'provider' => $authprovider));
                    if (empty($existingaccesstoken)) {
                        $accesstokenrow = new stdClass();
                        $accesstokenrow->userid = $user->id;
                        switch ($authprovider) {
                            case 'battlenet':
                                $accesstokenrow->provideruserid = $userdetails->id;
                                break;
                            default:
                                $accesstokenrow->provideruserid = $userdetails->uid;
                                break;
                        }
                        $accesstokenrow->provider = $authprovider;
                        $accesstokenrow->accesstoken = $accesstoken;
                        $accesstokenrow->refreshtoken = $refreshtoken;
                        $accesstokenrow->expires = $tokenexpires;
                        $DB->insert_record('auth_googleoauth2_user_idps', $accesstokenrow);
                    } else {
                        // NOTE(review): only accesstoken is refreshed here; refreshtoken and expires keep their old values.
                        $existingaccesstoken->accesstoken = $accesstoken;
                        $DB->update_record('auth_googleoauth2_user_idps', $existingaccesstoken);
                    }
                }
                // Check if the user picture is the default and retrieve the provider picture.
                if (empty($user->picture)) {
                    switch ($authprovider) {
                        case 'battlenet':
                            require_once $CFG->libdir . '/filelib.php';
                            require_once $CFG->libdir . '/gdlib.php';
                            // Portrait is fetched into a per-user temp file, imported, then removed.
                            $imagefilename = $CFG->tempdir . '/googleoauth2-portrait-' . $user->id;
                            $imagecontents = download_file_content($userdetails->portrait_url);
                            file_put_contents($imagefilename, $imagecontents);
                            if ($newrev = process_new_icon(context_user::instance($user->id), 'user', 'icon', 0, $imagefilename)) {
                                $DB->set_field('user', 'picture', $newrev, array('id' => $user->id));
                            }
                            unlink($imagefilename);
                            break;
                        default:
                            // TODO retrieve other provider profile pictures.
                            break;
                    }
                }
                // Create event for authenticated user.
                // NOTE(review): the access token goes into the event's 'other' data, which the configured
                // logstore presumably persists - the log then holds a live credential.
                $event = \auth_googleoauth2\event\user_loggedin::create(array('context' => context_system::instance(), 'objectid' => $user->id, 'relateduserid' => $user->id, 'other' => array('accesstoken' => $accesstoken)));
                $event->trigger();
                // Redirection.
                if (user_not_fully_set_up($USER)) {
                    $urltogo = $CFG->wwwroot . '/user/edit.php';
                    // We don't delete $SESSION->wantsurl yet, so we get there later.
                } else {
                    // The same-site test is a plain string prefix match on wwwroot.
                    if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
                        $urltogo = $SESSION->wantsurl;
                        // Because it's an address in this site.
                        unset($SESSION->wantsurl);
                    } else {
                        // No wantsurl stored or external - go to homepage.
                        $urltogo = $CFG->wwwroot . '/';
                        unset($SESSION->wantsurl);
                    }
                }
                $loginrecord = array('userid' => $USER->id, 'time' => time(), 'auth' => 'googleoauth2', 'subtype' => $authprovider);
                $DB->insert_record('auth_googleoauth2_logins', $loginrecord);
                redirect($urltogo);
            } else {
                // Authenticate_user_login() failure, probably email registered by another auth plugin.
                // Do a check to confirm this hypothesis.
                $userexist = $DB->get_record('user', array('email' => $useremail));
                if (!empty($userexist) and $userexist->auth != 'googleoauth2') {
                    $a = new stdClass();
                    $a->loginpage = (string) new moodle_url(empty($CFG->alternateloginurl) ? '/login/index.php' : $CFG->alternateloginurl);
                    $a->forgotpass = (string) new moodle_url('/login/forgot_password.php');
                    throw new moodle_exception('couldnotauthenticateuserlogin', 'auth_googleoauth2', '', $a);
                } else {
                    throw new moodle_exception('couldnotauthenticate', 'auth_googleoauth2');
                }
            }
        } else {
            throw new moodle_exception('couldnotgetgoogleaccesstoken', 'auth_googleoauth2');
        }
    } else {
        // If you are having issue with the display buttons option, add the button code directly in the theme login page.
        // Buttons are only injected when the login form has not been submitted.
        if (get_config('auth/googleoauth2', 'oauth2displaybuttons') and empty($_POST['username']) and empty($_POST['password'])) {
            // Display the button on the login page.
            require_once $CFG->dirroot . '/auth/googleoauth2/lib.php';
            // Insert the html code below the login field.
            // Code/Solution from Elcentra plugin: https://moodle.org/plugins/view/auth_elcentra.
            global $PAGE, $CFG;
            $PAGE->requires->jquery();
            // Only CR/LF are escaped before the markup is embedded in a single-quoted JS
            // string literal; a single quote inside the button markup would break it.
            $content = str_replace(array("\n", "\r"), array("\\\n", "\\\r"), auth_googleoauth2_display_buttons(false));
            $PAGE->requires->css('/auth/googleoauth2/style.css');
            $PAGE->requires->js_init_code("buttonsCodeOauth2 = '{$content}';");
            $PAGE->requires->js(new moodle_url($CFG->wwwroot . "/auth/googleoauth2/script.js"));
        }
    }
}
define('AJAX_SCRIPT', true); define('REQUIRE_CORRECT_ACCESS', true); define('NO_MOODLE_COOKIES', true); require_once dirname(dirname(__FILE__)) . '/config.php'; $username = required_param('username', PARAM_USERNAME); $password = required_param('password', PARAM_RAW); $serviceshortname = required_param('service', PARAM_ALPHANUMEXT); echo $OUTPUT->header(); if (!$CFG->enablewebservices) { throw new moodle_exception('enablewsdescription', 'webservice'); } $username = trim(core_text::strtolower($username)); if (is_restored_user($username)) { throw new moodle_exception('restoredaccountresetpassword', 'webservice'); } $user = authenticate_user_login($username, $password); if (!empty($user)) { //Non admin can not authenticate if maintenance mode $hassiteconfig = has_capability('moodle/site:config', context_system::instance(), $user); if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) { throw new moodle_exception('sitemaintenance', 'admin'); } if (isguestuser($user)) { throw new moodle_exception('noguest'); } if (empty($user->confirmed)) { throw new moodle_exception('usernotconfirmed', 'moodle', '', $user->username); } // check credential expiry $userauth = get_auth_plugin($user->auth); if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
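/**
 * Authenticate the configured administrator account before running the generator.
 *
 * Reads 'username' and 'password' via $this->get(). On any failure it prints a
 * message terminated by $this->eolchar and exits (die), so control only returns
 * once a site administrator is logged in; it then delegates to
 * parent::generate_data().
 *
 * The site-admin check runs before complete_user_login() so that a valid but
 * non-admin credential never gets a logged-in session established for it.
 * The unused get_context_instance() call of the previous version is gone.
 *
 * @return void
 */
public function generate_data() {
    $username = $this->get('username');
    $password = $this->get('password');

    if (is_null($username) || $username == '') {
        echo "You must enter a valid username for a moodle administrator account on this site.{$this->eolchar}";
        die;
    }
    if (is_null($password) || $password == '') {
        echo "You must enter a valid password for a moodle administrator account on this site.{$this->eolchar}";
        die;
    }

    // Full credential check through the normal auth pipeline.
    $user = authenticate_user_login($username, $password);
    if (!$user) {
        echo "Invalid username or password!{$this->eolchar}";
        die;
    }

    // Least privilege: refuse before any session is created for this user.
    if (!is_siteadmin($user->id)) {
        //TODO: add some proper access control check here!!
        echo "You do not have administration privileges on this Moodle site. These are required for running the generation script.{$this->eolchar}";
        die;
    }

    complete_user_login($user);
    parent::generate_data();
}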
} else { $mform->display(); } $web_interface = true; } if ($run_script) { // User authentication if (!$web_interface) { if (empty($settings['username'])) { echo "You must enter a valid username for a moodle administrator account on this site.{$settings['eolchar']}"; die; } elseif (empty($settings['password'])) { echo "You must enter a valid password for a moodle administrator account on this site.{$settings['eolchar']}"; die; } else { if (!($user = authenticate_user_login($settings['username'], $settings['password']))) { echo "Invalid username or password!{$settings['eolchar']}"; die; } $USER = complete_user_login($user); if (!has_capability('moodle/site:doanything', $systemcontext)) { echo "You do not have administration privileges on this Moodle site. These are required for running the restore script.{$settings['eolchar']}"; die; } } } // Script code here // Look for old moodledata/users directory $oldusersdir = $CFG->dataroot . '/users'; if (!file_exists($oldusersdir)) { notify('The old directory for user profile images (' . $oldusersdir . ') does not exist. Pictures cannot be restored!');
/**
 * Find the session set by ntlmsso_magic(), validate it and
 * call authenticate_user_login() to authenticate the user through
 * the auth machinery.
 *
 * It is complemented by a similar check in user_login().
 *
 * If it succeeds, it redirects and never returns - except under PHPUnit,
 * where the redirect is skipped and false is returned like every other path.
 *
 * The pending username is looked up in the '<pluginconfig>/ntlmsess' cache
 * flags under the current sesskey(), i.e. it is tied to this browser
 * session. That sesskey is also passed as the password to
 * authenticate_user_login(), and the flag is only removed after a successful
 * login (a failed attempt leaves it in place until it expires).
 *
 * @return bool false when no pending NTLM session exists or the login fails.
 */
function ntlmsso_finish() {
    global $CFG, $USER, $SESSION;
    $key = sesskey();
    $cf = get_cache_flags($this->pluginconfig . '/ntlmsess');
    if (!isset($cf[$key]) || $cf[$key] === '') {
        return false;
    }
    $username = $cf[$key];
    // Here we want to trigger the whole authentication machinery
    // to make sure no step is bypassed...
    $user = authenticate_user_login($username, $key);
    if ($user) {
        complete_user_login($user);
        // Cleanup the key to prevent reuse...
        // and to allow re-logins with normal credentials
        unset_cache_flag($this->pluginconfig . '/ntlmsess', $key);
        // Redirection
        if (user_not_fully_set_up($USER)) {
            $urltogo = $CFG->wwwroot . '/user/edit.php';
            // We don't delete $SESSION->wantsurl yet, so we get there later
        } else {
            // The same-site test is a plain string prefix match on wwwroot.
            if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
                $urltogo = $SESSION->wantsurl;
                // Because it's an address in this site
                unset($SESSION->wantsurl);
            } else {
                // No wantsurl stored or external - go to homepage
                $urltogo = $CFG->wwwroot . '/';
                unset($SESSION->wantsurl);
            }
        }
        // We do not want to redirect if we are in a PHPUnit test.
        if (!PHPUNIT_TEST) {
            redirect($urltogo);
        }
    }
    // Should never reach here (outside PHPUnit).
    return false;
}
/**
 * VATSIM SSO login-page hook (request-token / verifier exchange).
 *
 * Two entry paths share this function:
 *  - the return leg: VATSIM sent the member back with oauth_token and
 *    oauth_verifier; the request token stored in $_SESSION[SSO_SESSION] is
 *    checked against the returned one, the member's details are fetched, the
 *    Moodle account (username = VATSIM CID) is found or created unless
 *    $CFG->authpreventaccountcreation is set, and the user is logged in and
 *    redirected (redirect() does not return);
 *  - the initial leg (no verifier, or a cancel): a new request token is
 *    obtained, stored in the PHP session and the browser is sent to VATSIM.
 *
 * Raw $_GET / $_SESSION are read here rather than Moodle's optional_param()
 * and $SESSION, so none of the usual parameter cleaning applies to these
 * values.
 *
 * @return void
 * @throws moodle_exception on token mismatch, provider/cURL failure, a
 *         missing e-mail, a cancelled login, or a refused account creation.
 */
function loginpage_hook() {
    global $CFG, $SESSION, $DB, $USER;
    require_once $CFG->dirroot . '/auth/vatsim/config.php';
    // initiate the SSO class with consumer details and encryption details ($sso comes from config.php)
    $SSO = new SSO($sso['base'], $sso['key'], $sso['secret'], $sso['method'], $sso['cert']);
    // return variable is needed later in this script
    $sso_return = $sso['return'];
    // remove other config variables
    unset($sso);
    // if VATSIM has redirected the member back
    if (isset($_GET['oauth_verifier']) && !isset($_GET['oauth_cancel'])) {
        // check to make sure there is a saved token for this user
        if (isset($_SESSION[SSO_SESSION]) && isset($_SESSION[SSO_SESSION]['key']) && isset($_SESSION[SSO_SESSION]['secret'])) {
            // NOTE(review): loose (!=) comparison of the returned token against the stored one;
            // !== (or hash_equals()) would be the conventional check here.
            if (@$_GET['oauth_token'] != $_SESSION[SSO_SESSION]['key']) {
                throw new moodle_exception("An error occurred with the login process - please try again", 'auth_vatsim');
            }
            // Redundant: the enclosing condition already requires oauth_verifier to be set.
            if (@(!isset($_GET['oauth_verifier']))) {
                throw new moodle_exception("An error occurred with the login process", 'auth_vatsim');
            }
            // obtain the details of this user from VATSIM
            $vatsimUser = $SSO->checkLogin($_SESSION[SSO_SESSION]['key'], $_SESSION[SSO_SESSION]['secret'], @$_GET['oauth_verifier']);
            if ($vatsimUser) {
                // One-time use of tokens, token no longer valid
                unset($_SESSION[SSO_SESSION]);
                $vatsim = $vatsimUser->user;
                // The Moodle username is the VATSIM CID reported by the provider, not the e-mail.
                $username = $vatsim->id;
                // plugin only designed where email address is returned, if no email specified,
                if (@empty($vatsim->email)) {
                    throw new moodle_exception('noemail', "auth_vatsim");
                }
                $useremail = $vatsim->email;
                // find the user in the current database, by CID, not email
                $user = $DB->get_record('user', array('username' => $username, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id));
                // create the user if it doesn't exist
                if (empty($user)) {
                    // deny login if setting "Prevent account creation when authenticating" is on
                    if ($CFG->authpreventaccountcreation) {
                        throw new moodle_exception("noaccountyet", "auth_vatsim");
                    }
                    // retrieve more information from the provider; applied to the record after login below
                    $newuser = new stdClass();
                    $newuser->email = $useremail;
                    $newuser->firstname = $vatsim->name_first;
                    $newuser->lastname = $vatsim->name_last;
                    $newuser->country = $vatsim->country->code;
                    create_user_record($username, '', 'vatsim');
                } else {
                    $username = $user->username;
                }
                add_to_log(SITEID, 'auth_vatsim', '', '', $username . '/' . $useremail);
                $user = authenticate_user_login($username, null);
                if ($user) {
                    // prefill more user information if new user
                    if (!empty($newuser)) {
                        $newuser->id = $user->id;
                        $DB->update_record('user', $newuser);
                        $user = (object) array_merge((array) $user, (array) $newuser);
                    }
                    complete_user_login($user);
                    // Redirection
                    if (user_not_fully_set_up($USER)) {
                        $urltogo = $CFG->wwwroot . '/user/edit.php';
                        // We don't delete $SESSION->wantsurl yet, so we get there later
                    } else {
                        // The same-site test is a plain string prefix match on wwwroot.
                        if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
                            $urltogo = $SESSION->wantsurl;
                            // Because it's an address in this site
                            unset($SESSION->wantsurl);
                        } else {
                            // No wantsurl stored or external - go to homepage
                            $urltogo = $CFG->wwwroot . '/';
                            unset($SESSION->wantsurl);
                        }
                    }
                    redirect($urltogo);
                }
                // NOTE(review): when authenticate_user_login() fails there is no error; execution
                // falls through to the request-token step below and the user is sent to VATSIM again.
            } else {
                // OAuth or cURL errors have occurred
                throw new moodle_exception("An error occurred with the login process", 'auth_vatsim');
            }
        }
        // no saved token for this return leg: fall through and start a fresh login
    } else {
        // the user cancelled their login and were sent back
        if (isset($_GET['oauth_cancel'])) {
            throw new moodle_exception("You cancelled your login", 'auth_vatsim');
        }
    }
    // create a request token for this login. Provides return URL and suspended/inactive settings
    $token = $SSO->requestToken($sso_return, false, false);
    if ($token) {
        // store the token information in the session so that we can retrieve it when the user returns;
        // the return leg above consumes it (unset after a successful checkLogin())
        $_SESSION[SSO_SESSION] = array('key' => (string) $token->token->oauth_token, 'secret' => (string) $token->token->oauth_token_secret);
        // redirect the member to VATSIM
        $SSO->sendToVatsim();
    } else {
        throw new moodle_exception("An error occurred with the login process", 'auth_vatsim');
    }
}
} $courseid = required_param('courseid', PARAM_INT); $session = $DB->get_record_sql('SELECT s.id,c.fullname FROM {user} u INNER JOIN {user_enrolments} ue ON (ue.userid = u.id) INNER JOIN {enrol} e ON (e.id = ue.enrolid) INNER JOIN {course} c ON (e.courseid = c.id) INNER JOIN {local_attendance_session} s ON (c.id=s.courseid) WHERE ue.userid = ' . $user->id . ' AND s.open=1 AND c.id=' . $courseid); $attendanceExists = $DB->record_exists("local_attendance_attendance", array('sessionid' => $session->id, 'userid' => $user->id)); if (!$attendanceExists) { $DB->insert_record('local_attendance_attendance', array('sessionid' => $session->id, 'userid' => $user->id, 'ip' => $ip)); } else { echo get_string('alreadyregistered', 'local_attendance'); } } if ($action == "teacherLogin") { $username = required_param('user', PARAM_ALPHANUMEXT); $password = required_param('pass', PARAM_RAW_TRIMMED); if (!($username && $password)) { echo get_string('allfields', 'local_attendance'); } elseif (!($user = authenticate_user_login($username, $password))) { echo get_string('invalidlogin', 'local_attendance'); } else { $userCourses = enrol_get_users_courses($user->id); $n = 0; foreach ($userCourses as $course) { $courseContext = context_course::instance($course->id); if (has_capability('local/attendance:teacherview', $courseContext, $user->id)) { $n++; } } if ($n > 0) { $_SESSION['teacher_webapp'] = $user; } else { echo 'No eres profesor de ningun ramo'; }
/**
 * Authentication hook - is called every time user hit the login page.
 * The code is run only if the param code is mentioned.
 *
 * The `code` parameter is only a trigger (it must equal 200); the credential
 * actually used is the OAuth token pair in $SESSION->access_token, which an
 * earlier step is assumed to have stored (not visible here). With it the
 * provider's profile endpoint ($cfg->apifunc) is called and the value of the
 * configured username attribute becomes the Moodle username: look it up
 * (creating it unless $CFG->authpreventaccountcreation is set), log in and
 * redirect.
 *
 * @return void redirect() is reached on success and does not return.
 * @throws moodle_exception if the profile response lacks the username field
 *         or account creation is refused.
 */
function loginpage_hook() {
    global $SESSION, $CFG, $DB, $USER;
    $authorizationcode = optional_param('code', '', PARAM_TEXT);
    // Loose comparison of a PARAM_TEXT value against an int; the parameter is not a provider-issued code.
    if (!empty($authorizationcode) && 200 == $authorizationcode) {
        require_once $CFG->dirroot . '/auth/oauth_simple/lib.php';
        $cfg = get_config('auth/oauth_simple');
        // NOTE(review): no check that access_token was set or carries both keys - confirm the earlier step guarantees it.
        $accesstoken = $SESSION->access_token;
        $connection = new TwitterOAuth($cfg->apiurl, $cfg->baseurl, $cfg->consumer_key, $cfg->consumer_secret, $accesstoken['oauth_token'], $accesstoken['oauth_token_secret']);
        $userinfo = $connection->post($cfg->apifunc);
        if (!empty($userinfo->{$cfg->username})) {
            // NOTE(review): the provider-reported attribute is used as a Moodle username without
            // clean_param(..., PARAM_USERNAME); the account looked up is whatever that attribute names.
            $user = $DB->get_record('user', array('username' => $userinfo->{$cfg->username}, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id));
            // Create the user if it doesn't exist.
            if (empty($user)) {
                // Deny login if setting "Prevent account creation when authenticating" is on.
                if ($CFG->authpreventaccountcreation) {
                    throw new moodle_exception("noaccountyet", "auth_oauth_simple");
                }
                $username = $userinfo->{$cfg->username};
                create_user_record($username, '', 'oauth_simple');
            } else {
                $username = $user->username;
            }
            // Authenticate the user.
            $userid = empty($user) ? 'new user' : $user->id;
            add_to_log(SITEID, 'auth_oauth_simple', '', '', $username . '/' . $userid);
            $user = authenticate_user_login($username, null);
            if ($user) {
                // Writes back the record just returned by authenticate_user_login(); no profile
                // fields are prefilled from the provider response.
                $DB->update_record('user', $user);
                complete_user_login($user);
                // Create event for authenticated user.
                // NOTE(review): the token pair goes into the event's 'other' data, which the configured
                // logstore presumably persists - the log then holds a live credential.
                $event = \auth_oauth_simple\event\user_loggedin::create(array('context' => context_system::instance(), 'objectid' => $user->id, 'relateduserid' => $user->id, 'other' => array('accesstoken' => $accesstoken)));
                $event->trigger();
                // Redirection.
                if (user_not_fully_set_up($USER)) {
                    $urltogo = $CFG->wwwroot . '/user/edit.php';
                    // We don't delete $SESSION->wantsurl yet, so we get there later.
                } else {
                    // The same-site test is a plain string prefix match on wwwroot.
                    if (isset($SESSION->wantsurl) and strpos($SESSION->wantsurl, $CFG->wwwroot) === 0) {
                        $urltogo = $SESSION->wantsurl;
                        // Because it's an address in this site.
                        unset($SESSION->wantsurl);
                    } else {
                        // No wantsurl stored or external - go to homepage.
                        $urltogo = $CFG->wwwroot . '/';
                        unset($SESSION->wantsurl);
                    }
                }
                redirect($urltogo);
            }
            // NOTE(review): a failed authenticate_user_login() raises no error here; the hook simply returns.
        } else {
            throw new moodle_exception('invalid access', 'auth_oauth_simple');
        }
    }
}
/**
 * Handle a login event.
 *
 * Resolves the Moodle username for an OIDC subject and completes the login:
 *  - an auth_oidc_token row for $oidcuniqid means the subject has logged in
 *    before: its username is reused and the stored tokens are refreshed;
 *  - otherwise the username is the id_token 'upn' claim, or the lower-cased
 *    $oidcuniqid when that claim is empty; a conflicting local_o365 match
 *    aborts the login, else a token row is created.
 * A missing Moodle account is created unless $CFG->authpreventaccountcreation
 * is set, in which case a user_login_failed event is raised and the login
 * fails.
 *
 * Because the first-login username is derived from id_token claims, the IdP
 * decides which Moodle account a new subject maps to. The existence check
 * does not filter on `deleted`; presumably authenticate_user_login() rejects
 * deleted accounts - confirm.
 *
 * @param string $oidcuniqid A unique identifier for the user.
 * @param array $authparams Parameters received from the auth request.
 * @param array $tokenparams Parameters received from the token request.
 * @param \auth_oidc\jwt $idtoken A JWT object representing the received id_token.
 * @return bool true once complete_user_login() has run.
 * @throws \moodle_exception 'errorusermatched' when the username is already
 *         matched in local_o365; 'errorauthloginfailednouser' when the account
 *         may not be created or authenticate_user_login() returns nothing.
 */
protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken) {
    global $DB, $CFG;
    $tokenrec = $DB->get_record('auth_oidc_token', ['oidcuniqid' => $oidcuniqid]);
    if (!empty($tokenrec)) {
        // Returning subject: keep the username bound at first login.
        $username = $tokenrec->username;
        $this->updatetoken($tokenrec->id, $authparams, $tokenparams);
    } else {
        // Use 'upn' if available for username (Azure-specific), or fall back to lower-case oidcuniqid.
        $username = $idtoken->claim('upn');
        if (empty($username)) {
            $username = strtolower($oidcuniqid);
        }
        // Refuse to bind a username that local_o365 has already matched to someone.
        $matchedwith = $this->check_for_matched($username);
        if (!empty($matchedwith)) {
            $matchedwith->aadupn = $username;
            throw new \moodle_exception('errorusermatched', 'local_o365', null, $matchedwith);
        }
        $tokenrec = $this->createtoken($oidcuniqid, $username, $authparams, $tokenparams, $idtoken);
    }
    $existinguserparams = ['username' => $username, 'mnethostid' => $CFG->mnet_localhost_id];
    if ($DB->record_exists('user', $existinguserparams) !== true) {
        // User does not exist. Create user if site allows, otherwise fail.
        if (empty($CFG->authpreventaccountcreation)) {
            $user = create_user_record($username, null, 'oidc');
        } else {
            // Trigger login failed event so the refusal is visible in the logs.
            $failurereason = AUTH_LOGIN_NOUSER;
            $eventdata = ['other' => ['username' => $username, 'reason' => $failurereason]];
            $event = \core\event\user_login_failed::create($eventdata);
            $event->trigger();
            throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc');
        }
    }
    // Run the full auth pipeline (no password; third argument bypasses the password check).
    $user = authenticate_user_login($username, null, true);
    if (empty($user)) {
        throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc');
    }
    complete_user_login($user);
    return true;
}
if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) { $errormsg = get_string('username') . ': ' . get_string("invalidusername"); $errorcode = 2; $user = null; } } if ($user) { //user already supplied by aut plugin prelogin hook } else { if ($frm->username == 'guest' and empty($CFG->guestloginbutton)) { $user = false; /// Can't log in as guest if guest button is disabled $frm = false; } else { if (empty($errormsg)) { $user = authenticate_user_login($frm->username, $frm->password, false, $errorcode); } } } // Intercept 'restored' users to provide them with info & reset password if (!$user and $frm and is_restored_user($frm->username)) { $PAGE->set_title(get_string('restoredaccount')); $PAGE->set_heading($site->fullname); echo $OUTPUT->header(); echo $OUTPUT->heading(get_string('restoredaccount')); echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter'); require_once 'restored_password_form.php'; // Use our "supplanter" login_forgot_password_form. MDL-20846 $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username)); $form->display(); echo $OUTPUT->footer();
if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) { $errormsg = get_string('username') . ': ' . get_string("invalidusername"); $errorcode = 2; $user = null; } } if ($user) { //user already supplied by aut plugin prelogin hook } else { if ($frm->username == 'guest' and empty($CFG->guestloginbutton)) { $user = false; /// Can't log in as guest if guest button is disabled $frm = false; } else { if (empty($errormsg)) { $user = authenticate_user_login($frm->username, $frm->password); } } } // Intercept 'restored' users to provide them with info & reset password if (!$user and $frm and is_restored_user($frm->username)) { $PAGE->set_title(get_string('restoredaccount')); $PAGE->set_heading($site->fullname); echo $OUTPUT->header(); echo $OUTPUT->heading(get_string('restoredaccount')); echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter'); require_once 'restored_password_form.php'; // Use our "supplanter" login_forgot_password_form. MDL-20846 $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username)); $form->display(); echo $OUTPUT->footer();