if ($acl = $DB->get_record('mnet_sso_access_control', array('username' => $user->username, 'mnet_host_id' => $user->mnethostid))) {
$accessctrl = $acl->accessctrl;
}
$changeaccessto = $accessctrl == 'deny' ? 'allow' : 'deny';
$buttons[] = " (<a href=\"?acl={$user->id}&accessctrl={$changeaccessto}&sesskey=" . sesskey() . "\">" . get_string($changeaccessto, 'mnet') . " access</a>)";
} else {
if ($user->suspended) {
$buttons[] = html_writer::link(new moodle_url($returnurl, array('unsuspend' => $user->id, 'sesskey' => sesskey())), html_writer::empty_tag('img', array('src' => $OUTPUT->pix_url('t/show'), 'alt' => $strunsuspend, 'class' => 'iconsmall')), array('title' => $strunsuspend));
} else {
if ($user->id == $USER->id or is_siteadmin($user)) {
// no suspending of admins or self!
} else {
$buttons[] = html_writer::link(new moodle_url($returnurl, array('suspend' => $user->id, 'sesskey' => sesskey())), html_writer::empty_tag('img', array('src' => $OUTPUT->pix_url('t/hide'), 'alt' => $strsuspend, 'class' => 'iconsmall')), array('title' => $strsuspend));
}
}
if (login_is_lockedout($user)) {
$buttons[] = html_writer::link(new moodle_url($returnurl, array('unlock' => $user->id, 'sesskey' => sesskey())), html_writer::empty_tag('img', array('src' => $OUTPUT->pix_url('t/unlock'), 'alt' => $strunlock, 'class' => 'iconsmall')), array('title' => $strunlock));
}
}
}
// edit button
if (has_capability('moodle/user:update', $sitecontext)) {
// prevent editing of admins by non-admins
if (is_siteadmin($USER) or !is_siteadmin($user)) {
$buttons[] = html_writer::link(new moodle_url($securewwwroot . '/user/editadvanced.php', array('id' => $user->id, 'course' => $site->id)), html_writer::empty_tag('img', array('src' => $OUTPUT->pix_url('t/edit'), 'alt' => $stredit, 'class' => 'iconsmall')), array('title' => $stredit));
}
}
// the last column - confirm or mnet info
if (is_mnet_remote_user($user)) {
// all mnet users are confirmed, let's print just the name of the host there
if (isset($mnethosts[$user->mnethostid])) {
/**
* Authenticates a user against the chosen authentication mechanism
*
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* Note: this function works only with non-mnet accounts!
*
* @param string $username User's username
* @param string $password User's password
* @param bool $ignorelockout useful when guessing is prevented by other mechanism such as captcha or SSO
* @param int $failurereason login failure reason, can be used in renderers (it may disclose if account exists)
* @return stdClass|false A {@link $USER} object or false if error
*/
function authenticate_user_login($username, $password, $ignorelockout = false, &$failurereason = null)
{
global $CFG, $DB;
require_once "{$CFG->libdir}/authlib.php";
$authsenabled = get_enabled_auth_plugins();
if ($user = get_complete_user_data('username', $username, $CFG->mnet_localhost_id)) {
// Use manual if auth not set.
$auth = empty($user->auth) ? 'manual' : $user->auth;
if (!empty($user->suspended)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_SUSPENDED;
return false;
}
if ($auth == 'nologin' or !is_enabled_auth($auth)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Disabled Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
// Legacy way to suspend user.
$failurereason = AUTH_LOGIN_SUSPENDED;
return false;
}
$auths = array($auth);
} else {
// Check if there's a deleted record (cheaply), this should not happen because we mangle usernames in delete_user().
if ($DB->get_field('user', 'id', array('username' => $username, 'mnethostid' => $CFG->mnet_localhost_id, 'deleted' => 1))) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Deleted Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_NOUSER;
return false;
}
// Do not try to authenticate non-existent accounts when user creation is not disabled.
if (!empty($CFG->authpreventaccountcreation)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Unknown user, can not create new accounts: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_NOUSER;
return false;
}
// User does not exist.
$auths = $authsenabled;
$user = new stdClass();
$user->id = 0;
}
if ($ignorelockout) {
// Some other mechanism protects against brute force password guessing, for example login form might include reCAPTCHA
// or this function is called from a SSO script.
} else {
if ($user->id) {
// Verify login lockout after other ways that may prevent user login.
if (login_is_lockedout($user)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Login lockout: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_LOCKOUT;
return false;
}
} else {
// We can not lockout non-existing accounts.
}
}
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// On auth fail fall through to the next plugin.
if (!$authplugin->user_login($username, $password)) {
continue;
}
// Successful authentication.
if ($user->id) {
// User already exists in database.
if (empty($user->auth)) {
// For some reason auth isn't set yet.
$DB->set_field('user', 'auth', $auth, array('username' => $username));
$user->auth = $auth;
}
// If the existing hash is using an out-of-date algorithm (or the legacy md5 algorithm), then we should update to
// the current hash algorithm while we have access to the user's password.
update_internal_user_password($user, $password);
if ($authplugin->is_synchronised_with_external()) {
// Update user record from external DB.
$user = update_user_record($username);
}
} else {
// Create account, we verified above that user creation is allowed.
$user = create_user_record($username, $password, $auth);
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
if (empty($user->id)) {
$failurereason = AUTH_LOGIN_NOUSER;
return false;
}
if (!empty($user->suspended)) {
// Just in case some auth plugin suspended account.
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_SUSPENDED;
return false;
}
login_attempt_valid($user);
$failurereason = AUTH_LOGIN_OK;
return $user;
}
// Failed if all the plugins have failed.
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
if (debugging('', DEBUG_ALL)) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Failed Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
}
if ($user->id) {
login_attempt_failed($user);
$failurereason = AUTH_LOGIN_FAILED;
} else {
$failurereason = AUTH_LOGIN_NOUSER;
}
return false;
}
/**
* Authenticates a user against the chosen authentication mechanism
*
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* Note: this function works only with non-mnet accounts!
*
* @param string $username User's username (or also email if $CFG->authloginviaemail enabled)
* @param string $password User's password
* @param bool $ignorelockout useful when guessing is prevented by other mechanism such as captcha or SSO
* @param int $failurereason login failure reason, can be used in renderers (it may disclose if account exists)
* @return stdClass|false A {@link $USER} object or false if error
*/
function authenticate_user_login($username, $password, $ignorelockout = false, &$failurereason = null)
{
global $CFG, $DB;
require_once "{$CFG->libdir}/authlib.php";
if ($user = get_complete_user_data('username', $username, $CFG->mnet_localhost_id)) {
// we have found the user
} else {
if (!empty($CFG->authloginviaemail)) {
if ($email = clean_param($username, PARAM_EMAIL)) {
$select = "mnethostid = :mnethostid AND LOWER(email) = LOWER(:email) AND deleted = 0";
$params = array('mnethostid' => $CFG->mnet_localhost_id, 'email' => $email);
$users = $DB->get_records_select('user', $select, $params, 'id', 'id', 0, 2);
if (count($users) === 1) {
// Use email for login only if unique.
$user = reset($users);
$user = get_complete_user_data('id', $user->id);
$username = $user->username;
}
unset($users);
}
}
}
$authsenabled = get_enabled_auth_plugins();
if ($user) {
// Use manual if auth not set.
$auth = empty($user->auth) ? 'manual' : $user->auth;
if (in_array($user->auth, $authsenabled)) {
$authplugin = get_auth_plugin($user->auth);
$authplugin->pre_user_login_hook($user);
}
if (!empty($user->suspended)) {
$failurereason = AUTH_LOGIN_SUSPENDED;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('userid' => $user->id, 'other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
if ($auth == 'nologin' or !is_enabled_auth($auth)) {
// Legacy way to suspend user.
$failurereason = AUTH_LOGIN_SUSPENDED;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('userid' => $user->id, 'other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Disabled Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
$auths = array($auth);
} else {
// Check if there's a deleted record (cheaply), this should not happen because we mangle usernames in delete_user().
if ($DB->get_field('user', 'id', array('username' => $username, 'mnethostid' => $CFG->mnet_localhost_id, 'deleted' => 1))) {
$failurereason = AUTH_LOGIN_NOUSER;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Deleted Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
// User does not exist.
$auths = $authsenabled;
$user = new stdClass();
$user->id = 0;
}
if ($ignorelockout) {
// Some other mechanism protects against brute force password guessing, for example login form might include reCAPTCHA
// or this function is called from a SSO script.
} else {
if ($user->id) {
// Verify login lockout after other ways that may prevent user login.
if (login_is_lockedout($user)) {
$failurereason = AUTH_LOGIN_LOCKOUT;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('userid' => $user->id, 'other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Login lockout: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
} else {
// We can not lockout non-existing accounts.
}
}
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// On auth fail fall through to the next plugin.
if (!$authplugin->user_login($username, $password)) {
continue;
}
// Successful authentication.
if ($user->id) {
// User already exists in database.
if (empty($user->auth)) {
// For some reason auth isn't set yet.
$DB->set_field('user', 'auth', $auth, array('id' => $user->id));
$user->auth = $auth;
}
// If the existing hash is using an out-of-date algorithm (or the legacy md5 algorithm), then we should update to
// the current hash algorithm while we have access to the user's password.
update_internal_user_password($user, $password);
if ($authplugin->is_synchronised_with_external()) {
// Update user record from external DB.
$user = update_user_record_by_id($user->id);
}
} else {
// The user is authenticated but user creation may be disabled.
if (!empty($CFG->authpreventaccountcreation)) {
$failurereason = AUTH_LOGIN_UNAUTHORISED;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Unknown user, can not create new accounts: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
} else {
$user = create_user_record($username, $password, $auth);
}
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
if (empty($user->id)) {
$failurereason = AUTH_LOGIN_NOUSER;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
return false;
}
if (!empty($user->suspended)) {
// Just in case some auth plugin suspended account.
$failurereason = AUTH_LOGIN_SUSPENDED;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('userid' => $user->id, 'other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
login_attempt_valid($user);
$failurereason = AUTH_LOGIN_OK;
return $user;
}
// Failed if all the plugins have failed.
if (debugging('', DEBUG_ALL)) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Failed Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
}
if ($user->id) {
login_attempt_failed($user);
$failurereason = AUTH_LOGIN_FAILED;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('userid' => $user->id, 'other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
} else {
$failurereason = AUTH_LOGIN_NOUSER;
// Trigger login failed event.
$event = \core\event\user_login_failed::create(array('other' => array('username' => $username, 'reason' => $failurereason)));
$event->trigger();
}
return false;
}
public function test_lockout()
{
global $CFG;
require_once "{$CFG->libdir}/authlib.php";
$this->resetAfterTest();
$oldlog = ini_get('error_log');
ini_set('error_log', "{$CFG->dataroot}/testlog.log");
// Prevent standard logging.
set_config('lockoutthreshold', 0);
set_config('lockoutwindow', 60 * 20);
set_config('lockoutduration', 60 * 30);
$user = $this->getDataGenerator()->create_user();
// Test lockout is disabled when threshold not set.
$this->assertFalse(login_is_lockedout($user));
login_attempt_failed($user);
login_attempt_failed($user);
login_attempt_failed($user);
login_attempt_failed($user);
$this->assertFalse(login_is_lockedout($user));
// Test lockout threshold works.
set_config('lockoutthreshold', 3);
login_attempt_failed($user);
login_attempt_failed($user);
$this->assertFalse(login_is_lockedout($user));
ob_start();
login_attempt_failed($user);
$output = ob_get_clean();
$this->assertContains('noemailever', $output);
$this->assertTrue(login_is_lockedout($user));
// Test unlock works.
login_unlock_account($user);
$this->assertFalse(login_is_lockedout($user));
// Test lockout window works.
login_attempt_failed($user);
login_attempt_failed($user);
$this->assertFalse(login_is_lockedout($user));
set_user_preference('login_failed_last', time() - 60 * 20 - 10, $user);
login_attempt_failed($user);
$this->assertFalse(login_is_lockedout($user));
// Test valid login resets window.
login_attempt_valid($user);
$this->assertFalse(login_is_lockedout($user));
login_attempt_failed($user);
login_attempt_failed($user);
$this->assertFalse(login_is_lockedout($user));
// Test lock duration works.
ob_start();
// Prevent nomailever notice.
login_attempt_failed($user);
$output = ob_get_clean();
$this->assertContains('noemailever', $output);
$this->assertTrue(login_is_lockedout($user));
set_user_preference('login_lockout', time() - 60 * 30 + 10, $user);
$this->assertTrue(login_is_lockedout($user));
set_user_preference('login_lockout', time() - 60 * 30 - 10, $user);
$this->assertFalse(login_is_lockedout($user));
// Test lockout ignored pref works.
set_user_preference('login_lockout_ignored', 1, $user);
login_attempt_failed($user);
login_attempt_failed($user);
login_attempt_failed($user);
login_attempt_failed($user);
$this->assertFalse(login_is_lockedout($user));
ini_set('error_log', $oldlog);
}
