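/**
 * Authenticate the caller using username+password or a token.
 *
 * On success the $USER global is set up via session_set_user(), so it is
 * safe to call has_capability() afterwards. The method also verifies that
 * the user is allowed to use this server: unless the session-token auth
 * method is in use, the "webservice/<wsname>:use" capability is required
 * in $this->restricted_context.
 *
 * Security note: a failed username/password login is logged with the
 * username and remote address only. The password is deliberately NOT
 * written to the log (it used to be concatenated into the log message);
 * a plaintext credential in the log table is readable by anyone with
 * log access and survives long after the attempt.
 *
 * @return void
 * @throws coding_exception if cookies are enabled (WS servers must define NO_MOODLE_COOKIES)
 * @throws webservice_access_exception on any authentication or authorisation failure
 */
protected function authenticate_user() {
    global $CFG, $DB;

    if (!NO_MOODLE_COOKIES) {
        throw new coding_exception('Cookies must be disabled in WS servers!');
    }

    if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
        // The 'webservice' auth plugin is only required for simple
        // (username/password) authentication; the token methods bypass it.
        if (!is_enabled_auth('webservice')) {
            throw new webservice_access_exception(get_string('wsauthnotenabled', 'webservice'));
        }
        if (!($auth = get_auth_plugin('webservice'))) {
            throw new webservice_access_exception(get_string('wsauthmissing', 'webservice'));
        }

        $this->restricted_context = get_context_instance(CONTEXT_SYSTEM);

        // Truthiness checks, as before: a literal "0" counts as missing (fails closed).
        if (!$this->username) {
            throw new webservice_access_exception(get_string('missingusername', 'webservice'));
        }
        if (!$this->password) {
            throw new webservice_access_exception(get_string('missingpassword', 'webservice'));
        }

        if (!$auth->user_login_webservice($this->username, $this->password)) {
            // Log the failed attempt with the username and remote address only - never the password.
            add_to_log(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '',
                get_string('failedtolog', 'webservice') . ": " . $this->username . " - " . getremoteaddr(), 0);
            throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
        }

        // Only local (non-MNet), non-deleted accounts may use password authentication.
        $user = $DB->get_record('user', array(
            'username'   => $this->username,
            'mnethostid' => $CFG->mnet_localhost_id,
            'deleted'    => 0,
        ), '*', MUST_EXIST);

    } else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
        $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
    } else {
        $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
    }
    // NOTE(review): the token paths do not check $user->deleted / suspended /
    // confirmed here - confirm authenticate_by_token() enforces that, since a
    // token can outlive the account it was issued for.

    // Fake the user login; the session is otherwise completely empty.
    session_set_user($user);
    $this->userid = $user->id;

    if ($this->authmethod != WEBSERVICE_AUTHMETHOD_SESSION_TOKEN
            && !has_capability("webservice/{$this->wsname}:use", $this->restricted_context)) {
        throw new webservice_access_exception(get_string('accessnotallowed', 'webservice'));
    }

    external_api::set_context_restriction($this->restricted_context);
}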
/**
 * Authenticate user using username+password or token.
 *
 * This function sets up $USER global, so it is safe to use has_capability()
 * after this. This method also verifies the user is allowed to use this
 * server: maintenance mode (only users with moodle/site:config), deleted /
 * unconfirmed / suspended accounts, expired credentials, the 'nologin' auth
 * method and the "webservice/<wsname>:use" capability.
 *
 * Every refusal triggers a \core\event\webservice_login_failed event whose
 * 'other' data carries the auth method, a 'reason' code and the username,
 * plus legacy log data for the old log table.
 *
 * NOTE(review): several spans of this method are redacted ("******") in this
 * copy of the source; the code between the redaction markers is not visible
 * here, and the session set-up lines fall inside one of those spans.
 *
 * @throws coding_exception if cookies are enabled (WS servers must define NO_MOODLE_COOKIES)
 * @throws moodle_exception|webservice_access_exception on authentication or authorisation failure
 */
protected function authenticate_user() {
    global $CFG, $DB;
    if (!NO_MOODLE_COOKIES) {
        throw new coding_exception('Cookies must be disabled in WS servers!');
    }
    // Template for the login-failed event; each refusal fills in 'reason' and 'username'.
    $loginfaileddefaultparams = array('context' => context_system::instance(), 'other' => array('method' => $this->authmethod, 'reason' => null));
    if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
        // The 'webservice' auth plugin is only required for simple (username/password) authentication.
        if (!is_enabled_auth('webservice')) {
            throw new webservice_access_exception('The web service authentication plugin is disabled.');
        }
        if (!($auth = get_auth_plugin('webservice'))) {
            throw new webservice_access_exception('The web service authentication plugin is missing.');
        }
        $this->restricted_context = context_system::instance();
        // Truthiness checks: a literal "0" is treated as missing (fails closed).
        if (!$this->username) {
            throw new moodle_exception('missingusername', 'webservice');
        }
        if (!$this->password) {
            throw new moodle_exception('missingpassword', 'webservice');
        }
        if (!$auth->user_login_webservice($this->username, $this->password)) {
            // Log failed login attempts.
            $params = $loginfaileddefaultparams;
            $params['other']['reason'] = 'password';
            $params['other']['username'] = $this->username;
            $event = \core\event\webservice_login_failed::create($params);
            // SECURITY(review): the legacy log line below writes $this->password in
            // plaintext to the log; it should carry the username and remote address only.
            $event->set_legacy_logdata(array(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '', get_string('failedtolog', 'webservice') . ": " . $this->username . "/" . $this->password . " - " . getremoteaddr(), 0));
            $event->trigger();
            throw new moodle_exception('wrongusernamepassword', 'webservice');
        }
        // Only local (non-MNet) accounts; deleted/suspended state is checked below for all auth methods.
        $user = $DB->get_record('user', array('username' => $this->username, 'mnethostid' => $CFG->mnet_localhost_id), '*', MUST_EXIST);
    } else {
        if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
            $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
        } else {
            $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
        }
    }
    // Non admin can not authenticate if maintenance mode.
    $hassiteconfig = has_capability('moodle/site:config', context_system::instance(), $user);
    if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
        throw new moodle_exception('sitemaintenance', 'admin');
    }
    // Deleted accounts are refused, whichever auth method produced $user.
    if (!empty($user->deleted)) {
        $params = $loginfaileddefaultparams;
        $params['other']['reason'] = 'user_deleted';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // NOTE(review): redacted span ("******") - the end of this throw, the closing brace
        // and the start of the unconfirmed-user check are missing from this copy.
        throw new webservice_access_exception('Refused web service access for deleted username: '******'other']['reason'] = 'user_unconfirmed';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        throw new moodle_exception('wsaccessuserunconfirmed', 'webservice', '', $user->username);
    }
    // Check the user is suspended.
    if (!empty($user->suspended)) {
        $params = $loginfaileddefaultparams;
        // BUG(review): reason should be 'user_suspended'; 'user_unconfirmed' looks copied
        // from the check above and mislabels suspended-account refusals in the event log.
        $params['other']['reason'] = 'user_unconfirmed';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // NOTE(review): redacted span ("******") - the end of this throw and the start of the
        // credential-expiry check are missing from this copy.
        throw new webservice_access_exception('Refused web service access for suspended username: '******'other']['reason'] = 'password_expired';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // NOTE(review): redacted span ("******") - the end of this throw and the start of the
        // 'nologin' auth-method check are missing from this copy.
        throw new webservice_access_exception('Refused web service access for password expired username: '******'nologin') {
        $params = $loginfaileddefaultparams;
        $params['other']['reason'] = 'login';
        $params['other']['username'] = $user->username;
        $event = \core\event\webservice_login_failed::create($params);
        $event->set_legacy_logdata(array(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - " . getremoteaddr(), 0, $user->id));
        $event->trigger();
        // NOTE(review): redacted span ("******") - the end of this throw, the session set-up and
        // the "webservice/<wsname>:use" capability check are missing from this copy.
        throw new webservice_access_exception('Refused web service access for nologin authentication username: '******'You are not allowed to use the {$a} protocol (missing capability: webservice/' . $this->wsname . ':use)');
    }
    external_api::set_context_restriction($this->restricted_context);
}
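/**
 * Authenticate the caller using username+password or a token.
 *
 * On success the $USER global is set up via session_set_user(), so it is
 * safe to call has_capability() afterwards, and the user has been verified
 * to be allowed to use this server. The verification covers, in order:
 * maintenance mode (only users with moodle/site:config may connect),
 * deleted / unconfirmed / suspended accounts, expired credentials (when
 * the user's auth plugin has expiration enabled), the 'nologin' auth
 * method, and finally the "webservice/<wsname>:use" capability (skipped
 * for the session-token auth method).
 *
 * Security note: a failed username/password login is logged with the
 * username and remote address only. The password is deliberately NOT
 * written to the log (it used to be concatenated into the log message);
 * a plaintext credential in the log table is readable by anyone with
 * log access and survives long after the attempt.
 *
 * @return void
 * @throws coding_exception if cookies are enabled (WS servers must define NO_MOODLE_COOKIES)
 * @throws webservice_access_exception on any authentication or authorisation failure
 */
protected function authenticate_user() {
    global $CFG, $DB;

    if (!NO_MOODLE_COOKIES) {
        throw new coding_exception('Cookies must be disabled in WS servers!');
    }

    if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
        // The 'webservice' auth plugin is only required for simple
        // (username/password) authentication; the token methods bypass it.
        if (!is_enabled_auth('webservice')) {
            throw new webservice_access_exception(get_string('wsauthnotenabled', 'webservice'));
        }
        if (!($auth = get_auth_plugin('webservice'))) {
            throw new webservice_access_exception(get_string('wsauthmissing', 'webservice'));
        }

        $this->restricted_context = get_context_instance(CONTEXT_SYSTEM);

        // Truthiness checks, as before: a literal "0" counts as missing (fails closed).
        if (!$this->username) {
            throw new webservice_access_exception(get_string('missingusername', 'webservice'));
        }
        if (!$this->password) {
            throw new webservice_access_exception(get_string('missingpassword', 'webservice'));
        }

        if (!$auth->user_login_webservice($this->username, $this->password)) {
            // Log the failed attempt with the username and remote address only - never the password.
            add_to_log(SITEID, 'webservice', get_string('simpleauthlog', 'webservice'), '',
                get_string('failedtolog', 'webservice') . ": " . $this->username . " - " . getremoteaddr(), 0);
            throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
        }

        // Only local (non-MNet) accounts may use password authentication;
        // deleted/suspended state is checked below, together with the token paths.
        $user = $DB->get_record('user', array(
            'username'   => $this->username,
            'mnethostid' => $CFG->mnet_localhost_id,
        ), '*', MUST_EXIST);

    } else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
        $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
    } else {
        $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
    }

    // While the site is in maintenance mode only site admins may authenticate.
    $hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
    if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
        throw new webservice_access_exception(get_string('sitemaintenance', 'admin'));
    }

    // Account-state checks apply to every auth method: a token can outlive
    // the account it was issued for, so the record is re-validated here.
    if (!empty($user->deleted)) {
        $this->refuse_webservice_login($user, 'wsaccessuserdeleted');
    }
    if (empty($user->confirmed)) {
        $this->refuse_webservice_login($user, 'wsaccessuserunconfirmed');
    }
    if (!empty($user->suspended)) {
        $this->refuse_webservice_login($user, 'wsaccessusersuspended');
    }

    // Token logins did not load an auth plugin above; use the user's own one.
    if (empty($auth)) {
        $auth = get_auth_plugin($user->auth);
    }

    // Refuse credentials the auth plugin reports as expired (negative days remaining).
    if (!empty($auth->config->expiration) and $auth->config->expiration == 1) {
        $days2expire = $auth->password_expire($user->username);
        if (intval($days2expire) < 0) {
            $this->refuse_webservice_login($user, 'wsaccessuserexpired');
        }
    }

    // Accounts on the 'nologin' auth method can never authenticate, by any method.
    if ($user->auth == 'nologin') {
        $this->refuse_webservice_login($user, 'wsaccessusernologin');
    }

    // Fake the user login; the session is otherwise completely empty.
    enrol_check_plugins($user);
    session_set_user($user);
    $this->userid = $user->id;

    if ($this->authmethod != WEBSERVICE_AUTHMETHOD_SESSION_TOKEN
            && !has_capability("webservice/{$this->wsname}:use", $this->restricted_context)) {
        throw new webservice_access_exception(get_string('protocolnotallowed', 'webservice', $this->wsname));
    }

    external_api::set_context_restriction($this->restricted_context);
}

/**
 * Log a refused web service login for an account that exists but may not use
 * the service, then abort with the same message as a webservice_access_exception.
 *
 * @param stdClass $user the user record being refused (username and id are logged)
 * @param string $stringid identifier of the 'webservice' language string naming the reason
 * @return void never returns normally
 * @throws webservice_access_exception always
 */
private function refuse_webservice_login($user, $stringid) {
    $message = get_string($stringid, 'webservice', $user->username);
    add_to_log(SITEID, '', '', '', $message . " - " . getremoteaddr(), 0, $user->id);
    throw new webservice_access_exception($message);
}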