search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MDL-60569 registration: fix bug with showing email in the form
[moodle.git] / login / index.php
blobef92109deb9b251cfe0e758be59a49a851ce5fd1
1 <?php
2
3 // This file is part of Moodle - http://moodle.org/
4 //
5 // Moodle is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // Moodle is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License
16 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
17
18 /**
19 * Main login page.
20 *
21 * @package core
22 * @subpackage auth
23 * @copyright 1999 onwards Martin Dougiamas http://dougiamas.com
24 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
25 */
26
27 require('../config.php');
28 require_once('lib.php');
29
30 redirect_if_major_upgrade_required();
31
32 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
33 $cancel = optional_param('cancel', 0, PARAM_BOOL); // redirect to frontpage, needed for loginhttps
34 $anchor = optional_param('anchor', '', PARAM_RAW); // Used to restore hash anchor to wantsurl.
35
36 if ($cancel) {
37 redirect(new moodle_url('/'));
38 }
39
40 //HTTPS is required in this page when $CFG->loginhttps enabled
41 $PAGE->https_required();
42
43 $context = context_system::instance();
44 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
45 $PAGE->set_context($context);
46 $PAGE->set_pagelayout('login');
47
48 /// Initialize variables
49 $errormsg = '';
50 $errorcode = 0;
51
52 // login page requested session test
53 if ($testsession) {
54 if ($testsession == $USER->id) {
55 if (isset($SESSION->wantsurl)) {
56 $urltogo = $SESSION->wantsurl;
57 } else {
58 $urltogo = $CFG->wwwroot.'/';
59 }
60 unset($SESSION->wantsurl);
61 redirect($urltogo);
62 } else {
63 // TODO: try to find out what is the exact reason why sessions do not work
64 $errormsg = get_string("cookiesnotenabled");
65 $errorcode = 1;
66 }
67 }
68
69 /// Check for timed out sessions
70 if (!empty($SESSION->has_timed_out)) {
71 $session_has_timed_out = true;
72 unset($SESSION->has_timed_out);
73 } else {
74 $session_has_timed_out = false;
75 }
76
77 /// auth plugins may override these - SSO anyone?
78 $frm = false;
79 $user = false;
80
81 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
82 foreach($authsequence as $authname) {
83 $authplugin = get_auth_plugin($authname);
84 $authplugin->loginpage_hook();
85 }
86
87
88 /// Define variables used in page
89 $site = get_site();
90
91 // Ignore any active pages in the navigation/settings.
92 // We do this because there won't be an active page there, and by ignoring the active pages the
93 // navigation and settings won't be initialised unless something else needs them.
94 $PAGE->navbar->ignore_active();
95 $loginsite = get_string("loginsite");
96 $PAGE->navbar->add($loginsite);
97
98 if ($user !== false or $frm !== false or $errormsg !== '') {
99 // some auth plugin already supplied full user, fake form data or prevented user login with error message
100
101 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
102 // Handles the case of another Moodle site linking into a page on this site
103 //TODO: move weblink into own auth plugin
104 include($CFG->dirroot.'/login/weblinkauth.php');
105 if (function_exists('weblink_auth')) {
106 $user = weblink_auth($SESSION->wantsurl);
107 }
108 if ($user) {
109 $frm->username = $user->username;
110 } else {
111 $frm = data_submitted();
112 }
113
114 } else {
115 $frm = data_submitted();
116 }
117
118 // Restore the #anchor to the original wantsurl. Note that this
119 // will only work for internal auth plugins, SSO plugins such as
120 // SAML / CAS / OIDC will have to handle this correctly directly.
121 if ($anchor && isset($SESSION->wantsurl) && strpos($SESSION->wantsurl, '#') === false) {
122 $wantsurl = new moodle_url($SESSION->wantsurl);
123 $wantsurl->set_anchor(substr($anchor, 1));
124 $SESSION->wantsurl = $wantsurl->out();
125 }
126
127 /// Check if the user has actually submitted login data to us
128
129 if ($frm and isset($frm->username)) { // Login WITH cookies
130
131 $frm->username = trim(core_text::strtolower($frm->username));
132
133 if (is_enabled_auth('none') ) {
134 if ($frm->username !== core_user::clean_field($frm->username, 'username')) {
135 $errormsg = get_string('username').': '.get_string("invalidusername");
136 $errorcode = 2;
137 $user = null;
138 }
139 }
140
141 if ($user) {
142 //user already supplied by aut plugin prelogin hook
143 } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
144 $user = false; /// Can't log in as guest if guest button is disabled
145 $frm = false;
146 } else {
147 if (empty($errormsg)) {
148 $user = authenticate_user_login($frm->username, $frm->password, false, $errorcode);
149 }
150 }
151
152 // Intercept 'restored' users to provide them with info & reset password
153 if (!$user and $frm and is_restored_user($frm->username)) {
154 $PAGE->set_title(get_string('restoredaccount'));
155 $PAGE->set_heading($site->fullname);
156 echo $OUTPUT->header();
157 echo $OUTPUT->heading(get_string('restoredaccount'));
158 echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
159 require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
160 $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
161 $form->display();
162 echo $OUTPUT->footer();
163 die;
164 }
165
166 if ($user) {
167
168 // language setup
169 if (isguestuser($user)) {
170 // no predefined language for guests - use existing session or default site lang
171 unset($user->lang);
172
173 } else if (!empty($user->lang)) {
174 // unset previous session language - use user preference instead
175 unset($SESSION->lang);
176 }
177
178 if (empty($user->confirmed)) { // This account was never confirmed
179 $PAGE->set_title(get_string("mustconfirm"));
180 $PAGE->set_heading($site->fullname);
181 echo $OUTPUT->header();
182 echo $OUTPUT->heading(get_string("mustconfirm"));
183 echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
184 echo $OUTPUT->footer();
185 die;
186 }
187
188 /// Let's get them all set up.
189 complete_user_login($user);
190
191 \core\session\manager::apply_concurrent_login_limit($user->id, session_id());
192
193 // sets the username cookie
194 if (!empty($CFG->nolastloggedin)) {
195 // do not store last logged in user in cookie
196 // auth plugins can temporarily override this from loginpage_hook()
197 // do not save $CFG->nolastloggedin in database!
198
199 } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
200 // no permanent cookies, delete old one if exists
201 set_moodle_cookie('');
202
203 } else {
204 set_moodle_cookie($USER->username);
205 }
206
207 $urltogo = core_login_get_return_url();
208
209 /// check if user password has expired
210 /// Currently supported only for ldap-authentication module
211 $userauth = get_auth_plugin($USER->auth);
212 if (!isguestuser() and !empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
213 $externalchangepassword = false;
214 if ($userauth->can_change_password()) {
215 $passwordchangeurl = $userauth->change_password_url();
216 if (!$passwordchangeurl) {
217 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
218 } else {
219 $externalchangepassword = true;
220 }
221 } else {
222 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
223 }
224 $days2expire = $userauth->password_expire($USER->username);
225 $PAGE->set_title("$site->fullname: $loginsite");
226 $PAGE->set_heading("$site->fullname");
227 if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
228 echo $OUTPUT->header();
229 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
230 echo $OUTPUT->footer();
231 exit;
232 } elseif (intval($days2expire) < 0 ) {
233 if ($externalchangepassword) {
234 // We end the session if the change password form is external. This prevents access to the site
235 // until the password is correctly changed.
236 require_logout();
237 } else {
238 // If we use the standard change password form, this user preference will be reset when the password
239 // is changed. Until then it will prevent access to the site.
240 set_user_preference('auth_forcepasswordchange', 1, $USER);
241 }
242 echo $OUTPUT->header();
243 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
244 echo $OUTPUT->footer();
245 exit;
246 }
247 }
248
249 // Discard any errors before the last redirect.
250 unset($SESSION->loginerrormsg);
251
252 // test the session actually works by redirecting to self
253 $SESSION->wantsurl = $urltogo;
254 redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
255
256 } else {
257 if (empty($errormsg)) {
258 if ($errorcode == AUTH_LOGIN_UNAUTHORISED) {
259 $errormsg = get_string("unauthorisedlogin", "", $frm->username);
260 } else {
261 $errormsg = get_string("invalidlogin");
262 $errorcode = 3;
263 }
264 }
265 }
266 }
267
268 /// Detect problems with timedout sessions
269 if ($session_has_timed_out and !data_submitted()) {
270 $errormsg = get_string('sessionerroruser', 'error');
271 $errorcode = 4;
272 }
273
274 /// First, let's remember where the user was trying to get to before they got here
275
276 if (empty($SESSION->wantsurl)) {
277 $SESSION->wantsurl = null;
278 $referer = get_local_referer(false);
279 if ($referer &&
280 $referer != $CFG->wwwroot &&
281 $referer != $CFG->wwwroot . '/' &&
282 $referer != $CFG->httpswwwroot . '/login/' &&
283 strpos($referer, $CFG->httpswwwroot . '/login/?') !== 0 &&
284 strpos($referer, $CFG->httpswwwroot . '/login/index.php') !== 0) { // There might be some extra params such as ?lang=.
285 $SESSION->wantsurl = $referer;
286 }
287 }
288
289 /// Redirect to alternative login URL if needed
290 if (!empty($CFG->alternateloginurl)) {
291 $loginurl = new moodle_url($CFG->alternateloginurl);
292
293 $loginurlstr = $loginurl->out(false);
294
295 if (strpos($SESSION->wantsurl, $loginurlstr) === 0) {
296 // We do not want to return to alternate url.
297 $SESSION->wantsurl = null;
298 }
299
300 // If error code then add that to url.
301 if ($errorcode) {
302 $loginurl->param('errorcode', $errorcode);
303 }
304
305 redirect($loginurl->out(false));
306 }
307
308 // make sure we really are on the https page when https login required
309 $PAGE->verify_https_required();
310
311 /// Generate the login page with forms
312
313 if (!isset($frm) or !is_object($frm)) {
314 $frm = new stdClass();
315 }
316
317 if (empty($frm->username) && $authsequence[0] != 'shibboleth') { // See bug 5184
318 if (!empty($_GET["username"])) {
319 // we do not want data from _POST here
320 $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
321 } else {
322 $frm->username = get_moodle_cookie();
323 }
324
325 $frm->password = "";
326 }
327
328 if (!empty($SESSION->loginerrormsg)) {
329 // We had some errors before redirect, show them now.
330 $errormsg = $SESSION->loginerrormsg;
331 unset($SESSION->loginerrormsg);
332
333 } else if ($testsession) {
334 // No need to redirect here.
335 unset($SESSION->loginerrormsg);
336
337 } else if ($errormsg or !empty($frm->password)) {
338 // We must redirect after every password submission.
339 if ($errormsg) {
340 $SESSION->loginerrormsg = $errormsg;
341 }
342 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
343 }
344
345 $PAGE->set_title("$site->fullname: $loginsite");
346 $PAGE->set_heading("$site->fullname");
347
348 echo $OUTPUT->header();
349
350 if (isloggedin() and !isguestuser()) {
351 // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
352 echo $OUTPUT->box_start();
353 $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
354 $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
355 echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
356 echo $OUTPUT->box_end();
357 } else {
358 $loginform = new \core_auth\output\login($authsequence, $frm->username);
359 $loginform->set_error($errormsg);
360 echo $OUTPUT->render($loginform);
361 }
362
363 echo $OUTPUT->footer();
Read-only mirror of the Moodle CVS