search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'MDL-38286-m' of git://github.com/andrewnicols/moodle
[moodle.git] / login / index.php
blobc4e21f61249e6722fb4e0fabc0e9d4165af47d5b
1 <?php
2
3 // This file is part of Moodle - http://moodle.org/
4 //
5 // Moodle is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // Moodle is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License
16 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
17
18 /**
19 * Main login page.
20 *
21 * @package core
22 * @subpackage auth
23 * @copyright 1999 onwards Martin Dougiamas http://dougiamas.com
24 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
25 */
26
27 require('../config.php');
28
29 // Try to prevent searching for sites that allow sign-up.
30 if (!isset($CFG->additionalhtmlhead)) {
31 $CFG->additionalhtmlhead = '';
32 }
33 $CFG->additionalhtmlhead .= '<meta name="robots" content="noindex" />';
34
35 redirect_if_major_upgrade_required();
36
37 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
38 $cancel = optional_param('cancel', 0, PARAM_BOOL); // redirect to frontpage, needed for loginhttps
39
40 if ($cancel) {
41 redirect(new moodle_url('/'));
42 }
43
44 //HTTPS is required in this page when $CFG->loginhttps enabled
45 $PAGE->https_required();
46
47 $context = context_system::instance();
48 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
49 $PAGE->set_context($context);
50 $PAGE->set_pagelayout('login');
51
52 /// Initialize variables
53 $errormsg = '';
54 $errorcode = 0;
55
56 // login page requested session test
57 if ($testsession) {
58 if ($testsession == $USER->id) {
59 if (isset($SESSION->wantsurl)) {
60 $urltogo = $SESSION->wantsurl;
61 } else {
62 $urltogo = $CFG->wwwroot.'/';
63 }
64 unset($SESSION->wantsurl);
65 redirect($urltogo);
66 } else {
67 // TODO: try to find out what is the exact reason why sessions do not work
68 $errormsg = get_string("cookiesnotenabled");
69 $errorcode = 1;
70 }
71 }
72
73 /// Check for timed out sessions
74 if (!empty($SESSION->has_timed_out)) {
75 $session_has_timed_out = true;
76 unset($SESSION->has_timed_out);
77 } else {
78 $session_has_timed_out = false;
79 }
80
81 /// auth plugins may override these - SSO anyone?
82 $frm = false;
83 $user = false;
84
85 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
86 foreach($authsequence as $authname) {
87 $authplugin = get_auth_plugin($authname);
88 $authplugin->loginpage_hook();
89 }
90
91
92 /// Define variables used in page
93 $site = get_site();
94
95 $loginsite = get_string("loginsite");
96 $PAGE->navbar->add($loginsite);
97
98 if ($user !== false or $frm !== false or $errormsg !== '') {
99 // some auth plugin already supplied full user, fake form data or prevented user login with error message
100
101 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
102 // Handles the case of another Moodle site linking into a page on this site
103 //TODO: move weblink into own auth plugin
104 include($CFG->dirroot.'/login/weblinkauth.php');
105 if (function_exists('weblink_auth')) {
106 $user = weblink_auth($SESSION->wantsurl);
107 }
108 if ($user) {
109 $frm->username = $user->username;
110 } else {
111 $frm = data_submitted();
112 }
113
114 } else {
115 $frm = data_submitted();
116 }
117
118 /// Check if the user has actually submitted login data to us
119
120 if ($frm and isset($frm->username)) { // Login WITH cookies
121
122 $frm->username = trim(core_text::strtolower($frm->username));
123
124 if (is_enabled_auth('none') ) {
125 if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
126 $errormsg = get_string('username').': '.get_string("invalidusername");
127 $errorcode = 2;
128 $user = null;
129 }
130 }
131
132 if ($user) {
133 //user already supplied by aut plugin prelogin hook
134 } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
135 $user = false; /// Can't log in as guest if guest button is disabled
136 $frm = false;
137 } else {
138 if (empty($errormsg)) {
139 $user = authenticate_user_login($frm->username, $frm->password);
140 }
141 }
142
143 // Intercept 'restored' users to provide them with info & reset password
144 if (!$user and $frm and is_restored_user($frm->username)) {
145 $PAGE->set_title(get_string('restoredaccount'));
146 $PAGE->set_heading($site->fullname);
147 echo $OUTPUT->header();
148 echo $OUTPUT->heading(get_string('restoredaccount'));
149 echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
150 require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
151 $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
152 $form->display();
153 echo $OUTPUT->footer();
154 die;
155 }
156
157 if ($user) {
158
159 // language setup
160 if (isguestuser($user)) {
161 // no predefined language for guests - use existing session or default site lang
162 unset($user->lang);
163
164 } else if (!empty($user->lang)) {
165 // unset previous session language - use user preference instead
166 unset($SESSION->lang);
167 }
168
169 if (empty($user->confirmed)) { // This account was never confirmed
170 $PAGE->set_title(get_string("mustconfirm"));
171 $PAGE->set_heading($site->fullname);
172 echo $OUTPUT->header();
173 echo $OUTPUT->heading(get_string("mustconfirm"));
174 echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
175 echo $OUTPUT->footer();
176 die;
177 }
178
179 /// Let's get them all set up.
180 complete_user_login($user);
181
182 // sets the username cookie
183 if (!empty($CFG->nolastloggedin)) {
184 // do not store last logged in user in cookie
185 // auth plugins can temporarily override this from loginpage_hook()
186 // do not save $CFG->nolastloggedin in database!
187
188 } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
189 // no permanent cookies, delete old one if exists
190 set_moodle_cookie('');
191
192 } else {
193 set_moodle_cookie($USER->username);
194 }
195
196 /// Prepare redirection
197 if (user_not_fully_set_up($USER)) {
198 $urltogo = $CFG->wwwroot.'/user/edit.php';
199 // We don't delete $SESSION->wantsurl yet, so we get there later
200
201 } else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0 or strpos($SESSION->wantsurl, str_replace('http://', 'https://', $CFG->wwwroot)) === 0)) {
202 $urltogo = $SESSION->wantsurl; /// Because it's an address in this site
203 unset($SESSION->wantsurl);
204
205 } else {
206 // no wantsurl stored or external - go to homepage
207 $urltogo = $CFG->wwwroot.'/';
208 unset($SESSION->wantsurl);
209 }
210
211 // If the url to go to is the same as the site page, check for default homepage.
212 if ($urltogo == ($CFG->wwwroot . '/')) {
213 $home_page = get_home_page();
214 // Go to my-moodle page instead of site homepage if defaulthomepage set to homepage_my
215 if ($home_page == HOMEPAGE_MY && !is_siteadmin() && !isguestuser()) {
216 if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
217 $urltogo = $CFG->wwwroot.'/my/';
218 }
219 }
220 }
221
222 /// check if user password has expired
223 /// Currently supported only for ldap-authentication module
224 $userauth = get_auth_plugin($USER->auth);
225 if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
226 if ($userauth->can_change_password()) {
227 $passwordchangeurl = $userauth->change_password_url();
228 if (!$passwordchangeurl) {
229 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
230 }
231 } else {
232 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
233 }
234 $days2expire = $userauth->password_expire($USER->username);
235 $PAGE->set_title("$site->fullname: $loginsite");
236 $PAGE->set_heading("$site->fullname");
237 if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
238 echo $OUTPUT->header();
239 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
240 echo $OUTPUT->footer();
241 exit;
242 } elseif (intval($days2expire) < 0 ) {
243 echo $OUTPUT->header();
244 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
245 echo $OUTPUT->footer();
246 exit;
247 }
248 }
249
250 // Discard any errors before the last redirect.
251 unset($SESSION->loginerrormsg);
252
253 // test the session actually works by redirecting to self
254 $SESSION->wantsurl = $urltogo;
255 redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
256
257 } else {
258 if (empty($errormsg)) {
259 $errormsg = get_string("invalidlogin");
260 $errorcode = 3;
261 }
262 }
263 }
264
265 /// Detect problems with timedout sessions
266 if ($session_has_timed_out and !data_submitted()) {
267 $errormsg = get_string('sessionerroruser', 'error');
268 $errorcode = 4;
269 }
270
271 /// First, let's remember where the user was trying to get to before they got here
272
273 if (empty($SESSION->wantsurl)) {
274 $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
275 $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
276 $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
277 $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
278 $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/index.php')
279 ? $_SERVER["HTTP_REFERER"] : NULL;
280 }
281
282 /// Redirect to alternative login URL if needed
283 if (!empty($CFG->alternateloginurl)) {
284 $loginurl = $CFG->alternateloginurl;
285
286 if (strpos($SESSION->wantsurl, $loginurl) === 0) {
287 //we do not want to return to alternate url
288 $SESSION->wantsurl = NULL;
289 }
290
291 if ($errorcode) {
292 if (strpos($loginurl, '?') === false) {
293 $loginurl .= '?';
294 } else {
295 $loginurl .= '&';
296 }
297 $loginurl .= 'errorcode='.$errorcode;
298 }
299
300 redirect($loginurl);
301 }
302
303 // make sure we really are on the https page when https login required
304 $PAGE->verify_https_required();
305
306 /// Generate the login page with forms
307
308 if (!isset($frm) or !is_object($frm)) {
309 $frm = new stdClass();
310 }
311
312 if (empty($frm->username) && $authsequence[0] != 'shibboleth') { // See bug 5184
313 if (!empty($_GET["username"])) {
314 $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
315 } else {
316 $frm->username = get_moodle_cookie();
317 }
318
319 $frm->password = "";
320 }
321
322 if (!empty($frm->username)) {
323 $focus = "password";
324 } else {
325 $focus = "username";
326 }
327
328 if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
329 $show_instructions = true;
330 } else {
331 $show_instructions = false;
332 }
333
334 $potentialidps = array();
335 foreach($authsequence as $authname) {
336 $authplugin = get_auth_plugin($authname);
337 $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
338 }
339
340 if (!empty($SESSION->loginerrormsg)) {
341 // We had some errors before redirect, show them now.
342 $errormsg = $SESSION->loginerrormsg;
343 unset($SESSION->loginerrormsg);
344
345 } else if ($testsession) {
346 // No need to redirect here.
347 unset($SESSION->loginerrormsg);
348
349 } else if ($errormsg or !empty($frm->password)) {
350 // We must redirect after every password submission.
351 if ($errormsg) {
352 $SESSION->loginerrormsg = $errormsg;
353 }
354 redirect(new moodle_url('/login/index.php'));
355 }
356
357 $PAGE->set_title("$site->fullname: $loginsite");
358 $PAGE->set_heading("$site->fullname");
359
360 echo $OUTPUT->header();
361
362 if (isloggedin() and !isguestuser()) {
363 // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
364 echo $OUTPUT->box_start();
365 $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
366 $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
367 echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
368 echo $OUTPUT->box_end();
369 } else {
370 include("index_form.html");
371 if ($errormsg) {
372 $PAGE->requires->js_init_call('M.util.focus_login_error', null, true);
373 } else if (!empty($CFG->loginpageautofocus)) {
374 //focus username or password
375 $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
376 }
377 }
378
379 echo $OUTPUT->footer();
Read-only mirror of the Moodle CVS