2 // This file is part of Moodle - http://moodle.org/
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
20 * @copyright 1999 onwards Martin Dougiamas {@link http://moodle.com}
21 * @copyright 2008, 2009 Petr Skoda {@link http://skodak.org}
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
25 defined('MOODLE_INTERNAL') ||
die();
29 * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
30 * if one does not already exist, but does not overwrite existing sesskeys. Returns the
31 * sesskey string if $USER exists, or boolean false if not.
37 // note: do not use $USER because it may not be initialised yet
38 if (empty($_SESSION['USER']->sesskey
)) {
39 if (!isset($_SESSION['USER'])) {
40 // This should never happen,
41 // do not mess with session and globals here,
42 // let any checks fail instead!
45 $_SESSION['USER']->sesskey
= random_string(10);
48 return $_SESSION['USER']->sesskey
;
53 * Check the sesskey and return true of false for whether it is valid.
54 * (You might like to imagine this function is called sesskey_is_valid().)
56 * Every script that lets the user perform a significant action (that is,
57 * changes data in the database) should check the sesskey before doing the action.
58 * Depending on your code flow, you may want to use the {@link require_sesskey()}
61 * @param string $sesskey The sesskey value to check (optional). Normally leave this blank
62 * and this function will do required_param('sesskey', ...).
63 * @return bool whether the sesskey sent in the request matches the one stored in the session.
65 function confirm_sesskey($sesskey=NULL) {
68 if (!empty($USER->ignoresesskey
)) {
72 if (empty($sesskey)) {
73 $sesskey = required_param('sesskey', PARAM_RAW
); // Check script parameters
76 return (sesskey() === $sesskey);
80 * Check the session key using {@link confirm_sesskey()},
81 * and cause a fatal error if it does not match.
83 function require_sesskey() {
84 if (!confirm_sesskey()) {
85 print_error('invalidsesskey');
90 * Determine wether the secure flag should be set on cookies
93 function is_moodle_cookie_secure() {
96 if (!isset($CFG->cookiesecure
)) {
99 if (!is_https() and empty($CFG->sslproxy
)) {
102 return !empty($CFG->cookiesecure
);
106 * Sets a moodle cookie with a weakly encrypted username
108 * @param string $username to encrypt and place in a cookie, '' means delete current cookie
111 function set_moodle_cookie($username) {
114 if (NO_MOODLE_COOKIES
) {
118 if (empty($CFG->rememberusername
)) {
119 // erase current and do not store permanent cookies
123 if ($username === 'guest') {
124 // keep previous cookie in case of guest account login
128 $cookiename = 'MOODLEID1_'.$CFG->sessioncookie
;
130 $cookiesecure = is_moodle_cookie_secure();
132 // Delete old cookie.
133 setcookie($cookiename, '', time() - HOURSECS
, $CFG->sessioncookiepath
, $CFG->sessioncookiedomain
, $cookiesecure, $CFG->cookiehttponly
);
135 if ($username !== '') {
136 // Set username cookie for 60 days.
137 setcookie($cookiename, rc4encrypt($username), time() +
(DAYSECS
* 60), $CFG->sessioncookiepath
, $CFG->sessioncookiedomain
, $cookiesecure, $CFG->cookiehttponly
);
142 * Gets a moodle cookie with a weakly encrypted username
144 * @return string username
146 function get_moodle_cookie() {
149 if (NO_MOODLE_COOKIES
) {
153 if (empty($CFG->rememberusername
)) {
157 $cookiename = 'MOODLEID1_'.$CFG->sessioncookie
;
159 if (empty($_COOKIE[$cookiename])) {
162 $username = rc4decrypt($_COOKIE[$cookiename]);
163 if ($username === 'guest' or $username === 'nobody') {
164 // backwards compatibility - we do not set these cookies any more
172 * Sets up current user and course environment (lang, etc.) in cron.
173 * Do not use outside of cron script!
175 * @param stdClass $user full user object, null means default cron user (admin),
176 * value 'reset' means reset internal static caches.
177 * @param stdClass $course full course record, null means $SITE
178 * @param bool $leavepagealone If specified, stops it messing with global page object
181 function cron_setup_user($user = null, $course = null, $leavepagealone = false) {
182 global $CFG, $SITE, $PAGE;
184 if (!CLI_SCRIPT
&& !$leavepagealone) {
185 throw new coding_exception('Function cron_setup_user() cannot be used in normal requests!');
188 static $cronuser = NULL;
189 static $cronsession = NULL;
191 if ($user === 'reset') {
194 \core\session\manager
::init_empty_session();
198 if (empty($cronuser)) {
199 /// ignore admins timezone, language and locale - use site default instead!
200 $cronuser = get_admin();
201 $cronuser->timezone
= $CFG->timezone
;
202 $cronuser->lang
= '';
203 $cronuser->theme
= '';
204 unset($cronuser->description
);
206 $cronsession = new stdClass();
210 // Cached default cron user (==modified admin for now).
211 \core\session\manager
::init_empty_session();
212 \core\session\manager
::set_user($cronuser);
213 $GLOBALS['SESSION'] = $cronsession;
216 // Emulate real user session - needed for caps in cron.
217 if ($GLOBALS['USER']->id
!= $user->id
) {
218 \core\session\manager
::init_empty_session();
219 \core\session\manager
::set_user($user);
223 // TODO MDL-19774 relying on global $PAGE in cron is a bad idea.
224 // Temporary hack so that cron does not give fatal errors.
225 if (!$leavepagealone) {
226 $PAGE = new moodle_page();
228 $PAGE->set_course($course);
230 $PAGE->set_course($SITE);
234 // TODO: it should be possible to improve perf by caching some limited number of users here ;-)