login/index.php

   1 <?php
   2
   3 // This file is part of Moodle - http://moodle.org/
   4 //
   5 // Moodle is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // Moodle is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17
  18 /**
  19  * Main login page.
  20  *
  21  * @package    core
  22  * @subpackage auth
  23  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
  24  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25  */
  26
  27 require('../config.php');
  28 require_once('lib.php');
  29
  30 // Try to prevent searching for sites that allow sign-up.
  31 if (!isset($CFG->additionalhtmlhead)) {
  32     $CFG->additionalhtmlhead = '';
  33 }
  34 $CFG->additionalhtmlhead .= '<meta name="robots" content="noindex" />';
  35
  36 redirect_if_major_upgrade_required();
  37
  38 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
  39 $cancel      = optional_param('cancel', 0, PARAM_BOOL);      // redirect to frontpage, needed for loginhttps
  40
  41 if ($cancel) {
  42     redirect(new moodle_url('/'));
  43 }
  44
  45 //HTTPS is required in this page when $CFG->loginhttps enabled
  46 $PAGE->https_required();
  47
  48 $context = context_system::instance();
  49 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
  50 $PAGE->set_context($context);
  51 $PAGE->set_pagelayout('login');
  52
  53 /// Initialize variables
  54 $errormsg = '';
  55 $errorcode = 0;
  56
  57 // login page requested session test
  58 if ($testsession) {
  59     if ($testsession == $USER->id) {
  60         if (isset($SESSION->wantsurl)) {
  61             $urltogo = $SESSION->wantsurl;
  62         } else {
  63             $urltogo = $CFG->wwwroot.'/';
  64         }
  65         unset($SESSION->wantsurl);
  66         redirect($urltogo);
  67     } else {
  68         // TODO: try to find out what is the exact reason why sessions do not work
  69         $errormsg = get_string("cookiesnotenabled");
  70         $errorcode = 1;
  71     }
  72 }
  73
  74 /// Check for timed out sessions
  75 if (!empty($SESSION->has_timed_out)) {
  76     $session_has_timed_out = true;
  77     unset($SESSION->has_timed_out);
  78 } else {
  79     $session_has_timed_out = false;
  80 }
  81
  82 /// auth plugins may override these - SSO anyone?
  83 $frm  = false;
  84 $user = false;
  85
  86 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
  87 foreach($authsequence as $authname) {
  88     $authplugin = get_auth_plugin($authname);
  89     $authplugin->loginpage_hook();
  90 }
  91
  92
  93 /// Define variables used in page
  94 $site = get_site();
  95
  96 // Ignore any active pages in the navigation/settings.
  97 // We do this because there won't be an active page there, and by ignoring the active pages the
  98 // navigation and settings won't be initialised unless something else needs them.
  99 $PAGE->navbar->ignore_active();
 100 $loginsite = get_string("loginsite");
 101 $PAGE->navbar->add($loginsite);
 102
 103 if ($user !== false or $frm !== false or $errormsg !== '') {
 104     // some auth plugin already supplied full user, fake form data or prevented user login with error message
 105
 106 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
 107     // Handles the case of another Moodle site linking into a page on this site
 108     //TODO: move weblink into own auth plugin
 109     include($CFG->dirroot.'/login/weblinkauth.php');
 110     if (function_exists('weblink_auth')) {
 111         $user = weblink_auth($SESSION->wantsurl);
 112     }
 113     if ($user) {
 114         $frm->username = $user->username;
 115     } else {
 116         $frm = data_submitted();
 117     }
 118
 119 } else {
 120     $frm = data_submitted();
 121 }
 122
 123 /// Check if the user has actually submitted login data to us
 124
 125 if ($frm and isset($frm->username)) {                             // Login WITH cookies
 126
 127     $frm->username = trim(core_text::strtolower($frm->username));
 128
 129     if (is_enabled_auth('none') ) {
 130         if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
 131             $errormsg = get_string('username').': '.get_string("invalidusername");
 132             $errorcode = 2;
 133             $user = null;
 134         }
 135     }
 136
 137     if ($user) {
 138         //user already supplied by aut plugin prelogin hook
 139     } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
 140         $user = false;    /// Can't log in as guest if guest button is disabled
 141         $frm = false;
 142     } else {
 143         if (empty($errormsg)) {
 144             $user = authenticate_user_login($frm->username, $frm->password, false, $errorcode);
 145         }
 146     }
 147
 148     // Intercept 'restored' users to provide them with info & reset password
 149     if (!$user and $frm and is_restored_user($frm->username)) {
 150         $PAGE->set_title(get_string('restoredaccount'));
 151         $PAGE->set_heading($site->fullname);
 152         echo $OUTPUT->header();
 153         echo $OUTPUT->heading(get_string('restoredaccount'));
 154         echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
 155         require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
 156         $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
 157         $form->display();
 158         echo $OUTPUT->footer();
 159         die;
 160     }
 161
 162     if ($user) {
 163
 164         // language setup
 165         if (isguestuser($user)) {
 166             // no predefined language for guests - use existing session or default site lang
 167             unset($user->lang);
 168
 169         } else if (!empty($user->lang)) {
 170             // unset previous session language - use user preference instead
 171             unset($SESSION->lang);
 172         }
 173
 174         if (empty($user->confirmed)) {       // This account was never confirmed
 175             $PAGE->set_title(get_string("mustconfirm"));
 176             $PAGE->set_heading($site->fullname);
 177             echo $OUTPUT->header();
 178             echo $OUTPUT->heading(get_string("mustconfirm"));
 179             echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
 180             echo $OUTPUT->footer();
 181             die;
 182         }
 183
 184     /// Let's get them all set up.
 185         complete_user_login($user);
 186
 187         \core\session\manager::apply_concurrent_login_limit($user->id, session_id());
 188
 189         // sets the username cookie
 190         if (!empty($CFG->nolastloggedin)) {
 191             // do not store last logged in user in cookie
 192             // auth plugins can temporarily override this from loginpage_hook()
 193             // do not save $CFG->nolastloggedin in database!
 194
 195         } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
 196             // no permanent cookies, delete old one if exists
 197             set_moodle_cookie('');
 198
 199         } else {
 200             set_moodle_cookie($USER->username);
 201         }
 202
 203         $urltogo = core_login_get_return_url();
 204
 205     /// check if user password has expired
 206     /// Currently supported only for ldap-authentication module
 207         $userauth = get_auth_plugin($USER->auth);
 208         if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
 209             if ($userauth->can_change_password()) {
 210                 $passwordchangeurl = $userauth->change_password_url();
 211                 if (!$passwordchangeurl) {
 212                     $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 213                 }
 214             } else {
 215                 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 216             }
 217             $days2expire = $userauth->password_expire($USER->username);
 218             $PAGE->set_title("$site->fullname: $loginsite");
 219             $PAGE->set_heading("$site->fullname");
 220             if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
 221                 echo $OUTPUT->header();
 222                 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
 223                 echo $OUTPUT->footer();
 224                 exit;
 225             } elseif (intval($days2expire) < 0 ) {
 226                 echo $OUTPUT->header();
 227                 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
 228                 echo $OUTPUT->footer();
 229                 exit;
 230             }
 231         }
 232
 233         // Discard any errors before the last redirect.
 234         unset($SESSION->loginerrormsg);
 235
 236         // test the session actually works by redirecting to self
 237         $SESSION->wantsurl = $urltogo;
 238         redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
 239
 240     } else {
 241         if (empty($errormsg)) {
 242             if ($errorcode == AUTH_LOGIN_UNAUTHORISED) {
 243                 $errormsg = get_string("unauthorisedlogin", "", $frm->username);
 244             } else {
 245                 $errormsg = get_string("invalidlogin");
 246                 $errorcode = 3;
 247             }
 248         }
 249     }
 250 }
 251
 252 /// Detect problems with timedout sessions
 253 if ($session_has_timed_out and !data_submitted()) {
 254     $errormsg = get_string('sessionerroruser', 'error');
 255     $errorcode = 4;
 256 }
 257
 258 /// First, let's remember where the user was trying to get to before they got here
 259
 260 if (empty($SESSION->wantsurl)) {
 261     $SESSION->wantsurl = null;
 262     $referer = get_local_referer(false);
 263     if ($referer &&
 264             $referer != $CFG->wwwroot &&
 265             $referer != $CFG->wwwroot . '/' &&
 266             $referer != $CFG->httpswwwroot . '/login/' &&
 267             strpos($referer, $CFG->httpswwwroot . '/login/?') !== 0 &&
 268             strpos($referer, $CFG->httpswwwroot . '/login/index.php') !== 0) { // There might be some extra params such as ?lang=.
 269         $SESSION->wantsurl = $referer;
 270     }
 271 }
 272
 273 /// Redirect to alternative login URL if needed
 274 if (!empty($CFG->alternateloginurl)) {
 275     $loginurl = $CFG->alternateloginurl;
 276
 277     if (strpos($SESSION->wantsurl, $loginurl) === 0) {
 278         //we do not want to return to alternate url
 279         $SESSION->wantsurl = NULL;
 280     }
 281
 282     if ($errorcode) {
 283         if (strpos($loginurl, '?') === false) {
 284             $loginurl .= '?';
 285         } else {
 286             $loginurl .= '&';
 287         }
 288         $loginurl .= 'errorcode='.$errorcode;
 289     }
 290
 291     redirect($loginurl);
 292 }
 293
 294 // make sure we really are on the https page when https login required
 295 $PAGE->verify_https_required();
 296
 297 /// Generate the login page with forms
 298
 299 if (!isset($frm) or !is_object($frm)) {
 300     $frm = new stdClass();
 301 }
 302
 303 if (empty($frm->username) && $authsequence[0] != 'shibboleth') {  // See bug 5184
 304     if (!empty($_GET["username"])) {
 305         $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
 306     } else {
 307         $frm->username = get_moodle_cookie();
 308     }
 309
 310     $frm->password = "";
 311 }
 312
 313 if (!empty($frm->username)) {
 314     $focus = "password";
 315 } else {
 316     $focus = "username";
 317 }
 318
 319 if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
 320     $show_instructions = true;
 321 } else {
 322     $show_instructions = false;
 323 }
 324
 325 $potentialidps = array();
 326 foreach($authsequence as $authname) {
 327     $authplugin = get_auth_plugin($authname);
 328     $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
 329 }
 330
 331 if (!empty($SESSION->loginerrormsg)) {
 332     // We had some errors before redirect, show them now.
 333     $errormsg = $SESSION->loginerrormsg;
 334     unset($SESSION->loginerrormsg);
 335
 336 } else if ($testsession) {
 337     // No need to redirect here.
 338     unset($SESSION->loginerrormsg);
 339
 340 } else if ($errormsg or !empty($frm->password)) {
 341     // We must redirect after every password submission.
 342     if ($errormsg) {
 343         $SESSION->loginerrormsg = $errormsg;
 344     }
 345     redirect(new moodle_url('/login/index.php'));
 346 }
 347
 348 $PAGE->set_title("$site->fullname: $loginsite");
 349 $PAGE->set_heading("$site->fullname");
 350
 351 echo $OUTPUT->header();
 352
 353 if (isloggedin() and !isguestuser()) {
 354     // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
 355     echo $OUTPUT->box_start();
 356     $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
 357     $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
 358     echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
 359     echo $OUTPUT->box_end();
 360 } else {
 361     include("index_form.html");
 362     if ($errormsg) {
 363         $PAGE->requires->js_init_call('M.util.focus_login_error', null, true);
 364     } else if (!empty($CFG->loginpageautofocus)) {
 365         //focus username or password
 366         $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
 367     }
 368 }
 369
 370 echo $OUTPUT->footer();