search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MDL-25826 import HTMLPurifier 4.3.0
[moodle.git] / login / index.php
blobb0791ed5bf1e4c37497384949395135d9bfa1532
1 <?php
2
3 // This file is part of Moodle - http://moodle.org/
4 //
5 // Moodle is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // Moodle is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License
16 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
17
18 /**
19 * Main login page.
20 *
21 * @package core
22 * @subpackage auth
23 * @copyright 1999 onwards Martin Dougiamas http://dougiamas.com
24 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
25 */
26
27 require('../config.php');
28
29 redirect_if_major_upgrade_required();
30
31 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
32 $cancel = optional_param('cancel', 0, PARAM_BOOL); // redirect to frontpage, needed for loginhttps
33
34 if ($cancel) {
35 redirect(new moodle_url('/'));
36 }
37
38 //HTTPS is required in this page when $CFG->loginhttps enabled
39 $PAGE->https_required();
40
41 $context = get_context_instance(CONTEXT_SYSTEM);
42 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
43 $PAGE->set_context($context);
44 $PAGE->set_pagelayout('login');
45
46 /// Initialize variables
47 $errormsg = '';
48 $errorcode = 0;
49
50 // login page requested session test
51 if ($testsession) {
52 if ($testsession == $USER->id) {
53 if (isset($SESSION->wantsurl)) {
54 $urltogo = $SESSION->wantsurl;
55 } else {
56 $urltogo = $CFG->wwwroot.'/';
57 }
58 unset($SESSION->wantsurl);
59 redirect($urltogo);
60 } else {
61 // TODO: try to find out what is the exact reason why sessions do not work
62 $errormsg = get_string("cookiesnotenabled");
63 $errorcode = 1;
64 }
65 }
66
67 /// Check for timed out sessions
68 if (!empty($SESSION->has_timed_out)) {
69 $session_has_timed_out = true;
70 unset($SESSION->has_timed_out);
71 } else {
72 $session_has_timed_out = false;
73 }
74
75 /// auth plugins may override these - SSO anyone?
76 $frm = false;
77 $user = false;
78
79 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
80 foreach($authsequence as $authname) {
81 $authplugin = get_auth_plugin($authname);
82 $authplugin->loginpage_hook();
83 }
84
85
86 /// Define variables used in page
87 $site = get_site();
88
89 $loginsite = get_string("loginsite");
90 $PAGE->navbar->add($loginsite);
91
92 if ($user !== false or $frm !== false or $errormsg !== '') {
93 // some auth plugin already supplied full user, fake form data or prevented user login with error message
94
95 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
96 // Handles the case of another Moodle site linking into a page on this site
97 //TODO: move weblink into own auth plugin
98 include($CFG->dirroot.'/login/weblinkauth.php');
99 if (function_exists('weblink_auth')) {
100 $user = weblink_auth($SESSION->wantsurl);
101 }
102 if ($user) {
103 $frm->username = $user->username;
104 } else {
105 $frm = data_submitted();
106 }
107
108 } else {
109 $frm = data_submitted();
110 }
111
112 /// Check if the user has actually submitted login data to us
113
114 if ($frm and isset($frm->username)) { // Login WITH cookies
115
116 $frm->username = trim(moodle_strtolower($frm->username));
117
118 if (is_enabled_auth('none') ) {
119 if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
120 $errormsg = get_string('username').': '.get_string("invalidusername");
121 $errorcode = 2;
122 $user = null;
123 }
124 }
125
126 if ($user) {
127 //user already supplied by aut plugin prelogin hook
128 } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
129 $user = false; /// Can't log in as guest if guest button is disabled
130 $frm = false;
131 } else {
132 if (empty($errormsg)) {
133 $user = authenticate_user_login($frm->username, $frm->password);
134 }
135 }
136
137 // Intercept 'restored' users to provide them with info & reset password
138 if (!$user and $frm and is_restored_user($frm->username)) {
139 $PAGE->set_title(get_string('restoredaccount'));
140 $PAGE->set_heading($site->fullname);
141 echo $OUTPUT->header();
142 echo $OUTPUT->heading(get_string('restoredaccount'));
143 echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
144 require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
145 $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
146 $form->display();
147 echo $OUTPUT->footer();
148 die;
149 }
150
151 update_login_count();
152
153 if ($user) {
154
155 // language setup
156 if (isguestuser($user)) {
157 // no predefined language for guests - use existing session or default site lang
158 unset($user->lang);
159
160 } else if (!empty($user->lang)) {
161 // unset previous session language - use user preference instead
162 unset($SESSION->lang);
163 }
164
165 if (empty($user->confirmed)) { // This account was never confirmed
166 $PAGE->set_title(get_string("mustconfirm"));
167 $PAGE->set_heading($site->fullname);
168 echo $OUTPUT->header();
169 echo $OUTPUT->heading(get_string("mustconfirm"));
170 echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
171 echo $OUTPUT->footer();
172 die;
173 }
174
175 /// Let's get them all set up.
176 add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID,
177 $user->id, 0, $user->id);
178 complete_user_login($user, true); // sets the username cookie
179
180 /// Prepare redirection
181 if (user_not_fully_set_up($USER)) {
182 $urltogo = $CFG->wwwroot.'/user/edit.php';
183 // We don't delete $SESSION->wantsurl yet, so we get there later
184
185 } else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0 or strpos($SESSION->wantsurl, str_replace('http://', 'https://', $CFG->wwwroot)) === 0)) {
186 $urltogo = $SESSION->wantsurl; /// Because it's an address in this site
187 unset($SESSION->wantsurl);
188
189 } else {
190 // no wantsurl stored or external - go to homepage
191 $urltogo = $CFG->wwwroot.'/';
192 unset($SESSION->wantsurl);
193 }
194
195 /// Go to my-moodle page instead of site homepage if defaulthomepage set to homepage_my
196 if (!empty($CFG->defaulthomepage) && $CFG->defaulthomepage == HOMEPAGE_MY && !is_siteadmin() && !isguestuser()) {
197 if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
198 $urltogo = $CFG->wwwroot.'/my/';
199 }
200 }
201
202
203 /// check if user password has expired
204 /// Currently supported only for ldap-authentication module
205 $userauth = get_auth_plugin($USER->auth);
206 if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
207 if ($userauth->can_change_password()) {
208 $passwordchangeurl = $userauth->change_password_url();
209 if (!$passwordchangeurl) {
210 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
211 }
212 } else {
213 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
214 }
215 $days2expire = $userauth->password_expire($USER->username);
216 $PAGE->set_title("$site->fullname: $loginsite");
217 $PAGE->set_heading("$site->fullname");
218 if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
219 echo $OUTPUT->header();
220 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
221 echo $OUTPUT->footer();
222 exit;
223 } elseif (intval($days2expire) < 0 ) {
224 echo $OUTPUT->header();
225 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
226 echo $OUTPUT->footer();
227 exit;
228 }
229 }
230
231 reset_login_count();
232
233 // test the session actually works by redirecting to self
234 $SESSION->wantsurl = $urltogo;
235 redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
236
237 } else {
238 if (empty($errormsg)) {
239 $errormsg = get_string("invalidlogin");
240 $errorcode = 3;
241 }
242 }
243 }
244
245 /// Detect problems with timedout sessions
246 if ($session_has_timed_out and !data_submitted()) {
247 $errormsg = get_string('sessionerroruser', 'error');
248 $errorcode = 4;
249 }
250
251 /// First, let's remember where the user was trying to get to before they got here
252
253 if (empty($SESSION->wantsurl)) {
254 $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
255 $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
256 $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
257 $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
258 $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/index.php')
259 ? $_SERVER["HTTP_REFERER"] : NULL;
260 }
261
262 /// Redirect to alternative login URL if needed
263 if (!empty($CFG->alternateloginurl)) {
264 $loginurl = $CFG->alternateloginurl;
265
266 if (strpos($SESSION->wantsurl, $loginurl) === 0) {
267 //we do not want to return to alternate url
268 $SESSION->wantsurl = NULL;
269 }
270
271 if ($errorcode) {
272 if (strpos($loginurl, '?') === false) {
273 $loginurl .= '?';
274 } else {
275 $loginurl .= '&';
276 }
277 $loginurl .= 'errorcode='.$errorcode;
278 }
279
280 redirect($loginurl);
281 }
282
283 // make sure we really are on the https page when https login required
284 $PAGE->verify_https_required();
285
286 /// Generate the login page with forms
287
288 if (empty($frm->username) && $authsequence[0] != 'shibboleth') { // See bug 5184
289 if (!empty($_GET["username"])) {
290 $frm->username = $_GET["username"];
291 } else {
292 $frm->username = get_moodle_cookie() === 'nobody' ? '' : get_moodle_cookie();
293 }
294
295 $frm->password = "";
296 }
297
298 if (!empty($frm->username)) {
299 $focus = "password";
300 } else {
301 $focus = "username";
302 }
303
304 if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
305 $show_instructions = true;
306 } else {
307 $show_instructions = false;
308 }
309
310 $potentialidps = array();
311 foreach($authsequence as $authname) {
312 $authplugin = get_auth_plugin($authname);
313 $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
314 }
315
316 $PAGE->set_title("$site->fullname: $loginsite");
317 $PAGE->set_heading("$site->fullname");
318
319 echo $OUTPUT->header();
320
321 if (isloggedin() and !isguestuser()) {
322 // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
323 echo $OUTPUT->box_start();
324 $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
325 $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
326 echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
327 echo $OUTPUT->box_end();
328 } else {
329 include("index_form.html");
330 }
331
332 echo $OUTPUT->footer();
Read-only mirror of the Moodle CVS