login/index.php

   1 <?php
   2
   3 // This file is part of Moodle - http://moodle.org/
   4 //
   5 // Moodle is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // Moodle is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17
  18 /**
  19  * Main login page.
  20  *
  21  * @package    core
  22  * @subpackage auth
  23  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
  24  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25  */
  26
  27 require('../config.php');
  28 require_once('lib.php');
  29
  30 // Try to prevent searching for sites that allow sign-up.
  31 if (!isset($CFG->additionalhtmlhead)) {
  32     $CFG->additionalhtmlhead = '';
  33 }
  34 $CFG->additionalhtmlhead .= '<meta name="robots" content="noindex" />';
  35
  36 redirect_if_major_upgrade_required();
  37
  38 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
  39 $cancel      = optional_param('cancel', 0, PARAM_BOOL);      // redirect to frontpage, needed for loginhttps
  40
  41 if ($cancel) {
  42     redirect(new moodle_url('/'));
  43 }
  44
  45 //HTTPS is required in this page when $CFG->loginhttps enabled
  46 $PAGE->https_required();
  47
  48 $context = context_system::instance();
  49 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
  50 $PAGE->set_context($context);
  51 $PAGE->set_pagelayout('login');
  52
  53 /// Initialize variables
  54 $errormsg = '';
  55 $errorcode = 0;
  56
  57 // login page requested session test
  58 if ($testsession) {
  59     if ($testsession == $USER->id) {
  60         if (isset($SESSION->wantsurl)) {
  61             $urltogo = $SESSION->wantsurl;
  62         } else {
  63             $urltogo = $CFG->wwwroot.'/';
  64         }
  65         unset($SESSION->wantsurl);
  66         redirect($urltogo);
  67     } else {
  68         // TODO: try to find out what is the exact reason why sessions do not work
  69         $errormsg = get_string("cookiesnotenabled");
  70         $errorcode = 1;
  71     }
  72 }
  73
  74 /// Check for timed out sessions
  75 if (!empty($SESSION->has_timed_out)) {
  76     $session_has_timed_out = true;
  77     unset($SESSION->has_timed_out);
  78 } else {
  79     $session_has_timed_out = false;
  80 }
  81
  82 /// auth plugins may override these - SSO anyone?
  83 $frm  = false;
  84 $user = false;
  85
  86 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
  87 foreach($authsequence as $authname) {
  88     $authplugin = get_auth_plugin($authname);
  89     $authplugin->loginpage_hook();
  90 }
  91
  92
  93 /// Define variables used in page
  94 $site = get_site();
  95
  96 $loginsite = get_string("loginsite");
  97 $PAGE->navbar->add($loginsite);
  98
  99 if ($user !== false or $frm !== false or $errormsg !== '') {
 100     // some auth plugin already supplied full user, fake form data or prevented user login with error message
 101
 102 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
 103     // Handles the case of another Moodle site linking into a page on this site
 104     //TODO: move weblink into own auth plugin
 105     include($CFG->dirroot.'/login/weblinkauth.php');
 106     if (function_exists('weblink_auth')) {
 107         $user = weblink_auth($SESSION->wantsurl);
 108     }
 109     if ($user) {
 110         $frm->username = $user->username;
 111     } else {
 112         $frm = data_submitted();
 113     }
 114
 115 } else {
 116     $frm = data_submitted();
 117 }
 118
 119 /// Check if the user has actually submitted login data to us
 120
 121 if ($frm and isset($frm->username)) {                             // Login WITH cookies
 122
 123     $frm->username = trim(core_text::strtolower($frm->username));
 124
 125     if (is_enabled_auth('none') ) {
 126         if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
 127             $errormsg = get_string('username').': '.get_string("invalidusername");
 128             $errorcode = 2;
 129             $user = null;
 130         }
 131     }
 132
 133     if ($user) {
 134         //user already supplied by aut plugin prelogin hook
 135     } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
 136         $user = false;    /// Can't log in as guest if guest button is disabled
 137         $frm = false;
 138     } else {
 139         if (empty($errormsg)) {
 140             $user = authenticate_user_login($frm->username, $frm->password, false, $errorcode);
 141         }
 142     }
 143
 144     // Intercept 'restored' users to provide them with info & reset password
 145     if (!$user and $frm and is_restored_user($frm->username)) {
 146         $PAGE->set_title(get_string('restoredaccount'));
 147         $PAGE->set_heading($site->fullname);
 148         echo $OUTPUT->header();
 149         echo $OUTPUT->heading(get_string('restoredaccount'));
 150         echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
 151         require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
 152         $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
 153         $form->display();
 154         echo $OUTPUT->footer();
 155         die;
 156     }
 157
 158     if ($user) {
 159
 160         // language setup
 161         if (isguestuser($user)) {
 162             // no predefined language for guests - use existing session or default site lang
 163             unset($user->lang);
 164
 165         } else if (!empty($user->lang)) {
 166             // unset previous session language - use user preference instead
 167             unset($SESSION->lang);
 168         }
 169
 170         if (empty($user->confirmed)) {       // This account was never confirmed
 171             $PAGE->set_title(get_string("mustconfirm"));
 172             $PAGE->set_heading($site->fullname);
 173             echo $OUTPUT->header();
 174             echo $OUTPUT->heading(get_string("mustconfirm"));
 175             echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
 176             echo $OUTPUT->footer();
 177             die;
 178         }
 179
 180     /// Let's get them all set up.
 181         complete_user_login($user);
 182
 183         // sets the username cookie
 184         if (!empty($CFG->nolastloggedin)) {
 185             // do not store last logged in user in cookie
 186             // auth plugins can temporarily override this from loginpage_hook()
 187             // do not save $CFG->nolastloggedin in database!
 188
 189         } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
 190             // no permanent cookies, delete old one if exists
 191             set_moodle_cookie('');
 192
 193         } else {
 194             set_moodle_cookie($USER->username);
 195         }
 196
 197         $urltogo = core_login_get_return_url();
 198
 199     /// check if user password has expired
 200     /// Currently supported only for ldap-authentication module
 201         $userauth = get_auth_plugin($USER->auth);
 202         if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
 203             if ($userauth->can_change_password()) {
 204                 $passwordchangeurl = $userauth->change_password_url();
 205                 if (!$passwordchangeurl) {
 206                     $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 207                 }
 208             } else {
 209                 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 210             }
 211             $days2expire = $userauth->password_expire($USER->username);
 212             $PAGE->set_title("$site->fullname: $loginsite");
 213             $PAGE->set_heading("$site->fullname");
 214             if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
 215                 echo $OUTPUT->header();
 216                 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
 217                 echo $OUTPUT->footer();
 218                 exit;
 219             } elseif (intval($days2expire) < 0 ) {
 220                 echo $OUTPUT->header();
 221                 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
 222                 echo $OUTPUT->footer();
 223                 exit;
 224             }
 225         }
 226
 227         // Discard any errors before the last redirect.
 228         unset($SESSION->loginerrormsg);
 229
 230         // test the session actually works by redirecting to self
 231         $SESSION->wantsurl = $urltogo;
 232         redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
 233
 234     } else {
 235         if (empty($errormsg)) {
 236             if ($errorcode == AUTH_LOGIN_UNAUTHORISED) {
 237                 $errormsg = get_string("unauthorisedlogin", "", $frm->username);
 238             } else {
 239                 $errormsg = get_string("invalidlogin");
 240                 $errorcode = 3;
 241             }
 242         }
 243     }
 244 }
 245
 246 /// Detect problems with timedout sessions
 247 if ($session_has_timed_out and !data_submitted()) {
 248     $errormsg = get_string('sessionerroruser', 'error');
 249     $errorcode = 4;
 250 }
 251
 252 /// First, let's remember where the user was trying to get to before they got here
 253
 254 if (empty($SESSION->wantsurl)) {
 255     $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
 256                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
 257                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
 258                           $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
 259                           strpos($_SERVER["HTTP_REFERER"], $CFG->httpswwwroot.'/login/?') !== 0 &&
 260                           strpos($_SERVER["HTTP_REFERER"], $CFG->httpswwwroot.'/login/index.php') !== 0) // There might be some extra params such as ?lang=.
 261         ? $_SERVER["HTTP_REFERER"] : NULL;
 262 }
 263
 264 /// Redirect to alternative login URL if needed
 265 if (!empty($CFG->alternateloginurl)) {
 266     $loginurl = $CFG->alternateloginurl;
 267
 268     if (strpos($SESSION->wantsurl, $loginurl) === 0) {
 269         //we do not want to return to alternate url
 270         $SESSION->wantsurl = NULL;
 271     }
 272
 273     if ($errorcode) {
 274         if (strpos($loginurl, '?') === false) {
 275             $loginurl .= '?';
 276         } else {
 277             $loginurl .= '&';
 278         }
 279         $loginurl .= 'errorcode='.$errorcode;
 280     }
 281
 282     redirect($loginurl);
 283 }
 284
 285 // make sure we really are on the https page when https login required
 286 $PAGE->verify_https_required();
 287
 288 /// Generate the login page with forms
 289
 290 if (!isset($frm) or !is_object($frm)) {
 291     $frm = new stdClass();
 292 }
 293
 294 if (empty($frm->username) && $authsequence[0] != 'shibboleth') {  // See bug 5184
 295     if (!empty($_GET["username"])) {
 296         $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
 297     } else {
 298         $frm->username = get_moodle_cookie();
 299     }
 300
 301     $frm->password = "";
 302 }
 303
 304 if (!empty($frm->username)) {
 305     $focus = "password";
 306 } else {
 307     $focus = "username";
 308 }
 309
 310 if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
 311     $show_instructions = true;
 312 } else {
 313     $show_instructions = false;
 314 }
 315
 316 $potentialidps = array();
 317 foreach($authsequence as $authname) {
 318     $authplugin = get_auth_plugin($authname);
 319     $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
 320 }
 321
 322 if (!empty($SESSION->loginerrormsg)) {
 323     // We had some errors before redirect, show them now.
 324     $errormsg = $SESSION->loginerrormsg;
 325     unset($SESSION->loginerrormsg);
 326
 327 } else if ($testsession) {
 328     // No need to redirect here.
 329     unset($SESSION->loginerrormsg);
 330
 331 } else if ($errormsg or !empty($frm->password)) {
 332     // We must redirect after every password submission.
 333     if ($errormsg) {
 334         $SESSION->loginerrormsg = $errormsg;
 335     }
 336     redirect(new moodle_url('/login/index.php'));
 337 }
 338
 339 $PAGE->set_title("$site->fullname: $loginsite");
 340 $PAGE->set_heading("$site->fullname");
 341
 342 echo $OUTPUT->header();
 343
 344 if (isloggedin() and !isguestuser()) {
 345     // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
 346     echo $OUTPUT->box_start();
 347     $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
 348     $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
 349     echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
 350     echo $OUTPUT->box_end();
 351 } else {
 352     include("index_form.html");
 353     if ($errormsg) {
 354         $PAGE->requires->js_init_call('M.util.focus_login_error', null, true);
 355     } else if (!empty($CFG->loginpageautofocus)) {
 356         //focus username or password
 357         $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
 358     }
 359 }
 360
 361 echo $OUTPUT->footer();