login/index.php

   1 <?php
   2
   3 // This file is part of Moodle - http://moodle.org/
   4 //
   5 // Moodle is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // Moodle is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17
  18 /**
  19  * Main login page.
  20  *
  21  * @package    core
  22  * @subpackage auth
  23  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
  24  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25  */
  26
  27 require('../config.php');
  28
  29 // Try to prevent searching for sites that allow sign-up.
  30 if (!isset($CFG->additionalhtmlhead)) {
  31     $CFG->additionalhtmlhead = '';
  32 }
  33 $CFG->additionalhtmlhead .= '<meta name="robots" content="noindex" />';
  34
  35 redirect_if_major_upgrade_required();
  36
  37 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
  38 $cancel      = optional_param('cancel', 0, PARAM_BOOL);      // redirect to frontpage, needed for loginhttps
  39
  40 if ($cancel) {
  41     redirect(new moodle_url('/'));
  42 }
  43
  44 //HTTPS is required in this page when $CFG->loginhttps enabled
  45 $PAGE->https_required();
  46
  47 $context = context_system::instance();
  48 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
  49 $PAGE->set_context($context);
  50 $PAGE->set_pagelayout('login');
  51
  52 /// Initialize variables
  53 $errormsg = '';
  54 $errorcode = 0;
  55
  56 // login page requested session test
  57 if ($testsession) {
  58     if ($testsession == $USER->id) {
  59         if (isset($SESSION->wantsurl)) {
  60             $urltogo = $SESSION->wantsurl;
  61         } else {
  62             $urltogo = $CFG->wwwroot.'/';
  63         }
  64         unset($SESSION->wantsurl);
  65         redirect($urltogo);
  66     } else {
  67         // TODO: try to find out what is the exact reason why sessions do not work
  68         $errormsg = get_string("cookiesnotenabled");
  69         $errorcode = 1;
  70     }
  71 }
  72
  73 /// Check for timed out sessions
  74 if (!empty($SESSION->has_timed_out)) {
  75     $session_has_timed_out = true;
  76     unset($SESSION->has_timed_out);
  77 } else {
  78     $session_has_timed_out = false;
  79 }
  80
  81 /// auth plugins may override these - SSO anyone?
  82 $frm  = false;
  83 $user = false;
  84
  85 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
  86 foreach($authsequence as $authname) {
  87     $authplugin = get_auth_plugin($authname);
  88     $authplugin->loginpage_hook();
  89 }
  90
  91
  92 /// Define variables used in page
  93 $site = get_site();
  94
  95 $loginsite = get_string("loginsite");
  96 $PAGE->navbar->add($loginsite);
  97
  98 if ($user !== false or $frm !== false or $errormsg !== '') {
  99     // some auth plugin already supplied full user, fake form data or prevented user login with error message
 100
 101 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
 102     // Handles the case of another Moodle site linking into a page on this site
 103     //TODO: move weblink into own auth plugin
 104     include($CFG->dirroot.'/login/weblinkauth.php');
 105     if (function_exists('weblink_auth')) {
 106         $user = weblink_auth($SESSION->wantsurl);
 107     }
 108     if ($user) {
 109         $frm->username = $user->username;
 110     } else {
 111         $frm = data_submitted();
 112     }
 113
 114 } else {
 115     $frm = data_submitted();
 116 }
 117
 118 /// Check if the user has actually submitted login data to us
 119
 120 if ($frm and isset($frm->username)) {                             // Login WITH cookies
 121
 122     $frm->username = trim(textlib::strtolower($frm->username));
 123
 124     if (is_enabled_auth('none') ) {
 125         if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
 126             $errormsg = get_string('username').': '.get_string("invalidusername");
 127             $errorcode = 2;
 128             $user = null;
 129         }
 130     }
 131
 132     if ($user) {
 133         //user already supplied by aut plugin prelogin hook
 134     } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
 135         $user = false;    /// Can't log in as guest if guest button is disabled
 136         $frm = false;
 137     } else {
 138         if (empty($errormsg)) {
 139             $user = authenticate_user_login($frm->username, $frm->password);
 140         }
 141     }
 142
 143     // Intercept 'restored' users to provide them with info & reset password
 144     if (!$user and $frm and is_restored_user($frm->username)) {
 145         $PAGE->set_title(get_string('restoredaccount'));
 146         $PAGE->set_heading($site->fullname);
 147         echo $OUTPUT->header();
 148         echo $OUTPUT->heading(get_string('restoredaccount'));
 149         echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
 150         require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
 151         $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
 152         $form->display();
 153         echo $OUTPUT->footer();
 154         die;
 155     }
 156
 157     if ($user) {
 158
 159         // language setup
 160         if (isguestuser($user)) {
 161             // no predefined language for guests - use existing session or default site lang
 162             unset($user->lang);
 163
 164         } else if (!empty($user->lang)) {
 165             // unset previous session language - use user preference instead
 166             unset($SESSION->lang);
 167         }
 168
 169         if (empty($user->confirmed)) {       // This account was never confirmed
 170             $PAGE->set_title(get_string("mustconfirm"));
 171             $PAGE->set_heading($site->fullname);
 172             echo $OUTPUT->header();
 173             echo $OUTPUT->heading(get_string("mustconfirm"));
 174             echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
 175             echo $OUTPUT->footer();
 176             die;
 177         }
 178
 179     /// Let's get them all set up.
 180         add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID,
 181                    $user->id, 0, $user->id);
 182         complete_user_login($user);
 183
 184         // sets the username cookie
 185         if (!empty($CFG->nolastloggedin)) {
 186             // do not store last logged in user in cookie
 187             // auth plugins can temporarily override this from loginpage_hook()
 188             // do not save $CFG->nolastloggedin in database!
 189
 190         } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
 191             // no permanent cookies, delete old one if exists
 192             set_moodle_cookie('');
 193
 194         } else {
 195             set_moodle_cookie($USER->username);
 196         }
 197
 198     /// Prepare redirection
 199         if (user_not_fully_set_up($USER)) {
 200             $urltogo = $CFG->wwwroot.'/user/edit.php';
 201             // We don't delete $SESSION->wantsurl yet, so we get there later
 202
 203         } else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0 or strpos($SESSION->wantsurl, str_replace('http://', 'https://', $CFG->wwwroot)) === 0)) {
 204             $urltogo = $SESSION->wantsurl;    /// Because it's an address in this site
 205             unset($SESSION->wantsurl);
 206
 207         } else {
 208             // no wantsurl stored or external - go to homepage
 209             $urltogo = $CFG->wwwroot.'/';
 210             unset($SESSION->wantsurl);
 211         }
 212
 213         // If the url to go to is the same as the site page, check for default homepage.
 214         if ($urltogo == ($CFG->wwwroot . '/')) {
 215             $home_page = get_home_page();
 216             // Go to my-moodle page instead of site homepage if defaulthomepage set to homepage_my
 217             if ($home_page == HOMEPAGE_MY && !is_siteadmin() && !isguestuser()) {
 218                 if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
 219                     $urltogo = $CFG->wwwroot.'/my/';
 220                 }
 221             }
 222         }
 223
 224     /// check if user password has expired
 225     /// Currently supported only for ldap-authentication module
 226         $userauth = get_auth_plugin($USER->auth);
 227         if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
 228             if ($userauth->can_change_password()) {
 229                 $passwordchangeurl = $userauth->change_password_url();
 230                 if (!$passwordchangeurl) {
 231                     $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 232                 }
 233             } else {
 234                 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 235             }
 236             $days2expire = $userauth->password_expire($USER->username);
 237             $PAGE->set_title("$site->fullname: $loginsite");
 238             $PAGE->set_heading("$site->fullname");
 239             if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
 240                 echo $OUTPUT->header();
 241                 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
 242                 echo $OUTPUT->footer();
 243                 exit;
 244             } elseif (intval($days2expire) < 0 ) {
 245                 echo $OUTPUT->header();
 246                 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
 247                 echo $OUTPUT->footer();
 248                 exit;
 249             }
 250         }
 251
 252         // test the session actually works by redirecting to self
 253         $SESSION->wantsurl = $urltogo;
 254         redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
 255
 256     } else {
 257         if (empty($errormsg)) {
 258             $errormsg = get_string("invalidlogin");
 259             $errorcode = 3;
 260         }
 261     }
 262 }
 263
 264 /// Detect problems with timedout sessions
 265 if ($session_has_timed_out and !data_submitted()) {
 266     $errormsg = get_string('sessionerroruser', 'error');
 267     $errorcode = 4;
 268 }
 269
 270 /// First, let's remember where the user was trying to get to before they got here
 271
 272 if (empty($SESSION->wantsurl)) {
 273     $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
 274                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
 275                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
 276                           $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
 277                           $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/index.php')
 278         ? $_SERVER["HTTP_REFERER"] : NULL;
 279 }
 280
 281 /// Redirect to alternative login URL if needed
 282 if (!empty($CFG->alternateloginurl)) {
 283     $loginurl = $CFG->alternateloginurl;
 284
 285     if (strpos($SESSION->wantsurl, $loginurl) === 0) {
 286         //we do not want to return to alternate url
 287         $SESSION->wantsurl = NULL;
 288     }
 289
 290     if ($errorcode) {
 291         if (strpos($loginurl, '?') === false) {
 292             $loginurl .= '?';
 293         } else {
 294             $loginurl .= '&';
 295         }
 296         $loginurl .= 'errorcode='.$errorcode;
 297     }
 298
 299     redirect($loginurl);
 300 }
 301
 302 // make sure we really are on the https page when https login required
 303 $PAGE->verify_https_required();
 304
 305 /// Generate the login page with forms
 306
 307 if (!isset($frm) or !is_object($frm)) {
 308     $frm = new stdClass();
 309 }
 310
 311 if (empty($frm->username) && $authsequence[0] != 'shibboleth') {  // See bug 5184
 312     if (!empty($_GET["username"])) {
 313         $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
 314     } else {
 315         $frm->username = get_moodle_cookie();
 316     }
 317
 318     $frm->password = "";
 319 }
 320
 321 if (!empty($frm->username)) {
 322     $focus = "password";
 323 } else {
 324     $focus = "username";
 325 }
 326
 327 if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
 328     $show_instructions = true;
 329 } else {
 330     $show_instructions = false;
 331 }
 332
 333 $potentialidps = array();
 334 foreach($authsequence as $authname) {
 335     $authplugin = get_auth_plugin($authname);
 336     $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
 337 }
 338
 339 $PAGE->set_title("$site->fullname: $loginsite");
 340 $PAGE->set_heading("$site->fullname");
 341
 342 echo $OUTPUT->header();
 343
 344 if (isloggedin() and !isguestuser()) {
 345     // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
 346     echo $OUTPUT->box_start();
 347     $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
 348     $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
 349     echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
 350     echo $OUTPUT->box_end();
 351 } else {
 352     include("index_form.html");
 353     if ($errormsg) {
 354         $PAGE->requires->js_init_call('M.util.focus_login_error', null, true);
 355     } else if (!empty($CFG->loginpageautofocus)) {
 356         //focus username or password
 357         $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
 358     }
 359 }
 360
 361 echo $OUTPUT->footer();