login/index.php

   1 <?php
   2
   3 // This file is part of Moodle - http://moodle.org/
   4 //
   5 // Moodle is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // Moodle is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17
  18 /**
  19  * Main login page.
  20  *
  21  * @package    core
  22  * @subpackage auth
  23  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
  24  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25  */
  26
  27 require('../config.php');
  28 require_once('lib.php');
  29
  30 // Try to prevent searching for sites that allow sign-up.
  31 if (!isset($CFG->additionalhtmlhead)) {
  32     $CFG->additionalhtmlhead = '';
  33 }
  34 $CFG->additionalhtmlhead .= '<meta name="robots" content="noindex" />';
  35
  36 redirect_if_major_upgrade_required();
  37
  38 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
  39 $cancel      = optional_param('cancel', 0, PARAM_BOOL);      // redirect to frontpage, needed for loginhttps
  40
  41 if ($cancel) {
  42     redirect(new moodle_url('/'));
  43 }
  44
  45 //HTTPS is required in this page when $CFG->loginhttps enabled
  46 $PAGE->https_required();
  47
  48 $context = context_system::instance();
  49 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
  50 $PAGE->set_context($context);
  51 $PAGE->set_pagelayout('login');
  52
  53 /// Initialize variables
  54 $errormsg = '';
  55 $errorcode = 0;
  56
  57 // login page requested session test
  58 if ($testsession) {
  59     if ($testsession == $USER->id) {
  60         if (isset($SESSION->wantsurl)) {
  61             $urltogo = $SESSION->wantsurl;
  62         } else {
  63             $urltogo = $CFG->wwwroot.'/';
  64         }
  65         unset($SESSION->wantsurl);
  66         redirect($urltogo);
  67     } else {
  68         // TODO: try to find out what is the exact reason why sessions do not work
  69         $errormsg = get_string("cookiesnotenabled");
  70         $errorcode = 1;
  71     }
  72 }
  73
  74 /// Check for timed out sessions
  75 if (!empty($SESSION->has_timed_out)) {
  76     $session_has_timed_out = true;
  77     unset($SESSION->has_timed_out);
  78 } else {
  79     $session_has_timed_out = false;
  80 }
  81
  82 /// auth plugins may override these - SSO anyone?
  83 $frm  = false;
  84 $user = false;
  85
  86 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
  87 foreach($authsequence as $authname) {
  88     $authplugin = get_auth_plugin($authname);
  89     $authplugin->loginpage_hook();
  90 }
  91
  92
  93 /// Define variables used in page
  94 $site = get_site();
  95
  96 $loginsite = get_string("loginsite");
  97 $PAGE->navbar->add($loginsite);
  98
  99 if ($user !== false or $frm !== false or $errormsg !== '') {
 100     // some auth plugin already supplied full user, fake form data or prevented user login with error message
 101
 102 } else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
 103     // Handles the case of another Moodle site linking into a page on this site
 104     //TODO: move weblink into own auth plugin
 105     include($CFG->dirroot.'/login/weblinkauth.php');
 106     if (function_exists('weblink_auth')) {
 107         $user = weblink_auth($SESSION->wantsurl);
 108     }
 109     if ($user) {
 110         $frm->username = $user->username;
 111     } else {
 112         $frm = data_submitted();
 113     }
 114
 115 } else {
 116     $frm = data_submitted();
 117 }
 118
 119 /// Check if the user has actually submitted login data to us
 120
 121 if ($frm and isset($frm->username)) {                             // Login WITH cookies
 122
 123     $frm->username = trim(core_text::strtolower($frm->username));
 124
 125     if (is_enabled_auth('none') ) {
 126         if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
 127             $errormsg = get_string('username').': '.get_string("invalidusername");
 128             $errorcode = 2;
 129             $user = null;
 130         }
 131     }
 132
 133     if ($user) {
 134         //user already supplied by aut plugin prelogin hook
 135     } else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
 136         $user = false;    /// Can't log in as guest if guest button is disabled
 137         $frm = false;
 138     } else {
 139         if (empty($errormsg)) {
 140             $user = authenticate_user_login($frm->username, $frm->password);
 141         }
 142     }
 143
 144     // Intercept 'restored' users to provide them with info & reset password
 145     if (!$user and $frm and is_restored_user($frm->username)) {
 146         $PAGE->set_title(get_string('restoredaccount'));
 147         $PAGE->set_heading($site->fullname);
 148         echo $OUTPUT->header();
 149         echo $OUTPUT->heading(get_string('restoredaccount'));
 150         echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
 151         require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
 152         $form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
 153         $form->display();
 154         echo $OUTPUT->footer();
 155         die;
 156     }
 157
 158     if ($user) {
 159
 160         // language setup
 161         if (isguestuser($user)) {
 162             // no predefined language for guests - use existing session or default site lang
 163             unset($user->lang);
 164
 165         } else if (!empty($user->lang)) {
 166             // unset previous session language - use user preference instead
 167             unset($SESSION->lang);
 168         }
 169
 170         if (empty($user->confirmed)) {       // This account was never confirmed
 171             $PAGE->set_title(get_string("mustconfirm"));
 172             $PAGE->set_heading($site->fullname);
 173             echo $OUTPUT->header();
 174             echo $OUTPUT->heading(get_string("mustconfirm"));
 175             echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
 176             echo $OUTPUT->footer();
 177             die;
 178         }
 179
 180     /// Let's get them all set up.
 181         complete_user_login($user);
 182
 183         // sets the username cookie
 184         if (!empty($CFG->nolastloggedin)) {
 185             // do not store last logged in user in cookie
 186             // auth plugins can temporarily override this from loginpage_hook()
 187             // do not save $CFG->nolastloggedin in database!
 188
 189         } else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
 190             // no permanent cookies, delete old one if exists
 191             set_moodle_cookie('');
 192
 193         } else {
 194             set_moodle_cookie($USER->username);
 195         }
 196
 197         $urltogo = core_login_get_return_url();
 198
 199     /// check if user password has expired
 200     /// Currently supported only for ldap-authentication module
 201         $userauth = get_auth_plugin($USER->auth);
 202         if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
 203             if ($userauth->can_change_password()) {
 204                 $passwordchangeurl = $userauth->change_password_url();
 205                 if (!$passwordchangeurl) {
 206                     $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 207                 }
 208             } else {
 209                 $passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
 210             }
 211             $days2expire = $userauth->password_expire($USER->username);
 212             $PAGE->set_title("$site->fullname: $loginsite");
 213             $PAGE->set_heading("$site->fullname");
 214             if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
 215                 echo $OUTPUT->header();
 216                 echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
 217                 echo $OUTPUT->footer();
 218                 exit;
 219             } elseif (intval($days2expire) < 0 ) {
 220                 echo $OUTPUT->header();
 221                 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
 222                 echo $OUTPUT->footer();
 223                 exit;
 224             }
 225         }
 226
 227         // Discard any errors before the last redirect.
 228         unset($SESSION->loginerrormsg);
 229
 230         // test the session actually works by redirecting to self
 231         $SESSION->wantsurl = $urltogo;
 232         redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
 233
 234     } else {
 235         if (empty($errormsg)) {
 236             $errormsg = get_string("invalidlogin");
 237             $errorcode = 3;
 238         }
 239     }
 240 }
 241
 242 /// Detect problems with timedout sessions
 243 if ($session_has_timed_out and !data_submitted()) {
 244     $errormsg = get_string('sessionerroruser', 'error');
 245     $errorcode = 4;
 246 }
 247
 248 /// First, let's remember where the user was trying to get to before they got here
 249
 250 if (empty($SESSION->wantsurl)) {
 251     $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
 252                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
 253                           $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
 254                           $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
 255                           strpos($_SERVER["HTTP_REFERER"], $CFG->httpswwwroot.'/login/?') !== 0 &&
 256                           strpos($_SERVER["HTTP_REFERER"], $CFG->httpswwwroot.'/login/index.php') !== 0) // There might be some extra params such as ?lang=.
 257         ? $_SERVER["HTTP_REFERER"] : NULL;
 258 }
 259
 260 /// Redirect to alternative login URL if needed
 261 if (!empty($CFG->alternateloginurl)) {
 262     $loginurl = $CFG->alternateloginurl;
 263
 264     if (strpos($SESSION->wantsurl, $loginurl) === 0) {
 265         //we do not want to return to alternate url
 266         $SESSION->wantsurl = NULL;
 267     }
 268
 269     if ($errorcode) {
 270         if (strpos($loginurl, '?') === false) {
 271             $loginurl .= '?';
 272         } else {
 273             $loginurl .= '&';
 274         }
 275         $loginurl .= 'errorcode='.$errorcode;
 276     }
 277
 278     redirect($loginurl);
 279 }
 280
 281 // make sure we really are on the https page when https login required
 282 $PAGE->verify_https_required();
 283
 284 /// Generate the login page with forms
 285
 286 if (!isset($frm) or !is_object($frm)) {
 287     $frm = new stdClass();
 288 }
 289
 290 if (empty($frm->username) && $authsequence[0] != 'shibboleth') {  // See bug 5184
 291     if (!empty($_GET["username"])) {
 292         $frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
 293     } else {
 294         $frm->username = get_moodle_cookie();
 295     }
 296
 297     $frm->password = "";
 298 }
 299
 300 if (!empty($frm->username)) {
 301     $focus = "password";
 302 } else {
 303     $focus = "username";
 304 }
 305
 306 if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
 307     $show_instructions = true;
 308 } else {
 309     $show_instructions = false;
 310 }
 311
 312 $potentialidps = array();
 313 foreach($authsequence as $authname) {
 314     $authplugin = get_auth_plugin($authname);
 315     $potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
 316 }
 317
 318 if (!empty($SESSION->loginerrormsg)) {
 319     // We had some errors before redirect, show them now.
 320     $errormsg = $SESSION->loginerrormsg;
 321     unset($SESSION->loginerrormsg);
 322
 323 } else if ($testsession) {
 324     // No need to redirect here.
 325     unset($SESSION->loginerrormsg);
 326
 327 } else if ($errormsg or !empty($frm->password)) {
 328     // We must redirect after every password submission.
 329     if ($errormsg) {
 330         $SESSION->loginerrormsg = $errormsg;
 331     }
 332     redirect(new moodle_url('/login/index.php'));
 333 }
 334
 335 $PAGE->set_title("$site->fullname: $loginsite");
 336 $PAGE->set_heading("$site->fullname");
 337
 338 echo $OUTPUT->header();
 339
 340 if (isloggedin() and !isguestuser()) {
 341     // prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
 342     echo $OUTPUT->box_start();
 343     $logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
 344     $continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
 345     echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
 346     echo $OUTPUT->box_end();
 347 } else {
 348     include("index_form.html");
 349     if ($errormsg) {
 350         $PAGE->requires->js_init_call('M.util.focus_login_error', null, true);
 351     } else if (!empty($CFG->loginpageautofocus)) {
 352         //focus username or password
 353         $PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
 354     }
 355 }
 356
 357 echo $OUTPUT->footer();