auth/lti/login.php

   1 <?php
   2 // This file is part of Moodle - http://moodle.org/
   3 //
   4 // Moodle is free software: you can redistribute it and/or modify
   5 // it under the terms of the GNU General Public License as published by
   6 // the Free Software Foundation, either version 3 of the License, or
   7 // (at your option) any later version.
   8 //
   9 // Moodle is distributed in the hope that it will be useful,
  10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 // GNU General Public License for more details.
  13 //
  14 // You should have received a copy of the GNU General Public License
  15 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16 /**
  17  * Page allowing a platform user, identified by their {iss, sub} tuple, to be bound to a new or existing Moodle account.
  18  *
  19  * This is an LTI Advantage specific login feature.
  20  *
  21  * The auth flow defined in auth_lti\auth::complete_login() redirects here when a launching user does not have an
  22  * account binding yet. This page prompts the user to select between:
  23  * a) An auto provisioned account.
  24  * An account with auth type 'lti' is created for the user. This account is bound to the launch credentials.
  25  * Or
  26  * b) Use an existing account
  27  * The standard Moodle auth flow is leveraged to get an existing user account. This account is then bound to the launch
  28  * credentials.
  29  *
  30  * @package    auth_lti
  31  * @copyright  2021 Jake Dallimore <jrhdallimore@gmail.com>
  32  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  33  */
  34
  35 use core\event\user_login_failed;
  36 use core\output\notification;
  37
  38 require_once(__DIR__ . '/../../config.php');
  39
  40 global $OUTPUT, $PAGE, $SESSION;
  41
  42 // Form fields dealing with the user's choice about account types (new, existing).
  43 $newaccount = optional_param('new_account', false, PARAM_BOOL);
  44 $existingaccount = optional_param('existing_account', false, PARAM_BOOL);
  45
  46 if (empty($SESSION->auth_lti) || empty($SESSION->auth_lti->launchdata)) {
  47     throw new coding_exception('Missing LTI launch credentials.');
  48 }
  49 if (empty($SESSION->auth_lti->returnurl)) {
  50     throw new coding_exception('Missing return URL.');
  51 }
  52
  53 if ($newaccount) {
  54     require_sesskey();
  55     $launchdata = $SESSION->auth_lti->launchdata;
  56     $returnurl = $SESSION->auth_lti->returnurl;
  57     unset($SESSION->auth_lti);
  58
  59     if (!empty($CFG->authpreventaccountcreation)) {
  60         // If 'authpreventaccountcreation' is enabled, the option to create a new account isn't presented to users in the form.
  61         // This just ensures no action is taken were the 'newaccount' value to be present in the submitted data.
  62
  63         // Trigger login failed event.
  64         $failurereason = AUTH_LOGIN_UNAUTHORISED;
  65         $event = user_login_failed::create(['other' => ['reason' => $failurereason]]);
  66         $event->trigger();
  67
  68         // Site settings prevent creating new accounts.
  69         $errormsg = get_string('cannotcreateaccounts', 'auth_lti');
  70         $SESSION->loginerrormsg = $errormsg;
  71         redirect(new moodle_url('/login/index.php'));
  72     } else {
  73         // Create a new account and link it, logging the user in.
  74         $auth = get_auth_plugin('lti');
  75         $newuser = $auth->find_or_create_user_from_launch($launchdata);
  76         complete_user_login($newuser);
  77         $auth->update_user_account($newuser, $launchdata, $launchdata['iss']);
  78
  79         $PAGE->set_context(context_system::instance());
  80         $PAGE->set_url(new moodle_url('/auth/lti/login.php'));
  81         $PAGE->set_pagelayout('popup');
  82         $renderer = $PAGE->get_renderer('auth_lti');
  83         echo $OUTPUT->header();
  84         echo $renderer->render_account_binding_complete(
  85             new notification(get_string('accountcreatedsuccess', 'auth_lti'), notification::NOTIFY_SUCCESS, false),
  86             $returnurl
  87         );
  88         echo $OUTPUT->footer();
  89         exit();
  90     }
  91 } else if ($existingaccount) {
  92     // Only when authenticated can an account be bound, allowing the user to continue to the original launch action.
  93     require_login(null, false);
  94     require_sesskey();
  95     $launchdata = $SESSION->auth_lti->launchdata;
  96     $returnurl = $SESSION->auth_lti->returnurl;
  97     unset($SESSION->auth_lti);
  98
  99     global $USER;
 100     $auth = get_auth_plugin('lti');
 101     $auth->create_user_binding($launchdata['iss'], $launchdata['sub'], $USER->id);
 102
 103     $PAGE->set_context(context_system::instance());
 104     $PAGE->set_url(new moodle_url('/auth/lti/login.php'));
 105     $PAGE->set_pagelayout('popup');
 106     $renderer = $PAGE->get_renderer('auth_lti');
 107     echo $OUTPUT->header();
 108     echo $renderer->render_account_binding_complete(
 109         new notification(get_string('accountlinkedsuccess', 'auth_lti'), notification::NOTIFY_SUCCESS, false),
 110         $returnurl
 111     );
 112     echo $OUTPUT->footer();
 113     exit();
 114 }
 115
 116 // Render the relevant account provisioning page, based on the provisioningmode set in the calling code.
 117 $PAGE->set_context(context_system::instance());
 118 $PAGE->set_url(new moodle_url('/auth/lti/login.php'));
 119 $PAGE->set_pagelayout('popup');
 120 $renderer = $PAGE->get_renderer('auth_lti');
 121
 122 echo $OUTPUT->header();
 123 require_once($CFG->dirroot . '/auth/lti/auth.php');
 124 echo $renderer->render_account_binding_options_page($SESSION->auth_lti->provisioningmode);
 125 echo $OUTPUT->footer();