moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-06 09:26:35 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
moodle/login/index.php
Petr Škoda 0448818b49 MDL-39503 tell robots to not index login and signup page 
This should partially prevent people from googling moodle sites that allow signup. Please note you can not use login block if because it would still disclose the signup link.
2013-05-31 21:25:27 +02:00

361 lines
13 KiB
PHP
Raw Blame History

<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Main login page.
*
* @package core
* @subpackage auth
* @copyright 1999 onwards Martin Dougiamas http://dougiamas.com
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require('../config.php');
// Try to prevent searching for sites that allow sign-up.
if (!isset($CFG->additionalhtmlhead)) {
$CFG->additionalhtmlhead = '';
}
$CFG->additionalhtmlhead .= '<meta name="robots" content="noindex" />';
redirect_if_major_upgrade_required();
$testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
$cancel = optional_param('cancel', 0, PARAM_BOOL); // redirect to frontpage, needed for loginhttps
if ($cancel) {
redirect(new moodle_url('/'));
}
//HTTPS is required in this page when $CFG->loginhttps enabled
$PAGE->https_required();
$context = context_system::instance();
$PAGE->set_url("$CFG->httpswwwroot/login/index.php");
$PAGE->set_context($context);
$PAGE->set_pagelayout('login');
/// Initialize variables
$errormsg = '';
$errorcode = 0;
// login page requested session test
if ($testsession) {
if ($testsession == $USER->id) {
if (isset($SESSION->wantsurl)) {
$urltogo = $SESSION->wantsurl;
} else {
$urltogo = $CFG->wwwroot.'/';
}
unset($SESSION->wantsurl);
redirect($urltogo);
} else {
// TODO: try to find out what is the exact reason why sessions do not work
$errormsg = get_string("cookiesnotenabled");
$errorcode = 1;
}
}
/// Check for timed out sessions
if (!empty($SESSION->has_timed_out)) {
$session_has_timed_out = true;
unset($SESSION->has_timed_out);
} else {
$session_has_timed_out = false;
}
/// auth plugins may override these - SSO anyone?
$frm = false;
$user = false;
$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
foreach($authsequence as $authname) {
$authplugin = get_auth_plugin($authname);
$authplugin->loginpage_hook();
}
/// Define variables used in page
$site = get_site();
$loginsite = get_string("loginsite");
$PAGE->navbar->add($loginsite);
if ($user !== false or $frm !== false or $errormsg !== '') {
// some auth plugin already supplied full user, fake form data or prevented user login with error message
} else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
// Handles the case of another Moodle site linking into a page on this site
//TODO: move weblink into own auth plugin
include($CFG->dirroot.'/login/weblinkauth.php');
if (function_exists('weblink_auth')) {
$user = weblink_auth($SESSION->wantsurl);
}
if ($user) {
$frm->username = $user->username;
} else {
$frm = data_submitted();
}
} else {
$frm = data_submitted();
}
/// Check if the user has actually submitted login data to us
if ($frm and isset($frm->username)) { // Login WITH cookies
$frm->username = trim(textlib::strtolower($frm->username));
if (is_enabled_auth('none') ) {
if ($frm->username !== clean_param($frm->username, PARAM_USERNAME)) {
$errormsg = get_string('username').': '.get_string("invalidusername");
$errorcode = 2;
$user = null;
}
}
if ($user) {
//user already supplied by aut plugin prelogin hook
} else if (($frm->username == 'guest') and empty($CFG->guestloginbutton)) {
$user = false; /// Can't log in as guest if guest button is disabled
$frm = false;
} else {
if (empty($errormsg)) {
$user = authenticate_user_login($frm->username, $frm->password);
}
}
// Intercept 'restored' users to provide them with info & reset password
if (!$user and $frm and is_restored_user($frm->username)) {
$PAGE->set_title(get_string('restoredaccount'));
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('restoredaccount'));
echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
require_once('restored_password_form.php'); // Use our "supplanter" login_forgot_password_form. MDL-20846
$form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
$form->display();
echo $OUTPUT->footer();
die;
}
if ($user) {
// language setup
if (isguestuser($user)) {
// no predefined language for guests - use existing session or default site lang
unset($user->lang);
} else if (!empty($user->lang)) {
// unset previous session language - use user preference instead
unset($SESSION->lang);
}
if (empty($user->confirmed)) { // This account was never confirmed
$PAGE->set_title(get_string("mustconfirm"));
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
echo $OUTPUT->heading(get_string("mustconfirm"));
echo $OUTPUT->box(get_string("emailconfirmsent", "", $user->email), "generalbox boxaligncenter");
echo $OUTPUT->footer();
die;
}
/// Let's get them all set up.
add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID,
$user->id, 0, $user->id);
complete_user_login($user);
// sets the username cookie
if (!empty($CFG->nolastloggedin)) {
// do not store last logged in user in cookie
// auth plugins can temporarily override this from loginpage_hook()
// do not save $CFG->nolastloggedin in database!
} else if (empty($CFG->rememberusername) or ($CFG->rememberusername == 2 and empty($frm->rememberusername))) {
// no permanent cookies, delete old one if exists
set_moodle_cookie('');
} else {
set_moodle_cookie($USER->username);
}
/// Prepare redirection
if (user_not_fully_set_up($USER)) {
$urltogo = $CFG->wwwroot.'/user/edit.php';
// We don't delete $SESSION->wantsurl yet, so we get there later
} else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0 or strpos($SESSION->wantsurl, str_replace('http://', 'https://', $CFG->wwwroot)) === 0)) {
$urltogo = $SESSION->wantsurl; /// Because it's an address in this site
unset($SESSION->wantsurl);
} else {
// no wantsurl stored or external - go to homepage
$urltogo = $CFG->wwwroot.'/';
unset($SESSION->wantsurl);
}
// If the url to go to is the same as the site page, check for default homepage.
if ($urltogo == ($CFG->wwwroot . '/')) {
$home_page = get_home_page();
// Go to my-moodle page instead of site homepage if defaulthomepage set to homepage_my
if ($home_page == HOMEPAGE_MY && !is_siteadmin() && !isguestuser()) {
if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
$urltogo = $CFG->wwwroot.'/my/';
}
}
}
/// check if user password has expired
/// Currently supported only for ldap-authentication module
$userauth = get_auth_plugin($USER->auth);
if (!empty($userauth->config->expiration) and $userauth->config->expiration == 1) {
if ($userauth->can_change_password()) {
$passwordchangeurl = $userauth->change_password_url();
if (!$passwordchangeurl) {
$passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
}
} else {
$passwordchangeurl = $CFG->httpswwwroot.'/login/change_password.php';
}
$days2expire = $userauth->password_expire($USER->username);
$PAGE->set_title("$site->fullname: $loginsite");
$PAGE->set_heading("$site->fullname");
if (intval($days2expire) > 0 && intval($days2expire) < intval($userauth->config->expiration_warning)) {
echo $OUTPUT->header();
echo $OUTPUT->confirm(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo);
echo $OUTPUT->footer();
exit;
} elseif (intval($days2expire) < 0 ) {
echo $OUTPUT->header();
echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
echo $OUTPUT->footer();
exit;
}
}
// test the session actually works by redirecting to self
$SESSION->wantsurl = $urltogo;
redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
} else {
if (empty($errormsg)) {
$errormsg = get_string("invalidlogin");
$errorcode = 3;
}
}
}
/// Detect problems with timedout sessions
if ($session_has_timed_out and !data_submitted()) {
$errormsg = get_string('sessionerroruser', 'error');
$errorcode = 4;
}
/// First, let's remember where the user was trying to get to before they got here
if (empty($SESSION->wantsurl)) {
$SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
$_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
$_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
$_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
$_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/index.php')
? $_SERVER["HTTP_REFERER"] : NULL;
}
/// Redirect to alternative login URL if needed
if (!empty($CFG->alternateloginurl)) {
$loginurl = $CFG->alternateloginurl;
if (strpos($SESSION->wantsurl, $loginurl) === 0) {
//we do not want to return to alternate url
$SESSION->wantsurl = NULL;
}
if ($errorcode) {
if (strpos($loginurl, '?') === false) {
$loginurl .= '?';
} else {
$loginurl .= '&';
}
$loginurl .= 'errorcode='.$errorcode;
}
redirect($loginurl);
}
// make sure we really are on the https page when https login required
$PAGE->verify_https_required();
/// Generate the login page with forms
if (!isset($frm) or !is_object($frm)) {
$frm = new stdClass();
}
if (empty($frm->username) && $authsequence[0] != 'shibboleth') { // See bug 5184
if (!empty($_GET["username"])) {
$frm->username = clean_param($_GET["username"], PARAM_RAW); // we do not want data from _POST here
} else {
$frm->username = get_moodle_cookie();
}
$frm->password = "";
}
if (!empty($frm->username)) {
$focus = "password";
} else {
$focus = "username";
}
if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
$show_instructions = true;
} else {
$show_instructions = false;
}
$potentialidps = array();
foreach($authsequence as $authname) {
$authplugin = get_auth_plugin($authname);
$potentialidps = array_merge($potentialidps, $authplugin->loginpage_idp_list($SESSION->wantsurl));
}
$PAGE->set_title("$site->fullname: $loginsite");
$PAGE->set_heading("$site->fullname");
echo $OUTPUT->header();
if (isloggedin() and !isguestuser()) {
// prevent logging when already logged in, we do not want them to relogin by accident because sesskey would be changed
echo $OUTPUT->box_start();
$logout = new single_button(new moodle_url($CFG->httpswwwroot.'/login/logout.php', array('sesskey'=>sesskey(),'loginpage'=>1)), get_string('logout'), 'post');
$continue = new single_button(new moodle_url($CFG->httpswwwroot.'/login/index.php', array('cancel'=>1)), get_string('cancel'), 'get');
echo $OUTPUT->confirm(get_string('alreadyloggedin', 'error', fullname($USER)), $logout, $continue);
echo $OUTPUT->box_end();
} else {
include("index_form.html");
if ($errormsg) {
$PAGE->requires->js_init_call('M.util.focus_login_error', null, true);
} else if (!empty($CFG->loginpageautofocus)) {
//focus username or password
$PAGE->requires->js_init_call('M.util.focus_login_form', null, true);
}
}
echo $OUTPUT->footer();
Reference in a new issue View git blame Copy permalink