diff --git a/main/inc/local.inc.php b/main/inc/local.inc.php index 79227dd52d..1b01a67a1e 100644 --- a/main/inc/local.inc.php +++ b/main/inc/local.inc.php @@ -92,7 +92,7 @@ * reset, setting correctly $cidReset (for course) and $gidReset (for group). * * 3. If needed, the script retrieves the other user informations (first name, - * last name, ...) and stores them in session. + * last name, ...) and stores them in session. * * 4. If needed, the script retrieves the course information and stores them * in session @@ -109,8 +109,8 @@ */ /* - INIT SECTION - variables should be initialised here + INIT SECTION + variables should be initialised here */ //require_once api_get_path(LIBRARY_PATH).'conditionallogin.lib.php'; moved to autologin @@ -120,15 +120,15 @@ use \ChamiloSession as Session; //Conditional login if (isset($_SESSION['conditional_login']['uid']) && $_SESSION['conditional_login']['can_login']=== true){ - $uData = UserManager::get_user_info_by_id($_SESSION['conditional_login']['uid']); - ConditionalLogin::check_conditions($uData); - - $_user['user_id'] = $_SESSION['conditional_login']['uid']; - $_user['status'] = $uData['status']; - Session::write('_user',$_user); - Session::erase('conditional_login'); - $uidReset=true; - event_login(); + $uData = UserManager::get_user_info_by_id($_SESSION['conditional_login']['uid']); + ConditionalLogin::check_conditions($uData); + + $_user['user_id'] = $_SESSION['conditional_login']['uid']; + $_user['status'] = $uData['status']; + Session::write('_user',$_user); + Session::erase('conditional_login'); + $uidReset=true; + event_login(); } // parameters passed via GET @@ -155,382 +155,382 @@ $gidReset = isset($gidReset) ? $gidReset : ''; // parameters passed via POST $login = isset($_POST["login"]) ? $_POST["login"] : ''; -/* MAIN CODE */ +/* MAIN CODE */ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) { - // uid is in session => login already done, continue with this value - $_user['user_id'] = $_SESSION['_user']['user_id']; + // uid is in session => login already done, continue with this value + $_user['user_id'] = $_SESSION['_user']['user_id']; //Check if we have to reset user data //This param can be used to reload user data if user has been logged by external script if (isset($_SESSION['_user']['uidReset']) && $_SESSION['_user']['uidReset']){ $uidReset=true; } } else { - if (isset($_user['user_id'])) { - unset($_user['user_id']); - } - - if (api_get_setting('allow_terms_conditions') == 'true') { - if (isset($_POST['login']) && isset($_POST['password']) && isset($_SESSION['term_and_condition']['user_id'])) { - $user_id = $_SESSION['term_and_condition']['user_id']; // user id - // Update the terms & conditions + if (isset($_user['user_id'])) { + unset($_user['user_id']); + } + + if (api_get_setting('allow_terms_conditions') == 'true') { + if (isset($_POST['login']) && isset($_POST['password']) && isset($_SESSION['term_and_condition']['user_id'])) { + $user_id = $_SESSION['term_and_condition']['user_id']; // user id + // Update the terms & conditions $legal_type = null; - //verify type of terms and conditions + //verify type of terms and conditions if (isset($_POST['legal_info'])) { $info_legal = explode(':', $_POST['legal_info']); $legal_type = LegalManager::get_type_of_terms_and_conditions($info_legal[0], $info_legal[1]); } - //is necessary verify check - if ($legal_type == 1) { - if ((isset($_POST['legal_accept']) && $_POST['legal_accept']=='1')) { - $legal_option = true; - } else { - $legal_option = false; - } - } - - //no is check option - if ($legal_type == 0) { - $legal_option=true; - } - - if (isset($_POST['legal_accept_type']) && $legal_option===true) { - $cond_array = explode(':',$_POST['legal_accept_type']); - if (!empty($cond_array[0]) && !empty($cond_array[1])){ - $time = time(); - $condition_to_save = intval($cond_array[0]).':'.intval($cond_array[1]).':'.$time; - UserManager::update_extra_field_value($user_id,'legal_accept',$condition_to_save); - } - } - } - } - - //IF cas is activated and user isn't logged in - if (api_get_setting('cas_activate') == 'true') { - $cas_activated = true; - } else { - $cas_activated = false; - } - - $cas_login=false; - if ($cas_activated AND !isset($_user['user_id']) and !isset($_POST['login']) && !$logout) { - require_once(api_get_path(SYS_PATH).'main/auth/cas/authcas.php'); - $cas_login = cas_is_authenticated(); - } - if ( ( isset($_POST['login']) AND isset($_POST['password']) ) OR ($cas_login) ) { - - // $login && $password are given to log in - if ( $cas_login && empty($_POST['login']) ) { - $login = $cas_login; - } else { - $login = $_POST['login']; - $password = $_POST['password']; - } + //is necessary verify check + if ($legal_type == 1) { + if ((isset($_POST['legal_accept']) && $_POST['legal_accept']=='1')) { + $legal_option = true; + } else { + $legal_option = false; + } + } + + //no is check option + if ($legal_type == 0) { + $legal_option=true; + } + + if (isset($_POST['legal_accept_type']) && $legal_option===true) { + $cond_array = explode(':',$_POST['legal_accept_type']); + if (!empty($cond_array[0]) && !empty($cond_array[1])){ + $time = time(); + $condition_to_save = intval($cond_array[0]).':'.intval($cond_array[1]).':'.$time; + UserManager::update_extra_field_value($user_id,'legal_accept',$condition_to_save); + } + } + } + } + + //IF cas is activated and user isn't logged in + if (api_get_setting('cas_activate') == 'true') { + $cas_activated = true; + } else { + $cas_activated = false; + } + + $cas_login=false; + if ($cas_activated AND !isset($_user['user_id']) and !isset($_POST['login']) && !$logout) { + require_once(api_get_path(SYS_PATH).'main/auth/cas/authcas.php'); + $cas_login = cas_is_authenticated(); + } + if ( ( isset($_POST['login']) AND isset($_POST['password']) ) OR ($cas_login) ) { + + // $login && $password are given to log in + if ( $cas_login && empty($_POST['login']) ) { + $login = $cas_login; + } else { + $login = $_POST['login']; + $password = $_POST['password']; + } - //Lookup the user in the main database - $user_table = Database::get_main_table(TABLE_MAIN_USER); - $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status FROM $user_table - WHERE username = '".Database::escape_string($login)."'"; - $result = Database::query($sql); + //Lookup the user in the main database + $user_table = Database::get_main_table(TABLE_MAIN_USER); + $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status FROM $user_table + WHERE username = '".Database::escape_string($login)."'"; + $result = Database::query($sql); - if (Database::num_rows($result) > 0) { - $uData = Database::fetch_array($result); + if (Database::num_rows($result) > 0) { + $uData = Database::fetch_array($result); - if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE || $uData['auth_source'] == CAS_AUTH_SOURCE) { - //The authentification of this user is managed by Chamilo itself + if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE || $uData['auth_source'] == CAS_AUTH_SOURCE) { + //The authentification of this user is managed by Chamilo itself $password = api_get_encrypted_password(trim(stripslashes($password))); - - // Check the user's password - if ( ($password == $uData['password'] OR $cas_login) AND (trim($login) == $uData['username'])) { + + // Check the user's password + if ( ($password == $uData['password'] OR $cas_login) AND (trim($login) == $uData['username'])) { $update_type = UserManager::get_extra_user_data_by_field($uData['user_id'], 'update_type'); $update_type= $update_type['update_type']; if (!empty($extAuthSource[$update_type]['updateUser']) && file_exists($extAuthSource[$update_type]['updateUser'])) { include_once $extAuthSource[$update_type]['updateUser']; } - // Check if the account is active (not locked) - if ($uData['active'] == '1') { + // Check if the account is active (not locked) + if ($uData['active'] == '1') { - // Check if the expiration date has not been reached + // Check if the expiration date has not been reached if ($uData['expiration_date'] > date('Y-m-d H:i:s') OR $uData['expiration_date'] == '0000-00-00 00:00:00') { - global $_configuration; + global $_configuration; if (isset($_configuration['multiple_access_urls']) && $_configuration['multiple_access_urls']) { - //Check if user is an admin + //Check if user is an admin $my_user_is_admin = UserManager::is_admin($uData['user_id']); - // This user is subscribed in these sites => $my_url_list - $my_url_list = api_get_access_url_from_user($uData['user_id']); - - //Check the access_url configuration setting if the user is registered in the access_url_rel_user table - //Getting the current access_url_id of the platform - $current_access_url_id = api_get_current_access_url_id(); - - if ($my_user_is_admin === false) { - - if (is_array($my_url_list) && count($my_url_list)>0 ) { - // the user have the permissions to enter at this site - if (in_array($current_access_url_id, $my_url_list)) { - ConditionalLogin::check_conditions($uData); - - $_user['user_id'] = $uData['user_id']; - $_user['status'] = $uData['status']; - Session::write('_user',$_user); - event_login(); - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); - exit; - } - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); - exit; - } - } else { //Only admins of the "main" (first) Chamilo portal can login wherever they want - //var_dump($current_access_url_id, $my_url_list); exit; - if (in_array(1, $my_url_list)) { //Check if this admin have the access_url_id = 1 which means the principal - ConditionalLogin::check_conditions($uData); - $_user['user_id'] = $uData['user_id']; - $_user['status'] = $uData['status']; - Session::write('_user',$_user); - event_login(); - } else { - //This means a secondary admin wants to login so we check as he's a normal user - if (in_array($current_access_url_id, $my_url_list)) { - $_user['user_id'] = $uData['user_id']; - $_user['status'] = $uData['status']; - Session::write('_user',$_user); - event_login(); - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); - exit; - } - } - } + // This user is subscribed in these sites => $my_url_list + $my_url_list = api_get_access_url_from_user($uData['user_id']); + + //Check the access_url configuration setting if the user is registered in the access_url_rel_user table + //Getting the current access_url_id of the platform + $current_access_url_id = api_get_current_access_url_id(); + + if ($my_user_is_admin === false) { + + if (is_array($my_url_list) && count($my_url_list)>0 ) { + // the user have the permissions to enter at this site + if (in_array($current_access_url_id, $my_url_list)) { + ConditionalLogin::check_conditions($uData); + + $_user['user_id'] = $uData['user_id']; + $_user['status'] = $uData['status']; + Session::write('_user',$_user); + event_login(); + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); + exit; + } + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); + exit; + } + } else { //Only admins of the "main" (first) Chamilo portal can login wherever they want + //var_dump($current_access_url_id, $my_url_list); exit; + if (in_array(1, $my_url_list)) { //Check if this admin have the access_url_id = 1 which means the principal + ConditionalLogin::check_conditions($uData); + $_user['user_id'] = $uData['user_id']; + $_user['status'] = $uData['status']; + Session::write('_user',$_user); + event_login(); + } else { + //This means a secondary admin wants to login so we check as he's a normal user + if (in_array($current_access_url_id, $my_url_list)) { + $_user['user_id'] = $uData['user_id']; + $_user['status'] = $uData['status']; + Session::write('_user',$_user); + event_login(); + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive'); + exit; + } + } + } } else { //error_log('Loggedin'); - ConditionalLogin::check_conditions($uData); + ConditionalLogin::check_conditions($uData); $_user['user_id'] = $uData['user_id']; $_user['status'] = $uData['status']; Session::write('_user',$_user); event_login(); - } - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_expired'); - exit; - } - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive'); - exit; - } - } else { - // login failed: username or password incorrect - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=user_password_incorrect'); - exit; - } - - if (isset($uData['creator_id']) && $_user['user_id'] != $uData['creator_id']) { - //first login for a not self registred - //e.g. registered by a teacher - //do nothing (code may be added later) - } - } elseif (!empty($extAuthSource[$uData['auth_source']]['login']) && file_exists($extAuthSource[$uData['auth_source']]['login'])) { - /* - * Process external authentication - * on the basis of the given login name - */ - $loginFailed = true; // Default initialisation. It could - // change after the external authentication - $key = $uData['auth_source']; //'ldap','shibboleth'... - /* >>>>>>>> External authentication modules <<<<<<<<< */ - // see configuration.php to define these - include_once($extAuthSource[$key]['login']); - /* >>>>>>>> External authentication modules <<<<<<<<< */ - } else { // no standard Chamilo login - try external authentification - //huh... nothing to do... we shouldn't get here - error_log('Chamilo Authentication file '. $extAuthSource[$uData['auth_source']]['login']. ' could not be found - this might prevent your system from doing the corresponding authentication process',0); - } - } else { - // login failed, Database::num_rows($result) <= 0 - $loginFailed = true; // Default initialisation. It could - // change after the external authentication - - /* - * In this section: - * there is no entry for the $login user in the Chamilo - * database. This also means there is no auth_source for the user. - * We let all external procedures attempt to add him/her - * to the system. - * - * Process external login on the basis - * of the authentication source list - * provided by the configuration settings. - * If the login succeeds, for going further, - * Chamilo needs the $_user['user_id'] variable to be - * set and registered in the session. It's the - * responsability of the external login script - * to provide this $_user['user_id']. - */ - - if (isset($extAuthSource) && is_array($extAuthSource)) { - foreach($extAuthSource as $thisAuthSource) { - if (!empty($thisAuthSource['newUser']) && file_exists($thisAuthSource['newUser'])) { - include_once($thisAuthSource['newUser']); - } else { - error_log('Chamilo Authentication file '. $thisAuthSource['newUser']. ' could not be found - this might prevent your system from using the authentication process in the user creation process',0); - } - } - } //end if is_array($extAuthSource) - if ($loginFailed) { //If we are here username given is wrong - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=user_password_incorrect'); - } - } //end else login failed - } elseif (api_get_setting('sso_authentication')==='true' && !in_array('webservices', explode('/', $_SERVER['REQUEST_URI']))) { - /** - * TODO: - * - Work on a better validation for webservices paths. Current is very poor and exit - */ - $subsso = api_get_setting('sso_authentication_subclass'); - //require_once(api_get_path(SYS_CODE_PATH).'auth/sso/sso.class.php'); moved to autologin - if (!empty($subsso)) { - require_once(api_get_path(SYS_CODE_PATH).'auth/sso/sso.'.$subsso.'.class.php'); - $subsso = 'sso'.$subsso; - $osso = new $subsso(); //load the subclass - } else { - $osso = new sso(); - } - if (isset($_SESSION['_user']['user_id'])) { - if ($logout) { - // Make custom redirect after logout - online_logout($_SESSION['_user']['user_id'], false); - $osso->logout(); //redirects and exits - } - } elseif(!$logout) { - // Handle cookie comming from Master Server - if (!isset($_GET['sso_referer']) && !isset($_GET['loginFailed'])) { - // Redirect to master server - $osso->ask_master(); - } elseif (isset($_GET['sso_cookie'])) { - // Here we are going to check the origin of - // what the call says should be used for - // authentication, and ensure we know it - $matches_domain = false; - if (isset($_GET['sso_referer'])) { - $protocol = api_get_setting('sso_authentication_protocol'); - // sso_authentication_domain can list - // several, comma-separated, domains - $master_urls = split(',',api_get_setting('sso_authentication_domain')); - if (!empty($master_urls)) { - $master_auth_uri = api_get_setting('sso_authentication_auth_uri'); - foreach ($master_urls as $mu) { - if (empty($mu)) { continue; } - // for each URL, check until we find *one* that matches the $_GET['sso_referer'], then skip the rest - if ($protocol.trim($mu).$master_auth_uri === $_GET['sso_referer']) { - $matches_domain = true; - break; - } - } - } else { - error_log('Your sso_authentication_master param is empty. Check the platform configuration, security section. It can be a list of comma-separated domains'); - } - } - if ($matches_domain) { + } + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_expired'); + exit; + } + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive'); + exit; + } + } else { + // login failed: username or password incorrect + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=user_password_incorrect'); + exit; + } + + if (isset($uData['creator_id']) && $_user['user_id'] != $uData['creator_id']) { + //first login for a not self registred + //e.g. registered by a teacher + //do nothing (code may be added later) + } + } elseif (!empty($extAuthSource[$uData['auth_source']]['login']) && file_exists($extAuthSource[$uData['auth_source']]['login'])) { + /* + * Process external authentication + * on the basis of the given login name + */ + $loginFailed = true; // Default initialisation. It could + // change after the external authentication + $key = $uData['auth_source']; //'ldap','shibboleth'... + /* >>>>>>>> External authentication modules <<<<<<<<< */ + // see configuration.php to define these + include_once($extAuthSource[$key]['login']); + /* >>>>>>>> External authentication modules <<<<<<<<< */ + } else { // no standard Chamilo login - try external authentification + //huh... nothing to do... we shouldn't get here + error_log('Chamilo Authentication file '. $extAuthSource[$uData['auth_source']]['login']. ' could not be found - this might prevent your system from doing the corresponding authentication process',0); + } + } else { + // login failed, Database::num_rows($result) <= 0 + $loginFailed = true; // Default initialisation. It could + // change after the external authentication + + /* + * In this section: + * there is no entry for the $login user in the Chamilo + * database. This also means there is no auth_source for the user. + * We let all external procedures attempt to add him/her + * to the system. + * + * Process external login on the basis + * of the authentication source list + * provided by the configuration settings. + * If the login succeeds, for going further, + * Chamilo needs the $_user['user_id'] variable to be + * set and registered in the session. It's the + * responsability of the external login script + * to provide this $_user['user_id']. + */ + + if (isset($extAuthSource) && is_array($extAuthSource)) { + foreach($extAuthSource as $thisAuthSource) { + if (!empty($thisAuthSource['newUser']) && file_exists($thisAuthSource['newUser'])) { + include_once($thisAuthSource['newUser']); + } else { + error_log('Chamilo Authentication file '. $thisAuthSource['newUser']. ' could not be found - this might prevent your system from using the authentication process in the user creation process',0); + } + } + } //end if is_array($extAuthSource) + if ($loginFailed) { //If we are here username given is wrong + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=user_password_incorrect'); + } + } //end else login failed + } elseif (api_get_setting('sso_authentication')==='true' && !in_array('webservices', explode('/', $_SERVER['REQUEST_URI']))) { + /** + * TODO: + * - Work on a better validation for webservices paths. Current is very poor and exit + */ + $subsso = api_get_setting('sso_authentication_subclass'); + //require_once(api_get_path(SYS_CODE_PATH).'auth/sso/sso.class.php'); moved to autologin + if (!empty($subsso)) { + require_once(api_get_path(SYS_CODE_PATH).'auth/sso/sso.'.$subsso.'.class.php'); + $subsso = 'sso'.$subsso; + $osso = new $subsso(); //load the subclass + } else { + $osso = new sso(); + } + if (isset($_SESSION['_user']['user_id'])) { + if ($logout) { + // Make custom redirect after logout + online_logout($_SESSION['_user']['user_id'], false); + $osso->logout(); //redirects and exits + } + } elseif(!$logout) { + // Handle cookie comming from Master Server + if (!isset($_GET['sso_referer']) && !isset($_GET['loginFailed'])) { + // Redirect to master server + $osso->ask_master(); + } elseif (isset($_GET['sso_cookie'])) { + // Here we are going to check the origin of + // what the call says should be used for + // authentication, and ensure we know it + $matches_domain = false; + if (isset($_GET['sso_referer'])) { + $protocol = api_get_setting('sso_authentication_protocol'); + // sso_authentication_domain can list + // several, comma-separated, domains + $master_urls = split(',',api_get_setting('sso_authentication_domain')); + if (!empty($master_urls)) { + $master_auth_uri = api_get_setting('sso_authentication_auth_uri'); + foreach ($master_urls as $mu) { + if (empty($mu)) { continue; } + // for each URL, check until we find *one* that matches the $_GET['sso_referer'], then skip the rest + if ($protocol.trim($mu).$master_auth_uri === $_GET['sso_referer']) { + $matches_domain = true; + break; + } + } + } else { + error_log('Your sso_authentication_master param is empty. Check the platform configuration, security section. It can be a list of comma-separated domains'); + } + } + if ($matches_domain) { //make all the process of checking //if the user exists (delegated to the sso class) $osso->check_user(); - } else { - error_log('Check the sso_referer URL in your script, it doesn\'t match any of the possibilities'); - //Request comes from unknown source - $loginFailed = true; - Session::erase('_uid'); - header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=unrecognize_sso_origin'); - exit; - } - } - }//end logout ... else ... login - } elseif (api_get_setting('openid_authentication')=='true') { - if (!empty($_POST['openid_url'])) { - include 'main/auth/openid/login.php'; - openid_begin(trim($_POST['openid_url']),api_get_path(WEB_PATH).'index.php'); - //this last function should trigger a redirect, so we can die here safely - die('Openid login redirection should be in progress'); - } elseif (!empty($_GET['openid_identity'])) { - //it's usual for PHP to replace '.' (dot) by '_' (underscore) in URL parameters - include('main/auth/openid/login.php'); - $res = openid_complete($_GET); - if ($res['status'] == 'success') { - $id1 = Database::escape_string($res['openid.identity']); - //have another id with or without the final '/' - $id2 = (substr($id1,-1,1)=='/'?substr($id1,0,-1):$id1.'/'); - //lookup the user in the main database - $user_table = Database::get_main_table(TABLE_MAIN_USER); - $sql = "SELECT user_id, username, password, auth_source, active, expiration_date - FROM $user_table - WHERE openid = '$id1' - OR openid = '$id2' "; - $result = Database::query($sql); - if ($result !== false) { - if (Database::num_rows($result)>0) { - //$row = Database::fetch_array($res); - $uData = Database::fetch_array($result); - - if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) { - //the authentification of this user is managed by Chamilo itself - - // check if the account is active (not locked) - if ($uData['active']=='1') { - // check if the expiration date has not been reached - if ($uData['expiration_date']>date('Y-m-d H:i:s') OR $uData['expiration_date']=='0000-00-00 00:00:00') { - $_user['user_id'] = $uData['user_id']; - $_user['status'] = $uData['status']; - - Session::write('_user',$_user); - event_login(); - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: index.php?loginFailed=1&error=account_expired'); - exit; - } - } else { - $loginFailed = true; - Session::erase('_uid'); - header('Location: index.php?loginFailed=1&error=account_inactive'); - exit; - } - if (isset($uData['creator_id']) && $_user['user_id'] != $uData['creator_id']) { - //first login for a not self registred - //e.g. registered by a teacher - //do nothing (code may be added later) - } - } - } else { - //Redirect to the subscription form - header('Location: '.api_get_path(WEB_CODE_PATH).'auth/inscription.php?username='.$res['openid.sreg.nickname'].'&email='.$res['openid.sreg.email'].'&openid='.$res['openid.identity'].'&openid_msg=idnotfound'); - //$loginFailed = true; - } - } else { - $loginFailed = true; - } - } else { - $loginFailed = true; - } - } - } elseif (KeyAuth::is_enabled()) { + } else { + error_log('Check the sso_referer URL in your script, it doesn\'t match any of the possibilities'); + //Request comes from unknown source + $loginFailed = true; + Session::erase('_uid'); + header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=unrecognize_sso_origin'); + exit; + } + } + }//end logout ... else ... login + } elseif (api_get_setting('openid_authentication')=='true') { + if (!empty($_POST['openid_url'])) { + include 'main/auth/openid/login.php'; + openid_begin(trim($_POST['openid_url']),api_get_path(WEB_PATH).'index.php'); + //this last function should trigger a redirect, so we can die here safely + die('Openid login redirection should be in progress'); + } elseif (!empty($_GET['openid_identity'])) { + //it's usual for PHP to replace '.' (dot) by '_' (underscore) in URL parameters + include('main/auth/openid/login.php'); + $res = openid_complete($_GET); + if ($res['status'] == 'success') { + $id1 = Database::escape_string($res['openid.identity']); + //have another id with or without the final '/' + $id2 = (substr($id1,-1,1)=='/'?substr($id1,0,-1):$id1.'/'); + //lookup the user in the main database + $user_table = Database::get_main_table(TABLE_MAIN_USER); + $sql = "SELECT user_id, username, password, auth_source, active, expiration_date + FROM $user_table + WHERE openid = '$id1' + OR openid = '$id2' "; + $result = Database::query($sql); + if ($result !== false) { + if (Database::num_rows($result)>0) { + //$row = Database::fetch_array($res); + $uData = Database::fetch_array($result); + + if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) { + //the authentification of this user is managed by Chamilo itself + + // check if the account is active (not locked) + if ($uData['active']=='1') { + // check if the expiration date has not been reached + if ($uData['expiration_date']>date('Y-m-d H:i:s') OR $uData['expiration_date']=='0000-00-00 00:00:00') { + $_user['user_id'] = $uData['user_id']; + $_user['status'] = $uData['status']; + + Session::write('_user',$_user); + event_login(); + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: index.php?loginFailed=1&error=account_expired'); + exit; + } + } else { + $loginFailed = true; + Session::erase('_uid'); + header('Location: index.php?loginFailed=1&error=account_inactive'); + exit; + } + if (isset($uData['creator_id']) && $_user['user_id'] != $uData['creator_id']) { + //first login for a not self registred + //e.g. registered by a teacher + //do nothing (code may be added later) + } + } + } else { + //Redirect to the subscription form + header('Location: '.api_get_path(WEB_CODE_PATH).'auth/inscription.php?username='.$res['openid.sreg.nickname'].'&email='.$res['openid.sreg.email'].'&openid='.$res['openid.identity'].'&openid_msg=idnotfound'); + //$loginFailed = true; + } + } else { + $loginFailed = true; + } + } else { + $loginFailed = true; + } + } + } elseif (KeyAuth::is_enabled()) { $success = KeyAuth::instance()->login(); if($success) { @@ -538,41 +538,41 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) { } } - // else {} => continue as anonymous user - $uidReset = true; + // else {} => continue as anonymous user + $uidReset = true; - // $cidReset = true; - // $gidReset = true; + // $cidReset = true; + // $gidReset = true; } // end else //Now check for anonymous user mode if (isset($use_anonymous) && $use_anonymous) { - //if anonymous mode is set, then try to set the current user as anonymous - //if he doesn't have a login yet - api_set_anonymous(); + //if anonymous mode is set, then try to set the current user as anonymous + //if he doesn't have a login yet + api_set_anonymous(); } else { - //if anonymous mode is not set, then check if this user is anonymous. If it - //is, clean it from being anonymous (make him a nobody :-)) - api_clear_anonymous(); + //if anonymous mode is not set, then check if this user is anonymous. If it + //is, clean it from being anonymous (make him a nobody :-)) + api_clear_anonymous(); } // if there is a cDir parameter in the URL (coming from courses/.htaccess redirection) if (!empty($cDir)) { - $c = CourseManager::get_course_id_from_path($cDir); - if ($c) { $cidReq = $c; } + $c = CourseManager::get_course_id_from_path($cDir); + if ($c) { $cidReq = $c; } } // if the requested course is different from the course in session if (!empty($cidReq) && (!isset($_SESSION['_cid']) or (isset($_SESSION['_cid']) && $cidReq != $_SESSION['_cid']))) { - $cidReset = true; - $gidReset = true; // As groups depend from courses, group id is reset + $cidReset = true; + $gidReset = true; // As groups depend from courses, group id is reset } // if the requested group is different from the group in session $gid = isset($_SESSION['_gid']) ? $_SESSION['_gid'] : ''; if ($gidReq && $gidReq != $gid) { - $gidReset = true; + $gidReset = true; } @@ -583,48 +583,48 @@ if (isset($uidReset) && $uidReset) { // session data refresh requested $is_platformAdmin = false; $is_allowedCreateCourse = false; - if (isset($_user['user_id']) && $_user['user_id'] && ! api_is_anonymous()) { + if (isset($_user['user_id']) && $_user['user_id'] && ! api_is_anonymous()) { // a uid is given (log in succeeded) - $user_table = Database::get_main_table(TABLE_MAIN_USER); - $admin_table = Database::get_main_table(TABLE_MAIN_ADMIN); - $track_e_login = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_LOGIN); - - $sql = "SELECT user.*, a.user_id is_admin, UNIX_TIMESTAMP(login.login_date) login_date - FROM $user_table - LEFT JOIN $admin_table a - ON user.user_id = a.user_id - LEFT JOIN $track_e_login login - ON user.user_id = login.login_user_id - WHERE user.user_id = '".$_user['user_id']."' - ORDER BY login.login_date DESC LIMIT 1"; - - $result = Database::query($sql); - - if (Database::num_rows($result) > 0) { - // Extracting the user data - - $uData = Database::fetch_array($result); - - $_user ['firstName'] = $uData ['firstname' ]; - $_user ['lastName' ] = $uData ['lastname' ]; - $_user ['mail' ] = $uData ['email' ]; - $_user ['lastLogin'] = $uData ['login_date']; - $_user ['official_code'] = $uData ['official_code']; - $_user ['picture_uri'] = $uData ['picture_uri']; - $_user ['user_id'] = $uData ['user_id']; - $_user ['language'] = $uData ['language']; - $_user ['auth_source'] = $uData ['auth_source']; - $_user ['theme'] = $uData ['theme']; - $_user ['status'] = $uData ['status']; - - $is_platformAdmin = (bool) (! is_null( $uData['is_admin'])); - $is_allowedCreateCourse = (bool) (($uData ['status'] == COURSEMANAGER) or (api_get_setting('drhCourseManagerRights') and $uData['status'] == DRH)); - ConditionalLogin::check_conditions($uData); - - Session::write('_user',$_user); - UserManager::update_extra_field_value($_user['user_id'], 'already_logged_in', 'true'); - Session::write('is_platformAdmin',$is_platformAdmin); - Session::write('is_allowedCreateCourse',$is_allowedCreateCourse); + $user_table = Database::get_main_table(TABLE_MAIN_USER); + $admin_table = Database::get_main_table(TABLE_MAIN_ADMIN); + $track_e_login = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_LOGIN); + + $sql = "SELECT user.*, a.user_id is_admin, UNIX_TIMESTAMP(login.login_date) login_date + FROM $user_table + LEFT JOIN $admin_table a + ON user.user_id = a.user_id + LEFT JOIN $track_e_login login + ON user.user_id = login.login_user_id + WHERE user.user_id = '".$_user['user_id']."' + ORDER BY login.login_date DESC LIMIT 1"; + + $result = Database::query($sql); + + if (Database::num_rows($result) > 0) { + // Extracting the user data + + $uData = Database::fetch_array($result); + + $_user ['firstName'] = $uData ['firstname' ]; + $_user ['lastName' ] = $uData ['lastname' ]; + $_user ['mail' ] = $uData ['email' ]; + $_user ['lastLogin'] = $uData ['login_date']; + $_user ['official_code'] = $uData ['official_code']; + $_user ['picture_uri'] = $uData ['picture_uri']; + $_user ['user_id'] = $uData ['user_id']; + $_user ['language'] = $uData ['language']; + $_user ['auth_source'] = $uData ['auth_source']; + $_user ['theme'] = $uData ['theme']; + $_user ['status'] = $uData ['status']; + + $is_platformAdmin = (bool) (! is_null( $uData['is_admin'])); + $is_allowedCreateCourse = (bool) (($uData ['status'] == COURSEMANAGER) or (api_get_setting('drhCourseManagerRights') and $uData['status'] == DRH)); + ConditionalLogin::check_conditions($uData); + + Session::write('_user',$_user); + UserManager::update_extra_field_value($_user['user_id'], 'already_logged_in', 'true'); + Session::write('is_platformAdmin',$is_platformAdmin); + Session::write('is_allowedCreateCourse',$is_allowedCreateCourse); // If request_uri is setted we have to go further to have course permissions /*if (empty($_SESSION['request_uri']) || !isset($_SESSION['request_uri'])) { @@ -635,17 +635,17 @@ if (isset($uidReset) && $uidReset) { // session data refresh requested LoginRedirection::redirect(); } }*/ - } else { - header('location:'.api_get_path(WEB_PATH)); - //exit("WARNING UNDEFINED UID !! "); - } - } else { // no uid => logout or Anonymous - Session::erase('_user'); - Session::erase('_uid'); - } - - Session::write('is_platformAdmin',$is_platformAdmin); - Session::write('is_allowedCreateCourse',$is_allowedCreateCourse); + } else { + header('location:'.api_get_path(WEB_PATH)); + //exit("WARNING UNDEFINED UID !! "); + } + } else { // no uid => logout or Anonymous + Session::erase('_user'); + Session::erase('_uid'); + } + + Session::write('is_platformAdmin',$is_platformAdmin); + Session::write('is_allowedCreateCourse',$is_allowedCreateCourse); } else { // continue with the previous values $_user = $_SESSION['_user']; $is_platformAdmin = isset($_SESSION['is_platformAdmin']) ? $_SESSION['is_platformAdmin'] : false; @@ -656,39 +656,39 @@ if (isset($uidReset) && $uidReset) { // session data refresh requested if (isset($cidReset) && $cidReset) { // Course session data refresh requested or empty data - if ($cidReq) { + if ($cidReq) { $_course = CourseManager::get_course_info_with_category($cidReq); - if (!empty($_course)) { + if (!empty($_course)) { //@TODO real_cid should be cid, for working with numeric course id $_real_cid = $_course['real_id']; - $_cid = $_course['code']; + $_cid = $_course['code']; Session::write('_real_cid', $_real_cid); - Session::write('_cid', $_cid); - Session::write('_course', $_course); - - // if a session id has been given in url, we store the session - if (api_get_setting('use_session_mode') == 'true') { - // Database Table Definitions - $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION); - $tbl_session_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE); - $tbl_session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER); - - if (!empty($_GET['id_session'])) { - $_SESSION['id_session'] = intval($_GET['id_session']); - $sql = 'SELECT name FROM '.$tbl_session . ' WHERE id="'.intval($_SESSION['id_session']) . '"'; - $rs = Database::query($sql); - list($_SESSION['session_name']) = Database::fetch_array($rs); - } else { - Session::erase('session_name'); - Session::erase('id_session'); - } - } + Session::write('_cid', $_cid); + Session::write('_course', $_course); + + // if a session id has been given in url, we store the session + if (api_get_setting('use_session_mode') == 'true') { + // Database Table Definitions + $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION); + $tbl_session_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE); + $tbl_session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER); + + if (!empty($_GET['id_session'])) { + $_SESSION['id_session'] = intval($_GET['id_session']); + $sql = 'SELECT name FROM '.$tbl_session . ' WHERE id="'.intval($_SESSION['id_session']) . '"'; + $rs = Database::query($sql); + list($_SESSION['session_name']) = Database::fetch_array($rs); + } else { + Session::erase('session_name'); + Session::erase('id_session'); + } + } if (!isset($_SESSION['login_as'])) { - //Course login + //Course login if (isset($_user['user_id'])) { event_course_login($_course['code'], $_user['user_id'], api_get_session_id()); } @@ -878,36 +878,36 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { $tbl_session_course = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE); $tbl_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER); - //Session coach, session admin, course coach admin + //Session coach, session admin, course coach admin $sql = "SELECT session.id_coach, session_admin_id, session_rcru.id_user - FROM $tbl_session session, $tbl_session_course_user session_rcru - WHERE session_rcru.id_session = session.id AND - session_rcru.course_code = '$_cid' AND - session_rcru.id_user = '$user_id' AND + FROM $tbl_session session, $tbl_session_course_user session_rcru + WHERE session_rcru.id_session = session.id AND + session_rcru.course_code = '$_cid' AND + session_rcru.id_user = '$user_id' AND session_rcru.id_session = $session_id AND - session_rcru.status = 2"; + session_rcru.status = 2"; - $result = Database::query($sql); - $row = Database::store_result($result); + $result = Database::query($sql); + $row = Database::store_result($result); //I'm a session admin? if (isset($row) && isset($row[0]) && $row[0]['session_admin_id'] == $user_id) { - $_courseUser['role'] = 'Professor'; - $is_courseMember = false; - $is_courseTutor = false; - $is_courseAdmin = false; - $is_courseCoach = false; - $is_sessionAdmin = true; - } else { + $_courseUser['role'] = 'Professor'; + $is_courseMember = false; + $is_courseTutor = false; + $is_courseAdmin = false; + $is_courseCoach = false; + $is_sessionAdmin = true; + } else { //Im a coach or a student? - $sql = "SELECT id_user, status FROM ".$tbl_session_course_user." + $sql = "SELECT id_user, status FROM ".$tbl_session_course_user." WHERE course_code = '$_cid' AND id_user = '".$user_id."' AND id_session = '".$session_id."' LIMIT 1"; - $result = Database::query($sql); + $result = Database::query($sql); - if (Database::num_rows($result)) { + if (Database::num_rows($result)) { $row = Database::fetch_array($result, 'ASSOC'); $session_course_status = $row['status']; @@ -947,7 +947,7 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { Session::erase('_courseUser'); break; } - } else { + } else { //unregister user $is_courseMember = false; $is_courseTutor = false; @@ -955,8 +955,8 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { $is_sessionAdmin = false; $is_courseCoach = false; Session::erase('_courseUser'); - } - } + } + } } //If I'm the admin platform i'm a teacher of the course @@ -974,10 +974,10 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { Session::erase('_courseUser'); } - //Checking the course access + //Checking the course access $is_allowed_in_course = false; - if (isset($_course)) { + if (isset($_course)) { switch ($_course['visibility']) { case COURSE_VISIBILITY_OPEN_WORLD: //3 $is_allowed_in_course = true; @@ -998,16 +998,16 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { } break; } - } + } // check the session visibility - if ($is_allowed_in_course == true) { + if ($is_allowed_in_course == true) { - //if I'm in a session - if ($session_id != 0) { - if (!$is_platformAdmin) { - // admin is not affected to the invisible session mode - $session_visibility = api_get_session_visibility($session_id); + //if I'm in a session + if ($session_id != 0) { + if (!$is_platformAdmin) { + // admin is not affected to the invisible session mode + $session_visibility = api_get_session_visibility($session_id); switch ($session_visibility) { case SESSION_INVISIBLE: @@ -1015,84 +1015,84 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { break; } //checking date - } + } } - } + } - // save the states + // save the states Session::write('is_courseAdmin', $is_courseAdmin); - Session::write('is_courseMember', $is_courseMember); - Session::write('is_courseTutor', $is_courseTutor); + Session::write('is_courseMember', $is_courseMember); + Session::write('is_courseTutor', $is_courseTutor); Session::write('is_courseCoach', $is_courseCoach); - Session::write('is_allowed_in_course', $is_allowed_in_course); - Session::write('is_sessionAdmin', $is_sessionAdmin); + Session::write('is_allowed_in_course', $is_allowed_in_course); + Session::write('is_sessionAdmin', $is_sessionAdmin); } else { // continue with the previous values - if (isset($_SESSION['_courseUser'])) { - $_courseUser = $_SESSION ['_courseUser']; - } + if (isset($_SESSION['_courseUser'])) { + $_courseUser = $_SESSION ['_courseUser']; + } $is_courseAdmin = isset($_SESSION ['is_courseAdmin']) ? $_SESSION ['is_courseAdmin'] : false; $is_courseTutor = isset($_SESSION ['is_courseTutor']) ? $_SESSION ['is_courseTutor'] : false; $is_courseCoach = isset($_SESSION ['is_courseCoach']) ? $_SESSION ['is_courseCoach'] : false; - $is_courseMember = isset($_SESSION ['is_courseMember']) ? $_SESSION ['is_courseMember'] : false; - $is_allowed_in_course = isset($_SESSION ['is_allowed_in_course']) ? $_SESSION ['is_allowed_in_course'] : false; + $is_courseMember = isset($_SESSION ['is_courseMember']) ? $_SESSION ['is_courseMember'] : false; + $is_allowed_in_course = isset($_SESSION ['is_allowed_in_course']) ? $_SESSION ['is_allowed_in_course'] : false; } /* GROUP INIT */ if ((isset($gidReset) && $gidReset) || (isset($cidReset) && $cidReset)) { // session data refresh requested - if ($gidReq && $_cid && !empty($_course['real_id'])) { // have keys to search data - $group_table = Database::get_course_table(TABLE_GROUP); - $sql = "SELECT * FROM $group_table WHERE c_id = ".$_course['real_id']." AND id = '$gidReq'"; - $result = Database::query($sql); - if (Database::num_rows($result) > 0) { // This group has recorded status related to this course - $gpData = Database::fetch_array($result); - $_gid = $gpData ['id']; - Session::write('_gid',$_gid); - } else { + if ($gidReq && $_cid && !empty($_course['real_id'])) { // have keys to search data + $group_table = Database::get_course_table(TABLE_GROUP); + $sql = "SELECT * FROM $group_table WHERE c_id = ".$_course['real_id']." AND id = '$gidReq'"; + $result = Database::query($sql); + if (Database::num_rows($result) > 0) { // This group has recorded status related to this course + $gpData = Database::fetch_array($result); + $_gid = $gpData ['id']; + Session::write('_gid',$_gid); + } else { Session::erase('_gid'); - } - } elseif (isset($_SESSION['_gid']) or isset($_gid)) { // Keys missing => not anymore in the group - course relation - Session::erase('_gid'); - } + } + } elseif (isset($_SESSION['_gid']) or isset($_gid)) { // Keys missing => not anymore in the group - course relation + Session::erase('_gid'); + } } elseif (isset($_SESSION['_gid'])) { // continue with the previous values - $_gid = $_SESSION ['_gid']; + $_gid = $_SESSION ['_gid']; } else { //if no previous value, assign caracteristic undefined value - $_gid = -1; + $_gid = -1; } //set variable according to student_view_enabled choices if (api_get_setting('student_view_enabled') == "true") { - if (isset($_GET['isStudentView'])) { - if ($_GET['isStudentView'] == 'true') { - if (isset($_SESSION['studentview'])) { - if (!empty($_SESSION['studentview'])) { - // switching to studentview - $_SESSION['studentview'] = 'studentview'; - } - } - } elseif ($_GET['isStudentView'] == 'false') { - if (isset($_SESSION['studentview'])) { - if (!empty($_SESSION['studentview'])) { - // switching to teacherview - $_SESSION['studentview'] = 'teacherview'; - } - } - } - } elseif (!empty($_SESSION['studentview'])) { - //all is fine, no change to that, obviously - } elseif (empty($_SESSION['studentview'])) { - // We are in teacherview here - $_SESSION['studentview'] = 'teacherview'; - } + if (isset($_GET['isStudentView'])) { + if ($_GET['isStudentView'] == 'true') { + if (isset($_SESSION['studentview'])) { + if (!empty($_SESSION['studentview'])) { + // switching to studentview + $_SESSION['studentview'] = 'studentview'; + } + } + } elseif ($_GET['isStudentView'] == 'false') { + if (isset($_SESSION['studentview'])) { + if (!empty($_SESSION['studentview'])) { + // switching to teacherview + $_SESSION['studentview'] = 'teacherview'; + } + } + } + } elseif (!empty($_SESSION['studentview'])) { + //all is fine, no change to that, obviously + } elseif (empty($_SESSION['studentview'])) { + // We are in teacherview here + $_SESSION['studentview'] = 'teacherview'; + } } if (isset($_cid)) { - $tbl_course = Database::get_main_table(TABLE_MAIN_COURSE); - $time = api_get_datetime(); - $sql="UPDATE $tbl_course SET last_visit= '$time' WHERE code='$_cid'"; - Database::query($sql); + $tbl_course = Database::get_main_table(TABLE_MAIN_COURSE); + $time = api_get_datetime(); + $sql="UPDATE $tbl_course SET last_visit= '$time' WHERE code='$_cid'"; + Database::query($sql); } Redirect::session_request_uri();