Merge branch 'MDL-28629_MOODLE_21_STABLE' of git://github.com/mouneyr…

…ac/moodle into MOODLE_21_STABLE
commit 4236448a19a1837f3cc76e060ac7fcdc4a43cb8d 2 parents 27bc295 + 375c26d
Sam Hemelryk samhemelryk authored
Showing with 58 additions and 2 deletions.
  1. +5 −0 lang/en/webservice.php
  2. +7 −0 login/token.php
  3. +46 −2 webservice/lib.php
5 lang/en/webservice.php
@@ -196,6 +196,11 @@
$string['webservicesoverview'] = 'Overview';
$string['webservicetokens'] = 'Web service tokens';
$string['wrongusernamepassword'] = 'Wrong username or password';
+$string['wsaccessuserdeleted'] = 'Refused web service access for deleted username: {$a}';
+$string['wsaccessuserexpired'] = 'Refused web service access for password expired username: {$a}';
+$string['wsaccessusernologin'] = 'Refused web service access for nologin authentication username: {$a}';
+$string['wsaccessusersuspended'] = 'Refused web service access for suspended username: {$a}';
+$string['wsaccessuserunconfirmed'] = 'Refused web service access for unconfirmed username: {$a}';
$string['wsauthmissing'] = 'The web service authentication plugin is missing.';
$string['wsauthnotenabled'] = 'The web service authentication plugin is disabled.';
$string['wsclientdoc'] = 'Moodle web service client documentation';
7 login/token.php
@@ -41,6 +41,13 @@
}
$user = authenticate_user_login($username, $password);
if (!empty($user)) {
+
+ //Non admin can not authenticate if maintenance mode
+ $hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
+ if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
+ throw new moodle_exception('sitemaintenance', 'admin');
+ }
+
if (isguestuser($user)) {
throw new moodle_exception('noguest');
}
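Review bot: The maintenance-mode block added at lines 43–47 is the same four lines the commit also adds to authenticate_user() in webservice/lib.php, differing only in the exception class thrown; a small shared helper that returns the boolean (`user_blocked_by_maintenance($user)`, for example, with each caller throwing its own exception) would keep the two copies from drifting apart. Because the new check sits above `isguestuser($user)`, a guest login during maintenance is now reported as `sitemaintenance` rather than `noguest`, which is probably acceptable but changes which message a client sees. The enclosing `if (!empty($user))` block continues past the end of the hunk.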
48 webservice/lib.php
@@ -645,7 +645,7 @@ protected function authenticate_user() {
throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
}
- $user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0), '*', MUST_EXIST);
+ $user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id), '*', MUST_EXIST);
} else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN){
$user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
@@ -653,6 +653,50 @@ protected function authenticate_user() {
$user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
}
+ //Non admin can not authenticate if maintenance mode
+ $hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
+ if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
+ throw new webservice_access_exception(get_string('sitemaintenance', 'admin'));
+ }
+
+ //only confirmed user should be able to call web service
+ if (!empty($user->deleted)) {
+ add_to_log(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+ throw new webservice_access_exception(get_string('wsaccessuserdeleted', 'webservice', $user->username));
+ }
+
+ //only confirmed user should be able to call web service
+ if (empty($user->confirmed)) {
+ add_to_log(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+ throw new webservice_access_exception(get_string('wsaccessuserunconfirmed', 'webservice', $user->username));
+ }
+
+ //check the user is suspended
+ if (!empty($user->suspended)) {
+ add_to_log(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+ throw new webservice_access_exception(get_string('wsaccessusersuspended', 'webservice', $user->username));
+ }
+
+ //retrieve the authentication plugin if no previously done
+ if (empty($auth)) {
+ $auth = get_auth_plugin($user->auth);
+ }
+
+ // check if credentials have expired
+ if (!empty($auth->config->expiration) and $auth->config->expiration == 1) {
+ $days2expire = $auth->password_expire($user->username);
+ if (intval($days2expire) < 0 ) {
+ add_to_log(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+ throw new webservice_access_exception(get_string('wsaccessuserexpired', 'webservice', $user->username));
+ }
+ }
+
+ //check if the auth method is nologin (in this case refuse connection)
+ if ($user->auth=='nologin') {
+ add_to_log(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+ throw new webservice_access_exception(get_string('wsaccessusernologin', 'webservice', $user->username));
+ }
+
// now fake user login, the session is completely empty too
session_set_user($user);
$this->userid = $user->id;
@@ -693,7 +737,7 @@ protected function authenticate_by_token($tokentype){
$this->restricted_context = get_context_instance_by_id($token->contextid);
$this->restricted_serviceid = $token->externalserviceid;
- $user = $DB->get_record('user', array('id'=>$token->userid, 'deleted'=>0), '*', MUST_EXIST);
+ $user = $DB->get_record('user', array('id'=>$token->userid), '*', MUST_EXIST);
// log token access
$DB->set_field('external_tokens', 'lastaccess', time(), array('id'=>$token->id));
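Review bot: The comment at line 70 (`//only confirmed user should be able to call web service`) sits above the `$user->deleted` check and is repeated verbatim above the `confirmed` check at line 76; the first one should read `//deleted users can not call web services`. The `nologin` check at lines 102–106 runs only after `get_auth_plugin($user->auth)` and the password-expiry lookup have been done, so moving it up beside the suspended check avoids loading the plugin and calling `password_expire()` for an account that is refused regardless. With `'deleted'=>0` dropped from the `get_record` at line 115, authenticate_by_token() now reaches the `lastaccess` update at line 117 for a deleted user too, and that update happens before the caller's deleted/suspended/unconfirmed checks reject the request, so a refused attempt is still recorded as an access in `external_tokens.lastaccess`; if that is not intended, defer the `set_field` until after authenticate_user() has accepted the user. authenticate_user() starts before and ends after this hunk.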