
MDL-28629 more checks during web service authentication

1 parent 919e659 commit 794e40ec3660ddde93b6d40857efe2d82090d7eb @mouneyrac mouneyrac committed Nov 11, 2011
Showing with 51 additions and 2 deletions.
  1. +5 −0 lang/en/webservice.php
  2. +46 −2 webservice/lib.php
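--- a/lang/en/webservice.php
+++ b/lang/en/webservice.php
@@ -185,6 +185,11 @@
 $string['webservicesoverview'] = 'Overview';
 $string['webservicetokens'] = 'Web service tokens';
 $string['wrongusernamepassword'] = 'Wrong username or password';
+$string['wsaccessuserdeleted'] = 'Refused web service access for deleted username: {$a}';
+$string['wsaccessuserexpired'] = 'Refused web service access for password expired username: {$a}';
+$string['wsaccessusernologin'] = 'Refused web service access for nologin authentication username: {$a}';
+$string['wsaccessusersuspended'] = 'Refused web service access for suspended username: {$a}';
+$string['wsaccessuserunconfirmed'] = 'Refused web service access for unconfirmed username: {$a}';
 $string['wsauthmissing'] = 'The web service authentication plugin is missing.';
 $string['wsauthnotenabled'] = 'The web service authentication plugin is disabled.';
 $string['wsclientdoc'] = 'Moodle web service client documentation';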
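--- a/webservice/lib.php
+++ b/webservice/lib.php
@@ -607,14 +607,58 @@ protected function authenticate_user() {
 throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
 }
-$user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0), '*', MUST_EXIST);
+$user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id), '*', MUST_EXIST);
 } else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN){
 $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
 } else {
 $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
 }
+//Non admin can not authenticate if maintenance mode
+$hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
+if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
+throw new webservice_access_exception(get_string('sitemaintenance', 'admin'));
+}
+
+//only confirmed user should be able to call web service
+if (!empty($user->deleted)) {
+add_to_log(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+throw new webservice_access_exception(get_string('wsaccessuserdeleted', 'webservice', $user->username));
+}
+
+//only confirmed user should be able to call web service
+if (empty($user->confirmed)) {
+add_to_log(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+throw new webservice_access_exception(get_string('wsaccessuserunconfirmed', 'webservice', $user->username));
+}
+
+//check the user is suspended
+if (!empty($user->suspended)) {
+add_to_log(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+throw new webservice_access_exception(get_string('wsaccessusersuspended', 'webservice', $user->username));
+}
+
+//retrieve the authentication plugin if no previously done
+if (empty($auth)) {
+$auth = get_auth_plugin($user->auth);
+}
+
+// check if credentials have expired
+if (!empty($auth->config->expiration) and $auth->config->expiration == 1) {
+$days2expire = $auth->password_expire($user->username);
+if (intval($days2expire) < 0 ) {
+add_to_log(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+throw new webservice_access_exception(get_string('wsaccessuserexpired', 'webservice', $user->username));
+}
+}
+
+//check if the auth method is nologin (in this case refuse connection)
+if ($user->auth=='nologin') {
+add_to_log(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+throw new webservice_access_exception(get_string('wsaccessusernologin', 'webservice', $user->username));
+}
+
 // now fake user login, the session is completely empty too
 session_set_user($user);
 $this->userid = $user->id;
@@ -655,7 +699,7 @@ protected function authenticate_by_token($tokentype){
 $this->restricted_context = get_context_instance_by_id($token->contextid);
 $this->restricted_serviceid = $token->externalserviceid;
-$user = $DB->get_record('user', array('id'=>$token->userid, 'deleted'=>0), '*', MUST_EXIST);
+$user = $DB->get_record('user', array('id'=>$token->userid), '*', MUST_EXIST);
 // log token access
 $DB->set_field('external_tokens', 'lastaccess', time(), array('id'=>$token->id));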
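Review bot: The `nologin` refusal at the end of the first hunk (`if ($user->auth=='nologin')`) runs only after `get_auth_plugin($user->auth)` has been loaded and `password_expire()` has been called on it, so an account whose auth method is explicitly "no login" still has a plugin instantiated and queried before it is turned away; move that five-line block up to sit before the `//retrieve the authentication plugin if no previously done` comment, directly after the suspended test, so the expiry branch never runs for such accounts. The comment on the deleted check is a copy of the one on the confirmed check below it; `//deleted users must never authenticate to a web service` describes what that branch actually tests. In the token branches `$auth` exists only through the `empty($auth)` fallback, while in the username/password branch it presumably carries the plugin resolved earlier in the method — a comment such as `// $auth may already hold the plugin used for the password check above; reuse it` would make that assumption explicit, since the expiry check trusts whichever plugin `$auth` holds. Because both `get_record` calls drop the `deleted` filter, every path through `authenticate_by_token()` (second hunk) now relies on the later `$user->deleted` test in `authenticate_user()`, so any other caller of that helper outside this diff would silently lose the deleted filter and is worth confirming. `authenticate_user()` begins before the hunk and `authenticate_by_token()` continues past the second one.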
