
MDL-28629 more checks during web service authentication

mouneyrac committed Nov 11, 2011
1 parent 919e659 commit 794e40ec3660ddde93b6d40857efe2d82090d7eb
Showing with 51 additions and 2 deletions.
  1. +5 −0 lang/en/webservice.php
  2. +46 −2 webservice/lib.php
@@ -185,6 +185,11 @@
$string['webservicesoverview'] = 'Overview';
$string['webservicetokens'] = 'Web service tokens';
$string['wrongusernamepassword'] = 'Wrong username or password';
$string['wsaccessuserdeleted'] = 'Refused web service access for deleted username: {$a}';
$string['wsaccessuserexpired'] = 'Refused web service access for password expired username: {$a}';
$string['wsaccessusernologin'] = 'Refused web service access for nologin authentication username: {$a}';
$string['wsaccessusersuspended'] = 'Refused web service access for suspended username: {$a}';
$string['wsaccessuserunconfirmed'] = 'Refused web service access for unconfirmed username: {$a}';
$string['wsauthmissing'] = 'The web service authentication plugin is missing.';
$string['wsauthnotenabled'] = 'The web service authentication plugin is disabled.';
$string['wsclientdoc'] = 'Moodle web service client documentation';
@@ -607,14 +607,58 @@ protected function authenticate_user() {
throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
}
$user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0), '*', MUST_EXIST);
$user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id), '*', MUST_EXIST);
} else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN){
$user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
} else {
$user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
}
//Non admin can not authenticate if maintenance mode
$hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
throw new webservice_access_exception(get_string('sitemaintenance', 'admin'));
}
//only confirmed user should be able to call web service
if (!empty($user->deleted)) {
add_to_log(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
throw new webservice_access_exception(get_string('wsaccessuserdeleted', 'webservice', $user->username));
}
//only confirmed user should be able to call web service
if (empty($user->confirmed)) {
add_to_log(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
throw new webservice_access_exception(get_string('wsaccessuserunconfirmed', 'webservice', $user->username));
}
//check the user is suspended
if (!empty($user->suspended)) {
add_to_log(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
throw new webservice_access_exception(get_string('wsaccessusersuspended', 'webservice', $user->username));
}
//retrieve the authentication plugin if no previously done
if (empty($auth)) {
$auth = get_auth_plugin($user->auth);
}
// check if credentials have expired
if (!empty($auth->config->expiration) and $auth->config->expiration == 1) {
$days2expire = $auth->password_expire($user->username);
if (intval($days2expire) < 0 ) {
add_to_log(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
throw new webservice_access_exception(get_string('wsaccessuserexpired', 'webservice', $user->username));
}
}
//check if the auth method is nologin (in this case refuse connection)
if ($user->auth=='nologin') {
add_to_log(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
throw new webservice_access_exception(get_string('wsaccessusernologin', 'webservice', $user->username));
}
// now fake user login, the session is completely empty too
session_set_user($user);
$this->userid = $user->id;
@@ -655,7 +699,7 @@ protected function authenticate_by_token($tokentype){
$this->restricted_context = get_context_instance_by_id($token->contextid);
$this->restricted_serviceid = $token->externalserviceid;
$user = $DB->get_record('user', array('id'=>$token->userid, 'deleted'=>0), '*', MUST_EXIST);
$user = $DB->get_record('user', array('id'=>$token->userid), '*', MUST_EXIST);
// log token access
$DB->set_field('external_tokens', 'lastaccess', time(), array('id'=>$token->id));
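Review bot: The new account-state gates in authenticate_user run later than they need to: the maintenance-mode `has_capability()` call and the `get_auth_plugin($user->auth)` / `password_expire()` work all execute before the deleted, suspended, unconfirmed and nologin rejections, so an account that is refused anyway (deleted rows are now returned by the lookup since `'deleted'=>0` was dropped from the `get_record` call) still has its capabilities evaluated and its auth plugin loaded. I would move the deleted/suspended/unconfirmed checks directly after the `$user` assignment and place the nologin check ahead of the `if (empty($auth))` plugin retrieval, so no plugin code runs for a refused account; `$user->auth=='nologin'` should also be `=== 'nologin'`. The second hunk has the same ordering issue: `$DB->set_field('external_tokens', 'lastaccess', time(), ...)` in authenticate_by_token runs before authenticate_user applies these checks, so a token belonging to a deleted or suspended account still gets its lastaccess updated on every refused attempt. The enclosing method begins before the first hunk (the username/password branch is cut off) and continues after it.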
