MDL-26389 improve profile and search engine privacy

moodle · Feb 14, 2011 · 81b58cc · 81b58cc
1 parent d911c72
commit 81b58cc
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 21 deletions.
diff --git a/lib/sessionlib.php b/lib/sessionlib.php
@@ -216,19 +216,8 @@ protected function check_user_initialised() {
         $user = null;
 
         if (!empty($CFG->opentogoogle) and !NO_MOODLE_COOKIES) {
-            if (!empty($_SERVER['HTTP_USER_AGENT'])) {
-                // allow web spiders in as guest users
-                if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false ) {
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false ) { // Google
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') !== false ) {  // Yahoo
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], '[ZSEBOT]') !== false ) {  // Zoomspider
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSNBOT') !== false ) {  // MSN Search
-                    $user = guest_user();
-                }
+            if (is_web_crawler()) {
+                $user = guest_user();
             }
             if (!empty($CFG->guestloginbutton) and !$user and !empty($_SERVER['HTTP_REFERER'])) {
                 // automaticaly log in users coming from search engine results

diff --git a/lib/setuplib.php b/lib/setuplib.php
@@ -1123,6 +1123,38 @@ function init_eaccelerator() {
     return false;
 }
 
+/**
+ * Checks if current user is a web crawler.
+ *
+ * This list can not be made complete, this is not a security
+ * restriction, we make the list only to help these sites
+ * especially when automatic guest login is disabled.
+ *
+ * If admin needs security they should enable forcelogin
+ * and disable guest access!!
+ *
+ * @return bool
+ */
+function is_web_crawler() {
+    if (!empty($_SERVER['HTTP_USER_AGENT'])) {
+        if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false ) {
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false ) { // Google
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') !== false ) {  // Yahoo
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], '[ZSEBOT]') !== false ) {  // Zoomspider
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSNBOT') !== false ) {  // MSN Search
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'Yandex') !== false ) {
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'AltaVista') !== false ) {
+            return true;
+        }
+    }
+    return false;
+}
 
 /**
  * This class solves the problem of how to initialise $OUTPUT.

diff --git a/mod/forum/user.php b/mod/forum/user.php
@@ -106,11 +106,10 @@
 echo '<div class="user-content">';
 
 if ($course->id == SITEID) {
-    if (empty($CFG->forceloginforprofiles) || isloggedin()) {
+    $searchcourse = SITEID;
+    if (empty($CFG->forceloginforprofiles) or (isloggedin() and !isguestuser() and !is_web_crawler())) {
         // Search throughout the whole site.
         $searchcourse = 0;
-    } else {
-        $searchcourse = SITEID;
     }
 } else {
     // Search only for posts the user made in this course.

diff --git a/user/profile.php b/user/profile.php
@@ -42,9 +42,12 @@
 $userid = optional_param('id', 0, PARAM_INT);
 $edit   = optional_param('edit', null, PARAM_BOOL);    // Turn editing on and off
 
+$PAGE->set_url('/user/profile.php', array('id'=>$userid));
+
 if (!empty($CFG->forceloginforprofiles)) {
     require_login();
     if (isguestuser()) {
+        $SESSION->wantsurl = $PAGE->url->out(false);
         redirect(get_login_url());
     }
 } else if (!empty($CFG->forcelogin)) {
@@ -106,8 +109,6 @@
 // Start setting up the page
 $strpublicprofile = get_string('publicprofile');
 
-$params = array('id'=>$userid);
-$PAGE->set_url('/user/profile.php', $params);
 $PAGE->blocks->add_region('content');
 $PAGE->set_subpage($currentpage->id);
 $PAGE->set_title(fullname($user).": $strpublicprofile");

diff --git a/user/view.php b/user/view.php
@@ -40,8 +40,7 @@
     redirect($CFG->wwwroot.'/user/profile.php?id='.$id);  // Immediate redirect
 }
 
-$url = new moodle_url('/user/view.php', array('id'=>$id,'course'=>$courseid));
-$PAGE->set_url($url);
+$PAGE->set_url('/user/view.php', array('id'=>$id,'course'=>$courseid));
 
 $user = $DB->get_record('user', array('id'=>$id), '*', MUST_EXIST);
 $course = $DB->get_record('course', array('id'=>$courseid), '*', MUST_EXIST);
@@ -57,6 +56,14 @@
     print_error('invaliduserid');
 }
 
+if (!empty($CFG->forceloginforprofiles)) {
+    require_login(); // we can not log in to course due to the parent hack bellow
+    if (isguestuser()) {
+        $SESSION->wantsurl = $PAGE->url->out(false);
+        redirect(get_login_url());
+    }
+}
+
 $PAGE->set_context($coursecontext);
 $PAGE->set_course($course);
 $PAGE->set_pagetype('course-view-' . $course->format);  // To get the blocks exactly like the course
@@ -76,7 +83,7 @@
 } else {
     // normal course
     require_login($course);
-    // what to do with users temporary accessing this course? shoudl they see the details?
+    // what to do with users temporary accessing this course? should they see the details?
 }
 
 $strpersonalprofile = get_string('personalprofile');