Files
moodle/auth/shibboleth/index.php
T
David Mudrák d82859b2c1 MDL-46946 user: Make missing required custom fields trigger profile edit
If there is a required custom field that the user can fill by editing
their profile, and that field is missing, the user should be considered
as not fully set up. Instead, we want to redirect them to edit their
profile first.

There are some exceptions when we want to fall back to the previous
behaviour and check just the name and email fields. These exceptional
cases include checking remote user data in incoming MNet request (no
user id, no custom fields supported) and calls to require_login() with
redirecting disabled (typically ajax filepicker requests on profile
editing page itself).

Additional plugins that call the function user_not_fully_set_up()
themselves, should perform the strict check in most/typical cases. So
the strict mode is enabled by default even if it changes the behaviour
slightly. In improbable case of additional plugins relying on the
previous behaviour of the function, they can use the $strict parameter
and keep performing the lax check. However, I am sure the correct fix in
that case will likely be to stop abusing this function.

Note that custom fields are not currently transferred during the MNet
roaming. So having custom fields configured as required on MNet service
provider site (where users can't edit their profiles) is expected to
display an error (as the site is considered as misconfigured).
2016-09-21 18:02:51 +02:00

97 lines
4.3 KiB
PHP

<?php
// Designed to be redirected from moodle/login/index.php
require('../../config.php');
$context = context_system::instance();
$PAGE->set_url('/auth/shibboleth/index.php');
$PAGE->set_context($context);
// Support for WAYFless URLs.
$target = optional_param('target', '', PARAM_LOCALURL);
if (!empty($target) && empty($SESSION->wantsurl)) {
$SESSION->wantsurl = $target;
}
if (isloggedin() && !isguestuser()) { // Nothing to do
if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) {
$urltogo = $SESSION->wantsurl; /// Because it's an address in this site
unset($SESSION->wantsurl);
} else {
$urltogo = $CFG->wwwroot.'/'; /// Go to the standard home page
unset($SESSION->wantsurl); /// Just in case
}
redirect($urltogo);
}
$pluginconfig = get_config('auth/shibboleth');
$shibbolethauth = get_auth_plugin('shibboleth');
// Check whether Shibboleth is configured properly
if (empty($pluginconfig->user_attribute)) {
print_error('shib_not_set_up_error', 'auth_shibboleth');
}
/// If we can find the Shibboleth attribute, save it in session and return to main login page
if (!empty($_SERVER[$pluginconfig->user_attribute])) { // Shibboleth auto-login
$frm = new stdClass();
$frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]);
// The password is never actually used, but needs to be passed to the functions 'user_login' and
// 'authenticate_user_login'. Shibboleth returns true for the function 'prevent_local_password', which is
// used when setting the password in 'update_internal_user_password'. When 'prevent_local_password'
// returns true, the password is set to 'not cached' (AUTH_PASSWORD_NOT_CACHED) in the Moodle DB. However,
// rather than setting the password to a hard-coded value, we will generate one each time, in case there are
// changes to the Shibboleth plugin and it is actually used.
$frm->password = generate_password(8);
/// Check if the user has actually submitted login data to us
if ($shibbolethauth->user_login($frm->username, $frm->password)
&& $user = authenticate_user_login($frm->username, $frm->password)) {
complete_user_login($user);
if (user_not_fully_set_up($USER, true)) {
$urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
// We don't delete $SESSION->wantsurl yet, so we get there later
} else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) {
$urltogo = $SESSION->wantsurl; /// Because it's an address in this site
unset($SESSION->wantsurl);
} else {
$urltogo = $CFG->wwwroot.'/'; /// Go to the standard home page
unset($SESSION->wantsurl); /// Just in case
}
/// Go to my-moodle page instead of homepage if defaulthomepage enabled
if (!has_capability('moodle/site:config',context_system::instance()) and !empty($CFG->defaulthomepage) && $CFG->defaulthomepage == HOMEPAGE_MY and !isguestuser()) {
if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
$urltogo = $CFG->wwwroot.'/my/';
}
}
redirect($urltogo);
exit;
}
else {
// The Shibboleth user couldn't be mapped to a valid Moodle user
print_error('shib_invalid_account_error', 'auth_shibboleth');
}
}
// If we can find any (user independent) Shibboleth attributes but no user
// attributes we probably didn't receive any user attributes
elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID']) || !empty($_SERVER['Shib-Application-ID'])) {
print_error('shib_no_attributes_error', 'auth_shibboleth' , '', '\''.$pluginconfig->user_attribute.'\', \''.$pluginconfig->field_map_firstname.'\', \''.$pluginconfig->field_map_lastname.'\' and \''.$pluginconfig->field_map_email.'\'');
} else {
print_error('shib_not_set_up_error', 'auth_shibboleth');
}