From 1679334034dfcc85b9f8566b378cf9597bf65ff6 Mon Sep 17 00:00:00 2001
From: skodak
Date: Tue, 20 Feb 2007 17:15:13 +0000
Subject: [PATCH] MDL-8590 auth cleanup - part 3
---
 enrol/imsenterprise/enrol.php | 2 +-
 lang/en_utf8/auth.php | 49 ++++++++++------
 lib/db/upgrade.php | 3 +
 lib/moodlelib.php | 105 +++++++++++++++++-----------------
 4 files changed, 87 insertions(+), 72 deletions(-)
diff --git a/enrol/imsenterprise/enrol.php b/enrol/imsenterprise/enrol.php
index 6590f714b6..ebc4530f28 100644
--- a/enrol/imsenterprise/enrol.php
+++ b/enrol/imsenterprise/enrol.php
@@ -648,7 +648,7 @@ function process_person_tag($tagcontents){
 }else{
 // If they don't exist and they have a defined username, and $CFG->enrol_createnewusers == true, we create them.
- $person->lang = $CFG->lang;
+ $person->lang = 'manual'; //TODO: this needs more work due tu multiauth changes
 $person->auth = $CFG->auth;
 $person->confirmed = 1;
 $person->timemodified = time();
diff --git a/lang/en_utf8/auth.php b/lang/en_utf8/auth.php
index d798f40188..a5384ab53d 100644
--- a/lang/en_utf8/auth.php
+++ b/lang/en_utf8/auth.php
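Review bot: In enrol/imsenterprise/enrol.php the replacement line writes the auth plugin name into the wrong field: `$person->lang = 'manual';` sets the new user's language to 'manual', while the context line `$person->auth = $CFG->auth;` below it is left as it was. Elsewhere in this patch `$CFG->auth` is read as a comma-separated list of enabled plugins (`explode(',', $CFG->auth)` in is_enabled_auth), so accounts created here could be stored with a list, or an empty value, as their auth method. The intended pair looks like `$person->lang = $CFG->lang;` and `$person->auth = 'manual';`. process_person_tag() starts and ends outside the hunk.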
@@ -8,11 +8,32 @@ $string['alternateloginurl'] = 'Alternate Login URL';
 $string['pluginnotenabled'] = 'Authentication plugin \'$a\' is not enabled.';
 $string['pluginnotinstalled'] = 'Authentication plugin \'$a\' is not installed.';
+// syncronization
+$string['auth_sync_script'] ='Cron synchronization script';
+$string['auth_dbinsertuser'] ='Inserted user $a[0] id $a[1]';
+$string['auth_dbinsertusererror'] = 'Error inserting user $a';
+$string['auth_dbdeleteuser'] ='Deleted user $a[0] id $a[1]';
+$string['auth_dbdeleteusererror'] = 'Error deleting user $a';
+$string['auth_dbreviveduser'] ='Revived user $a[0] id $a[1]';
+$string['auth_dbrevivedusererror'] = 'Error reviving user $a';
+$string['auth_dbsuspenduser'] ='Suspended user $a[0] id $a[1]';
+$string['auth_dbsuspendusererror'] = 'Error suspending user $a';
+$string['auth_dbupdatinguser'] ='Updating user $a[0] id $a[1]';
+$string['auth_remove_user_key'] ='Removed ext user';
+$string['auth_remove_user'] ='Specify what to do with internal user account during mass synchronization when user was removed from external source. Only suspended users are automatically revived if they reappear in ext source.';
+$string['auth_remove_keep'] ='Keep internal';
+$string['auth_remove_suspend'] ='Suspend internal';
+$string['auth_remove_delete'] ='Full delete internal';
+
+// nologin plugin
+$string['auth_nologindescription'] = 'Auxiliary plugin that prevents user to login into system and also discards any mail send to user. Can be used to suspend user accounts.';
+$string['auth_nologintitle'] = 'No login';
+
 // CAS plugin
 $string['auth_cas_logincas'] = 'Secure connection access';
 $string['auth_cas_invalidcaslogin'] = 'Sorry, your login has failed - you could not be authorised';
 $string['auth_cas_server_settings'] = 'CAS server configuration';
-$string['auth_castitle'] = 'Use a CAS server (SSO)';
+$string['auth_castitle'] = 'CAS server (SSO)';
 $string['auth_cas_hostname'] = 'Hostname of the CAS server
eg: host.domain.fr'; $string['auth_cas_baseuri'] = 'URI of the server (nothing if no baseUri)
For example, if the CAS server responds to host.domaine.fr/CAS/ then
cas_baseuri = CAS/'; $string['auth_cas_port'] = 'Port of the CAS server'; @@ -27,7 +48,6 @@ $string['auth_cas_cantconnect'] ='LDAP part of CAS-module cannot connect to serv $string['auth_cas_use_cas'] ='Use CAS'; $string['auth_cas_broken_password'] ='You cannot proceed without changing your password, however there is no available page for changing it. Please contact your Moodle Administrator.'; - $string['auth_cas_hostname_key'] ='Hostname'; $string['auth_cas_changepasswordurl'] ='Password-change URL'; $string['auth_cas_create_user_key'] ='Create user'; @@ -37,8 +57,6 @@ $string['auth_cas_casversion'] ='Version'; $string['auth_cas_port_key'] ='Port'; $string['auth_cas_baseuri_key'] ='Base URI'; - - $string['auth_changepasswordurl'] = 'Change password URL'; $string['auth_changepasswordurl_expl'] = 'Specify the url to send users who have lost their $a password. Set Use standard Change Password page to No.'; $string['auth_changepasswordhelp'] = 'Change password help'; @@ -61,11 +79,6 @@ $string['auth_dbtype'] = 'The database type (See the auth; - } if (file_exists("{$CFG->dirroot}/auth/$auth/auth.php")) { return is_readable("{$CFG->dirroot}/auth/$auth/auth.php"); } @@ -2364,14 +2360,16 @@ function exists_auth_plugin($auth='') { * @param string $auth Authentication plugin. * @return boolean Whether the plugin is enabled. */ -function is_enabled_auth($auth='') { +function is_enabled_auth($auth) { global $CFG; - // use the global default if not specified - if ($auth == '') { - $auth = $CFG->auth; + if (empty($auth)) { + return false; + } else if ($auth == 'manual') { + return true; } - return in_array($auth, explode(',', $CFG->auth_plugins_enabled)); + + return in_array($auth, explode(',', $CFG->auth)); } /** 
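Review bot: The docblock above is_enabled_auth() (it begins outside the hunk) still only says "Whether the plugin is enabled", but the new body adds two fixed answers that callers need to know about: an empty `$auth` is never enabled and `'manual'` is always enabled, whatever `$CFG->auth` holds. I would add `// 'manual' cannot be disabled; any other plugin must be listed in the comma-separated $CFG->auth` above the `in_array()` call. The list entries are compared untrimmed and loosely, so a setting such as `ldap, db` would not match `db`; `in_array($auth, array_map('trim', explode(',', $CFG->auth)), true)` is stricter. The default for `$auth` is also dropped, so any caller outside this diff that relied on `is_enabled_auth()` with no argument needs checking.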
@@ -2385,12 +2383,10 @@ function is_enabled_auth($auth='') { function get_auth_plugin($auth = '') { global $CFG; - // use the global default if not specified - if ($auth == '') { - $auth = $CFG->auth; + // use the manual if not specified + if (empty($auth)) { + $auth = 'manual'; } - - // TODO: plugin enabled? // check the plugin exists first if (! exists_auth_plugin($auth)) { @@ -2412,7 +2408,7 @@ function get_auth_plugin($auth = '') { * @return bool * @todo Outline auth types and provide code example */ -function is_internal_auth($auth='') { +function is_internal_auth($auth) { $authplugin = get_auth_plugin($auth); // throws error if bad $auth return $authplugin->is_internal(); } @@ -2456,7 +2452,7 @@ function create_user_record($username, $password, $auth='') { if ($newinfo = $authplugin->get_userinfo($username)) { $newinfo = truncate_userinfo($newinfo); foreach ($newinfo as $key => $value){ - $newuser->$key = addslashes(stripslashes($value)); // Just in case + $newuser->$key = addslashes($value); } } } @@ -2467,9 +2463,8 @@ function create_user_record($username, $password, $auth='') { } } - $newuser->auth = (empty($auth)) ? $CFG->auth : $auth; + $newuser->auth = (empty($auth)) ? 'manual' : $auth; $newuser->username = $username; - update_internal_user_password($newuser, $password, false); // fix for MDL-8480 // user CFG lang for user if $newuser->lang is empty 
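Review bot: With `stripslashes()` removed in the create_user_record() hunk, `$newuser->$key = addslashes($value);` is correct only if every plugin's `get_userinfo()` returns raw, unescaped values; that contract is not stated anywhere in the hunk, and a plugin that still returns slashed data would now store doubled backslashes. A comment on the line would pin it down, e.g. `// get_userinfo() returns raw values from the external source; slash them once for insert_record()`. Whether insert_record() expects pre-slashed input is not visible here, so that should be confirmed as well. create_user_record() begins and ends outside the hunk.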
@@ -2484,11 +2479,12 @@ function create_user_record($username, $password, $auth='') {
 $newuser->mnethostid = $CFG->mnet_localhost_id;
 if (insert_record('user', $newuser)) {
- $user = get_complete_user_data('username', $newuser->username);
- if($CFG->{'auth_'.$newuser->auth.'_forcechangepassword'}){
- set_user_preference('auth_forcepasswordchange', 1, $user->id);
- }
- return $user;
+ $user = get_complete_user_data('username', $newuser->username);
+ if($CFG->{'auth_'.$newuser->auth.'_forcechangepassword'}){
+ set_user_preference('auth_forcepasswordchange', 1, $user->id);
+ }
+ update_internal_user_password($user, $password);
+ return $user;
 }
 return false;
 }
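Review bot: The password is now stored only after the row exists, and neither `get_complete_user_data()` nor `update_internal_user_password()` is checked in the added lines: if the lookup returns false, `$user->id` and `$user->auth` are read from a non-object, and if the hash update fails the function still returns the user as created. A guard such as `if (!$user) { return false; }` right after the lookup would keep the failure visible to the caller. `$CFG->{'auth_'.$newuser->auth.'_forcechangepassword'}` is also read without `empty()`, so a plugin that never defined the setting raises a notice; `if (!empty($CFG->{'auth_'.$newuser->auth.'_forcechangepassword'})) {` avoids that. create_user_record() starts outside the hunk.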
@@ -2589,45 +2585,37 @@ function authenticate_user_login($username, $password) { global $CFG; - // default to manual if global auth is undefined or broken - if (empty($CFG->auth_plugins_enabled)) { - $CFG->auth_plugins_enabled = empty($CFG->auth) ? 'manual' : $CFG->auth; - } - // if blank, set default auth to first enabled auth plugin if (empty($CFG->auth)) { - $auths = explode(',', $CFG->auth_plugins_enabled); - $CFG->auth = $auths[0]; - } - - // if user not found, use site auth - if (!$user = get_complete_user_data('username', $username)) { - $user = new object(); - $user->id = 0; // Not a user - $auth = $CFG->auth_plugins_enabled; + $authsenabled = array('manual'); + } else { + $authsenabled = explode(',', 'manual,'.$CFG->auth); } - // Sort out the authentication method we are using. - if (empty($user->auth)) { // For some reason it isn't set yet - $primadmin = get_admin(); - if (!empty($user->id) && (($user->id==$primadmin->id) || isguest($user->id))) { - $auth = 'manual'; // always assume these guys are internal + if ($user = get_complete_user_data('username', $username)) { + $auth = empty($user->auth) ? 
'manual' : $user->auth; // use manual if auth not set + if ($auth=='nologin' or !is_enabled_auth($auth)) { + add_to_log(0, 'login', 'error', 'index.php', $username); + error_log('[client '.$_SERVER['REMOTE_ADDR']."] $CFG->wwwroot Disabled Login: $username ".$_SERVER['HTTP_USER_AGENT']); + return false; } - else { - $auth = $CFG->auth_plugins_enabled; // default to site method + if (!empty($user->deleted)) { + add_to_log(0, 'login', 'error', 'index.php', $username); + error_log('[client '.$_SERVER['REMOTE_ADDR']."] $CFG->wwwroot Deleted Login: $username ".$_SERVER['HTTP_USER_AGENT']); + return false; } + $auths = array($auth); + } else { - $auth = $user->auth; + $auths = $authsenabled; + $user = new object(); + $user->id = 0; // User does not exist } - // walk each authentication plugin, in order - $auths = explode(',', $auth); foreach ($auths as $auth) { $authplugin = get_auth_plugin($auth); - // on auth fail, log and fall through to the next plugin + // on auth fail fall through to the next plugin if (!$authplugin->user_login($username, $password)) { - add_to_log(0, 'login', 'error', 'index.php', $username); - error_log("[client {$_SERVER['REMOTE_ADDR']}] $CFG->wwwroot Auth=$auth Failed Login: $username {$_SERVER['HTTP_USER_AGENT']}"); continue; } @@ -2635,12 +2623,16 @@ function authenticate_user_login($username, $password) { if ($user->id) { // User already exists in database if (empty($user->auth)) { // For some reason auth isn't set yet set_field('user', 'auth', $auth, 'username', $username); + $user->auth = $auth; } - update_internal_user_password($user, $password); + + update_internal_user_password($user, $password); // just in case salt or encoding were changed (magic quotes too one day) + if (!$authplugin->is_internal()) { // update user record from external DB $user = update_user_record($username, get_auth_plugin($user->auth)); } } else { + // if user not found, create him $user = create_user_record($username, $password, $auth); } // fix for MDL-6928 
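Review bot: Both new `error_log()` calls in the first authenticate_user_login() hunk write `$username` and `$_SERVER['HTTP_USER_AGENT']` into the server log exactly as the client sent them, so a login attempt can carry line breaks or other control characters into the log and split or forge entries. Strip control characters first, for example `$logname = preg_replace('/[\x00-\x1f\x7f]/', ' ', $username);`, and do the same for the user agent, which may also be absent from `$_SERVER` and should be read behind `isset()`. The hunk also drops the per-plugin `add_to_log()`/`error_log()` on a failed `user_login()`; the code after the loop is outside this hunk, so it is worth confirming that a failed password attempt against an existing, enabled account is still logged somewhere. authenticate_user_login() starts and ends outside the hunk.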
@@ -2745,11 +2737,11 @@ function hash_internal_user_password($password) {
 * @param bool store changes also in db, default true
 * @return true if hash changed
 */
-function update_internal_user_password(&$user, $password, $storeindb=true) {
+function update_internal_user_password(&$user, $password) {
 global $CFG;
 $authplugin = get_auth_plugin($user->auth);
- if (!empty($authplugin->config->preventpassindb) /*|| $storeindb === false */) {
+ if (!empty($authplugin->config->preventpassindb)) {
 $hashedpassword = 'not cached';
 } else {
 $hashedpassword = hash_internal_user_password($password);
@@ -3280,6 +3272,11 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml='', $a
 return false;
 }
+ // skip mail to suspended users
+ if ($user->auth=='nologin') {
+ return true;
+ }
+
 if (!empty($user->emailstop)) {
 return 'emailstop';
 }
--
2.39.5
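Review bot: The docblock line `* @param bool store changes also in db, default true` is kept as context although the `$storeindb` parameter it describes is removed from the signature of update_internal_user_password() in this hunk, so the documentation now describes an argument that no longer exists. Delete that `@param` line and, since the body can store the literal `'not cached'` instead of a hash, say so in the description, e.g. `* Stores 'not cached' instead of a hash when the plugin sets preventpassindb.` A caller outside this diff that still passes a third argument will have it silently ignored, which is worth a search. The docblock and the function body both extend outside the hunk.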
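Review bot: The new check in email_to_user() reads `$user->auth` directly, while the existing check right below it uses `!empty($user->emailstop)`, which suggests callers may pass partial user objects; a user object without an `auth` field would raise a notice here. `if (!empty($user->auth) and $user->auth=='nologin') {` matches the neighbouring guard. Returning `true` also tells the caller the message was sent, so any caller that reports delivery will report success for a suspended account; if that is intended, a comment saying so would help, e.g. `// deliberately report success: mail to nologin accounts is discarded`. email_to_user() starts and ends outside the hunk.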