From dd0feda5c21d24c2415d1512b44a80b7f8ff89cf Mon Sep 17 00:00:00 2001 From: skodak Date: Tue, 27 Feb 2007 10:22:33 +0000 Subject: [PATCH] MDL-8669 broken auth signup code --- auth/email/auth.php | 29 +++++++++------ lib/moodlelib.php | 8 +++++ login/confirm.php | 82 ++++++++++++++++++++++--------------------- login/signup.php | 21 +++-------- login/signup_form.php | 4 +-- 5 files changed, 75 insertions(+), 69 deletions(-) diff --git a/auth/email/auth.php b/auth/email/auth.php index 2a1a515685..4f39c169d3 100644 --- a/auth/email/auth.php +++ b/auth/email/auth.php @@ -16,15 +16,6 @@ if (!defined('MOODLE_INTERNAL')) { die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page } -/** - * Error codes for user confirm - */ -define('AUTH_CONFIRM_FAIL', 0); -define('AUTH_CONFIRM_OK', 1); -define('AUTH_CONFIRM_ALREADY', 2); -define('AUTH_CONFIRM_ERROR', 3); -// TODO: instead of integers these could be the language keys? - /** * Email authentication plugin. @@ -76,8 +67,14 @@ class auth_plugin_email { /** * Sign up a new user ready for confirmation. + * Password is passed in plaintext. + * + * @param object $user new user object (with system magic quotes) + * @param boolean $notify print notice with link and terminate */ function user_signup($user, $notify = true) { + $user->password = hash_internal_user_password($user->password); + if (! ($user->id = insert_record('user', $user)) ) { print_error('auth_emailnoinsert','auth'); } 
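Review bot: The new `$user->password = hash_internal_user_password($user->password);` hashes the password exactly as the caller supplied it, and the docblock added in the same hunk says `$user` arrives "with system magic quotes", so a password containing a quote or backslash would be hashed together with its escaping slashes; that only round-trips if the login path hashes the same escaped form, which is not visible in this patch, so either confirm that or apply `stripslashes()` to the password on one agreed side before hashing. The docblock also omits the return contract that the next hunk (`@@ -90`) introduces: the function returns `true` only when `$notify` is false and otherwise prints the notice and never returns, e.g. `@return bool true when $notify is false; the notify path prints the notice and does not return`. The body of user_signup continues past the end of this hunk.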
@@ -90,11 +87,16 @@ class auth_plugin_email { $emailconfirm = get_string('emailconfirm'); print_header($emailconfirm, $emailconfirm, $emailconfirm); notice(get_string('emailconfirmsent', '', $user->email), "$CFG->wwwroot/index.php"); + } else { + return true; } } /** * Confirm the new user as registered. + * + * @param string $username (with system magic quotes) + * @param string $confirmsecret (with system magic quotes) */ function user_confirm($username, $confirmsecret) { $user = get_complete_user_data('username', $username); @@ -102,8 +104,11 @@ class auth_plugin_email { if (!empty($user)) { if ($user->confirmed) { return AUTH_CONFIRM_ALREADY; - } - if ($user->secret == $confirmsecret) { // They have provided the secret key to get in + + } else if ($user->auth != 'email') { + return AUTH_CONFIRM_ERROR; + + } else if ($user->secret == stripslashes($confirmsecret)) { // They have provided the secret key to get in if (!set_field("user", "confirmed", 1, "id", $user->id)) { return AUTH_CONFIRM_FAIL; } @@ -112,6 +117,8 @@ class auth_plugin_email { } return AUTH_CONFIRM_OK; } + } else { + return AUTH_CONFIRM_ERROR; } } diff --git a/lib/moodlelib.php b/lib/moodlelib.php index 5d28fcd40f..17bc7197ac 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php @@ -261,6 +261,14 @@ define ('BLOG_COURSE_LEVEL', 3); define ('BLOG_SITE_LEVEL', 4); define ('BLOG_GLOBAL_LEVEL', 5); +/** + * Authentication - error codes for user confirm + */ +define('AUTH_CONFIRM_FAIL', 0); +define('AUTH_CONFIRM_OK', 1); +define('AUTH_CONFIRM_ALREADY', 2); +define('AUTH_CONFIRM_ERROR', 3); + /// PARAMETER HANDLING //////////////////////////////////////////////////// diff --git a/login/confirm.php b/login/confirm.php index bef52d37f4..72fba41cf6 100644 --- a/login/confirm.php +++ b/login/confirm.php 
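Review bot: `$user->secret == stripslashes($confirmsecret)` compares a stored secret against request input with loose equality; PHP compares two numeric-looking strings numerically under `==`, so the check should be strict, `} else if ($user->secret === stripslashes($confirmsecret)) {`. When the user exists, is unconfirmed and has `auth == 'email'` but the secret does not match, no branch returns and the function falls off the end with `null`; the `else { return AUTH_CONFIRM_ERROR; }` added in the `@@ -112` hunk covers only the missing-user case, so the mismatch branch needs its own `} else { return AUTH_CONFIRM_ERROR; }`. That matters because `AUTH_CONFIRM_FAIL` is `0` and `null == 0` is true, so any caller testing for FAIL with `==` would misread the implicit null; the comparison in login/confirm.php happens to test only ALREADY and OK, so the bug is masked there.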
@@ -12,11 +12,11 @@ } $authplugin = get_auth_plugin($CFG->registerauth); - if (!method_exists($authplugin, 'user_create')) { + if (!method_exists($authplugin, 'user_confirm')) { error("Sorry, you may not use this page."); } - if (!empty($data) || (!empty($p) && !empty($s))) { + if (!empty($data) || (!empty($p) && !empty($s))) { if (!empty($data)) { $dataelements = explode('/',$data); @@ -27,49 +27,51 @@ $username = $s; } - $authplugin = get_auth_plugin($CFG->registerauth); $confirmed = $authplugin->user_confirm($username, $usersecret); if ($confirmed == AUTH_CONFIRM_ALREADY) { - $user = get_complete_user_data('username', $username); - print_header(get_string("alreadyconfirmed"), get_string("alreadyconfirmed"), "", ""); - echo "

".get_string("thanks").", ". fullname($user) . "

\n"; - echo "

".get_string("alreadyconfirmed")."

\n"; - echo "

-> wwwroot/course/\">".get_string("courses")."

\n"; - print_footer(); - exit; - } - if ($confirmed == AUTH_CONFIRM_OK) { - // Activate new user if necessary - $authplugin = get_auth_plugin($CFG->registerauth); - if (method_exists($authplugin, 'user_activate')) { - if (!$authplugin->user_activate($username)) { - error('Could not activate this user!'); - } - } - - // The user has confirmed successfully, let's log them in - - if (!$USER = get_complete_user_data('username', $username)) { - error("Something serious is wrong with the database"); + $user = get_complete_user_data('username', $username); + print_header(get_string("alreadyconfirmed"), get_string("alreadyconfirmed"), "", ""); + print_box_start('generalbox centerpara boxwidthnormal boxaligncenter'); + echo "

".get_string("thanks").", ". fullname($user) . "

\n"; + echo "

".get_string("alreadyconfirmed")."

\n"; + print_single_button("$CFG->wwwroot/course/", null, get_string('courses')); + print_box_end(); + print_footer(); + exit; + + } else if ($confirmed == AUTH_CONFIRM_OK) { + // Activate new user if necessary + if (method_exists($authplugin, 'user_activate')) { + if (!$authplugin->user_activate($username)) { + error('Could not activate this user!'); } - - set_moodle_cookie($USER->username); - - if ( ! empty($SESSION->wantsurl) ) { // Send them where they were going - $goto = $SESSION->wantsurl; - unset($SESSION->wantsurl); - redirect("$goto"); - } - - print_header(get_string("confirmed"), get_string("confirmed"), "", ""); - echo "

".get_string("thanks").", ". fullname($USER) . "

\n"; - echo "

".get_string("confirmed")."

\n"; - echo "

-> wwwroot/course/\">".get_string("courses")."

\n"; - print_footer(); - exit; + } + + // The user has confirmed successfully, let's log them in + + if (!$USER = get_complete_user_data('username', $username)) { + error("Something serious is wrong with the database"); + } + + set_moodle_cookie($USER->username); + + if ( ! empty($SESSION->wantsurl) ) { // Send them where they were going + $goto = $SESSION->wantsurl; + unset($SESSION->wantsurl); + redirect($goto); + } + + print_header(get_string("confirmed"), get_string("confirmed"), "", ""); + print_box_start('generalbox centerpara boxwidthnormal boxaligncenter'); + echo "

".get_string("thanks").", ". fullname($USER) . "

\n"; + echo "

".get_string("confirmed")."

\n"; + print_single_button("$CFG->wwwroot/course/", null, get_string('courses')); + print_box_end(); + print_footer(); + exit; } else { - error("Invalid confirmation data"); + error("Invalid confirmation data"); } } else { error(get_string("errorwhenconfirming")); diff --git a/login/signup.php b/login/signup.php index a372f83f6a..2aecde05c5 100644 --- a/login/signup.php +++ b/login/signup.php @@ -8,21 +8,19 @@ } $authplugin = get_auth_plugin($CFG->registerauth); - if (!method_exists($authplugin, 'user_create')) { + if (!method_exists($authplugin, 'user_signup')) { error("Sorry, you may not use this page."); } //HTTPS is potentially required in this page httpsrequired(); - $mform_signup = new login_signup_form_1(); + $mform_signup = new login_signup_form(); if ($mform_signup->is_cancelled()) { redirect($CFG->httpswwwroot.'/login/index.php'); - } else if ($user = $mform_signup->get_data()) { - $plainpass = $user->password; - $user->password = hash_internal_user_password($plainpass); + } else if ($user = $mform_signup->get_data()) { $user->confirmed = 0; $user->lang = current_language(); $user->firstaccess = time(); @@ -30,17 +28,8 @@ $user->secret = random_string(15); $user->auth = $CFG->registerauth; - if (! $authplugin->user_exists($user->username)) { - if (! $authplugin->user_create($user, $plainpass)) { - error("Could not add user to authentication module!"); - } - } else { - error("User already exists on authentication database."); - } - - $authplugin = get_auth_plugin($CFG->registerauth); - $signedup = $authplugin->user_signup($user, $notify=true); - exit; + $authplugin->user_signup($user, $notify=true); // prints notice and link to login/index.php + exit; //never reached } $newaccount = get_string('newaccount'); diff --git a/login/signup_form.php b/login/signup_form.php index 77849f250d..7a7081ab38 100644 --- a/login/signup_form.php +++ b/login/signup_form.php 
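Review bot: The `AUTH_CONFIRM_OK` branch logs the user in by assigning `$USER` from `get_complete_user_data()` and calling `set_moodle_cookie()`, but nothing in the hunk regenerates the session identifier at this privilege change; unless a helper outside this file does so, a session id established before confirmation remains valid afterwards, so consider `session_regenerate_id(true);` before `$USER` is populated, or routing through the same login helper the rest of the site uses. The ALREADY and OK branches also duplicate the header / box / thanks / button / footer / exit sequence and differ only in the string key and the user object; a small local function taking those two arguments would remove most of the repeated lines. The enclosing `if (!empty($data) || ...)` block starts before this hunk.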
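Review bot: `$authplugin->user_signup($user, $notify=true);` assigns a throwaway local inside the argument list; this PHP has no named arguments, so it reads like one but just passes `true`, and `$authplugin->user_signup($user, true); // notify: prints the confirmation notice and exits` says the same thing without the misleading assignment. Removing the `user_exists()` guard means duplicate-username protection now rests on the signup form's validation and on the database, neither of which is visible in this patch; if `user.username` has no unique index, two concurrent submissions can create two accounts with the same name, so it is worth confirming that login/signup_form.php still rejects an existing username. The `exit; //never reached` comment is only accurate while the call is made with notify on, which is the case on the line above it.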
@@ -2,11 +2,11 @@ require_once($CFG->libdir.'/formslib.php'); -class login_signup_form_1 extends moodleform { +class login_signup_form extends moodleform { function definition() { global $USER, $CFG; - $mform =& $this->_form; + $mform =& $this->_form; $mform->addElement('header', '', get_string('createuserandpass'), ''); -- 2.39.5