diff --git a/lang/en/webservice.php b/lang/en/webservice.php
index 48760276de0..3a27994d8d8 100644
--- a/lang/en/webservice.php
+++ b/lang/en/webservice.php
@@ -188,6 +188,11 @@ $string['webservices'] = 'Web services';
 $string['webservicesoverview'] = 'Overview';
 $string['webservicetokens'] = 'Web service tokens';
 $string['wrongusernamepassword'] = 'Wrong username or password';
+$string['wsaccessuserdeleted'] = 'Refused web service access for deleted username: {$a}';
+$string['wsaccessuserexpired'] = 'Refused web service access for password expired username: {$a}';
+$string['wsaccessusernologin'] = 'Refused web service access for nologin authentication username: {$a}';
+$string['wsaccessusersuspended'] = 'Refused web service access for suspended username: {$a}';
+$string['wsaccessuserunconfirmed'] = 'Refused web service access for unconfirmed username: {$a}';
 $string['wsauthmissing'] = 'The web service authentication plugin is missing.';
 $string['wsauthnotenabled'] = 'The web service authentication plugin is disabled.';
 $string['wsclientdoc'] = 'Moodle web service client documentation';
diff --git a/login/token.php b/login/token.php
index d3f320dd0c7..93ba551090f 100644
--- a/login/token.php
+++ b/login/token.php
@@ -41,6 +41,13 @@ if (is_restored_user($username)) {
 }
 $user = authenticate_user_login($username, $password);
 if (!empty($user)) {
+
+    //Non admin can not authenticate if maintenance mode
+    $hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
+    if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
+        throw new moodle_exception('sitemaintenance', 'admin');
+    }
+
     if (isguestuser($user)) {
         throw new moodle_exception('noguest');
     }
diff --git a/webservice/lib.php b/webservice/lib.php
index d5f5cda93d4..7117a9b0292 100644
--- a/webservice/lib.php
+++ b/webservice/lib.php
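Review bot: In the login/token.php hunk, has_capability() is evaluated for every successfully authenticated user before `$CFG->maintenance_enabled` is even consulted, so a capability lookup against the system context runs on every token request even when maintenance mode is off; test the flag first and let the capability check short-circuit: `if (!empty($CFG->maintenance_enabled) && !has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user)) {`. The same maintenance-mode block is added verbatim in webservice/lib.php (hunk at @@ -653), so the two copies are best factored into one helper that both the token endpoint and the web service server call, otherwise the two policies will drift. The comment would also read better as `// Only users holding moodle/site:config may obtain a token while the site is in maintenance mode.` The enclosing `if (!empty($user))` block continues past the hunk.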
@@ -645,7 +645,7 @@ abstract class webservice_server implements webservice_server_interface {
                 throw new webservice_access_exception(get_string('wrongusernamepassword', 'webservice'));
             }
-            $user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0), '*', MUST_EXIST);
+            $user = $DB->get_record('user', array('username'=>$this->username, 'mnethostid'=>$CFG->mnet_localhost_id), '*', MUST_EXIST);
         } else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN){
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_PERMANENT);
@@ -653,6 +653,50 @@ abstract class webservice_server implements webservice_server_interface {
             $user = $this->authenticate_by_token(EXTERNAL_TOKEN_EMBEDDED);
         }
 
+        //Non admin can not authenticate if maintenance mode
+        $hassiteconfig = has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $user);
+        if (!empty($CFG->maintenance_enabled) and !$hassiteconfig) {
+            throw new webservice_access_exception(get_string('sitemaintenance', 'admin'));
+        }
+
+        //only confirmed user should be able to call web service
+        if (!empty($user->deleted)) {
+            add_to_log(SITEID, '', '', '', get_string('wsaccessuserdeleted', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+            throw new webservice_access_exception(get_string('wsaccessuserdeleted', 'webservice', $user->username));
+        }
+
+        //only confirmed user should be able to call web service
+        if (empty($user->confirmed)) {
+            add_to_log(SITEID, '', '', '', get_string('wsaccessuserunconfirmed', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+            throw new webservice_access_exception(get_string('wsaccessuserunconfirmed', 'webservice', $user->username));
+        }
+
+        //check the user is suspended
+        if (!empty($user->suspended)) {
+            add_to_log(SITEID, '', '', '', get_string('wsaccessusersuspended', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+            throw new webservice_access_exception(get_string('wsaccessusersuspended', 'webservice', $user->username));
+        }
+
+        //retrieve the authentication plugin if no previously done
+        if (empty($auth)) {
+            $auth = get_auth_plugin($user->auth);
+        }
+
+        // check if credentials have expired
+        if (!empty($auth->config->expiration) and $auth->config->expiration == 1) {
+            $days2expire = $auth->password_expire($user->username);
+            if (intval($days2expire) < 0 ) {
+                add_to_log(SITEID, '', '', '', get_string('wsaccessuserexpired', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+                throw new webservice_access_exception(get_string('wsaccessuserexpired', 'webservice', $user->username));
+            }
+        }
+
+        //check if the auth method is nologin (in this case refuse connection)
+        if ($user->auth=='nologin') {
+            add_to_log(SITEID, '', '', '', get_string('wsaccessusernologin', 'webservice', $user->username) . " - ".getremoteaddr(), 0, $user->id);
+            throw new webservice_access_exception(get_string('wsaccessusernologin', 'webservice', $user->username));
+        }
+
         // now fake user login, the session is completely empty too
         enrol_check_plugins($user);
         session_set_user($user);
@@ -694,7 +738,7 @@ abstract class webservice_server implements webservice_server_interface {
             $this->restricted_context = get_context_instance_by_id($token->contextid);
             $this->restricted_serviceid = $token->externalserviceid;
 
-            $user = $DB->get_record('user', array('id'=>$token->userid, 'deleted'=>0), '*', MUST_EXIST);
+            $user = $DB->get_record('user', array('id'=>$token->userid), '*', MUST_EXIST);
 
             // log token access
             $DB->set_field('external_tokens', 'lastaccess', time(), array('id'=>$token->id));