MDL-16723 automatic redirects to https when loginhttps enabled - this solves accidental usage of http version + it also solves recent navigation regressions + fixed regression from PAGE conversions + deprecated old httpsrequired() and $HTTPSPAGEREQUIRED

auth/ldap/auth.php

@@ -1498,7 +1498,7 @@ class auth_plugin_ldap extends auth_plugin_base {
         global $CFG, $SESSION;
 
         // HTTPS is potentially required
-        httpsrequired();
+        //httpsrequired(); - this must be used before setting the URL, it is already done on the login/index.php
 
         if (($_SERVER['REQUEST_METHOD'] === 'GET'         // Only on initial GET of loginpage
              || ($_SERVER['REQUEST_METHOD'] === 'POST'

auth/ldap/ntlmsso_attempt.php

@@ -2,8 +2,8 @@
 
 require_once(dirname(dirname(dirname(__FILE__))).'/config.php');
 
-// HTTPS is potentially required in this page
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
 $PAGE->set_url('/auth/ldap/ntlmsso_attempt.php');
 $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));

auth/ldap/ntlmsso_finish.php

@@ -2,8 +2,8 @@
 
 require_once(dirname(dirname(dirname(__FILE__))).'/config.php');
 
-// HTTPS is potentially required in this page
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
 $PAGE->set_url('/auth/ldap/ntlmsso_finish.php');
 $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));

auth/ldap/ntlmsso_magic.php

@@ -8,8 +8,9 @@ define('NO_MOODLE_COOKIES', true);
 
 require_once(dirname(dirname(dirname(__FILE__))).'/config.php');
 
-// HTTPS is potentially required in this page
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
+
 $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
 
 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence

auth/shibboleth/login.php

@@ -15,8 +15,8 @@
     }
 
 
-//HTTPS is potentially required in this page
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
 /// Define variables used in page
     $site = get_site();
@@ -69,7 +69,7 @@ httpsrequired();
     $PAGE->set_url('/auth/shibboleth/login.php');
     $PAGE->navbar->add($loginsite);
     $PAGE->set_title("$site->fullname: $loginsite");
-    $PAGE->set_heading($site->fullname);   
+    $PAGE->set_heading($site->fullname);
 
     echo $OUTPUT->header();
     include("index_form.html");

lib/deprecatedlib.php

@@ -74,6 +74,19 @@ function filter_text($text, $courseid = NULL) {
     return filter_manager::instance()->filter_text($text, $context);
 }
 
+/**
+ * This function indicates that current page requires the https
+ * when $CFG->loginhttps enabled.
+ *
+ * By using this function properly, we can ensure 100% https-ized pages
+ * at our entire discretion (login, forgot_password, change_password)
+ * @deprecated use $PAGE->https_required() instead
+ */
+function httpsrequired() {
+    global $PAGE;
+    $PAGE->https_required();
+}
+
 /**
  * Given a physical path to a file, returns the URL through which it can be reached in Moodle.
  *
@@ -85,7 +98,7 @@ function filter_text($text, $courseid = NULL) {
  * @return string URL to file
  */
 function get_file_url($path, $options=null, $type='coursefile') {
-    global $CFG, $HTTPSPAGEREQUIRED;
+    global $CFG;
 
     $path = str_replace('//', '/', $path);
     $path = trim($path, '/'); // no leading and trailing slashes

lib/moodlelib.php

@@ -8621,19 +8621,6 @@ function address_in_subnet($addr, $subnetstr) {
     return false;
 }
 
-/**
- * This function sets the $HTTPSPAGEREQUIRED global
- * (used in some parts of moodle to change some links)
- * and calculate the proper wwwroot to be used
- *
- * By using this function properly, we can ensure 100% https-ized pages
- * at our entire discretion (login, forgot_password, change_password)
- */
-function httpsrequired() {
-    global $PAGE;
-    $PAGE->https_required();
-}
-
 /**
  * For outputting debugging info
  *

lib/pagelib.php

@@ -223,6 +223,8 @@ class moodle_page {
      */
     protected $_legacythemeinuse = false;
 
+    protected $_https_login_required = false;
+
 /// Magic getter methods =============================================================
 /// Due to the __get magic below, you normally do not call these as $PAGE->magic_get_x
 /// methods, but instead use the $PAGE->x syntax.
@@ -1086,26 +1088,70 @@ class moodle_page {
     }
 
     /**
-     * This function sets the $HTTPSPAGEREQUIRED global
-     * (used in some parts of moodle to change some links)
-     * and calculate the proper wwwroot to be used
+     * This function indicates that current page requires the https
+     * when $CFG->loginhttps enabled.
      *
      * By using this function properly, we can ensure 100% https-ized pages
      * at our entire discretion (login, forgot_password, change_password)
+     * @return void
      */
     public function https_required() {
-        global $CFG, $HTTPSPAGEREQUIRED;
+        global $CFG;
+
+        if (!is_null($this->_url)) {
+            throw new coding_exception('https_required() must be used before setting page url!');
+        }
 
         $this->ensure_theme_not_set();
 
+        $this->_https_login_required = true;
+
         if (!empty($CFG->loginhttps)) {
-            $HTTPSPAGEREQUIRED = true;
             $CFG->httpswwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
         } else {
             $CFG->httpswwwroot = $CFG->wwwroot;
         }
     }
 
+    /**
+     * Makes sure that page previously marked with https_required()
+     * is really using https://, if not it redirects to https://
+     *
+     * @return void (may redirect to https://self)
+     */
+    public function verify_https_required() {
+        global $CFG, $FULLME;
+
+        if (is_null($this->_url)) {
+            throw new coding_exception('verify_https_required() must be called after setting page url!');
+        }
+
+        if (!$this->_https_login_required) {
+            throw new coding_exception('verify_https_required() must be called only after https_required()!');
+        }
+
+        if (empty($CFG->loginhttps)) {
+            // https not required, so stop checking
+            return;
+        }
+
+        if (strpos($this->_url, 'https://')) {
+            // detect if incorrect PAGE->set_url() used, it is recommended to use root-relative paths there
+            throw new coding_exception('Invalid page url specified, it must start with https:// for pages that set https_required()!');
+        }
+
+        if (!empty($CFG->sslproxy)) {
+            // it does not make much sense to use sslproxy and loginhttps at the same time
+            return;
+        }
+
+        // now the real test and redirect!
+        if (strpos($FULLME, 'https:') !== 0) {
+            // this may lead to infinite redirect on misconfigured sites, in that case use $CFG->loginhttps=0; in /config.php
+            redirect($this->_url);
+        }
+    }
+
 /// Initialisation methods =====================================================
 /// These set various things up in a default way.
 

lib/setup.php

@@ -272,17 +272,6 @@ global $OUTPUT;
  */
 global $MCACHE;
 
-/**
- * A global to define if the page being displayed must run under HTTPS.
- *
- * Its primary goal is to allow 100% HTTPS pages when $CFG->loginhttps is enabled. Default to false.
- * Its enabled only by the $PAGE->https_required() function and used in some pages to update some URLs
- *
- * @global bool $HTTPSPAGEREQUIRED
- * @name $HTTPSPAGEREQUIRED
- */
-global $HTTPSPAGEREQUIRED;
-
 /**
  * Full script path including all params, slash arguments, scheme and host.
  * @global string $FULLME

login/change_password.php

@@ -29,18 +29,19 @@ require_once('change_password_form.php');
 
 $id = optional_param('id', SITEID, PARAM_INT); // current course
 
-$url = new moodle_url('/login/change_password.php');
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
+
+$uparams = array();
 if ($id != SITEID) {
-    $url->param('id', $id);
+    $uparams['id'] = $id;
 }
-$PAGE->set_url($url);
+$PAGE->set_url('/login/change_password.php', $uparams);
+
 $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
 
 $strparticipants = get_string('participants');
 
-//HTTPS is potentially required in this page
-httpsrequired();
-
 $systemcontext = get_context_instance(CONTEXT_SYSTEM);
 
 if (!$course = $DB->get_record('course', array('id'=>$id))) {
@@ -127,6 +128,8 @@ if ($mform->is_cancelled()) {
     exit;
 }
 
+// make sure we really are on the https page when https login required
+$PAGE->verify_https_required();
 
 $strchangepassword = get_string('changepassword');
 

login/forgot_password.php

@@ -32,10 +32,11 @@ require_once('forgot_password_form.php');
 $p_secret   = optional_param('p', false, PARAM_RAW);
 $p_username = optional_param('s', false, PARAM_RAW);
 
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
-$systemcontext = get_context_instance(CONTEXT_SYSTEM);
 $PAGE->set_url('/login/forgot_password.php');
+$systemcontext = get_context_instance(CONTEXT_SYSTEM);
 $PAGE->set_context($systemcontext);
 
 // setup text strings
@@ -170,6 +171,9 @@ if ($mform->is_cancelled()) {
     die; // never reached
 }
 
+// make sure we really are on the https page when https login required
+$PAGE->verify_https_required();
+
 
 /// DISPLAY FORM
 

login/index.php

@@ -35,8 +35,8 @@ if ($cancel) {
     redirect(new moodle_url('/'));
 }
 
-//HTTPS is potentially required in this page
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
 $context = get_context_instance(CONTEXT_SYSTEM);
 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
@@ -273,6 +273,8 @@ if (!empty($CFG->alternateloginurl)) {
     redirect($loginurl);
 }
 
+// make sure we really are on the https page when https login required
+$PAGE->verify_https_required();
 
 /// Generate the login page with forms
 
@@ -311,14 +313,6 @@ foreach($authsequence as $authname) {
 $PAGE->set_title("$site->fullname: $loginsite");
 $PAGE->set_heading("$site->fullname");
 
-// make sure we are on the https page when https login required
-if (empty($CFG->sslproxy) and !empty($CFG->loginhttps)) {
-    if (strpos($FULLME, 'https:') !== 0) {
-        // this may lead to infinite redirect on misconfigured sites, in that case use $CFG->loginhttps=0; in /config.php 
-        redirect(get_login_url());
-    }
-}
-
 echo $OUTPUT->header();
 
 if (isloggedin() and !isguestuser()) {

login/signup.php

@@ -37,8 +37,9 @@ if (!$authplugin->can_signup()) {
     print_error('notlocalisederrormessage', 'error', '', 'Sorry, you may not use this page.');
 }
 
-//HTTPS is potentially required in this page
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
+
 $PAGE->set_url('/login/signup.php');
 $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
 
@@ -60,6 +61,10 @@ if ($mform_signup->is_cancelled()) {
     exit; //never reached
 }
 
+// make sure we really are on the https page when https login required
+$PAGE->verify_https_required();
+
+
 $newaccount = get_string('newaccount');
 $login      = get_string('login');
 

user/edit.php

@@ -29,17 +29,14 @@ require_once($CFG->dirroot.'/user/edit_form.php');
 require_once($CFG->dirroot.'/user/editlib.php');
 require_once($CFG->dirroot.'/user/profile/lib.php');
 
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
 $userid = optional_param('id', $USER->id, PARAM_INT);    // user id
 $course = optional_param('course', SITEID, PARAM_INT);   // course id (defaults to Site)
-$cancelemailchange = optional_param('cancelemailchange', false, PARAM_INT);   // course id (defaults to Site)
+$cancelemailchange = optional_param('cancelemailchange', 0, PARAM_INT);   // course id (defaults to Site)
 
-$url = new moodle_url('/user/edit.php', array('course'=>$course));
-if ($userid !== $USER->id) {
-    $url->param('id', $userid);
-}
-$PAGE->set_url($url);
+$PAGE->set_url('/user/edit.php', array('course'=>$course, 'id'=>$userid, 'cancelemailchange'=>$cancelemailchange));
 
 if (!$course = $DB->get_record('course', array('id'=>$course))) {
     print_error('invalidcourseid');
@@ -260,6 +257,9 @@ if ($usernew = $userform->get_data()) {
     }
 }
 
+// make sure we really are on the https page when https login required
+$PAGE->verify_https_required();
+
 
 /// Display page header
 $streditmyprofile = get_string('editmyprofile');

user/editadvanced.php

@@ -30,16 +30,13 @@ require_once($CFG->dirroot.'/user/editadvanced_form.php');
 require_once($CFG->dirroot.'/user/editlib.php');
 require_once($CFG->dirroot.'/user/profile/lib.php');
 
-httpsrequired();
+//HTTPS is required in this page when $CFG->loginhttps enabled
+$PAGE->https_required();
 
 $id     = optional_param('id', $USER->id, PARAM_INT);    // user id; -1 if creating new user
 $course = optional_param('course', SITEID, PARAM_INT);   // course id (defaults to Site)
 
-$url = new moodle_url('/user/editadvanced.php', array('course'=>$course));
-if ($id !== $USER->id) {
-    $url->param('id', $id);
-}
-$PAGE->set_url($url);
+$PAGE->set_url('/user/editadvanced.php', array('course'=>$course, 'id'=>$id));
 
 $course = $DB->get_record('course', array('id'=>$course), '*', MUST_EXIST);
 
@@ -235,6 +232,9 @@ if ($usernew = $userform->get_data()) {
     //never reached
 }
 
+// make sure we really are on the https page when https login required
+$PAGE->verify_https_required();
+
 
 /// Display page header
 if ($user->id == -1 or ($user->id != $USER->id)) {