MDL-20700 coding style cleanup - cvs keywords removed, closign php tag removed, trailing whitespace cleanup

Petr Skoda 2009-11-01 11:55:14 +00:00
parent 4a0e2e632f
commit 5117d59899
34 changed files with 224 additions and 234 deletions


@ -120,7 +120,7 @@ They contain the same functions that were previously in each plugin's lib.php fi
but refactored to become class methods, and tweaked to reference the plugin's instantiated
config to get at the settings, rather than the global $CFG variable.
When creating new plugins you can either extend the abstract auth_plugin_base class
When creating new plugins you can either extend the abstract auth_plugin_base class
(defined in lib/authlib.php) or create a new one and implement all methods from
auth_plugin_base.


@ -122,7 +122,7 @@ class auth_plugin_cas extends auth_plugin_base {
$frm->password="guest";
return;
}
if ($this->config->multiauth) {
$authCAS = optional_param("authCAS", '', PARAM_RAW);
if ($authCAS=="NOCAS")
@ -443,7 +443,7 @@ if ( !is_object($PHPCAS_CLIENT) ) {
*/
function ldap_connect($binddn='',$bindpwd='') {
// Cache ldap connections (they are expensive to set up
// and can drain the TCP/IP ressources on the server if we
// and can drain the TCP/IP ressources on the server if we
// are syncing a lot of users (as we try to open a new connection
// to get the user details). This is the least invasive way
// to reuse existing connections without greater code surgery.
@ -488,7 +488,7 @@ if ( !is_object($PHPCAS_CLIENT) ) {
if ($bindresult) {
// Set the connection counter so we can call PHP's ldap_close()
// when we call $this->ldap_close() for the last 'open' connection.
$this->ldapconns = 1;
$this->ldapconns = 1;
$this->ldapconnection = $connresult;
return $connresult;
}
@ -695,7 +695,7 @@ if ( !is_object($PHPCAS_CLIENT) ) {
// find users in DB that aren't in ldap -- to be removed!
// this is still not as scalable (but how often do we mass delete?)
if (!empty($this->config->removeuser)) {
$sql = "SELECT u.id, u.username, u.email, u.auth
$sql = "SELECT u.id, u.username, u.email, u.auth
FROM {user} u
LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = ?)
WHERE u.auth='cas'
@ -1139,4 +1139,4 @@ if (!empty($this->config->attrcreators)) {
return $text;
}
}
?>
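Review bot: In the multiauth branch of this section, `optional_param("authCAS", '', PARAM_RAW)` takes the request value with no cleaning, although the only use visible here is a comparison with the literal "NOCAS". A narrower type, `$authCAS = optional_param("authCAS", '', PARAM_ALPHA);`, would discard unexpected input before it reaches the rest of the login hook. The hook's body continues outside the hunk, so confirm that no later use needs other characters. The NTLM section further down reads `sesskey` the same way, `required_param('sesskey', PARAM_RAW)`, before passing it to `ntlmsso_magic()`; if session keys are always alphanumeric, `PARAM_ALPHANUM` is the tighter choice there.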


@ -44,4 +44,3 @@ if (!is_enabled_auth('cas')) {
$casauth = get_auth_plugin('cas');
$casauth->sync_users(true);
?>


@ -16,31 +16,31 @@
// set to defaults if undefined (CAS)
if (!isset ($config->hostname))
if (!isset ($config->hostname))
$config->hostname = '';
if (!isset ($config->port))
if (!isset ($config->port))
$config->port = '';
if (!isset ($config->casversion))
if (!isset ($config->casversion))
$config->casversion = '';
if (!isset ($config->baseuri))
if (!isset ($config->baseuri))
$config->baseuri = '';
if (!isset ($config->language))
if (!isset ($config->language))
$config->language = '';
if (!isset ($config->proxycas))
if (!isset ($config->proxycas))
$config->proxycas = '';
if (!isset ($config->logoutcas))
if (!isset ($config->logoutcas))
$config->logoutcas = '';


@ -1,7 +1,5 @@
<?PHP
// version $Id$
// List of CAS langages.
// You can add langages in /CAS/langage.
@ -13,5 +11,3 @@ $CASLANGUAGES = array (
"english" => "English",
"french" => "French");
?>


@ -702,4 +702,4 @@ class auth_plugin_db extends auth_plugin_base {
}
}
?>


@ -43,4 +43,3 @@ if (!is_enabled_auth('db')) {
$dbauth = get_auth_plugin('db');
$dbauth->sync_users(true);
?>


@ -76,13 +76,13 @@ class auth_plugin_email extends auth_plugin_base {
function user_signup($user, $notify=true) {
global $CFG, $DB;
require_once($CFG->dirroot.'/user/profile/lib.php');
$user->password = hash_internal_user_password($user->password);
if (! ($user->id = $DB->insert_record('user', $user)) ) {
print_error('auth_emailnoinsert','auth_email');
}
/// Save any custom profile field information
profile_save_data($user);
@ -201,15 +201,15 @@ class auth_plugin_email extends auth_plugin_base {
*/
function process_config($config) {
// set to defaults if undefined
if (!isset($config->recaptcha)) {
$config->recaptcha = false;
if (!isset($config->recaptcha)) {
$config->recaptcha = false;
}
// save settings
set_config('recaptcha', $config->recaptcha, 'auth/email');
return true;
}
/**
* Returns whether or not the captcha element is enabled, and the admin settings fulfil its requirements.
* @return bool
@ -221,4 +221,4 @@ class auth_plugin_email extends auth_plugin_base {
}
?>


@ -22,7 +22,7 @@
echo $OUTPUT->select(html_select::make($yesno, 'recaptcha', $config->recaptcha, false));
?></td>
<td><?php print_string('auth_emailrecaptcha', 'auth_email') ?></td>
</tr>
</tr>
<?php
print_auth_lock_options('email', $user_fields, get_string('auth_fieldlocks_help', 'auth'), false, false);


@ -236,4 +236,4 @@ class auth_plugin_fc extends auth_plugin_base {
}
?>


@ -151,4 +151,4 @@ class auth_plugin_imap extends auth_plugin_base {
}
?>


@ -628,7 +628,7 @@ class auth_plugin_ldap extends auth_plugin_base {
// find users in DB that aren't in ldap -- to be removed!
// this is still not as scalable (but how often do we mass delete?)
if (!empty($this->config->removeuser)) {
$sql = "SELECT u.id, u.username, u.email, u.auth
$sql = "SELECT u.id, u.username, u.email, u.auth
FROM {user} u
LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = ?)
WHERE u.auth='ldap'
@ -1518,7 +1518,7 @@ class auth_plugin_ldap extends auth_plugin_base {
*/
function ldap_connect($binddn='',$bindpwd='') {
// Cache ldap connections (they are expensive to set up
// and can drain the TCP/IP ressources on the server if we
// and can drain the TCP/IP ressources on the server if we
// are syncing a lot of users (as we try to open a new connection
// to get the user details). This is the least invasive way
// to reuse existing connections without greater code surgery.
@ -1575,7 +1575,7 @@ class auth_plugin_ldap extends auth_plugin_base {
if ($bindresult) {
// Set the connection counter so we can call PHP's ldap_close()
// when we call $this->ldap_close() for the last 'open' connection.
$this->ldapconns = 1;
$this->ldapconns = 1;
$this->ldapconnection = $connresult;
return $connresult;
}
@ -1799,7 +1799,7 @@ class auth_plugin_ldap extends auth_plugin_base {
// HTTPS is potentially required
httpsrequired();
if (($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET of loginpage
|| ($_SERVER['REQUEST_METHOD'] === 'POST'
&& (get_referer() != strip_querystring(qualified_me()))))
@ -1834,7 +1834,7 @@ class auth_plugin_ldap extends auth_plugin_base {
redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
}
}
// No NTLM SSO, Use the normal login page instead.
// If $SESSION->wantsurl is empty and we have a 'Referer:' header, the login
@ -1852,9 +1852,9 @@ class auth_plugin_ldap extends auth_plugin_base {
/**
* To be called from a page running under NTLM's
* "Integrated Windows Authentication".
* "Integrated Windows Authentication".
*
* If successful, it will set a special "cookie" (not an HTTP cookie!)
* If successful, it will set a special "cookie" (not an HTTP cookie!)
* in cache_flags under the "auth/ldap/ntlmsess" "plugin" and return true.
* The "cookie" will be picked up by ntlmsso_finish() to complete the
* process.
@ -1862,7 +1862,7 @@ class auth_plugin_ldap extends auth_plugin_base {
* On failure it will return false for the caller to display an appropriate
* error message (probably saying that Integrated Windows Auth isn't enabled!)
*
* NOTE that this code will execute under the OS user credentials,
* NOTE that this code will execute under the OS user credentials,
* so we MUST avoid dealing with files -- such as session files.
* (The caller should define('NO_MOODLE_COOKIES', true) before including config.php)
*
@ -1886,13 +1886,13 @@ class auth_plugin_ldap extends auth_plugin_base {
}
/**
* Find the session set by ntlmsso_magic(), validate it and
* Find the session set by ntlmsso_magic(), validate it and
* call authenticate_user_login() to authenticate the user through
* the auth machinery.
*
*
* It is complemented by a similar check in user_login().
*
* If it succeeds, it never returns.
*
* If it succeeds, it never returns.
*
*/
function ntlmsso_finish() {
@ -1932,7 +1932,7 @@ class auth_plugin_ldap extends auth_plugin_base {
}
// Should never reach here.
return false;
}
}
/**
* Sync roles for this user
@ -2236,4 +2236,4 @@ class auth_plugin_ldap extends auth_plugin_base {
}
?>


@ -42,4 +42,4 @@ if (!is_enabled_auth('ldap')) {
$ldapauth = get_auth_plugin('ldap');
$ldapauth->sync_users(true);
?>


@ -49,7 +49,7 @@
{$config->forcechangepassword = 0; }
if (!isset($config->stdchangepassword))
{$config->stdchangepassword = 0; }
if (!isset($config->passtype))
if (!isset($config->passtype))
{$config->passtype = 'plaintext';}
if (!isset($config->changepasswordurl))
{$config->changepasswordurl = ''; }


@ -31,6 +31,6 @@ if (!$authplugin->ntlmsso_finish()) {
$PAGE->set_title("$site->fullname: $loginsite");
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
redirect($CFG->httpswwwroot . '/login/index.php?authldap_skipntlmsso=1',
redirect($CFG->httpswwwroot . '/login/index.php?authldap_skipntlmsso=1',
get_string('ntlmsso_failed','auth_ldap'), 3);
}


@ -24,14 +24,14 @@ if (empty($authplugin->config->ntlmsso_enabled)) {
$sesskey = required_param('sesskey', PARAM_RAW);
$file = $CFG->dirroot . '/pix/spacer.gif';
if ($authplugin->ntlmsso_magic($sesskey)
if ($authplugin->ntlmsso_magic($sesskey)
&& file_exists($file)) {
if (!empty($authplugin->config->ntlmsso_ie_fastpath)) {
if (check_browser_version('MSIE')) {
redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php');
}
}
}
// Serve GIF
// Type
@ -47,4 +47,4 @@ if ($authplugin->ntlmsso_magic($sesskey)
print_error('ntlmsso_iwamagicnotenabled','auth_ldap');
}
?>


@ -121,10 +121,10 @@ class auth_plugin_manual extends auth_plugin_base {
/**
* Confirm the new user as registered. This should normally not be used,
* but it may be necessary if the user auth_method is changed to manual
* but it may be necessary if the user auth_method is changed to manual
* before the user is confirmed.
*/
function user_confirm($username, $confirmsecret = null) {
function user_confirm($username, $confirmsecret = null) {
global $DB;
$user = get_complete_user_data('username', $username);
@ -132,7 +132,7 @@ class auth_plugin_manual extends auth_plugin_base {
if (!empty($user)) {
if ($user->confirmed) {
return AUTH_CONFIRM_ALREADY;
} else {
} else {
if (!$DB->set_field("user", "confirmed", 1, array("id"=>$user->id))) {
return AUTH_CONFIRM_FAIL;
}
@ -148,4 +148,4 @@ class auth_plugin_manual extends auth_plugin_base {
}
?>


@ -1,4 +1,4 @@
<?php // $Id$
<?php
/**
* @author Martin Dougiamas
@ -874,7 +874,7 @@ class auth_plugin_mnet extends auth_plugin_base {
unset($logEntryObj->username);
$logEntryObj = $this->trim_logline($logEntryObj);
$insertok = $DB->insert_record('mnet_log', $logEntryObj, false);
$insertok = $DB->insert_record('mnet_log', $logEntryObj, false);
if ($insertok) {
$MNET_REMOTE_CLIENT->last_log_id = $logEntryObj->remoteid;
@ -1349,5 +1349,3 @@ class auth_plugin_mnet extends auth_plugin_base {
}
?>


@ -46,4 +46,4 @@ if (empty($url)) {
}
redirect($url);
?>


@ -49,4 +49,4 @@ if ($wantsremoteurl) {
}
redirect($CFG->wwwroot . $wantsurl);
?>
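Review bot: The final `redirect($CFG->wwwroot . $wantsurl);` builds its target by plain concatenation, and nothing in the visible lines shows `$wantsurl` being limited to a site-relative path. The assignment lies outside the hunk, so this is a check to make rather than a confirmed defect. If the value comes from the request or from a remote peer, it should be cleaned with `PARAM_LOCALURL` or rejected unless it begins with `/`, since any other leading character can change which host the browser is sent to. A one-line comment above the call, `// $wantsurl is a validated site-relative path`, would record the assumption for the next reader.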


@ -120,4 +120,4 @@ class auth_plugin_nntp extends auth_plugin_base {
}
?>


@ -74,4 +74,4 @@ class auth_plugin_nologin extends auth_plugin_base {
}
?>


@ -121,4 +121,4 @@ class auth_plugin_none extends auth_plugin_base {
}
?>


@ -117,4 +117,4 @@ class auth_plugin_pam extends auth_plugin_base {
}
?>


@ -155,4 +155,4 @@ class auth_plugin_pop3 extends auth_plugin_base {
}
?>


@ -190,4 +190,4 @@ class auth_plugin_radius extends auth_plugin_base {
}
?>


@ -21,9 +21,9 @@ Changes:
attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
- 12. 2008: Shibboleth 2.x and Single Logout support added
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
language files.
- 3. 2009: Added various improvements and bug fixes reported by Ina Müller from
- 3. 2009: Added various improvements and bug fixes reported by Ina M<EFBFBD>ller from
university Tuebingen and Peter Ellis of University of Washington
- 4. 2009: Added another requirement for logout regarding the call back script
- 6. 2009: Changed handler URL when integrated Discovery Service is used
@ -47,9 +47,9 @@ Moodle Configuration with Dual login
with something that fits your needs, e.g. 'require affiliation student'.
For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml or
shibboleth2.xml).
RequestMap of the Shibboleth configuration file (shibboleth.xml or
shibboleth2.xml).
--
<Path name="moodle" requireSession="false" >
<Path name="auth/shibboleth/index.php" requireSession="true" >
@ -57,14 +57,14 @@ Moodle Configuration with Dual login
...
</AccessControl>
</Path>
</Path>
</Path>
--
Also see:
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
@ -79,37 +79,37 @@ Moodle Configuration with Dual login
#############################################################################
Shibboleth Attributes needed by Moodle:
For Moodle to work properly Shibboleth should at least provide the attribute
that is used as username in Moodle. It has to be unique for all Shibboleth
that is used as username in Moodle. It has to be unique for all Shibboleth
Be aware that Moodle converts the username to lowercase. So, the overall
behaviour of the username will be case-insensitive.
All attributes used for moodle must obey a certain length, otherwise Moodle
cuts off the ends. Consult the Moodle documentation for further information
All attributes used for moodle must obey a certain length, otherwise Moodle
cuts off the ends. Consult the Moodle documentation for further information
on the maximum lengths for each field in the user profile.
#############################################################################
4.a If you want Shibboleth as your only authentication method with an external
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the
'Common settings' in 'Administrations >> Users >> Authentication Options'
to the the URL of the file 'moodle/auth/shibboleth/index.php'.
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the
'Common settings' in 'Administrations >> Users >> Authentication Options'
to the the URL of the file 'moodle/auth/shibboleth/index.php'.
This will enforce Shibboleth login.
4.b If you want to use the Moodle integrated WAYF service, you have to activate it
in the Moodle Shibboleth authentication settings by checking the
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
'Identity Providers' textarea together with a name and an optional
SessionInitiator URL, which usually is an absolute or relative URL pointing
to the same host. If no SessionInitiator URL is given, the default one
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
in the Moodle Shibboleth authentication settings by checking the
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
'Identity Providers' textarea together with a name and an optional
SessionInitiator URL, which usually is an absolute or relative URL pointing
to the same host. If no SessionInitiator URL is given, the default one
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator
and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
Important Note: If you upgraded from a previous version of Moodle and now
want to use the integrated WAYF, you have to make sure that
in step 1 only the index.php script in
moodle/auth/shibboleth/ is protected but *not* the other
in step 1 only the index.php script in
moodle/auth/shibboleth/ is protected but *not* the other
scripts and especially not the login.php script.
If you were using the integrated WAYF alread with Shibboleth 1.3, it could
be that the integrated WAYF is not working anymore after you updated Moodle.
The reason is that the implicitly set default SessionInitiator changed in
@ -120,12 +120,12 @@ Moodle Configuration with Dual login
5. Save the changes for the 'Shibboleth settings'.
Important Note: If you went for 4.b (integrated WAYF service), saving the
Important Note: If you went for 4.b (integrated WAYF service), saving the
settings will overwrite the Moodle Alternate Login URL
using the Moodle web root URL.
6. If you want to use Shibboleth in addition to another authentication method
not using the integrated WAYF service from 4.b, change the 'Instructions' in
not using the integrated WAYF service from 4.b, change the 'Instructions' in
'Administrations >> Users >> Manage authentication' to contain a link to the
moodle/auth/shibboleth/index.php file which is protected by
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.
@ -144,7 +144,7 @@ Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only
authentication method (see 4.a), this happens automatically when a user selects
his home organization in the Moodle WAYF service or if the alternate login URL
is configured to be the protected /auth/shibboleth/index.php
Otherwise, the user has to click on the link on the dual login page you
Otherwise, the user has to click on the link on the dual login page you
provided in step 5.b.
Moodle basically checks whether the Shibboleth attribute that you mapped
@ -169,11 +169,11 @@ authentication method unless they have two accounts in Moodle.
Shibboleth dual login with custom login page
--------------------------------------------------------------------------------
You can create a dual login page that better fits your needs. For this
to work, you have to set up the two authentication methods (e.g. 'Manual
to work, you have to set up the two authentication methods (e.g. 'Manual
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual
login page. On that page you basically need a link to the Shibboleth-protected
page ('/auth/shibboleth/index.php') for the Shibboleth login and a
form that sends 'username' and 'password' to moodle/login/index.php. Set this
form that sends 'username' and 'password' to moodle/login/index.php. Set this
web page then als alternate login page.
Consult the Moodle documentation for further instructions and requirements.
@ -209,16 +209,16 @@ Example file:
if ($_SERVER[$this->config->field_map_address] != '')
{
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'
// We want to split this up to get:
// We want to split this up to get:
// institution, street, zipcode, city and country
$address = $_SERVER[$this->config->field_map_address];
list($institution, $street, $zip_city) = split('\$', $address);
ereg(' (.+)',$zip_city, $regs);
$city = $regs[1];
ereg('(.+)-',$zip_city, $regs);
$country = $regs[1];
$result["address"] = $street;
$result["city"] = $city;
$result["country"] = $country;
@ -233,32 +233,32 @@ Example file:
How to upgrade your Service Provider to 2.x
-------------------------------------------------------------------------------
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact
that in version 2.0 the default behaviour regarding attribute propagation
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact
that in version 2.0 the default behaviour regarding attribute propagation
changed.
While the Service Provider 1.3.x published the Shibboleth attributes to the
web server environment as HTTP Request headers, the Service Provider 2.x
web server environment as HTTP Request headers, the Service Provider 2.x
publishes attributes as environment variables, which increases the security for
some platforms.
However, this change has the effect that the attribute names change.
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']
or depending on your /etc/shibboleth/attribute-map.xml file just as
or depending on your /etc/shibboleth/attribute-map.xml file just as
$_SERVER['sn'].
Because Moodle needs to know what Shibboleth attributes it shall map onto which
Moodle user profile field, one has to make sure the mapping is updated as well
after the Service Provider upgrade.
********************************************************************************
Because you risk locking yourself out of Moodle it is strongly
Because you risk locking yourself out of Moodle it is strongly
recommended to use the following approach when upgrading the Service Provider:
1. Enable manual authentication before the upgrade.
2. Make sure that you have at least one manual account with administration
1. Enable manual authentication before the upgrade.
2. Make sure that you have at least one manual account with administration
privileges working before upgrading your Service Provider to 2.x.
3. After the SP upgrade, use this account to log into Moodle and adapt the
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
3. After the SP upgrade, use this account to log into Moodle and adapt the
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
the changed attribute names.
You find the attribute names in the file /etc/shibboleth/attribute-map.xml
You find the attribute names in the file /etc/shibboleth/attribute-map.xml
listed as the 'id' value of an attribute definition.
4. If you are using the integrated WAYF, you may have to set the third parameter
of each entry to '/Shibboleth.sso/DS'
@ -268,8 +268,8 @@ recommended to use the following approach when upgrading the Service Provider:
How to add logout support
--------------------------------------------------------------------------------
In order make Moodle support Shibboleth logout, one has to make the Shibboleth
Service Provider (SP) aware of the Moodle logout capability. Only then the SP
In order make Moodle support Shibboleth logout, one has to make the Shibboleth
Service Provider (SP) aware of the Moodle logout capability. Only then the SP
can trigger Moodle's front or back channel logout handler.
To make the SP aware of the Moodle logout, you have to add the following to the
@ -277,17 +277,17 @@ Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)
just before the <MetadataProvider> element.
--
<Notify
<Notify
Channel="back"
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" />
--
Then restart the Shibboleth daemon and check the log file for errors. If there
were no errors, you can test the logout feature by accessing Moodle,
Then restart the Shibboleth daemon and check the log file for errors. If there
were no errors, you can test the logout feature by accessing Moodle,
authenticating via Shibboleth and the access the URL:
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard
Shibboleth installation). If everything worked well, you should see a Shibboleth
page saying that you were successfully logged out and if you go back to Moodle
page saying that you were successfully logged out and if you go back to Moodle
you also should be logged out from Moodle.
Requirements:
@ -318,14 +318,14 @@ As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support
Single Logout (SLO). Therefore, the single logout feature cannot be used yet
in a Shibboleth only setup but there may be other SAML2 products that could
be used as Identity Provider, e.g. SimpleSAML PHP.
One of the reasons why SLO isn't supported yet is because there aren't many
applications yet that were adapted to support front and back channel
logout. Hopefully, the Moodle logout helps to motivate the developers to
One of the reasons why SLO isn't supported yet is because there aren't many
applications yet that were adapted to support front and back channel
logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO. On the other hand, the easiest and safest way to log out
still is to tell users to quit their web browsers :)
Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
background information on this topic.
--------------------------------------------------------------------------------


@ -68,7 +68,7 @@ class auth_plugin_shibboleth extends auth_plugin_base {
}
}
}
// Set shibboleth session ID for logout
$SESSION->shibboleth_session_id = $sessionkey;
@ -81,7 +81,7 @@ class auth_plugin_shibboleth extends auth_plugin_base {
}
/**
* Returns the user information for 'external' users. In this case the
* attributes provided by Shibboleth
@ -103,7 +103,7 @@ class auth_plugin_shibboleth extends auth_plugin_base {
$search_attribs = array();
foreach ($attrmap as $key=>$value) {
// Check if attribute is present
// Check if attribute is present
if (!isset($_SERVER[$value])){
$result[$key] = '';
continue;
@ -183,22 +183,22 @@ class auth_plugin_shibboleth extends auth_plugin_base {
return;
}
/**
* Hook for logout page
*
*/
function logoutpage_hook() {
global $redirect;
// Only do this if logout handler is defined
if (
isset($this->config->logout_handler)
isset($this->config->logout_handler)
&& !empty($this->config->logout_handler)
){
// Check if there is an alternative logout return url defined
if (
isset($this->config->logout_return_url)
isset($this->config->logout_return_url)
&& !empty($this->config->logout_return_url)
){
// Set temp_redirect to alternative return url
@ -207,7 +207,7 @@ class auth_plugin_shibboleth extends auth_plugin_base {
// Backup old redirect url
$temp_redirect = $redirect;
}
// Overwrite redirect in order to send user to Shibboleth logout page and let him return back
$redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
}
@ -246,15 +246,15 @@ class auth_plugin_shibboleth extends auth_plugin_base {
if (!isset ($config->convert_data)) {
$config->convert_data = '';
}
if (!isset($config->changepasswordurl)) {
$config->changepasswordurl = '';
}
if (!isset($config->login_name)) {
$config->login_name = 'Shibboleth Login';
}
// Clean idp list
if (isset($config->organization_selection) && !empty($config->organization_selection) && isset($config->alt_login) && $config->alt_login == 'on') {
$idp_list = get_idp_list($config->organization_selection);
@ -266,11 +266,11 @@ class auth_plugin_shibboleth extends auth_plugin_base {
$config->organization_selection .= $idp.', '.$value[0].', '.$value[1]."\n";
}
}
// save settings
set_config('user_attribute', $config->user_attribute, 'auth/shibboleth');
if (isset($config->organization_selection) && !empty($config->organization_selection)) {
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
}
@ -280,27 +280,27 @@ class auth_plugin_shibboleth extends auth_plugin_base {
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
// Overwrite alternative login URL if integrated WAYF is used
if (isset($config->alt_login) && $config->alt_login == 'on'){
set_config('alt_login', $config->alt_login, 'auth/shibboleth');
set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php');
} else {
// Check if integrated WAYF was enabled and is now turned off
// If it was and only then, reset the Moodle alternate URL
// If it was and only then, reset the Moodle alternate URL
if ($this->config->alt_login == 'on'){
set_config('alt_login', 'off', 'auth/shibboleth');
set_config('alternateloginurl', '');
}
$config->alt_login = 'off';
}
// Check values and return false if something is wrong
// Patch Anyware Technologies (14/05/07)
if (($config->convert_data != '')&&(!file_exists($config->convert_data) || !is_readable($config->convert_data))){
return false;
}
// Check if there is at least one entry in the IdP list
if (isset($config->organization_selection) && empty($config->organization_selection) && isset($config->alt_login) && $config->alt_login == 'on'){
return false;
@ -322,7 +322,7 @@ class auth_plugin_shibboleth extends auth_plugin_base {
}
}
/**
* Sets the standard SAML domain cookie that is also used to preselect
* the right entry on the local wayf
@ -341,25 +341,25 @@ class auth_plugin_shibboleth extends auth_plugin_base {
$IDPArray = appendCookieValue($selectedIDP, $IDPArray);
setcookie ('_saml_idp', generate_cookie_value($IDPArray), time() + (100*24*3600));
}
/**
* Prints the option elements for the select element of the drop down list
* Prints the option elements for the select element of the drop down list
*
*/
function print_idp_list(){
$config = get_config('auth/shibboleth');
$IdPs = get_idp_list($config->organization_selection);
if (isset($_COOKIE['_saml_idp'])){
$idp_cookie = generate_cookie_array($_COOKIE['_saml_idp']);
do {
$selectedIdP = array_pop($idp_cookie);
} while (!isset($IdPs[$selectedIdP]) && count($idp_cookie) > 0);
} else {
$selectedIdP = '-';
}
foreach($IdPs as $IdP => $data){
if ($IdP == $selectedIdP){
echo '<option value="'.$IdP.'" selected="selected">'.$data[0].'</option>';
@ -368,80 +368,80 @@ class auth_plugin_shibboleth extends auth_plugin_base {
}
}
}
/**
* Generate array of IdPs from Moodle Shibboleth settings
*
* @param string Text containing tuble/triple of IdP entityId, name and (optionally) session initiator
* @return array Identifier of IdPs and their name/session initiator
* @return array Identifier of IdPs and their name/session initiator
*/
function get_idp_list($organization_selection) {
$idp_list = array();
$idp_raw_list = split("\n", $organization_selection);
foreach ($idp_raw_list as $idp_line){
$idp_data = split(',', $idp_line);
if (isset($idp_data[2]))
{
$idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2]));
$idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2]));
}
elseif(isset($idp_data[1]))
{
$idp_list[trim($idp_data[0])] = array(trim($idp_data[1]));
}
}
return $idp_list;
}
/**
* Generates an array of IDPs using the cookie value
*
* @param string Value of SAML domain cookie
* @return array Identifiers of IdPs
* @param string Value of SAML domain cookie
* @return array Identifiers of IdPs
*/
function generate_cookie_array($value) {
// Decodes and splits cookie value
$CookieArray = split(' ', $value);
$CookieArray = array_map('base64_decode', $CookieArray);
return $CookieArray;
}
/**
* Generate the value that is stored in the cookie using the list of IDPs
*
* @param array IdP identifiers
* @param array IdP identifiers
* @return string SAML domain cookie value
*/
function generate_cookie_value($CookieArray) {
// Merges cookie content and encodes it
$CookieArray = array_map('base64_encode', $CookieArray);
$value = implode(' ', $CookieArray);
return $value;
}
/**
* Append a value to the array of IDPs
*
* @param string IdP identifier
* @param array IdP identifiers
* @return array IdP identifiers with appended IdP
* @return array IdP identifiers with appended IdP
*/
function appendCookieValue($value, $CookieArray) {
array_push($CookieArray, $value);
$CookieArray = array_reverse($CookieArray);
$CookieArray = array_unique($CookieArray);
$CookieArray = array_reverse($CookieArray);
return $CookieArray;
}
?>


@ -47,7 +47,7 @@
<tr valign="top">
<td align="right"><?php print_string("auth_shib_integrated_wayf", "auth_shibboleth") ?>:</td>
<td>
<input name="alt_login" type="checkbox" <?php
<input name="alt_login" type="checkbox" <?php
if ( isset($config->alt_login) and $config->alt_login == 'on' ){
echo 'checked="checked"';
}
@ -60,7 +60,7 @@
<td align="right"><?php print_string("auth_shib_idp_list", "auth_shibboleth") ?>:</td>
<td>
<textarea name="organization_selection" rows="10" cols="30" style="overflow: auto; white-space: nowrap;"
><?php
><?php
if (!isset($config->organization_selection)){
echo 'urn:mace:organization1:providerID, Example Organization 1
https://another.idp-id.com/shibboleth, Other Example Organization, /Shibboleth.sso/DS/SWITCHaai
@ -84,7 +84,7 @@ urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/
<tr valign="top">
<td align="right"><?php print_string("auth_shib_logout_url", "auth_shibboleth") ?>:</td>
<td>
<input name="logout_handler" type="text" size="30" value="<?php
<input name="logout_handler" type="text" size="30" value="<?php
if ( isset($config->logout_handler) and !empty($config->logout_handler)){
echo $config->logout_handler;
}
@ -96,7 +96,7 @@ urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/
<tr valign="top">
<td align="right"><?php print_string("auth_shib_logout_return_url", "auth_shibboleth") ?>:</td>
<td>
<input name="logout_return_url" type="text" size="30" value="<?php
<input name="logout_return_url" type="text" size="30" value="<?php
if ( isset($config->logout_return_url) and !empty($config->logout_return_url)){
echo $config->logout_return_url;
}
@ -108,7 +108,7 @@ urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/
<tr valign="top">
<td align="right"><?php print_string("auth_shib_auth_method", "auth_shibboleth") ?>:</td>
<td>
<input name="login_name" type="text" size="30" value="<?php
<input name="login_name" type="text" size="30" value="<?php
if ( isset($config->login_name) and !empty($config->login_name)){
echo htmlentities($config->login_name);
} else {


@ -17,12 +17,12 @@
}
redirect($urltogo);
}
$pluginconfig = get_config('auth/shibboleth');
$shibbolethauth = get_auth_plugin('shibboleth');
// Check whether Shibboleth is configured properly
if (empty($pluginconfig->user_attribute)) {
print_error('shib_not_set_up_error', 'auth');
@ -38,24 +38,24 @@
/// Check if the user has actually submitted login data to us
if ($shibbolethauth->user_login($frm->username, $frm->password)) {
$USER = authenticate_user_login($frm->username, $frm->password);
$USER->loggedin = true;
$USER->site = $CFG->wwwroot; // for added security, store the site in the
$USER->site = $CFG->wwwroot; // for added security, store the site in the
update_user_login_times();
// Don't show username on login page
set_moodle_cookie('nobody');
set_login_session_preferences();
unset($SESSION->lang);
$SESSION->justloggedin = true;
add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);
if (user_not_fully_set_up($USER)) {
$urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
// We don't delete $SESSION->wantsurl yet, so we get there later
@ -80,10 +80,10 @@
load_all_capabilities(); /// This is what lets the user do anything on the site :-)
redirect($urltogo);
exit;
}
}
else {
// For some weird reason the Shibboleth user couldn't be authenticated
}
@ -97,4 +97,4 @@
print_error('shib_not_set_up_error', 'auth');
}
?>


@ -10,8 +10,8 @@ if ($show_instructions) {
<div class="loginbox clearfix <?php echo $columns ?>">
<div class="loginpanel">
<!--<h2><?php print_string("returningtosite") ?></h2>-->
<h2><?php
<h2><?php
if (isset($config->login_name) && !empty($config->login_name)){
echo $config->login_name;
} else {
@ -31,7 +31,7 @@ if ($show_instructions) {
<div class="guestsub">
<p><?php print_string("auth_shibboleth_select_organization", "auth_shibboleth"); ?></p>
<form action="login.php" method="post" id="guestlogin">
<select name="idp">
<select name="idp">
<option value="-" ><?php print_string("auth_shibboleth_select_member", "auth_shibboleth"); ?></option>
<?php
print_idp_list();
@ -39,7 +39,7 @@ if ($show_instructions) {
</select><p><input type="submit" value="<?php print_string("select"); ?>" accesskey="s" /></p>
</form>
<p>
<?php
<?php
print_string("auth_shibboleth_contact_administrator", "auth_shibboleth");
echo '<a href="mailto:'.get_admin()->email.'"> Moodle Administrator</a>.';
?>
@ -70,7 +70,7 @@ if ($show_instructions) {
<div class="signuppanel">
<h2><?php print_string("firsttime") ?></h2>
<div class="subcontent">
<?php if (is_enabled_auth('none')) { // instructions override the rest for security reasons
<?php if (is_enabled_auth('none')) { // instructions override the rest for security reasons
print_string("loginstepsnone");
} else if ($CFG->registerauth == 'email') {
if (!empty($CFG->auth_instructions)) {


@ -2,7 +2,7 @@
require_once("../../config.php");
require_once($CFG->dirroot."/auth/shibboleth/auth.php");
//initialize variables
$errormsg = '';
@ -37,7 +37,7 @@ httpsrequired();
$loginurl = (!empty($CFG->alternateloginurl)) ? $CFG->alternateloginurl : '';
if (get_moodle_cookie() == '') {
if (get_moodle_cookie() == '') {
set_moodle_cookie('nobody'); // To help search for cookies
}
@ -49,13 +49,13 @@ httpsrequired();
// Set SAML domain cookie
$config = get_config('auth/shibboleth');
$IdPs = get_idp_list($config->organization_selection);
if (isset($_POST['idp']) && isset($IdPs[$_POST['idp']])){
$selectedIdP = $_POST['idp'];
set_saml_cookie($selectedIdP);
// Redirect to SessionInitiator with entityID as argument
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){
// For Shibbolet 1.x Service Providers
@ -83,9 +83,9 @@ httpsrequired();
$PAGE->set_heading($site->fullname);
$PAGE->set_focuscontrol('idp');
$PAGE->set_headingmenu('<div class="langmenu">'.$langmenu.'</div>');
echo $OUTPUT->header();
include("index_form.html");
echo $OUTPUT->footer();
?>


@ -1,4 +1,4 @@
<?php // $Id$
<?php
// Implements logout for Shibboleth authenticated users according to:
// - https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator
@ -13,42 +13,42 @@ require_once($CFG->dirroot."/auth/shibboleth/auth.php");
$protocol = 'http://';
if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'){
$protocol = 'https://';
}
}
// Front channel logout
if (
isset($_GET['return'])
isset($_GET['return'])
&& isset($_GET['action'])
&& $_GET['action'] == 'logout'
){
// Logout out user from application
// E.g. destroy application session/cookie etc
require_logout();
// Finally, send user to the return URL
redirect($_GET['return']);
}
// Back channel logout
elseif (!empty($HTTP_RAW_POST_DATA)) {
// Requires PHP 5
// Set SOAP header
$server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl');
$server->addFunction("LogoutNotification");
$server->handle();
}
}
// Return WSDL
else {
header('Content-Type: text/xml');
echo <<<WSDL
<?xml version ="1.0" encoding ="UTF-8" ?>
<definitions name="LogoutNotification"
@ -59,10 +59,10 @@ else {
<!--
This page either has to be called with the GET arguments 'action' and 'return' via
a redirect from the Shibboleth Service Provider logout handler (front-channel
logout) or via a SOAP request by a Shibboleth Service Provider (back-channel
a redirect from the Shibboleth Service Provider logout handler (front-channel
logout) or via a SOAP request by a Shibboleth Service Provider (back-channel
logout).
Because neither of these two variants seems to be the case, the WSDL file for
Because neither of these two variants seems to be the case, the WSDL file for
the web service is returned.
For more information see:
@ -74,43 +74,43 @@ For more information see:
<schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns="http://www.w3.org/2000/10/XMLSchema"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">
<simpleType name="string">
<restriction base="string">
<minLength value="1"/>
</restriction>
</simpleType>
<element name="OK" type="notify:OKType"/>
<complexType name="OKType">
<sequence/>
</complexType>
</schema>
</types>
<message name="getLogoutNotificationRequest">
<part name="SessionID" type="notify:string" />
</message>
<message name="getLogoutNotificationResponse" >
<part name="OK"/>
</message>
<portType name="LogoutNotificationPortType">
<operation name="LogoutNotification">
<input message="getLogoutNotificationRequest"/>
<output message="getLogoutNotificationResponse"/>
</operation>
</portType>
<binding name="LogoutNotificationBinding" type="notify:LogoutNotificationPortType">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="LogoutNotification">
<soap:operation soapAction="urn:xmethods-logout-notification#LogoutNotification"/>
</operation>
</binding>
<service name="LogoutNotificationService">
<port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
<soap:address location="{$protocol}{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}"/>
@ -125,12 +125,12 @@ WSDL;
/******************************************************************************/
function LogoutNotification($SessionID){
global $CFG, $SESSION, $DB;
// Delete session of user using $SessionID
if(empty($CFG->dbsessions)) {
// File session
$dir = $CFG->dataroot .'/sessions';
if (is_dir($dir)) {
@ -140,15 +140,15 @@ function LogoutNotification($SessionID){
// Check if it is a file
if (is_file($dir.'/'.$file)){
$session_key = ereg_replace('sess_', '', $file);
// Read session file data
$data = file($dir.'/'.$file);
if (isset($data[0])){
$user_session = unserializesession($data[0]);
// Check if we have found session that shall be deleted
// Check if we have found session that shall be deleted
if (isset($user_session['SESSION']) && isset($user_session['SESSION']->shibboleth_session_id)){
// If there is a match, delete file
if ($user_session['SESSION']->shibboleth_session_id == $SessionID){
// Delete session file
@ -168,15 +168,15 @@ function LogoutNotification($SessionID){
if (!empty($CFG->sessiontimeout)) {
$ADODB_SESS_LIFE = $CFG->sessiontimeout;
}
if ($user_session_data = $DB->get_records_sql('SELECT sesskey, sessdata FROM {sessions2} WHERE expiry > NOW()')) {
foreach ($user_session_data as $session_data) {
// Get user session
$user_session = adodb_unserialize( urldecode($session_data->sessdata) );
if (isset($user_session['SESSION']) && isset($user_session['SESSION']->shibboleth_session_id)){
// If there is a match, delete file
if ($user_session['SESSION']->shibboleth_session_id == $SessionID){
// Delete this session entry
@ -188,9 +188,9 @@ function LogoutNotification($SessionID){
}
}
}
// If now SoapFault was thrown the function will return OK as the SP assumes
}
/*****************************************************************************/
@ -204,5 +204,3 @@ function unserializesession( $serialized_string ){
}
return( $variables );
}
?>


@ -146,11 +146,11 @@ class auth_plugin_webservice extends auth_plugin_base {
/**
* Confirm the new user as registered. This should normally not be used,
* but it may be necessary if the user auth_method is changed to manual
* but it may be necessary if the user auth_method is changed to manual
* before the user is confirmed.
*/
function user_confirm($username, $confirmsecret = null) {
return AUTH_CONFIRM_ERROR;
return AUTH_CONFIRM_ERROR;
}
}