From 6cee96c8afa756f1fb37dda0cd9a0e527b6eb1a6 Mon Sep 17 00:00:00 2001
From: Damyon Wiese
Date: Wed, 5 Apr 2017 12:51:56 +0800
Subject: [PATCH] MDL-58220 oauth2: obey $CFG->authpreventaccountcreation

---
 auth/oauth2/classes/auth.php | 59 +++++++++++++++++++++++++++++
 auth/oauth2/lang/en/auth_oauth2.php | 1 +
 2 files changed, 60 insertions(+)

diff --git a/auth/oauth2/classes/auth.php b/auth/oauth2/classes/auth.php
index bd1fbf7c45b..fad6e1599e0 100644
--- a/auth/oauth2/classes/auth.php
+++ b/auth/oauth2/classes/auth.php
@@ -365,11 +365,23 @@ class auth extends \auth_plugin_base {
 $userinfo = $client->get_userinfo();
 if (!$userinfo) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_NOUSER;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+
 $errormsg = get_string('loginerror_nouserinfo', 'auth_oauth2');
 $SESSION->loginerrormsg = $errormsg;
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
 }
 if (empty($userinfo['username']) || empty($userinfo['email'])) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_NOUSER;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+
 $errormsg = get_string('loginerror_userincomplete', 'auth_oauth2');
 $SESSION->loginerrormsg = $errormsg;
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
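Review bot: In the `if (!$userinfo)` branch the new event payload reads `$userinfo['username']` from the value the guard has just established is empty or false, so the event is built from an undefined offset (a PHP notice, and an empty username in the log); the `empty($userinfo['username'])` branch below has the same problem because the guard fires precisely when that key is missing. Compute the value defensively once before the event, `$username = empty($userinfo['username']) ? '' : $userinfo['username'];`, and pass `'username' => $username` in both `create()` calls. The event data is still worth emitting in these branches, since a steady stream of them is how an operator notices a misconfigured or misbehaving identity provider, so the fix should keep the event and only harden the payload. The enclosing method begins before and continues past this hunk.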
@@ -403,17 +415,35 @@ class auth extends \auth_plugin_base {
 $userinfo = (array) $mappeduser;
 $userwasmapped = true;
 } else {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_UNAUTHORISED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+
 $errormsg = get_string('confirmationpending', 'auth_oauth2');
 $SESSION->loginerrormsg = $errormsg;
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
 }
 } else if (!empty($linkedlogin)) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_UNAUTHORISED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+
 $errormsg = get_string('confirmationpending', 'auth_oauth2');
 $SESSION->loginerrormsg = $errormsg;
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
 }
 $issuer = $client->get_issuer();
 if (!$issuer->is_valid_login_domain($userinfo['email'])) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_UNAUTHORISED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+
 $errormsg = get_string('notloggedindebug', 'auth_oauth2', get_string('loginerror_invaliddomain', 'auth_oauth2'));
 $SESSION->loginerrormsg = $errormsg;
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
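Review bot: The five-line "Trigger login failed event" block is pasted verbatim into all three failure branches of this hunk, and again in the hunks at `@@ -365`, `@@ -439`, `@@ -447`, `@@ -454` and `@@ -478`; only the `AUTH_LOGIN_*` constant varies between the nine copies. A private helper on the class keeps the event shape in one place, so a future branch cannot forget `trigger()` or drift in its payload, and each call site shrinks to one line such as `$this->trigger_login_failed($userinfo['username'], AUTH_LOGIN_UNAUTHORISED);`. The helper and one rewritten branch are shown below; the method these hunks belong to starts and ends outside the hunk.
```php
    /**
     * Record a failed OAuth 2 login as a core user_login_failed event.
     *
     * @param string $username Username reported by the identity provider.
     * @param int $reason One of the AUTH_LOGIN_* failure constants.
     */
    private function trigger_login_failed($username, $reason) {
        $event = \core\event\user_login_failed::create(['other' => ['username' => $username,
                                                                    'reason' => $reason]]);
        $event->trigger();
    }

    // … unchanged: complete_login() up to the mapped-user branch …
            } else {
                $this->trigger_login_failed($userinfo['username'], AUTH_LOGIN_UNAUTHORISED);

                $errormsg = get_string('confirmationpending', 'auth_oauth2');
    // … unchanged: remaining branches, each calling the helper with its reason …
```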
@@ -439,6 +469,11 @@ class auth extends \auth_plugin_base {
 $exists = \core_user::get_user_by_username($userinfo['username']);
 // Creating a new user?
 if ($exists) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_FAILED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
 // The username exists but the emails don't match. Refuse to continue.
 $errormsg = get_string('accountexists', 'auth_oauth2');
@@ -447,6 +482,11 @@ class auth extends \auth_plugin_base {
 }
 if (email_is_not_allowed($userinfo['email'])) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_FAILED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
 // The username exists but the emails don't match. Refuse to continue.
 $reason = get_string('loginerror_invaliddomain', 'auth_oauth2');
 $errormsg = get_string('notloggedindebug', 'auth_oauth2', $reason);
@@ -454,6 +494,19 @@ class auth extends \auth_plugin_base {
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
 }
+ if (!empty($CFG->authpreventaccountcreation)) {
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_UNAUTHORISED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+ // The username does not exist and settings prevent creating new accounts.
+ $reason = get_string('loginerror_cannotcreateaccounts', 'auth_oauth2');
+ $errormsg = get_string('notloggedindebug', 'auth_oauth2', $reason);
+ $SESSION->loginerrormsg = $errormsg;
+ redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
+ }
+
 $PAGE->set_url('/auth/oauth2/confirm-account.php');
 $PAGE->set_context(context_system::instance());
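Review bot: The new `authpreventaccountcreation` guard in the third hunk (`@@ -454`) only protects this login path; the line right after it sets the page URL to `/auth/oauth2/confirm-account.php`, which appears to be where the account is actually created, so if that page can be reached without passing through this method (not visible in the hunk) the same check needs to sit there as well — worth confirming rather than assuming. The new block also reports `AUTH_LOGIN_UNAUTHORISED` while the two neighbouring refusals in `@@ -439` and `@@ -447` report `AUTH_LOGIN_FAILED` for what is equally a policy refusal of a verified identity; a one-line comment stating the intended distinction, e.g. `// UNAUTHORISED: the identity was verified, site policy refuses to create the account.`, would help anyone triaging the event log. The comment copied into the `email_is_not_allowed` branch in `@@ -447`, "The username exists but the emails don't match", is a context line that no longer describes that branch and could be corrected while the surrounding lines are being touched. The enclosing method starts and ends outside these hunks.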
@@ -478,6 +531,12 @@ class auth extends \auth_plugin_base {
 $this->update_picture($user);
 redirect($redirecturl);
 }
+ // Trigger login failed event.
+ $failurereason = AUTH_LOGIN_FAILED;
+ $event = \core\event\user_login_failed::create(['other' => ['username' => $userinfo['username'],
+ 'reason' => $failurereason]]);
+ $event->trigger();
+
 $errormsg = get_string('notloggedindebug', 'auth_oauth2', get_string('loginerror_authenticationfailed', 'auth_oauth2'));
 $SESSION->loginerrormsg = $errormsg;
 redirect(new moodle_url($CFG->httpswwwroot . '/login/index.php'));
diff --git a/auth/oauth2/lang/en/auth_oauth2.php b/auth/oauth2/lang/en/auth_oauth2.php
index 5e8fc620263..fb6e6c40014 100644
--- a/auth/oauth2/lang/en/auth_oauth2.php
+++ b/auth/oauth2/lang/en/auth_oauth2.php
@@ -77,6 +77,7 @@ $string['loginerror_userincomplete'] = 'The user information returned did not co
 $string['loginerror_nouserinfo'] = 'No user information was returned. The OAuth 2 service may be configured incorrectly.';
 $string['loginerror_invaliddomain'] = 'The email address is not allowed at this site.';
 $string['loginerror_authenticationfailed'] = 'The authentication process failed.';
+$string['loginerror_cannotcreateaccounts'] = 'The account does not exist and this site does not allow self-registration.';
 $string['notloggedindebug'] = 'The login attempt failed. Reason: {$a}';
 $string['notwhileloggedinas'] = 'Linked logins cannot be managed while logged in as another user.';
 $string['oauth2:managelinkedlogins'] = 'Manage own linked login accounts';