From 81b58cc227cf96a1cd2e002cc210b7b3e376fd17 Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Mon, 14 Feb 2011 15:42:26 +0100
Subject: [PATCH] MDL-26389 improve profile and search engine privacy

---
 lib/sessionlib.php | 15 ++-------------
 lib/setuplib.php   | 32 ++++++++++++++++++++++++++++++++
 mod/forum/user.php |  5 ++---
 user/profile.php   |  5 +++--
 user/view.php      | 13 ++++++++++---
 5 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index f6550686f4f..f52808249b7 100644
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -216,19 +216,8 @@ abstract class session_stub implements moodle_session {
         $user = null;
         if (!empty($CFG->opentogoogle) and !NO_MOODLE_COOKIES) {
-            if (!empty($_SERVER['HTTP_USER_AGENT'])) {
-                // allow web spiders in as guest users
-                if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false ) {
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false ) { // Google
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') !== false ) { // Yahoo
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], '[ZSEBOT]') !== false ) { // Zoomspider
-                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSNBOT') !== false ) { // MSN Search
-                    $user = guest_user();
-                }
+            if (is_web_crawler()) {
+                $user = guest_user();
             }
 
             if (!empty($CFG->guestloginbutton) and !$user and !empty($_SERVER['HTTP_REFERER'])) {
                 // automaticaly log in users coming from search engine results
diff --git a/lib/setuplib.php b/lib/setuplib.php
index 46028a71a6d..d86f1b8806b 100644
--- a/lib/setuplib.php
+++ b/lib/setuplib.php
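Review bot: The removed lines carried the only explanation of this branch (`// allow web spiders in as guest users`) and the new `if (is_web_crawler())` has none, so a reader no longer sees that a guest session is being handed out purely on the strength of the client-supplied User-Agent header. I would keep a comment above the new `if`, e.g. `// Crawlers (detected from the spoofable User-Agent) get a guest session so search engines can index public pages; real access control is the forcelogin/guest settings.` Note that the helper also matches 'Yandex' and 'AltaVista', so this auto-guest path now applies to more user agents than the inline list did; presumably intended, but worth a line in the commit message. The enclosing method starts before and continues after this hunk.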
@@ -1123,6 +1123,38 @@ function init_eaccelerator() {
     return false;
 }
 
+/**
+ * Checks if current user is a web crawler.
+ *
+ * This list can not be made complete, this is not a security
+ * restriction, we make the list only to help these sites
+ * especially when automatic guest login is disabled.
+ *
+ * If admin needs security they should enable forcelogin
+ * and disable guest access!!
+ *
+ * @return bool
+ */
+function is_web_crawler() {
+    if (!empty($_SERVER['HTTP_USER_AGENT'])) {
+        if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false ) {
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false ) { // Google
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') !== false ) { // Yahoo
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], '[ZSEBOT]') !== false ) { // Zoomspider
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSNBOT') !== false ) { // MSN Search
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'Yandex') !== false ) {
+            return true;
+        } else if (strpos($_SERVER['HTTP_USER_AGENT'], 'AltaVista') !== false ) {
+            return true;
+        }
+    }
+    return false;
+}
 
 /**
  * This class solves the problem of how to initialise $OUTPUT.
diff --git a/mod/forum/user.php b/mod/forum/user.php
index 6a03912a422..65760566bca 100644
--- a/mod/forum/user.php
+++ b/mod/forum/user.php
@@ -106,11 +106,10 @@ switch ($mode) {
     echo '
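Review bot: The matching in `is_web_crawler()` is case-sensitive `strpos`, and the `'MSNBOT'` entry looks wrong for that: as far as I recall the MSN/Bing crawler identifies itself in lowercase (`msnbot/2.0b (+http://search.msn.com/msnbot.htm)`), so that branch would never fire, and `stripos` would make the whole list robust to vendor capitalisation. The seven near-identical `else if` branches, each re-reading `$_SERVER['HTTP_USER_AGENT']`, would also be shorter and easier to extend as a loop over a signature array. Because the input is the client-controlled User-Agent header, the docblock's warning that this is not a security restriction is the important part; I would repeat it as an inline comment at the match so nobody later treats a `true` result as grounds to grant more than a plain guest login already gets. Sketch below; switching to `stripos` is a deliberate, slightly broader behaviour change that should be called out.
```php
// … unchanged: docblock …
function is_web_crawler() {
    if (empty($_SERVER['HTTP_USER_AGENT'])) {
        return false;
    }
    // Client-supplied and trivially spoofable: a match must never be used
    // to grant anything a plain guest login could not get (see docblock).
    $signatures = array(
        'Googlebot', 'google.com',   // Google
        'Yahoo! Slurp',              // Yahoo
        '[ZSEBOT]',                  // Zoomspider
        'msnbot',                    // MSN Search / Bing (lowercase in the wild)
        'Yandex',
        'AltaVista',
    );
    foreach ($signatures as $signature) {
        if (stripos($_SERVER['HTTP_USER_AGENT'], $signature) !== false) {
            return true;
        }
    }
    return false;
}
```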
';
 if ($course->id == SITEID) {
-    if (empty($CFG->forceloginforprofiles) || isloggedin()) {
+    $searchcourse = SITEID;
+    if (empty($CFG->forceloginforprofiles) or (isloggedin() and !isguestuser() and !is_web_crawler())) {
         // Search throughout the whole site.
         $searchcourse = 0;
-    } else {
-        $searchcourse = SITEID;
     }
 } else {
     // Search only for posts the user made in this course.
diff --git a/user/profile.php b/user/profile.php
index da41cb3bce9..a3730515c9e 100644
--- a/user/profile.php
+++ b/user/profile.php
@@ -42,9 +42,12 @@ require_once($CFG->libdir.'/filelib.php');
 $userid = optional_param('id', 0, PARAM_INT);
 $edit = optional_param('edit', null, PARAM_BOOL); // Turn editing on and off
 
+$PAGE->set_url('/user/profile.php', array('id'=>$userid));
+
 if (!empty($CFG->forceloginforprofiles)) {
     require_login();
     if (isguestuser()) {
+        $SESSION->wantsurl = $PAGE->url->out(false);
         redirect(get_login_url());
     }
 } else if (!empty($CFG->forcelogin)) {
@@ -106,8 +109,6 @@ if (has_capability('moodle/user:viewhiddendetails', $context)) {
 // Start setting up the page
 $strpublicprofile = get_string('publicprofile');
-$params = array('id'=>$userid);
-$PAGE->set_url('/user/profile.php', $params);
 $PAGE->blocks->add_region('content');
 $PAGE->set_subpage($currentpage->id);
 $PAGE->set_title(fullname($user).": $strpublicprofile");
diff --git a/user/view.php b/user/view.php
index e70df1ca32e..1cd701bb6d3 100644
--- a/user/view.php
+++ b/user/view.php
@@ -40,8 +40,7 @@ if ($courseid == SITEID) { // Since Moodle 2.0 all site-level profiles are sho
     redirect($CFG->wwwroot.'/user/profile.php?id='.$id); // Immediate redirect
 }
 
-$url = new moodle_url('/user/view.php', array('id'=>$id,'course'=>$courseid));
-$PAGE->set_url($url);
+$PAGE->set_url('/user/view.php', array('id'=>$id,'course'=>$courseid));
 
 $user = $DB->get_record('user', array('id'=>$id), '*', MUST_EXIST);
 $course = $DB->get_record('course', array('id'=>$courseid), '*', MUST_EXIST);
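Review bot: The intent behind the new condition in mod/forum/user.php is not recoverable from the line itself — why a crawler is excluded even after `isloggedin()` and `!isguestuser()` have passed, and why an empty `forceloginforprofiles` lifts the restriction entirely — so a one-line comment above it would help, e.g. `// Site-wide post search only for real logged-in users when profiles are login-protected; guests and crawlers are confined to the front-page course.` As far as the visible lines show, `!is_web_crawler()` only changes the outcome for a crawler that already holds a non-guest session, because auto-logged-in crawlers are guests and already fail `!isguestuser()`; worth confirming that is the intended coverage rather than a belt-and-braces check. The `else` branch that assigns `$searchcourse` for a normal course continues past the end of the hunk.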
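Review bot: The explicit `isguestuser()` bounce after `require_login()` in user/profile.php is the security-relevant line here and deserves a comment, since as I read it `require_login()` with no course argument admits the guest account when guest access is enabled, so without this check a guest would see the profile despite `forceloginforprofiles`; e.g. `// require_login() lets the guest account through; profiles require a real login.` Setting `$SESSION->wantsurl` from `$PAGE->url->out(false)` looks sound — the URL is built only from the integer `$userid`, so there is no open-redirect exposure. The `else if (!empty($CFG->forcelogin))` branch that follows continues outside the hunk, so I cannot tell whether the guest case is handled there as well.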
@@ -57,6 +56,14 @@ if (isguestuser($user)) {
     print_error('invaliduserid');
 }
 
+if (!empty($CFG->forceloginforprofiles)) {
+    require_login(); // we can not log in to course due to the parent hack bellow
+    if (isguestuser()) {
+        $SESSION->wantsurl = $PAGE->url->out(false);
+        redirect(get_login_url());
+    }
+}
+
 $PAGE->set_context($coursecontext);
 $PAGE->set_course($course);
 $PAGE->set_pagetype('course-view-' . $course->format); // To get the blocks exactly like the course
@@ -76,7 +83,7 @@ if (!$currentuser
 } else {
     // normal course
     require_login($course);
-    // what to do with users temporary accessing this course? shoudl they see the details?
+    // what to do with users temporary accessing this course? should they see the details?
 }
 
 $strpersonalprofile = get_string('personalprofile');
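Review bot: The new inline comment in user/view.php has a typo (`bellow` → `below`) and, since the same commit fixes `shoudl` a few lines down, it would be consistent to fix this one and make it say what it means: `require_login(); // plain site login only; the course login is deferred because of the parent-context hack below`. The block also repeats the three-line guest bounce added to user/profile.php verbatim; not a blocker, but a small shared helper would keep the two in step when the redirect logic changes. One privacy-related ordering point that predates this commit: `$user` is loaded with `MUST_EXIST` before this login check runs, so an unauthenticated client can still distinguish valid from invalid user ids by the error; the new block only depends on `$PAGE->url`, so it could move above the `get_record` calls if that matters. The `if (!$currentuser` condition named in the second hunk header starts outside the hunk.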