mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-18 05:58:34 +01:00
Code Issues Projects Releases Wiki Activity

MDL-17458 refactored guest and admin user creation + refactored roles install + added protection for installation hijacking + added reliable session test right before editting of admin account

Browse Source
This commit is contained in:
skodak 2009-01-29 22:54:41 +00:00
parent db9d4a3d0a
commit 88582df496
7 changed files with 121 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
admin/index.php
View File

@ -326,25 +326,56 @@
require_once("$CFG->dirroot/lib/locallib.php");
upgrade_local_db(); // Return here afterwards
/// indicate that this site is fully configured except the admin password
if (empty($CFG->rolesactive)) {
set_config('rolesactive', 1);
set_config('adminsetuppending', 1);
// we neeed this redirect to setup proper session
upgrade_finished("index.php?sessionstarted=1&lang=$CFG->lang");
}
/// make sure admin user is created - this is the last step because we need
/// session to be working properly in order to edit admin account
if (empty($CFG->rolesactive)) {
if (!empty($CFG->adminsetuppending)) {
$sessionstarted = optional_param('sessionstarted', 0, PARAM_BOOL);
if (!$sessionstarted) {
// we neeed this redirect to setup proper session
upgrade_finished("index.php?sessionstarted=1&lang=$CFG->lang");
redirect("index.php?sessionstarted=1&lang=$CFG->lang");
} else {
$sessionverify = optional_param('sessionverify', 0, PARAM_BOOL);
if (!$sessionverify) {
$SESSION->sessionverify = 1;
redirect("index.php?sessionstarted=1&sessionverify=1&lang=$CFG->lang");
} else {
if (empty($SESSION->sessionverify)) {
print_error('installsessionerror', 'admin', "index.php?sessionstarted=1&lang=$CFG->lang");
}
unset($SESSION->sessionverify);
}
}
$adminuser = get_complete_user_data('username', 'admin');
if ($adminuser->password === 'adminsetuppending') {
// prevent installation hijacking
if ($adminuser->lastip !== getremoteaddr()) {
print_error('installhijacked', 'admin');
}
// login user and let him set password and admin details
$adminuser->newadminuser = 1;
message_set_default_message_preferences($adminuser);
complete_user_login($adminuser, false);
redirect("$CFG->wwwroot/user/editadvanced.php?id=$adminuser->id"); // Edit thyself
} else {
unset_config('adminsetuppending');
}
$adminuser = create_admin_user();
$adminuser->newadminuser = 1;
complete_user_login($adminuser, false);
redirect("$CFG->wwwroot/user/editadvanced.php?id=$adminuser->id"); // Edit thyself
} else {
/// just make sure upgrade logging is properly terminated
upgrade_finished('upgradesettings.php');
}
// Turn xmlstrictheaders back on now.
// Turn xmlstrictheaders back on now.
$CFG->xmlstrictheaders = $origxmlstrictheaders;
unset($origxmlstrictheaders);

2
index.php
View File

@ -47,7 +47,7 @@
define('BLOCK_R_MAX_WIDTH', $rmax);
// check if major upgrade needed - also present in login/index.php
if (empty($CFG->version) or (int)$CFG->version < 2009011900) { //1.9 or older
if (empty($CFG->version) or (int)$CFG->version < 2009011900 or !empty($CFG->adminsetuppending)) { //1.9 or older
@require_logout();
redirect("$CFG->wwwroot/$CFG->admin/");
}

2
lang/en_utf8/admin.php
View File

@ -458,7 +458,9 @@ $string['importtimezonesfailed'] = 'No sources found! (Bad news)';
$string['includemoduleuserdata'] = 'Include module user data';
$string['incompatibleblocks'] = 'Incompatible blocks';
$string['install'] = 'Install selected language pack';
$string['installhijacked'] = 'Installation must be finished from the origianl IP address, sorry.';
$string['installedlangs'] = 'Installed language packs';
$string['installsessionerror'] = 'Can not initialise PHP session, please verify that your browser accepts cookies.';
$string['intcachemax'] = 'Int. cache max';
$string['invalidsection'] = 'Invalid section.';
$string['invaliduserchangeme'] = 'Username \"changeme\" is reserved -- you cannot create an account with it.';

65
lib/accesslib.php
View File

@ -1823,71 +1823,6 @@ function check_enrolment_plugins(&$user) {
unset($inprogress[$user->id]); // Unset the flag
}
/**
* Installs the roles system.
* This function runs on a fresh install only now
*/
function moodle_install_roles() {
global $DB;
/// Create a system wide context for assignemnt.
$systemcontext = $context = get_context_instance(CONTEXT_SYSTEM);
/// Create default/legacy roles and capabilities.
/// (1 legacy capability per legacy role at system level).
$adminrole = create_role(get_string('administrator'), 'admin',
get_string('administratordescription'), 'moodle/legacy:admin');
$coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator',
get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
$editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher',
get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
$noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher',
get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
$studentrole = create_role(get_string('defaultcoursestudent'), 'student',
get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
$guestrole = create_role(get_string('guest'), 'guest',
get_string('guestdescription'), 'moodle/legacy:guest');
$userrole = create_role(get_string('authenticateduser'), 'user',
get_string('authenticateduserdescription'), 'moodle/legacy:user');
/// Now is the correct moment to install capabilities - after creation of legacy roles, but before assigning of roles
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
print_error('cannotassignanthing');
}
update_capabilities('moodle');
/// Upgrade guest (only 1 entry).
if ($guestuser = $DB->get_record('user', array('username'=>'guest'))) {
role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
}
/// Insert the correct records for legacy roles
allow_assign($coursecreatorrole, $noneditteacherrole);
allow_assign($coursecreatorrole, $editteacherrole);
allow_assign($coursecreatorrole, $studentrole);
allow_assign($coursecreatorrole, $guestrole);
allow_assign($editteacherrole, $noneditteacherrole);
allow_assign($editteacherrole, $studentrole);
allow_assign($editteacherrole, $guestrole);
/// Set up default allow override matrix
//See MDL-15841 TODO FOR MOODLE 2.0 XXX
//allow_override($editteacherrole, $noneditteacherrole);
//allow_override($editteacherrole, $studentrole);
//allow_override($editteacherrole, $guestrole);
/// Set up the context levels where you can assign each role.
set_role_contextlevels($adminrole, get_default_contextlevels('admin'));
set_role_contextlevels($coursecreatorrole, get_default_contextlevels('coursecreator'));
set_role_contextlevels($editteacherrole, get_default_contextlevels('editingteacher'));
set_role_contextlevels($noneditteacherrole, get_default_contextlevels('teacher'));
set_role_contextlevels($studentrole, get_default_contextlevels('student'));
set_role_contextlevels($guestrole, get_default_contextlevels('guest'));
set_role_contextlevels($userrole, get_default_contextlevels('user'));
}
/**
* Returns array of all legacy roles.
*/

50
lib/adminlib.php
View File

@ -230,56 +230,6 @@ function set_cron_lock($name, $until, $ignorecurrent=false) {
return true;
}
function create_admin_user($user_input=NULL) {
global $CFG, $DB;
$user = new object();
$user->auth = 'manual';
$user->firstname = get_string('admin');
$user->lastname = get_string('user');
$user->username = 'admin';
$user->password = hash_internal_user_password('admin');
$user->email = 'root@localhost';
$user->confirmed = 1;
$user->mnethostid = $CFG->mnet_localhost_id;
$user->lang = $CFG->lang;
$user->maildisplay = 1;
$user->timemodified = time();
if ($user_input) { // do we want to override any defaults?
foreach ($user_input as $key=>$value) {
$user->$key = $value;
}
}
$user->id = $DB->insert_record('user', $user);
if (!$user = $DB->get_record('user', array('id'=>$user->id))) { // Double check.
print_error('invaliduserid');
}
// Assign the default admin roles to the new user.
if (!$adminroles = get_roles_with_capability('moodle/legacy:admin', CAP_ALLOW)) {
print_error('noadminrole', 'message');
}
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
foreach ($adminroles as $adminrole) {
role_assign($adminrole->id, $user->id, 0, $systemcontext->id);
}
//set default message preferences
if (!message_set_default_message_preferences($user)){
print_error('cannotsavemessageprefs', 'message');
}
$user = get_complete_user_data('username', 'admin');
// indicate that this site is fully configured
set_config('rolesactive', 1);
return $user;
}
/**
* Test if and critical warnings are present
* @return bool

81
lib/db/install.php
View File

@ -105,6 +105,7 @@ function xmldb_main_install() {
$mnet_app->sso_jump_url = '/auth/xmlrpc/jump.php';
$DB->insert_record('mnet_application', $mnet_app);
/// insert log entries - replaces statements section in install.xml
update_log_display_entry('user', 'view', 'user', 'CONCAT(firstname,\' \',lastname)');
update_log_display_entry('course', 'user report', 'user', 'CONCAT(firstname,\' \',lastname)');
@ -127,9 +128,85 @@ function xmldb_main_install() {
/// Create guest record
create_guest_record();
$guest = new object();
$guest->auth = 'manual';
$guest->username = 'guest';
$guest->password = hash_internal_user_password('guest');
$guest->firstname = get_string('guestuser');
$guest->lastname = ' ';
$guest->email = 'root@localhost';
$guest->description = get_string('guestuserinfo');
$guest->mnethostid = $CFG->mnet_localhost_id;
$guest->confirmed = 1;
$guest->lang = $CFG->lang;
$guest->timemodified= time();
$guest->id = $DB->insert_record('user', $guest);
/// Now create admin user
$admin = new object();
$admin->auth = 'manual';
$admin->firstname = get_string('admin');
$admin->lastname = get_string('user');
$admin->username = 'admin';
$admin->password = 'adminsetuppending';
$admin->email = 'root@localhost';
$admin->confirmed = 1;
$admin->mnethostid = $CFG->mnet_localhost_id;
$admin->lang = $CFG->lang;
$admin->maildisplay = 1;
$admin->timemodified = time();
$admin->lastip = getremoteaddr(); // installation hijacking prevention
$admin->id = $DB->insert_record('user', $admin);
/// Install the roles system.
moodle_install_roles();
$adminrole = create_role(get_string('administrator'), 'admin',
get_string('administratordescription'), 'moodle/legacy:admin');
$coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator',
get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
$editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher',
get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
$noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher',
get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
$studentrole = create_role(get_string('defaultcoursestudent'), 'student',
get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
$guestrole = create_role(get_string('guest'), 'guest',
get_string('guestdescription'), 'moodle/legacy:guest');
$userrole = create_role(get_string('authenticateduser'), 'user',
get_string('authenticateduserdescription'), 'moodle/legacy:user');
/// Now is the correct moment to install capabilities - after creation of legacy roles, but before assigning of roles
assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $syscontext->id);
update_capabilities('moodle');
/// assign default roles
role_assign($guestrole, $guest->id, 0, $syscontext->id);
role_assign($adminrole, $admin->id, 0, $syscontext->id);
/// Insert the correct records for legacy roles
allow_assign($coursecreatorrole, $noneditteacherrole);
allow_assign($coursecreatorrole, $editteacherrole);
allow_assign($coursecreatorrole, $studentrole);
allow_assign($coursecreatorrole, $guestrole);
allow_assign($editteacherrole, $noneditteacherrole);
allow_assign($editteacherrole, $studentrole);
allow_assign($editteacherrole, $guestrole);
/// Set up default allow override matrix
//See MDL-15841 TODO FOR MOODLE 2.0 XXX
//allow_override($editteacherrole, $noneditteacherrole);
//allow_override($editteacherrole, $studentrole);
//allow_override($editteacherrole, $guestrole);
/// Set up the context levels where you can assign each role.
set_role_contextlevels($adminrole, get_default_contextlevels('admin'));
set_role_contextlevels($coursecreatorrole, get_default_contextlevels('coursecreator'));
set_role_contextlevels($editteacherrole, get_default_contextlevels('editingteacher'));
set_role_contextlevels($noneditteacherrole, get_default_contextlevels('teacher'));
set_role_contextlevels($studentrole, get_default_contextlevels('student'));
set_role_contextlevels($guestrole, get_default_contextlevels('guest'));
set_role_contextlevels($userrole, get_default_contextlevels('user'));
}

27
lib/moodlelib.php
View File

@ -2813,33 +2813,6 @@ function get_user_fieldnames() {
return $fieldarray;
}
/**
* Creates the default "guest" user. Used both from
* admin/index.php and login/index.php
* @return mixed user object created or boolean false if the creation has failed
*/
function create_guest_record() {
global $CFG, $DB;
$guest = new object();
$guest->auth = 'manual';
$guest->username = 'guest';
$guest->password = hash_internal_user_password('guest');
$guest->firstname = get_string('guestuser');
$guest->lastname = ' ';
$guest->email = 'root@localhost';
$guest->description = get_string('guestuserinfo');
$guest->mnethostid = $CFG->mnet_localhost_id;
$guest->confirmed = 1;
$guest->lang = $CFG->lang;
$guest->timemodified= time();
$id = $DB->insert_record('user', $guest);
$guest = $DB->get_record('user', array('id'=>$id));
return $guest;
}
/**
* Creates a bare-bones user record
*