MDL-42834 admin: Remove loginhttps

This commit is contained in:
John Okely 2017-09-14 16:13:13 +08:00 committed by Mark Nelson
parent 12514bd573
commit b58764ff99
15 changed files with 18 additions and 104 deletions


@ -124,7 +124,7 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
// "httpsecurity" settingpage
$temp = new admin_settingpage('httpsecurity', new lang_string('httpsecurity', 'admin'));
$temp->add(new admin_setting_configcheckbox('loginhttps', new lang_string('loginhttps', 'admin'), new lang_string('configloginhttps', 'admin'), 0));
$temp->add(new admin_setting_configcheckbox('cookiesecure', new lang_string('cookiesecure', 'admin'), new lang_string('configcookiesecure', 'admin'), 1));
$temp->add(new admin_setting_configcheckbox('cookiehttponly', new lang_string('cookiehttponly', 'admin'), new lang_string('configcookiehttponly', 'admin'), 0));
$temp->add(new admin_setting_configcheckbox('allowframembedding', new lang_string('allowframembedding', 'admin'), new lang_string('allowframembedding_help', 'admin'), 0));


@ -15,15 +15,10 @@ if ($hassiteconfig
or has_capability('moodle/cohort:view', $systemcontext)) { // speedup for non-admins, add all caps used on this page
if (empty($CFG->loginhttps)) {
$securewwwroot = $CFG->wwwroot;
} else {
$securewwwroot = str_replace('http:','https:',$CFG->wwwroot);
}
// stuff under the "accounts" subcategory
$ADMIN->add('accounts', new admin_externalpage('editusers', new lang_string('userlist','admin'), "$CFG->wwwroot/$CFG->admin/user.php", array('moodle/user:update', 'moodle/user:delete')));
$ADMIN->add('accounts', new admin_externalpage('userbulk', new lang_string('userbulk','admin'), "$CFG->wwwroot/$CFG->admin/user/user_bulk.php", array('moodle/user:update', 'moodle/user:delete')));
$ADMIN->add('accounts', new admin_externalpage('addnewuser', new lang_string('addnewuser'), "$securewwwroot/user/editadvanced.php?id=-1", 'moodle/user:create'));
$ADMIN->add('accounts', new admin_externalpage('addnewuser', new lang_string('addnewuser'), "$CFG->wwwroot/user/editadvanced.php?id=-1", 'moodle/user:create'));
// "User default preferences" settingpage.
$temp = new admin_settingpage('userdefaultpreferences', new lang_string('userdefaultpreferences', 'admin'));


@ -38,12 +38,6 @@
$strunlock = get_string('unlockaccount', 'admin');
$strconfirm = get_string('confirm');
if (empty($CFG->loginhttps)) {
$securewwwroot = $CFG->wwwroot;
} else {
$securewwwroot = str_replace('http:','https:',$CFG->wwwroot);
}
$returnurl = new moodle_url('/admin/user.php', array('sort' => $sort, 'dir' => $dir, 'perpage' => $perpage, 'page'=>$page));
// The $user variable is also used outside of these if statements.
@ -339,7 +333,7 @@
if (has_capability('moodle/user:update', $sitecontext)) {
// prevent editing of admins by non-admins
if (is_siteadmin($USER) or !is_siteadmin($user)) {
$url = new moodle_url($securewwwroot.'/user/editadvanced.php', array('id'=>$user->id, 'course'=>$site->id));
$url = new moodle_url($CFG->wwwroot.'/user/editadvanced.php', array('id'=>$user->id, 'course'=>$site->id));
$buttons[] = html_writer::link($url, $OUTPUT->pix_icon('t/edit', $stredit));
}
}
@ -398,7 +392,7 @@
echo $OUTPUT->paging_bar($usercount, $page, $perpage, $baseurl);
}
if (has_capability('moodle/user:create', $sitecontext)) {
$url = new moodle_url($securewwwroot . '/user/editadvanced.php', array('id' => -1));
$url = new moodle_url($CFG->wwwroot . '/user/editadvanced.php', array('id' => -1));
echo $OUTPUT->single_button($url, get_string('addnewuser'), 'get');
}


@ -42,13 +42,7 @@ class block_login extends block_base {
return $this->content;
}
if (empty($CFG->loginhttps)) {
$wwwroot = $CFG->wwwroot;
} else {
// This actually is not so secure ;-), 'cause we're
// in unencrypted connection...
$wwwroot = str_replace("http://", "https://", $CFG->wwwroot);
}
$wwwroot = $CFG->wwwroot;
if (signup_is_enabled()) {
$signup = $wwwroot . '/login/signup.php';
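Review bot: `$wwwroot = $CFG->wwwroot;` on the new side only aliases the config value, so the local no longer earns a separate name; the two admin pages in this commit inline `$CFG->wwwroot` directly, and doing the same here and in the enrol_paypal_plugin hunk would keep the three consistent. If the alias is deliberately kept for the URLs built below, a one-line comment such as `// Local alias for the URLs built below; no scheme switching any more.` would stop a reader searching for the dropped HTTPS branch. The enclosing method starts and ends outside the hunk.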


@ -203,13 +203,7 @@ class enrol_paypal_plugin extends enrol_plugin {
$cost = format_float($cost, 2, false);
if (isguestuser()) { // force login only for guest user, not real users with guest role
if (empty($CFG->loginhttps)) {
$wwwroot = $CFG->wwwroot;
} else {
// This actually is not so secure ;-), 'cause we're
// in unencrypted connection...
$wwwroot = str_replace("http://", "https://", $CFG->wwwroot);
}
$wwwroot = $CFG->wwwroot;
echo '<div class="mdl-align"><p>'.get_string('paymentrequired').'</p>';
echo '<p><b>'.get_string('cost').": $instance->currency $localisedcost".'</b></p>';
echo '<p><a href="'.$wwwroot.'/login/">'.get_string('loginsite').'</a></p>';


@ -258,7 +258,6 @@ $string['configlanglist'] = 'Leave this blank to allow users to choose from any
$string['configlangmenu'] = 'Choose whether or not you want to display the general-purpose language menu on the home page, login page etc. This does not affect the user\'s ability to set the preferred language in their own profile.';
$string['configlatinexcelexport'] = 'Choose the encoding for Excel exports.';
$string['configlocale'] = 'Choose a sitewide locale - this will override the format and language of dates for all language packs (though names of days in calendar are not affected). You need to have this locale data installed on your operating system (eg for linux en_US.UTF-8 or es_ES.UTF-8). In most cases this field should be left blank.';
$string['configloginhttps'] = 'Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed. CAUTION: this setting REQUIRES https to be specifically enabled on the web server - if it is not then YOU COULD LOCK YOURSELF OUT OF YOUR SITE.';
$string['configloglifetime'] = 'This specifies the length of time you want to keep logs about user activity. Logs that are older than this age are automatically deleted. It is best to keep logs as long as possible, in case you need them, but if you have a very busy server and are experiencing performance problems, then you may want to lower the log lifetime. Values lower than 30 are not recommended because statistics may not work properly.';
$string['configlookahead'] = 'Days to look ahead';
$string['configmailnewline'] = 'Newline characters used in mail messages. CRLF is required according to RFC 822bis, some mail servers do automatic conversion from LF to CRLF, other mail servers do incorrect conversion from CRLF to CRCRLF, yet others reject mails with bare LF (qmail for example). Try changing this setting if you are having problems with undelivered emails or double newlines.';
@ -680,7 +679,6 @@ $string['lockoutwindow_desc'] = 'Observation time for lockout threshold, if ther
$string['log'] = 'Logs';
$string['logguests'] = 'Log guest access';
$string['logguests_help'] = 'This setting enables logging of actions by guest account and not logged in users. High profile sites may want to disable this logging for performance reasons. It is recommended to keep this setting enabled on production sites.';
$string['loginhttps'] = 'Use HTTPS for logins';
$string['loginpageautofocus'] = 'Autofocus login page form';
$string['loginpageautofocus_help'] = 'Enabling this option improves usability of the login page, but automatically focusing fields may be considered an accessibility issue.';
$string['loglifetime'] = 'Keep logs for';
@ -1285,3 +1283,5 @@ $string['unoconvwarning'] = 'The version of unoconv you have installed is not su
// Deprecated since Moodle 3.4
$string['moodleorghubname'] = 'Moodle.net';
$string['hubs'] = 'Hubs';
$string['configloginhttps'] = 'Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed. CAUTION: this setting REQUIRES https to be specifically enabled on the web server - if it is not then YOU COULD LOCK YOURSELF OUT OF YOUR SITE.';
$string['loginhttps'] = 'Use HTTPS for logins';


@ -157,3 +157,5 @@ quickdownloadcalendar,core_calendar
ical,core_calendar
privacy,core_hub
privacy_help,core_hub
configloginhttps,core_admin
loginhttps,core_admin


@ -1051,19 +1051,12 @@ function clean_param($param, $type) {
$param = clean_param($param, PARAM_URL);
if (!empty($param)) {
// Simulate the HTTPS version of the site.
$httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot);
if ($param === $CFG->wwwroot) {
// Exact match;
} else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) {
// Exact match;
} else if (preg_match(':^/:', $param)) {
// Root-relative, ok!
} else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) {
// Absolute, and matches our wwwroot.
} else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) {
// Absolute, and matches our httpswwwroot.
} else {
// Relative - let's make sure there are no tricks.
if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?')) {
@ -2491,13 +2484,7 @@ function dayofweek($day, $month, $year) {
function get_login_url() {
global $CFG;
$url = "$CFG->wwwroot/login/index.php";
if (!empty($CFG->loginhttps)) {
$url = str_replace('http:', 'https:', $url);
}
return $url;
return "$CFG->wwwroot/login/index.php";
}
/**
@ -2662,12 +2649,7 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
redirect($changeurl);
} else {
// Use moodle internal method.
if (empty($CFG->loginhttps)) {
redirect($CFG->wwwroot .'/login/change_password.php');
} else {
$wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
redirect($wwwroot .'/login/change_password.php');
}
redirect($CFG->wwwroot .'/login/change_password.php');
}
} else if ($userauth->can_change_password()) {
throw new moodle_exception('forcepasswordchangenotice');
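Review bot: The `// Simulate the HTTPS version of the site.` comment and the `$httpswwwroot` assignment at the top of the PARAM_LOCALURL hunk would be dead code on the new side if they survive, since both `loginhttps` branches that used them are gone; the hunk line counts suggest they were dropped too, but the render loses the markers, so this is worth confirming. The PHPDoc of clean_param (for PARAM_LOCALURL) and of get_login_url both sit outside these hunks; if either still mentions accepting or returning the HTTPS variant of wwwroot, it needs the same trim as the code. clean_param, get_login_url and require_login all start outside their hunks.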


@ -96,9 +96,6 @@ function is_moodle_cookie_secure() {
if (!isset($CFG->cookiesecure)) {
return false;
}
if (!empty($CFG->loginhttps)) {
return false;
}
if (!is_https() and empty($CFG->sslproxy)) {
return false;
}


@ -578,11 +578,8 @@ function get_exception_info($ex) {
// When printing an error the continue button should never link offsite.
// We cannot use clean_param() here as it is not guaranteed that it has been loaded yet.
$httpswwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
if (stripos($link, $CFG->wwwroot) === 0) {
// Internal HTTP, all good.
} else if (!empty($CFG->loginhttps) && stripos($link, $httpswwwroot) === 0) {
// Internal HTTPS, all good.
} else {
// External link spotted!
$link = $CFG->wwwroot . '/';
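Review bot: The surviving `stripos($link, $CFG->wwwroot) === 0` is a bare prefix match with no path boundary, so a link to a host whose name merely starts with the wwwroot host would still be treated as internal, whereas the PARAM_LOCALURL branch of clean_param in this same commit matches `$CFG->wwwroot . '/'`. Since the comment above says clean_param cannot be used here, the boundary should be applied inline: `if ($link === $CFG->wwwroot || stripos($link, $CFG->wwwroot . '/') === 0) {` (a `?` or `#` directly after wwwroot would need the same treatment if such links occur). This is pre-existing rather than introduced by the commit, but after the HTTPS branch is removed it is the only check left guarding the continue button. get_exception_info starts and ends outside the hunk.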


@ -643,31 +643,20 @@ class core_moodlelib_testcase extends advanced_testcase {
// Local absolute HTTPS in a non HTTPS site.
$CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot); // Need to simulate non-https site.
$httpsroot = str_replace('http:', 'https:', $CFG->wwwroot);
$CFG->loginhttps = false; // Not allowed.
$this->assertSame('', clean_param($httpsroot, PARAM_LOCALURL));
$this->assertSame('', clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
$CFG->loginhttps = true; // Allowed.
$this->assertSame($httpsroot, clean_param($httpsroot, PARAM_LOCALURL));
$this->assertSame($httpsroot . '/with/something?else=true',
clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
// Local absolute HTTPS in a HTTPS site.
$CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot);
$CFG->wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
$httpsroot = $CFG->wwwroot;
$CFG->loginhttps = false; // Always allowed.
$this->assertSame($httpsroot, clean_param($httpsroot, PARAM_LOCALURL));
$this->assertSame($httpsroot . '/with/something?else=true',
clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
$CFG->loginhttps = true; // Always allowed.
$this->assertSame($httpsroot, clean_param($httpsroot, PARAM_LOCALURL));
$this->assertSame($httpsroot . '/with/something?else=true',
clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
// Test open redirects are not possible.
$CFG->loginhttps = false;
$CFG->wwwroot = 'http://www.example.com';
$this->assertSame('', clean_param('http://www.example.com.evil.net/hack.php', PARAM_LOCALURL));
$CFG->loginhttps = true;
$CFG->wwwroot = 'https://www.example.com';
$this->assertSame('', clean_param('https://www.example.com.evil.net/hack.php', PARAM_LOCALURL));
}
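Review bot: The consecutive `str_replace('https:', 'http:', $CFG->wwwroot)` and `str_replace('http:', 'https:', $CFG->wwwroot)` lines under "Local absolute HTTPS in a HTTPS site" read as contradictory without a comment; the hunk line counts suggest the first of them is the line this commit adds, though the render loses the markers. A comment such as `// Normalise to http first so the next replace always yields the https root.` would make the intent explicit. The test method starts outside the hunk.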


@ -167,7 +167,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'http://example.com',
'httpswwwroot' => 'http://example.com',
'sslproxy' => null,
'loginhttps' => null,
'cookiesecure' => null,
),
'secure' => false,
@ -178,7 +177,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'http://example.com',
'httpswwwroot' => 'http://example.com',
'sslproxy' => null,
'loginhttps' => null,
'cookiesecure' => false,
),
'secure' => false,
@ -189,7 +187,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'http://example.com',
'httpswwwroot' => 'http://example.com',
'sslproxy' => null,
'loginhttps' => null,
'cookiesecure' => true,
),
'secure' => false,
@ -200,7 +197,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'http://example.com',
'httpswwwroot' => 'http://example.com',
'sslproxy' => true,
'loginhttps' => null,
'cookiesecure' => false,
),
'secure' => false,
@ -211,7 +207,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'http://example.com',
'httpswwwroot' => 'http://example.com',
'sslproxy' => true,
'loginhttps' => null,
'cookiesecure' => true,
),
'secure' => true,
@ -222,7 +217,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'https://example.com',
'httpswwwroot' => 'https://example.com',
'sslproxy' => null,
'loginhttps' => null,
'cookiesecure' => false,
),
'secure' => false,
@ -233,7 +227,6 @@ class core_sessionlib_testcase extends advanced_testcase {
'wwwroot' => 'https://example.com',
'httpswwwroot' => 'https://example.com',
'sslproxy' => null,
'loginhttps' => null,
'cookiesecure' => true,
),
'secure' => true,


@ -357,7 +357,6 @@ class core_setuplib_testcase extends advanced_testcase {
public function test_get_exception_info_link() {
global $CFG, $SESSION;
$initialloginhttps = $CFG->loginhttps;
$httpswwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
// Simple local URL.
@ -372,8 +371,7 @@ class core_setuplib_testcase extends advanced_testcase {
$infos = $this->get_exception_info($exception);
$this->assertSame($CFG->wwwroot . '/', $infos->link);
// HTTPS URL when login HTTPS is not enabled and site is HTTP.
$CFG->loginhttps = false;
// HTTPS URL when login HTTPS is not enabled (default) and site is HTTP.
$CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot);
$url = $httpswwwroot . '/something/here?really=yes';
$exception = new moodle_exception('none', 'error', $url);
@ -387,21 +385,6 @@ class core_setuplib_testcase extends advanced_testcase {
$infos = $this->get_exception_info($exception);
$this->assertSame($url, $infos->link);
// HTTPS URL when login HTTPS enabled and site is HTTP.
$CFG->loginhttps = true;
$CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot);
$url = $httpswwwroot . '/something/here?really=yes';
$exception = new moodle_exception('none', 'error', $url);
$infos = $this->get_exception_info($exception);
$this->assertSame($url, $infos->link);
// HTTPS URL when login HTTPS enabled and site is HTTPS.
$CFG->wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
$url = $httpswwwroot . '/something/here?really=yes';
$exception = new moodle_exception('none', 'error', $url);
$infos = $this->get_exception_info($exception);
$this->assertSame($url, $infos->link);
// External HTTP URL.
$url = 'http://moodle.org/something/here?really=yes';
$exception = new moodle_exception('none', 'error', $url);
@ -444,14 +427,6 @@ class core_setuplib_testcase extends advanced_testcase {
$infos = $this->get_exception_info($exception);
$this->assertSame($CFG->wwwroot . '/', $infos->link);
// External HTTPS link from fromurl with login HTTPS.
$CFG->loginhttps = true;
$SESSION->fromurl = 'https://moodle.org/something/here?really=yes';
$exception = new moodle_exception('none');
$infos = $this->get_exception_info($exception);
$this->assertSame($CFG->wwwroot . '/', $infos->link);
$CFG->loginhttps = $initialloginhttps;
$SESSION->fromurl = '';
}
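Review bot: The rewritten comment `// HTTPS URL when login HTTPS is not enabled (default) and site is HTTP.` still describes the setting this commit removes, so a reader of the new file will look for a `loginhttps` default that no longer exists. `// HTTPS URL when the site is HTTP.` says what the case now exercises; the assertion for this case lies outside the hunk. test_get_exception_info_link spans several hunks here and its body between them is not visible.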


@ -54,6 +54,8 @@ information provided here is intended especially for developers.
* Instead of checking the 'moodle/course:viewparticipants' and 'moodle/site:viewparticipants' capabilities use the
new functions course_can_view_participants() and course_require_view_participants().
* $stored_file->add_to_curl_request() now adds the filename to the curl request.
* The option for Login HTTPS (authentication-only SSL) has been removed
* $CFG->loginhttps is now deprecated, do not use it.
=== 3.3.1 ===


@ -93,7 +93,7 @@ class login_signup_form extends moodleform implements renderable, templatable {
profile_signup_fields($mform);
if (signup_captcha_enabled()) {
$mform->addElement('recaptcha', 'recaptcha_element', get_string('security_question', 'auth'), array('https' => $CFG->loginhttps));
$mform->addElement('recaptcha', 'recaptcha_element', get_string('security_question', 'auth'));
$mform->addHelpButton('recaptcha_element', 'recaptcha', 'auth');
$mform->closeHeaderBefore('recaptcha_element');
}
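Review bot: Dropping the `'https'` option from the recaptcha element leaves the scheme of the reCAPTCHA API request to the element's default, which is not visible here; if that default is plain http, the widget would load insecurely on https sites (mixed content), so confirm the element forces https or a scheme-relative URL now that the setting is gone. Once confirmed, a short comment on the `addElement` line, e.g. `// The recaptcha element loads its API over HTTPS regardless of site scheme.`, would record why no option is passed. The enclosing method starts and ends outside the hunk.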