From c3c18bbb2034d46913418b719218f52c4c4d1d4a Mon Sep 17 00:00:00 2001
From: meirzamoodle
Date: Thu, 10 Aug 2023 11:34:55 +0700
Subject: [PATCH] MDL-78969 oauth2: remove auto-login after successful confirmation

With the new flow, users can go to the login page from the confirmed page, and if the user successfully logs in, the user will be directed to the confirmed page. To avoid that, the confirmed page can only be seen by users who are not logged in.
---
 auth/oauth2/confirm-account.php | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/auth/oauth2/confirm-account.php b/auth/oauth2/confirm-account.php
index 955f44939eb..d5ecd4d344b 100644
--- a/auth/oauth2/confirm-account.php
+++ b/auth/oauth2/confirm-account.php
@@ -40,7 +40,7 @@ if (!\auth_oauth2\api::is_enabled()) {
 $confirmed = $auth->user_confirm($username, $usersecret);
-if ($confirmed == AUTH_CONFIRM_ALREADY) {
+if ($confirmed == AUTH_CONFIRM_ALREADY && !isloggedin()) {
 $user = get_complete_user_data('username', $username);
 $PAGE->navbar->add(get_string("alreadyconfirmed"));
 $PAGE->set_title(get_string("alreadyconfirmed"));
@@ -61,11 +61,7 @@ if ($confirmed == AUTH_CONFIRM_ALREADY) {
 throw new \moodle_exception('cannotfinduser', '', '', s($username));
 }
- if (!$user->suspended) {
- complete_user_login($user);
-
- \core\session\manager::apply_concurrent_login_limit($user->id, session_id());
-
+ if ($user->id == $USER->id) {
 // Check where to go, $redirect has a higher preference.
 if (empty($redirect) and !empty($SESSION->wantsurl) ) {
 $redirect = $SESSION->wantsurl;
@@ -82,14 +78,20 @@ if ($confirmed == AUTH_CONFIRM_ALREADY) {
 $PAGE->set_heading($COURSE->fullname);
 echo $OUTPUT->header();
 echo $OUTPUT->box_start('generalbox centerpara boxwidthnormal boxaligncenter');
- echo "
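Review bot: The replacement guard `if ($user->id == $USER->id) {` in the second hunk makes the `$redirect`/`$SESSION->wantsurl` handling that follows it reachable only when the visitor already holds a session for the very account being confirmed, which — if this branch is the AUTH_CONFIRM_OK case, as its position after the AUTH_CONFIRM_ALREADY block suggests — should not happen, because an unconfirmed account cannot have logged in; the block then looks dead and any pending `wantsurl` is never consumed. If it is meant to stay, a comment should state the session state it covers, e.g. `// Only honour a pending redirect when the visitor is already logged in as this account.`, and the comparison is safer written as `if ((int) $user->id === (int) $USER->id) {` since DB records hand ids back as strings. Note also that the removed `!$user->suspended` check has no replacement, so a suspended account's confirmation now falls through to the "confirmed" page like any other; that may be acceptable now that no login happens here, but the commit message does not say so. The enclosing `else if` branch opens before this hunk and its closing brace lies outside it.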

".get_string("thanks").", ". fullname($USER) . "

\n";
+ echo "

".get_string("thanks").", ". fullname($user) . "

\n";
 echo "

".get_string("confirmed")."

\n";
- echo $OUTPUT->single_button("$CFG->wwwroot/course/", get_string('courses'));
+ if (!isloggedin() || isguestuser()) {
+ echo $OUTPUT->single_button(get_login_url(), get_string('login'));
+ } else {
+ echo $OUTPUT->single_button("$CFG->wwwroot/login/logout.php", get_string('logout'));
+ }
 echo $OUTPUT->box_end();
 echo $OUTPUT->footer();
 exit;
 } else {
- \core\notification::error(get_string('confirmationinvalid', 'auth_oauth2'));
+ if (!isloggedin()) {
+ \core\notification::error(get_string('confirmationinvalid', 'auth_oauth2'));
+ }
 }
 redirect("$CFG->wwwroot/");
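Review bot: The logout button on the new `else` branch points at the string-built `"$CFG->wwwroot/login/logout.php"` with no `sesskey`, so as far as I recall Moodle's logout script will answer with its confirmation page rather than ending the session directly, and the URL is assembled by interpolation while the login branch beside it uses `get_login_url()`. Building it as `echo $OUTPUT->single_button(new moodle_url('/login/logout.php', ['sesskey' => sesskey()]), get_string('logout'));` carries the token that logout.php checks and keeps URL handling consistent. The switch to `fullname($user)` means the page now names the account from the request rather than the session user, which is right for an anonymous confirmer but deserves a comment such as `// $user is the account named in the confirmation link; the visitor may not be logged in as it.`. This hunk closes the `else if` branch and the final `else`, but the branch opens before it.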