From f5fd4347dd12007cb570980e149bfdf1bb5b400e Mon Sep 17 00:00:00 2001 From: skodak Date: Wed, 28 Mar 2007 08:28:02 +0000 Subject: [PATCH] MDL-8973 auth hooks final cleanup; merged from MOODLE_18_STABLE --- auth/README | 3 +- auth/cas/auth.php | 7 +++- auth/mnet/auth.php | 8 +++- auth/shibboleth/auth.php | 2 +- lib/authlib.php | 81 +++++++++++++++++++++++++++++----------- lib/moodlelib.php | 34 ++++++++++------- login/index.php | 2 +- login/logout.php | 2 +- sso/README.txt | 2 + 9 files changed, 99 insertions(+), 42 deletions(-) create mode 100644 sso/README.txt diff --git a/auth/README b/auth/README index 24575455f46..333c7d7bf61 100644 --- a/auth/README +++ b/auth/README @@ -125,8 +125,7 @@ When creating new plugins you can either extend the abstract auth_plugin_base cl auth_plugin_base. The new plugin architecture allows creating of more advanced types such as custom SSO -without the need to patch login and logout pages (see prelogin_hook() and prelogout_hook() -methods in existing plugins). +without the need to patch login and logout pages (see *_hook() methods in existing plugins). Configuration ----------------- diff --git a/auth/cas/auth.php b/auth/cas/auth.php index 4278b39e0c8..c49b83cc0f4 100644 --- a/auth/cas/auth.php +++ b/auth/cas/auth.php @@ -220,7 +220,7 @@ class auth_plugin_cas extends auth_plugin_base { return !empty($this->config->changepasswordurl); } - function prelogin_hook() { + function loginpage_hook() { // Load alternative login screens if necessary // TODO: fix the cas login screen return; @@ -230,6 +230,11 @@ class auth_plugin_cas extends auth_plugin_base { } } + function prelogout_hook() { + global $CFG; + + require($CFG->dirroot.'/auth/cas/logout.php'); + } /** * Prints a form for configuring this authentication plugin. diff --git a/auth/mnet/auth.php b/auth/mnet/auth.php index 4061fac508b..257491c816b 100644 --- a/auth/mnet/auth.php +++ b/auth/mnet/auth.php 
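Review bot: The new `prelogout_hook()` in auth/cas/auth.php pulls in `auth/cas/logout.php` unconditionally, whereas the check this commit removes from `require_logout()` in lib/moodlelib.php only did so when `$USER->auth == 'cas'` and `$CFG->cas_enabled` was set. Because `require_logout()` now calls the hook on every enabled plugin, a user who signed in through a different plugin would also run the CAS logout script whenever CAS is enabled. The mnet hook in this same commit guards itself with `if ($USER->auth != 'mnet') { return; }`, and the CAS hook should do the equivalent: `global $CFG, $USER;` followed by `if ($USER->auth != 'cas') { return; }`. Whether the dropped `$CFG->cas_enabled` test is still needed depends on code outside this diff.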
@@ -1003,8 +1003,12 @@ class auth_plugin_mnet extends auth_plugin_base { * * @return void */ - function logout() { + function prelogout_hook() { global $MNET, $CFG, $USER; + if ($USER->auth != 'mnet') { + return; + } + require_once $CFG->dirroot.'/mnet/xmlrpc/client.php'; // If the user is local to this Moodle: @@ -1334,7 +1338,7 @@ class auth_plugin_mnet extends auth_plugin_base { return $accessctrl == 'allow'; } - function prelogout_hook() { + function logoutpage_hook() { global $USER, $CFG, $redirect; if (!empty($USER->mnethostid) and $USER->mnethostid != $CFG->mnet_localhost_id) { diff --git a/auth/shibboleth/auth.php b/auth/shibboleth/auth.php index 4d1fd8a1c6a..c12b7e4807e 100644 --- a/auth/shibboleth/auth.php +++ b/auth/shibboleth/auth.php @@ -146,7 +146,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { return false; } - function prelogin_hook() { + function loginpage_hook() { global $SESSION, $CFG; //TODO: fix the code diff --git a/lib/authlib.php b/lib/authlib.php index d701a2d2646..77964696c99 100644 --- a/lib/authlib.php +++ b/lib/authlib.php @@ -56,6 +56,11 @@ class auth_plugin_base { var $authtype; /** + + * This is the primary method that is used by the authenticate_user_login() + * function in moodlelib.php. This method should return a boolean indicating + * whether or not the username and password authenticate successfully. + * * Returns true if the username and password work and false if they are * wrong or don't exist. * @@ -69,7 +74,7 @@ class auth_plugin_base { } /** - * Returns true if this authentication plugin can change the user's + * Returns true if this authentication plugin can change the users' * password. * * @return bool 
@@ -80,8 +85,8 @@ class auth_plugin_base { } /** - * Returns the URL for changing the user's pw, or empty if the default can - * be used. + * Returns the URL for changing the users' passwords, or empty if the default + * URL can be used. This method is used if can_change_password() returns true. * * @return string */ @@ -91,7 +96,9 @@ class auth_plugin_base { } /** - * Returns true if this authentication plugin is 'internal'. + * Returns true if this authentication plugin is "internal" (which means that + * Moodle stores the users' passwords and other details in the local Moodle + * database). * * @return bool */ @@ -101,7 +108,9 @@ class auth_plugin_base { } /** - * Change a user's password + * Updates the user's password. In previous versions of Moodle, the function + * auth_user_update_password accepted a username as the first parameter. The + * revised function expects a user object. * * @param object $user User table object (with system magic quotes) * @param string $newpassword Plaintext password (with system magic quotes) @@ -237,6 +246,16 @@ class auth_plugin_base { return array(); } + /** + * Prints a form for configuring this authentication plugin. + * + * This function is called from admin/auth.php, and outputs a full page with + * a form for configuring this plugin. + */ + function config_form($config, $err, $user_fields) { + //override if needed + } + /** * A chance to validate form data, and last chance to * do stuff before it is inserted in config_plugin 
@@ -246,34 +265,54 @@ class auth_plugin_base { } /** - * Prelogin actions. + * Processes and stores configuration data for this authentication plugin. */ - function prelogin_hook() { + function process_config($config) { + //override if needed + return true; + } + + /** + * Hook for overriding behavior of login page. + * This method is called from login/index.php page for all enabled auth plugins. + */ + function loginpage_hook() { + global $frm; // can be used to override submitted login form + global $user; // can be used to replace authenticate_user_login() + //override if needed } /** * Post authentication hook. + * This method is called from authenticate_user_login() for all enabled auth plugins. + * + * @param object $user user object, later used for $USER + * @param string $username (with system magic quotes) + * @param string $password plain text password (with system magic quotes) */ - function user_authenticated_hook($user, $username, $password) { - /// TODO: review following code - looks hackish :-( mnet should obsole this, right? - /// Log in to a second system if necessary - global $CFG; - - if (!empty($CFG->sso)) { - include_once($CFG->dirroot .'/sso/'. $CFG->sso .'/lib.php'); - if (function_exists('sso_user_login')) { - if (!sso_user_login($username, $password)) { // Perform the signon process - notify('Second sign-on failed'); - } - } - } + function user_authenticated_hook(&$user, $username, $password) { + //override if needed } /** - * Prelogout actions. + * Pre logout hook. + * This method is called from require_logout() for all enabled auth plugins, */ function prelogout_hook() { + global $USER; // use $USER->auth to find the plugin used for login + + //override if needed + } + + /** + * Hook for overriding behavior of logout page. + * This method is called from login/logout.php page for all enabled auth plugins. 
+ */ + function logoutpage_hook() { + global $USER; // use $USER->auth to find the plugin used for login + global $redirect; // can be used to override redirect after logout + //override if needed } } diff --git a/lib/moodlelib.php b/lib/moodlelib.php index c399bb0df25..9c0196274cd 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php @@ -1828,16 +1828,10 @@ function require_logout() { if (isloggedin()) { add_to_log(SITEID, "user", "logout", "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id); - //TODO: move following 2 ifs into auth plugins - add new logout hook - $authsequence = get_enabled_auth_plugins(); - - if (in_array('cas', $authsequence) and $USER->auth == 'cas' and !empty($CFG->cas_enabled)) { - require($CFG->dirroot.'/auth/cas/logout.php'); - } - - if (in_array('mnet', $authsequence) and $USER->auth == 'mnet') { - $authplugin = get_auth_plugin('mnet');; - $authplugin->logout(); + $authsequence = get_enabled_auth_plugins(); // auths, in sequence + foreach($authsequence as $authname) { + $authplugin = get_auth_plugin($authname); + $authplugin->prelogout_hook(); } } @@ -2613,8 +2607,8 @@ function guest_user() { * Uses auth_ functions from the currently active auth module * * @uses $CFG - * @param string $username User's username - * @param string $password User's password + * @param string $username User's username (with system magic quotes) + * @param string $password User's password (with system magic quotes) * @return user|flase A {@link $USER} object or false if error */ function authenticate_user_login($username, $password) { 
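Review bot: The docblock for `loginpage_hook()` in lib/authlib.php says the global `$user` "can be used to replace authenticate_user_login()", but it does not say what a plugin must have verified before setting it. Since the hook runs for all enabled plugins, I would add a line such as `* A plugin that sets $user is solely responsible for having verified that user's identity; no password check follows.` The second half of that sentence is inferred from the existing comment and should be confirmed against login/index.php. `user_authenticated_hook()` now takes `&$user`, so its docblock should also say whether plugins may modify the object that later becomes `$USER`. The `prelogout_hook()` comment ends with a stray comma ("auth plugins,").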
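Review bot: The `foreach` added to `require_logout()` runs every enabled plugin's `prelogout_hook()` before the rest of the function, and nothing guards against a hook that redirects or exits. If one does (the CAS hook `require`s a logout script whose contents are not shown here), the remaining plugins' hooks and any session cleanup after the `if (isloggedin())` block would presumably not run, leaving the local session alive. A comment above the loop would make the contract explicit: `// hooks must return; redirects belong in logoutpage_hook(), otherwise the local session is not destroyed`. The body of `require_logout()` continues outside the hunk.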
@@ -2670,7 +2664,21 @@ function authenticate_user_login($username, $password) { $authplugin->sync_roles($user); - $authplugin->user_authenticated_hook($user, $username, $password); + foreach ($authsenabled as $hau) { + $hauth = get_auth_plugin($hau); + $hauth->user_authenticated_hook($user, $username, $password); + } + + /// Log in to a second system if necessary + /// NOTICE: /sso/ will be moved to auth and deprecated soon; use user_authenticated_hook() instead + if (!empty($CFG->sso)) { + include_once($CFG->dirroot .'/sso/'. $CFG->sso .'/lib.php'); + if (function_exists('sso_user_login')) { + if (!sso_user_login($username, $password)) { // Perform the signon process + notify('Second sign-on failed'); + } + } + } return $user; diff --git a/login/index.php b/login/index.php index 317be9b830f..4e4d63a6e7c 100644 --- a/login/index.php +++ b/login/index.php @@ -58,7 +58,7 @@ $user = false; $authsequence = get_enabled_auth_plugins(true); // auths, in sequence foreach($authsequence as $authname) { $authplugin = get_auth_plugin($authname); - $authplugin->prelogin_hook(); + $authplugin->loginpage_hook(); } //HTTPS is potentially required in this page diff --git a/login/logout.php b/login/logout.php index 2883a333787..2d8c0e5ac49 100644 --- a/login/logout.php +++ b/login/logout.php @@ -18,7 +18,7 @@ $authsequence = get_enabled_auth_plugins(); // auths, in sequence foreach($authsequence as $authname) { $authplugin = get_auth_plugin($authname); - $authplugin->prelogout_hook(); + $authplugin->logoutpage_hook(); } require_logout(); diff --git a/sso/README.txt b/sso/README.txt new file mode 100644 index 00000000000..bcb69475970 --- /dev/null +++ b/sso/README.txt @@ -0,0 +1,2 @@ +NOTICE: +/sso/ will be moved to /auth/ and deprecated; use user_authenticated_hook() instead
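Review bot: The loop over `$authsenabled` hands the plaintext `$password` to `user_authenticated_hook()` of every enabled plugin, where the removed line called it on `$authplugin` only. That widens the set of code that sees credentials, so the call site or the hook's docblock should say so, e.g. `/// NOTE: every enabled plugin sees the plain text password here; hooks must not store or log it`. Separately, the relocated SSO block builds an include path from `$CFG->sso`. Reducing it to a single directory name first (`$ssodir = basename($CFG->sso);`) would keep a malformed setting from reaching outside /sso/. The function starts and ends outside the hunk.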