Commit a757a430 authored by Iñaki Arenaza's avatar Iñaki Arenaza Committed by Nigel McNie

Initial version for the HTTPS login patch

There is a new optional setting called $cfg->httpswwwroot. The reason we
have a new setting instead of simply substituting 'http://' with
'https://' in $cfg->wwwroot, like Moodle currently does, is that the
substitution approach prevents people from using non-standard ports in
their HTTPS setups.
This may be necessary if you want to run both Moodle and Mahara on the
same host/ip and use HTTPS logins for both of them.
Signed-off-by: default avatarIñaki Arenaza <iarenaza@eps.mondragon.edu>
parent d539eb27
......@@ -1001,15 +1001,20 @@ function auth_get_login_form() {
// remembers the GET and POST data sent to it and resends that on
// afterwards.
$action = '';
if (get_config('httpswwwroot')) {
$action = rtrim(get_config('httpswwwroot'), '/') . hsc(strip_querystring(get_relative_script_path()));
}
if ($_GET) {
if (isset($_GET['logout'])) {
// You can log the user out on any particular page by appending
// ?logout to the URL. In this case, we don't want the "action"
// of the url to include that, or be blank, else the next time
// the user logs in they will be logged out again.
$action = hsc(substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '?')));
if ($action == '') {
$action = hsc(substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '?')));
}
} else {
$action = '?';
$action .= '?';
foreach ($_GET as $key => $value) {
if ($key != 'logout' && $key != 'login') {
$action .= hsc($key) . '=' . hsc($value) . '&amp;';
......@@ -1265,6 +1270,19 @@ function login_submit(Pieform $form, $values) {
// User is allowed to log in
//$USER->login($userdata);
auth_check_required_fields();
if (get_config('httpswwwroot') && !defined('JSON')) {
// If we are using HTTPS for logins we need to go back to
// non-HTTPS URLs. Otherwise, Javascript (and possibly CSS)
// breaks. Don't use get_full_script_path(), as it doesn't
// work if someone sets httpswwwroot to something like
// 'https://x.y.z.w:443/...' (unlikely, but
// possible). get_full_script_path() doesn't gives us the
// ':443' part and things break horribly.
$parts = parse_url(get_config('httpswwwroot'));
$httpsrequest = rtrim($parts['path'], '/');
redirect(hsc(substr(get_script_path(), strlen($httpsrequest))));
}
}
/**
......@@ -1477,6 +1495,10 @@ function auth_generate_login_form() {
if (!get_config('installed')) {
return;
}
$action='';
if (get_config('httpswwwroot')) {
$action = rtrim(get_config('httpswwwroot'), '/') . hsc(strip_querystring(get_relative_script_path()));
}
require_once('pieforms/pieform.php');
if (count_records('institution', 'registerallowed', 1, 'suspended', 0)) {
$registerlink = '<a href="' . get_config('wwwroot') . 'register.php" tabindex="2">' . get_string('register') . '</a><br>';
......@@ -1488,6 +1510,7 @@ function auth_generate_login_form() {
'name' => 'login',
'renderer' => 'div',
'submit' => false,
'action' => $action,
'plugintype' => 'auth',
'pluginname' => 'internal',
'autofocus' => false,
......
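Review bot: In login_submit the redirect target is built with `substr(get_script_path(), strlen($httpsrequest))` without checking that the script path actually begins with the path component of httpswwwroot, and `$parts['path']` is read without checking that parse_url() succeeded. If wwwroot and httpswwwroot are configured with different sub-paths, the cut lands in the wrong place and the user is redirected to a truncated path. I would guard the call with `if (is_array($parts) && isset($parts['path']) && strpos(get_script_path(), $httpsrequest) === 0)` and fall back to the site root otherwise. Separately, `hsc()` is HTML escaping; if redirect() emits a Location header (its body is not visible here), any `&` in the target becomes `&amp;`. The body of login_submit starts outside the hunk.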
......@@ -57,6 +57,11 @@ $cfg->dbprefix = '';
// then try specifying it here
//$cfg->wwwroot = 'http://myhost.com/mahara/';
// You will only need to specify this if you want to use HTTPS for
// logins, but not for regular pages. If you want to serve all of your
// Mahara content via HTTPS, just set $cfg->wwwroot to use HTTPS instead.
//$cfg->httpswwwroot = 'https://myhost.com/mahara';
// dataroot - uploaded files are stored here
// This is a ABSOLUTE FILESYSTEM PATH. This is NOT a URL.
// For example, valid paths are:
......
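Review bot: The new comment block presents login-only HTTPS as a supported mode without saying what it leaves unprotected. login_submit in this commit redirects back to non-HTTPS URLs after authentication, so the session cookie presumably travels in cleartext from then on, and the page carrying the login form is presumably still delivered over HTTP. I would add a line such as `// Note: this only protects the submitted password; the session after login is not encrypted.` so administrators choose this mode knowingly.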
......@@ -182,6 +182,11 @@ if (!isset($CFG->wwwroot) && isset($_SERVER['HTTP_HOST'])) {
$CFG->wwwroot = $wwwroot;
}
}
if (isset($CFG->httpswwwroot)) {
if (substr($CFG->httpswwwroot, -1, 1) != '/') {
$CFG->httpswwwroot .= '/';
}
}
if (!isset($CFG->noreplyaddress) && isset($_SERVER['HTTP_HOST'])) {
$noreplyaddress = 'noreply@';
$host = (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
......
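Review bot: The new block only normalises the trailing slash and never checks that `$CFG->httpswwwroot` is actually an https:// URL. A mistyped http:// value would be accepted silently, and the login form action built from it in auth_get_login_form would then submit credentials without TLS. I would test the scheme here with `if (stripos($CFG->httpswwwroot, 'https://') !== 0)` and stop with a configuration error rather than continue. An empty string also passes isset() and becomes '/', which callers of get_config('httpswwwroot') would presumably treat as enabled.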
......@@ -45,6 +45,7 @@ function &smarty_core() {
$smarty->assign('THEME', $THEME);
$smarty->assign('WWWROOT', get_config('wwwroot'));
$smarty->assign('HTTPSWWWROOT', get_config('httpswwwroot'));
$theme_list = array();
foreach ($themepaths['mahara'] as $themepath) {
......@@ -2235,8 +2236,8 @@ function get_script_path() {
}
/**
* Like {@link me()} but returns a full URL
* @see me()
* Like {@link get_script_path()} but returns a full URL
* @see get_script_path()
* @return string
*/
function get_full_script_path() {
......@@ -2282,6 +2283,17 @@ function get_full_script_path() {
return $url_prefix . get_script_path();
}
/**
* Like {@link get_script_path()} but returns a URI relative to WWWROOT
* @see get_script_path()
* @return string
*/
function get_relative_script_path() {
$maharadir = get_mahara_install_subdirectory();
// $maharadir always has a trailing '/'
return substr(get_script_path(), strlen($maharadir) - 1);
}
/**
* Remove query string from url
*
......
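Review bot: The docblock on get_relative_script_path does not state two things its callers depend on. The result keeps its leading '/' (that is what the `- 1` is for), and, judging by the callers in this commit that wrap it in strip_querystring(), it may still carry the query string. The function also assumes, without checking, that get_script_path() begins with the install subdirectory. I would extend the docblock with `* The result starts with '/' and may include the query string; assumes the script path lies under the install subdirectory.`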
......@@ -2,7 +2,7 @@
<div id="main-nav">
<ul>{strip}
{foreach from=$MAINNAV item=item}
<li{if $item.selected}{assign var=MAINNAVSELECTED value=$item} class="selected"{/if}><a href="{$WWWROOT}{$item.url|escape}">{$item.title|escape}</a></li>
<li{if $item.selected}{assign var=MAINNAVSELECTED value=$item} class="selected"{/if}><a href="{if get_config('httpswwwroot') && $item.url=='account/'}{$HTTPSWWWROOT}{else}{$WWWROOT}{/if}{$item.url|escape}">{$item.title|escape}</a></li>
{/foreach}
{if $LOGGEDIN}{if $USER->get('admin') || $USER->is_institutional_admin()}
{if $ADMIN || $INSTITUTIONALADMIN}
......@@ -21,7 +21,7 @@
{if $MAINNAVSELECTED.submenu}
<ul>{strip}
{foreach from=$MAINNAVSELECTED.submenu item=item}
<li{if $item.selected} class="selected"{/if}><a href="{$WWWROOT}{$item.url|escape}">{$item.title|escape}</a></li>
<li{if $item.selected} class="selected"{/if}><a href="{if get_config('httpswwwroot') && $item.url=='account/'}{$HTTPSWWWROOT}{else}{$WWWROOT}{/if}{$item.url|escape}">{$item.title|escape}</a></li>
{/foreach}
{/strip}</ul>
{/if}
......
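Review bot: The choice between `{$HTTPSWWWROOT}` and `{$WWWROOT}` is made by comparing `$item.url` with the literal 'account/' inside the template, once on the main nav line and again on the submenu line. Any other menu entry that should be reached over HTTPS has to be added to both conditions by hand, and the submenu comparison matches only an item whose URL is exactly 'account/'. A per-item flag set where the menu array is built (not visible here), tested as for example `{if $item.https}` (suggested name), would keep that decision in one place.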
......@@ -57,7 +57,7 @@
</ul>
<div class="controls center">
<a href="{$WWWROOT}?logout" class="btn-link" id="btn-logout">{str tag="logout"}</a>&nbsp;
<a href="{$WWWROOT}account/" class="btn-link">{str tag="settings"}</a>
<a href="{if get_config('httpswwwroot')}{$HTTPSWWWROOT}{else}{$WWWROOT}{/if}account/" class="btn-link">{str tag="settings"}</a>
</div>
{if $USERMASQUERADING} <div id="changeuser">{$becomeyouagain}</div>
{/if}
......