Initial version for the HTTPS login patch

There is a new optional setting called $cfg->httpswwwroot. The reason we have a new setting instead of simply substituting 'http://' with 'https://' in $cfg->wwwroot, like Moodle currently does, is that this prevents people from using non-standard ports in their HTTPS setups. This may be necessary if you want to run both Moodle and Mahara on the same host/ip and use HTTPS logins for both of them. Signed-off-by: Iñaki Arenaza <iarenaza@eps.mondragon.edu>

Initial version for the HTTPS login patch
There is a new optional setting called $cfg->httpswwwroot. The reason we have a new setting instead of simply substituting 'http://' with 'https://' in $cfg->wwwroot, like Moodle currently does, is that this prevents people from using non-standard ports in their HTTPS setups. This may be necessary if you want to run both Moodle and Mahara on the same host/ip and use HTTPS logins for both of them. Signed-off-by: Iñaki Arenaza <iarenaza@eps.mondragon.edu>
a757a430 · Iñaki Arenaza · Nigel McNie · d539eb27 · a757a430 · a757a430
Commit a757a430 authored Oct 14, 2009 by Iñaki Arenaza Committed by Nigel McNie Oct 14, 2009
6 changed files
--- a/htdocs/auth/lib.php
+++ b/htdocs/auth/lib.php
@@ -1001,15 +1001,20 @@ function auth_get_login_form() {
    // remembers the GET and POST data sent to it and resends that on
    // afterwards. 
    $action = '';
+    if (get_config('httpswwwroot')) {
+        $action = rtrim(get_config('httpswwwroot'), '/') . hsc(strip_querystring(get_relative_script_path()));
+    }
    if ($_GET) {
        if (isset($_GET['logout'])) {
            // You can log the user out on any particular page by appending
            // ?logout to the URL. In this case, we don't want the "action"
            // of the url to include that, or be blank, else the next time
            // the user logs in they will be logged out again.
-            $action = hsc(substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '?')));
+            if ($action == '') {
+                $action = hsc(substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '?')));
+            }
        } else {
-            $action = '?';
+            $action .= '?';
            foreach ($_GET as $key => $value) {
                if ($key != 'logout' && $key != 'login') {
                    $action .= hsc($key) . '=' . hsc($value) . '&amp;';
@@ -1265,6 +1270,19 @@ function login_submit(Pieform $form, $values) {
    // User is allowed to log in
    //$USER->login($userdata);
    auth_check_required_fields();
+
+    if (get_config('httpswwwroot') && !defined('JSON')) {
+        // If we are using HTTPS for logins we need to go back to
+        // non-HTTPS URLs. Otherwise, Javascript (and possibly CSS)
+        // breaks. Don't use get_full_script_path(), as it doesn't
+        // work if someone sets httpswwwroot to something like
+        // 'https://x.y.z.w:443/...'  (unlikely, but
+        // possible). get_full_script_path() doesn't gives us the
+        // ':443' part and things break horribly.
+        $parts = parse_url(get_config('httpswwwroot'));
+        $httpsrequest = rtrim($parts['path'], '/');
+        redirect(hsc(substr(get_script_path(), strlen($httpsrequest))));
+    }
 }

 /**
@@ -1477,6 +1495,10 @@ function auth_generate_login_form() {
    if (!get_config('installed')) {
        return;
    }
+    $action='';
+    if (get_config('httpswwwroot')) {
+        $action = rtrim(get_config('httpswwwroot'), '/') . hsc(strip_querystring(get_relative_script_path()));
+    }
    require_once('pieforms/pieform.php');
    if (count_records('institution', 'registerallowed', 1, 'suspended', 0)) {
        $registerlink = '<a href="' . get_config('wwwroot') . 'register.php" tabindex="2">' . get_string('register') . '</a><br>';
@@ -1488,6 +1510,7 @@ function auth_generate_login_form() {
        'name'       => 'login',
        'renderer'   => 'div',
        'submit'     => false,
+        'action'     => $action,
        'plugintype' => 'auth',
        'pluginname' => 'internal',
        'autofocus'  => false,

--- a/htdocs/config-dist.php
+++ b/htdocs/config-dist.php
@@ -57,6 +57,11 @@ $cfg->dbprefix = '';
 // then try specifying it here
 //$cfg->wwwroot = 'http://myhost.com/mahara/';

+// You will only need to specify this if you want to use HTTPS for
+// logins, but not for regular pages. If you want to serve all of your
+// Mahara content via HTTPS, just set $cfg->wwwroot to use HTTPS instead.
+//$cfg->httpswwwroot = 'https://myhost.com/mahara';
+
 // dataroot - uploaded files are stored here
 // This is a ABSOLUTE FILESYSTEM PATH. This is NOT a URL.
 // For example, valid paths are:

--- a/htdocs/init.php
+++ b/htdocs/init.php
@@ -182,6 +182,11 @@ if (!isset($CFG->wwwroot) && isset($_SERVER['HTTP_HOST'])) {
        $CFG->wwwroot = $wwwroot;
    }
 }
+if (isset($CFG->httpswwwroot)) {
+    if (substr($CFG->httpswwwroot, -1, 1) != '/') {
+        $CFG->httpswwwroot .= '/';
+    }
+}
 if (!isset($CFG->noreplyaddress) && isset($_SERVER['HTTP_HOST'])) {
    $noreplyaddress = 'noreply@';
    $host  =  (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];

--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -45,6 +45,7 @@ function &smarty_core() {

    $smarty->assign('THEME', $THEME);
    $smarty->assign('WWWROOT', get_config('wwwroot'));
+    $smarty->assign('HTTPSWWWROOT', get_config('httpswwwroot'));

    $theme_list = array();
    foreach ($themepaths['mahara'] as $themepath) {
@@ -2235,8 +2236,8 @@ function get_script_path() {
 }

 /**
- * Like {@link me()} but returns a full URL
- * @see me()
+ * Like {@link get_script_path()} but returns a full URL
+ * @see get_script_path()
 * @return string
 */
 function get_full_script_path() {
@@ -2282,6 +2283,17 @@ function get_full_script_path() {
    return $url_prefix . get_script_path();
 }

+/**
+ * Like {@link get_script_path()} but returns a URI relative to WWWROOT
+ * @see get_script_path()
+ * @return string
+ */
+function get_relative_script_path() {
+    $maharadir = get_mahara_install_subdirectory();
+    // $maharadir always has a trailing '/'
+    return substr(get_script_path(), strlen($maharadir) - 1);
+}
+
 /**
 * Remove query string from url
 *

--- a/htdocs/theme/raw/templates/header/navigation.tpl
+++ b/htdocs/theme/raw/templates/header/navigation.tpl
@@ -2,7 +2,7 @@
        <div id="main-nav">
            <ul>{strip}
 {foreach from=$MAINNAV item=item}
-                <li{if $item.selected}{assign var=MAINNAVSELECTED value=$item} class="selected"{/if}><a href="{$WWWROOT}{$item.url|escape}">{$item.title|escape}</a></li>
+                <li{if $item.selected}{assign var=MAINNAVSELECTED value=$item} class="selected"{/if}><a href="{if get_config('httpswwwroot') && $item.url=='account/'}{$HTTPSWWWROOT}{else}{$WWWROOT}{/if}{$item.url|escape}">{$item.title|escape}</a></li>
 {/foreach}
 {if $LOGGEDIN}{if $USER->get('admin') || $USER->is_institutional_admin()}
 {if $ADMIN || $INSTITUTIONALADMIN}
@@ -21,7 +21,7 @@
 {if $MAINNAVSELECTED.submenu}
            <ul>{strip}
 {foreach from=$MAINNAVSELECTED.submenu item=item}
-                <li{if $item.selected} class="selected"{/if}><a href="{$WWWROOT}{$item.url|escape}">{$item.title|escape}</a></li>
+                <li{if $item.selected} class="selected"{/if}><a href="{if get_config('httpswwwroot') && $item.url=='account/'}{$HTTPSWWWROOT}{else}{$WWWROOT}{/if}{$item.url|escape}">{$item.title|escape}</a></li>
 {/foreach}
            {/strip}</ul>
 {/if}

--- a/htdocs/theme/raw/templates/sideblocks/profile.tpl
+++ b/htdocs/theme/raw/templates/sideblocks/profile.tpl
@@ -57,7 +57,7 @@
        </ul>
        <div class="controls center">
            <a href="{$WWWROOT}?logout" class="btn-link" id="btn-logout">{str tag="logout"}</a>&nbsp;
-            <a href="{$WWWROOT}account/" class="btn-link">{str tag="settings"}</a>
+            <a href="{if get_config('httpswwwroot')}{$HTTPSWWWROOT}{else}{$WWWROOT}{/if}account/" class="btn-link">{str tag="settings"}</a>
        </div>
 {if $USERMASQUERADING}        <div id="changeuser">{$becomeyouagain}</div>
 {/if}