local.inc.php 69 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607
  1. <?php
  2. /* For licensing terms, see /license.txt */
  3. use Chamilo\CoreBundle\Component\Utils\ChamiloApi;
  4. use ChamiloSession as Session;
  5. /**
  6. * SCRIPT PURPOSE.
  7. *
  8. * This script initializes and manages Chamilo session information. It
  9. * keeps available session information up to date.
  10. *
  11. * You can request a course id. It will check if the course Id requested is the
  12. * same as the current one. If it isn't it will update session information from
  13. * the database. You can also force the course reset if you want ($cidReset).
  14. *
  15. * All the course information is stored in the $_course array.
  16. *
  17. * You can request a group id. The script will check if the group id requested is the
  18. * same as the current one. If it isn't it will update session information from
  19. * the database. You can also force the course reset if you want ($gidReset).
  20. *
  21. * The course id is stored in $_cid session variable.
  22. * The group id is stored in $_gid session variable.
  23. *
  24. *
  25. * VARIABLES AFFECTING THE SCRIPT BEHAVIOR
  26. *
  27. * string $login
  28. * string $password
  29. * boolean $logout
  30. *
  31. * string $cidReq : course id requested
  32. * boolean $cidReset : ask for a course Reset, if no $cidReq is provided in the
  33. * same time, all course informations is removed from the
  34. * current session
  35. *
  36. * int $gidReq : group Id requested
  37. * boolean $gidReset : ask for a group Reset, if no $gidReq is provided in the
  38. * same time, all group informations is removed from the
  39. * current session
  40. *
  41. *
  42. * VARIABLES SET AND RETURNED BY THE SCRIPT
  43. *
  44. * All the variables below are set and returned by this script.
  45. *
  46. * USER VARIABLES
  47. *
  48. * string $_user ['firstName' ]
  49. * string $_user ['lastName' ]
  50. * string $_user ['mail' ]
  51. * string $_user ['lastLogin' ]
  52. * string $_user ['official_code']
  53. * string $_user ['picture_uri' ]
  54. * string $_user['user_id']
  55. *
  56. * boolean $is_platformAdmin
  57. * boolean $is_allowedCreateCourse
  58. *
  59. * COURSE VARIABLES
  60. * see the function get_course_info_with_category
  61. * boolean $is_courseMember
  62. * boolean $is_courseTutor
  63. * boolean $is_courseAdmin
  64. *
  65. *
  66. * GROUP VARIABLES
  67. *
  68. * int $_gid (the group id)
  69. *
  70. *
  71. * IMPORTANT ADVICE FOR DEVELOPERS
  72. *
  73. * We strongly encourage developers to use a connection layer at the top of
  74. * their scripts rather than use these variables, as they are, inside the core
  75. * of their scripts. It will make code maintenance much easier.
  76. *
  77. * Many if the functions you need you can already find in the
  78. * main_api.lib.php
  79. *
  80. * We encourage you to use functions to access these global "kernel" variables.
  81. * You can add them to e.g. the main API library.
  82. *
  83. *
  84. * SCRIPT STRUCTURE
  85. *
  86. * 1. The script determines if there is an authentication attempt. This part
  87. * only chek if the login name and password are valid. Afterwards, it set the
  88. * $_user['user_id'] (user id) and the $uidReset flag. Other user informations are retrieved
  89. * later. It's also in this section that optional external authentication
  90. * devices step in.
  91. *
  92. * 2. The script determines what other session informations have to be set or
  93. * reset, setting correctly $cidReset (for course) and $gidReset (for group).
  94. *
  95. * 3. If needed, the script retrieves the other user informations (first name,
  96. * last name, ...) and stores them in session.
  97. *
  98. * 4. If needed, the script retrieves the course information and stores them
  99. * in session
  100. *
  101. * 5. The script initializes the user permission status and permission for the
  102. * course level
  103. *
  104. * 6. If needed, the script retrieves group informations an store them in
  105. * session.
  106. *
  107. * 7. The script initializes the user status and permission for the group level.
  108. *
  109. * @package chamilo.include
  110. */
  111. // Verified if exists the username and password in session current
  112. // Facebook connexion, if activated
  113. if (api_is_facebook_auth_activated() && !api_get_user_id()) {
  114. require_once api_get_path(SYS_PATH).'main/auth/external_login/facebook.inc.php';
  115. if (isset($facebook_config['appId']) && isset($facebook_config['secret'])) {
  116. facebookConnect();
  117. }
  118. }
  119. // Conditional login
  120. if (isset($_SESSION['conditional_login']['uid']) && $_SESSION['conditional_login']['can_login'] === true) {
  121. $uData = api_get_user_info($_SESSION['conditional_login']['uid']);
  122. ConditionalLogin::check_conditions($uData);
  123. $_user['user_id'] = $_SESSION['conditional_login']['uid'];
  124. $_user['status'] = $uData['status'];
  125. Session::write('_user', $_user);
  126. Session::erase('conditional_login');
  127. $uidReset = true;
  128. Event::eventLogin($_user['user_id']);
  129. }
  130. // parameters passed via GET
  131. $logout = isset($_GET['logout']) ? $_GET['logout'] : '';
  132. $gidReq = isset($_GET['gidReq']) ? (int) $_GET['gidReq'] : '';
  133. // Keep a trace of the course and session from which we are getting out, to
  134. // enable proper course logout tracking in courseLogout()
  135. $logoutInfo = [];
  136. if (!empty($logout) || !empty($cidReset)) {
  137. $uid = 0;
  138. if (!empty($_SESSION['_user']) && !empty($_SESSION['_user']['user_id'])) {
  139. $uid = $_SESSION['_user']['user_id'];
  140. }
  141. $cid = 0;
  142. if (!empty($_SESSION['_cid'])) {
  143. $cid = api_get_course_int_id($_SESSION['_cid']);
  144. }
  145. $logoutInfo = [
  146. 'uid' => $uid,
  147. 'cid' => $cid,
  148. 'sid' => api_get_session_id(),
  149. ];
  150. }
  151. $courseCodeFromSession = api_get_course_id();
  152. // $cidReq can be set in URL-parameter
  153. $cidReq = isset($_GET['cidReq']) ? Database::escape_string($_GET['cidReq']) : '';
  154. $cidReset = isset($cidReset) ? (bool) $cidReset : false;
  155. // $cDir is a special url param sent from a redirection from /courses/[DIR]/index.php...
  156. // It replaces cidReq in some opportunities
  157. $cDir = isset($_GET['cDir']) && !empty($_GET['cDir']) ? $_GET['cDir'] : '';
  158. // if there is a cDir parameter in the URL and $cidReq could not be determined
  159. if (!empty($cDir) && empty($cidReq)) {
  160. $courseCode = CourseManager::getCourseCodeFromDirectory($cDir);
  161. if (!empty($courseCode)) {
  162. $cidReq = $courseCode;
  163. }
  164. }
  165. if (empty($cidReq) && !empty($courseCodeFromSession)) {
  166. $cidReq = $courseCodeFromSession;
  167. }
  168. if (empty($cidReset)) {
  169. if ($courseCodeFromSession != $cidReq) {
  170. $cidReset = true;
  171. }
  172. } else {
  173. $cidReq = null;
  174. }
  175. $gidReset = isset($gidReset) ? $gidReset : '';
  176. // $gidReset can be set in URL-parameter
  177. // parameters passed via POST
  178. $login = isset($_POST["login"]) ? $_POST["login"] : '';
  179. // register if the user is just logging in, in order to redirect him
  180. $logging_in = false;
  181. /* MAIN CODE */
  182. if (!empty($_SESSION['_user']['user_id']) && !($login || $logout)) {
  183. // uid is in session => login already done, continue with this value
  184. $_user['user_id'] = $_SESSION['_user']['user_id'];
  185. //Check if we have to reset user data
  186. //This param can be used to reload user data if user has been logged by external script
  187. if (isset($_SESSION['_user']['uidReset']) && $_SESSION['_user']['uidReset']) {
  188. $uidReset = true;
  189. }
  190. } else {
  191. if (isset($_user['user_id'])) {
  192. unset($_user['user_id']);
  193. }
  194. $termsAndCondition = Session::read('term_and_condition');
  195. // Platform legal terms and conditions
  196. if (api_get_setting('allow_terms_conditions') === 'true' &&
  197. api_get_setting('load_term_conditions_section') === 'login'
  198. ) {
  199. if (isset($_POST['login']) && isset($_POST['password']) &&
  200. isset($termsAndCondition['user_id'])
  201. ) {
  202. // user id
  203. $user_id = $termsAndCondition['user_id'];
  204. // Update the terms & conditions
  205. $legal_type = null;
  206. //verify type of terms and conditions
  207. if (isset($_POST['legal_info'])) {
  208. $info_legal = explode(':', $_POST['legal_info']);
  209. $legal_type = LegalManager::get_type_of_terms_and_conditions(
  210. $info_legal[0],
  211. $info_legal[1]
  212. );
  213. }
  214. // is necessary verify check
  215. if ($legal_type == 1) {
  216. if ((isset($_POST['legal_accept']) && $_POST['legal_accept'] == '1')) {
  217. $legal_option = true;
  218. } else {
  219. $legal_option = false;
  220. }
  221. }
  222. // no is check option
  223. if ($legal_type == 0) {
  224. $legal_option = true;
  225. }
  226. if (isset($_POST['legal_accept_type']) && $legal_option === true) {
  227. $cond_array = explode(':', $_POST['legal_accept_type']);
  228. if (!empty($cond_array[0]) && !empty($cond_array[1])) {
  229. $time = time();
  230. $condition_to_save = intval($cond_array[0]).':'.intval($cond_array[1]).':'.$time;
  231. UserManager::update_extra_field_value(
  232. $user_id,
  233. 'legal_accept',
  234. $condition_to_save
  235. );
  236. }
  237. }
  238. }
  239. }
  240. // IF cas is activated and user isn't logged in
  241. if (api_get_setting('cas_activate') == 'true') {
  242. $cas_activated = true;
  243. } else {
  244. $cas_activated = false;
  245. }
  246. $cas_login = false;
  247. if ($cas_activated && !isset($_user['user_id']) && !isset($_POST['login']) && !$logout) {
  248. require_once api_get_path(SYS_PATH).'main/auth/cas/authcas.php';
  249. $cas_login = cas_is_authenticated();
  250. }
  251. if ((isset($_POST['login']) && isset($_POST['password'])) || ($cas_login)) {
  252. // $login && $password are given to log in
  253. if ($cas_login && empty($_POST['login'])) {
  254. $login = $cas_login;
  255. } else {
  256. $login = $_POST['login'];
  257. $password = $_POST['password'];
  258. }
  259. $userManager = UserManager::getManager();
  260. $userRepository = UserManager::getRepository();
  261. // Lookup the user in the main database
  262. $user_table = Database::get_main_table(TABLE_MAIN_USER);
  263. $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status, salt
  264. FROM $user_table
  265. WHERE username = '".Database::escape_string($login)."'";
  266. $result = Database::query($sql);
  267. $captchaValidated = true;
  268. $captcha = api_get_setting('allow_captcha');
  269. $allowCaptcha = $captcha == 'true';
  270. if (Database::num_rows($result) > 0) {
  271. $uData = Database::fetch_array($result, 'ASSOC');
  272. if ($allowCaptcha) {
  273. // Checking captcha
  274. if (isset($_POST['captcha'])) {
  275. // Check captcha
  276. $captchaText = $_POST['captcha'];
  277. /** @var Text_CAPTCHA $obj */
  278. $obj = isset($_SESSION['template.lib']) ? $_SESSION['template.lib'] : null;
  279. if ($obj) {
  280. $obj->getPhrase();
  281. if ($obj->getPhrase() != $captchaText) {
  282. $captchaValidated = false;
  283. } else {
  284. $captchaValidated = true;
  285. }
  286. }
  287. if (isset($_SESSION['captcha_question'])) {
  288. $captcha_question = $_SESSION['captcha_question'];
  289. $captcha_question->destroy();
  290. }
  291. }
  292. // Redirect to login page
  293. if ($captchaValidated == false) {
  294. $loginFailed = true;
  295. Session::erase('_uid');
  296. Session::write('loginFailed', '1');
  297. header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=wrong_captcha');
  298. exit;
  299. }
  300. // Check if account is blocked by captcha user extra field see function api_block_account_captcha()
  301. $blockedUntilDate = api_get_user_blocked_by_captcha($login);
  302. if (isset($blockedUntilDate) && !empty($blockedUntilDate)) {
  303. if (time() > api_strtotime($blockedUntilDate, 'UTC')) {
  304. api_clean_account_captcha($login);
  305. } else {
  306. $loginFailed = true;
  307. Session::erase('_uid');
  308. Session::write('loginFailed', '1');
  309. header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=blocked_by_captcha');
  310. exit;
  311. }
  312. }
  313. }
  314. if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE ||
  315. $uData['auth_source'] == CAS_AUTH_SOURCE
  316. ) {
  317. $validPassword = UserManager::isPasswordValid(
  318. $uData['password'],
  319. $password,
  320. $uData['salt']
  321. );
  322. $checkUserFromExternalWebservice = false;
  323. // If user can't connect directly to chamilo then check the webservice setting
  324. if ($validPassword === false) {
  325. // Use external webservice to
  326. $options = api_get_configuration_value('webservice_validation');
  327. if (!empty($options) && isset($options['options']) && !empty($options['options'])) {
  328. $options = $options['options'];
  329. $soapclient = new nusoap_client($options['wsdl']);
  330. $function = $options['check_login_function'];
  331. $params = [
  332. 'login' => $uData['username'],
  333. 'password' => $password,
  334. ];
  335. $result = $soapclient->call($function, [serialize($params)]);
  336. if ($error = $soapclient->getError()) {
  337. error_log('error');
  338. error_log(print_r($error, 1));
  339. } elseif ((int) $result === 1) {
  340. $checkUserFromExternalWebservice = true;
  341. }
  342. }
  343. }
  344. // Check the user's password
  345. if (($validPassword || $cas_login || $checkUserFromExternalWebservice) &&
  346. (trim($login) == $uData['username'])
  347. ) {
  348. // Means that the login was loaded in a different page than index.php
  349. // we force the reload of the course access using cidReset just in case
  350. if (isset($_REQUEST['redirect_after_not_allow_page']) &&
  351. $_REQUEST['redirect_after_not_allow_page'] == 1
  352. ) {
  353. $cidReset = true;
  354. }
  355. $update_type = UserManager::get_extra_user_data_by_field(
  356. $uData['user_id'],
  357. 'update_type'
  358. );
  359. $update_type = isset($update_type['update_type']) ? $update_type['update_type'] : '';
  360. if (!empty($extAuthSource[$update_type]['updateUser'])
  361. && file_exists($extAuthSource[$update_type]['updateUser'])
  362. ) {
  363. include_once $extAuthSource[$update_type]['updateUser'];
  364. }
  365. // Check if the account is active (not locked)
  366. if ($uData['active'] == '1') {
  367. // Check if the expiration date has not been reached
  368. if ($uData['expiration_date'] > date('Y-m-d H:i:s')
  369. || empty($uData['expiration_date'])
  370. ) {
  371. global $_configuration;
  372. if (api_is_multiple_url_enabled()) {
  373. // Check if user is an admin
  374. $my_user_is_admin = UserManager::is_admin($uData['user_id']);
  375. // This user is subscribed in these sites => $my_url_list
  376. $my_url_list = api_get_access_url_from_user($uData['user_id']);
  377. //Check the access_url configuration setting if
  378. // the user is registered in the access_url_rel_user table
  379. //Getting the current access_url_id of the platform
  380. $current_access_url_id = api_get_current_access_url_id();
  381. if ($my_user_is_admin === false) {
  382. // the user have the permissions to enter at this site
  383. if (is_array($my_url_list) &&
  384. in_array($current_access_url_id, $my_url_list)
  385. ) {
  386. ConditionalLogin::check_conditions($uData);
  387. $_user['user_id'] = $uData['user_id'];
  388. $_user['status'] = $uData['status'];
  389. Session::write('_user', $_user);
  390. Event::eventLogin($_user['user_id']);
  391. $logging_in = true;
  392. } else {
  393. $loginFailed = true;
  394. Session::erase('_uid');
  395. Session::write('loginFailed', '1');
  396. // Fix cas redirection loop
  397. // https://support.chamilo.org/issues/6124
  398. $location = api_get_path(WEB_PATH)
  399. .'index.php?loginFailed=1&error=access_url_inactive';
  400. if ($cas_login) {
  401. cas_logout(null, $location);
  402. Event::courseLogout($logoutInfo);
  403. } else {
  404. header('Location: '.$location);
  405. }
  406. exit;
  407. }
  408. } else {
  409. //Only admins of the "main" (first) Chamilo portal can login wherever they want
  410. if (in_array(1, $my_url_list)) {
  411. //Check if this admin have the access_url_id = 1 which means the principal
  412. ConditionalLogin::check_conditions($uData);
  413. $_user['user_id'] = $uData['user_id'];
  414. $_user['status'] = $uData['status'];
  415. Session::write('_user', $_user);
  416. Event::eventLogin($_user['user_id']);
  417. $logging_in = true;
  418. } else {
  419. //This means a secondary admin wants to login so we check as he's a normal user
  420. if (in_array($current_access_url_id, $my_url_list)) {
  421. $_user['user_id'] = $uData['user_id'];
  422. $_user['status'] = $uData['status'];
  423. Session::write('_user', $_user);
  424. Event::eventLogin($_user['user_id']);
  425. $logging_in = true;
  426. } else {
  427. $loginFailed = true;
  428. Session::erase('_uid');
  429. Session::write('loginFailed', '1');
  430. header(
  431. 'Location: '.api_get_path(WEB_PATH)
  432. .'index.php?loginFailed=1&error=access_url_inactive'
  433. );
  434. exit;
  435. }
  436. }
  437. }
  438. } else {
  439. ConditionalLogin::check_conditions($uData);
  440. $_user['user_id'] = $uData['user_id'];
  441. $_user['status'] = $uData['status'];
  442. Session::write('_user', $_user);
  443. Event::eventLogin($uData['user_id']);
  444. $logging_in = true;
  445. }
  446. } else {
  447. $loginFailed = true;
  448. Session::erase('_uid');
  449. Session::write('loginFailed', '1');
  450. header(
  451. 'Location: '.api_get_path(WEB_PATH)
  452. .'index.php?loginFailed=1&error=account_expired'
  453. );
  454. exit;
  455. }
  456. } else {
  457. $loginFailed = true;
  458. Session::erase('_uid');
  459. Session::write('loginFailed', '1');
  460. header(
  461. 'Location: '.api_get_path(WEB_PATH)
  462. .'index.php?loginFailed=1&error=account_inactive'
  463. );
  464. exit;
  465. }
  466. } else {
  467. // login failed: username or password incorrect
  468. $loginFailed = true;
  469. Session::erase('_uid');
  470. Session::write('loginFailed', '1');
  471. if ($allowCaptcha) {
  472. if (isset($_SESSION['loginFailedCount'])) {
  473. $_SESSION['loginFailedCount']++;
  474. } else {
  475. $_SESSION['loginFailedCount'] = 1;
  476. }
  477. $numberMistakesToBlockAccount = api_get_setting('captcha_number_mistakes_to_block_account');
  478. if (isset($_SESSION['loginFailedCount'])) {
  479. if ($_SESSION['loginFailedCount'] >= $numberMistakesToBlockAccount) {
  480. api_block_account_captcha($login);
  481. }
  482. }
  483. }
  484. header(
  485. 'Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=user_password_incorrect'
  486. );
  487. exit;
  488. }
  489. if (isset($uData['creator_id']) && $_user['user_id'] != $uData['creator_id']) {
  490. //first login for a not self registred
  491. //e.g. registered by a teacher
  492. //do nothing (code may be added later)
  493. }
  494. } elseif (!empty($extAuthSource[$uData['auth_source']]['login'])
  495. && file_exists($extAuthSource[$uData['auth_source']]['login'])
  496. ) {
  497. /*
  498. * Process external authentication
  499. * on the basis of the given login name
  500. */
  501. $loginFailed = true; // Default initialisation. It could
  502. // change after the external authentication
  503. $key = $uData['auth_source']; //'ldap','shibboleth'...
  504. // Check if organisationemail email exist for this user and replace the current login with
  505. $extraFieldValue = new ExtraFieldValue('user');
  506. $newLogin = $extraFieldValue->get_values_by_handler_and_field_variable(
  507. $uData['user_id'],
  508. 'organisationemail'
  509. );
  510. if (!empty($newLogin) && isset($newLogin['value'])) {
  511. $login = $newLogin['value'];
  512. }
  513. /* >>>>>>>> External authentication modules <<<<<<<<< */
  514. // see configuration.php to define these
  515. include_once $extAuthSource[$key]['login'];
  516. /* >>>>>>>> External authentication modules <<<<<<<<< */
  517. } else { // no standard Chamilo login - try external authentification
  518. //huh... nothing to do... we shouldn't get here
  519. error_log(
  520. 'Chamilo Authentication file defined in'.
  521. ' $extAuthSource could not be found - this might prevent'.
  522. ' your system from doing the corresponding authentication'.
  523. ' process',
  524. 0
  525. );
  526. }
  527. } else {
  528. $extraFieldValue = new ExtraFieldValue('user');
  529. $uData = $extraFieldValue->get_item_id_from_field_variable_and_field_value(
  530. 'organisationemail',
  531. $login
  532. );
  533. if (!empty($uData)) {
  534. $uData = api_get_user_info($uData['item_id']);
  535. if (!empty($extAuthSource[$uData['auth_source']]['login'])
  536. && file_exists($extAuthSource[$uData['auth_source']]['login'])
  537. ) {
  538. /*
  539. * Process external authentication
  540. * on the basis of the given login name
  541. */
  542. $loginFailed = true; // Default initialisation. It could
  543. // change after the external authentication
  544. $key = $uData['auth_source']; //'ldap','shibboleth'...
  545. /* >>>>>>>> External authentication modules <<<<<<<<< */
  546. // see configuration.php to define these
  547. include_once $extAuthSource[$key]['login'];
  548. }
  549. } else {
  550. // change after the external authentication
  551. // login failed, Database::num_rows($result) <= 0
  552. $loginFailed = true; // Default initialisation. It could
  553. }
  554. // login failed, Database::num_rows($result) <= 0
  555. $loginFailed = true; // Default initialisation. It could
  556. // change after the external authentication
  557. /*
  558. * In this section:
  559. * there is no entry for the $login user in the Chamilo
  560. * database. This also means there is no auth_source for the user.
  561. * We let all external procedures attempt to add him/her
  562. * to the system.
  563. *
  564. * Process external login on the basis
  565. * of the authentication source list
  566. * provided by the configuration settings.
  567. * If the login succeeds, for going further,
  568. * Chamilo needs the $_user['user_id'] variable to be
  569. * set and registered in the session. It's the
  570. * responsability of the external login script
  571. * to provide this $_user['user_id'].
  572. */
  573. if (isset($extAuthSource) && is_array($extAuthSource)) {
  574. foreach ($extAuthSource as $thisAuthSource) {
  575. if (!empty($thisAuthSource['login']) && file_exists($thisAuthSource['login'])) {
  576. include_once $thisAuthSource['login'];
  577. }
  578. if (isset($thisAuthSource['newUser']) && file_exists($thisAuthSource['newUser'])) {
  579. include_once $thisAuthSource['newUser'];
  580. } else {
  581. error_log(
  582. 'Chamilo Authentication external file'.
  583. ' could not be found - this might prevent your system from using'.
  584. ' the authentication process in the user creation process',
  585. 0
  586. );
  587. }
  588. }
  589. } //end if is_array($extAuthSource)
  590. $checkUserInfo = Session::read('_user');
  591. if ($loginFailed && empty($checkUserInfo)) {
  592. //If we are here username given is wrong
  593. Session::write('loginFailed', '1');
  594. header(
  595. 'Location: '.api_get_path(WEB_PATH)
  596. .'index.php?loginFailed=1&error=user_password_incorrect'
  597. );
  598. exit;
  599. }
  600. } //end else login failed
  601. } elseif (api_get_setting('sso_authentication') === 'true'
  602. && !in_array('webservices', explode('/', $_SERVER['REQUEST_URI']))
  603. ) {
  604. /**
  605. * TODO:
  606. * - Work on a better validation for webservices paths. Current is very poor and exit.
  607. */
  608. $subsso = api_get_setting('sso_authentication_subclass');
  609. if (!empty($subsso)) {
  610. require_once api_get_path(SYS_CODE_PATH).'auth/sso/sso.'.$subsso.'.class.php';
  611. $subsso = 'sso'.$subsso;
  612. $osso = new $subsso(); //load the subclass
  613. } else {
  614. $osso = new sso();
  615. }
  616. if (isset($_SESSION['_user']['user_id'])) {
  617. if ($logout) {
  618. // Make custom redirect after logout
  619. online_logout($_SESSION['_user']['user_id'], false);
  620. Event::courseLogout($logoutInfo);
  621. $osso->logout(); //redirects and exits
  622. }
  623. } elseif (!$logout) {
  624. // Handle cookie from Master Server
  625. $forceSsoRedirect = api_get_setting('sso_force_redirect');
  626. if ($forceSsoRedirect === 'true') {
  627. // all users to be redirected unless they are connected (removed req on sso_cookie)
  628. $redirectToMasterConditions = !isset($_REQUEST['sso_referer']) && !isset($_GET['loginFailed']);
  629. } else {
  630. // Users to still see the homepage without connecting
  631. $redirectToMasterConditions = !isset($_REQUEST['sso_referer']) && !isset($_GET['loginFailed']) && isset($_GET['sso_cookie']);
  632. }
  633. if ($redirectToMasterConditions) {
  634. // Redirect to master server
  635. $osso->ask_master();
  636. } elseif (isset($_REQUEST['sso_cookie'])) {
  637. // Here we are going to check the origin of
  638. // what the call says should be used for
  639. // authentication, and ensure we know it
  640. $matches_domain = false;
  641. if (isset($_REQUEST['sso_referer'])) {
  642. $protocol = api_get_setting('sso_authentication_protocol');
  643. // sso_authentication_domain can list
  644. // several, comma-separated, domains
  645. $master_urls = preg_split('/,/', api_get_setting('sso_authentication_domain'));
  646. if (!empty($master_urls)) {
  647. $master_auth_uri = api_get_setting('sso_authentication_auth_uri');
  648. foreach ($master_urls as $mu) {
  649. if (empty($mu)) {
  650. continue;
  651. }
  652. // For each URL, check until we find *one* that matches the $_GET['sso_referer'],
  653. // then skip other possibilities
  654. // Do NOT compare the whole referer, as this might cause confusing errors with friendly urls,
  655. // like in Drupal /?q=user& vs /user?
  656. $referrer = substr($_REQUEST['sso_referer'], 0, strrpos($_REQUEST['sso_referer'], '/'));
  657. if ($protocol.trim($mu) === $referrer) {
  658. $matches_domain = true;
  659. break;
  660. }
  661. }
  662. } else {
  663. error_log(
  664. 'Your sso_authentication_master param is empty. '.
  665. 'Check the platform configuration, security section. '.
  666. 'It can be a list of comma-separated domains'
  667. );
  668. }
  669. }
  670. if ($matches_domain) {
  671. //make all the process of checking
  672. //if the user exists (delegated to the sso class)
  673. $osso->check_user();
  674. } else {
  675. error_log('Check the sso_referer URL in your script, it doesn\'t match any of the possibilities');
  676. //Request comes from unknown source
  677. $loginFailed = true;
  678. Session::erase('_uid');
  679. Session::write('loginFailed', '1');
  680. header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=unrecognize_sso_origin');
  681. exit;
  682. }
  683. }
  684. //end logout ... else ... login
  685. } elseif ($logout) {
  686. //if there was an attempted logout without a previous login, log
  687. // this anonymous user out as well but avoid redirect
  688. online_logout(null, false);
  689. Event::courseLogout($logoutInfo);
  690. $osso->logout(); //redirects and exits
  691. }
  692. } elseif (api_get_setting('openid_authentication') == 'true') {
  693. if (!empty($_POST['openid_url'])) {
  694. include api_get_path(SYS_CODE_PATH).'auth/openid/login.php';
  695. openid_begin(trim($_POST['openid_url']), api_get_path(WEB_PATH).'index.php');
  696. //this last function should trigger a redirect, so we can die here safely
  697. die('Openid login redirection should be in progress');
  698. } elseif (!empty($_GET['openid_identity'])) { //it's usual for PHP to replace '.' (dot) by '_' (underscore) in URL parameters
  699. include api_get_path(SYS_CODE_PATH).'auth/openid/login.php';
  700. $res = openid_complete($_GET);
  701. if ($res['status'] == 'success') {
  702. $id1 = Database::escape_string($res['openid.identity']);
  703. //have another id with or without the final '/'
  704. $id2 = (substr($id1, -1, 1) == '/' ? substr($id1, 0, -1) : $id1.'/');
  705. //lookup the user in the main database
  706. $user_table = Database::get_main_table(TABLE_MAIN_USER);
  707. $sql = "SELECT user_id, username, password, auth_source, active, expiration_date
  708. FROM $user_table
  709. WHERE openid = '$id1'
  710. OR openid = '$id2' ";
  711. $result = Database::query($sql);
  712. if ($result !== false) {
  713. if (Database::num_rows($result) > 0) {
  714. $uData = Database::fetch_array($result);
  715. if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE) {
  716. //the authentification of this user is managed by Chamilo itself
  717. // check if the account is active (not locked)
  718. if ($uData['active'] == '1') {
  719. // check if the expiration date has not been reached
  720. if ($uData['expiration_date'] > date('Y-m-d H:i:s')
  721. || empty($uData['expiration_date'])
  722. ) {
  723. $_user['user_id'] = $uData['user_id'];
  724. $_user['status'] = $uData['status'];
  725. Session::write('_user', $_user);
  726. Event::eventLogin($_user['user_id']);
  727. } else {
  728. $loginFailed = true;
  729. Session::erase('_uid');
  730. Session::write('loginFailed', '1');
  731. header('Location: index.php?loginFailed=1&error=account_expired');
  732. exit;
  733. }
  734. } else {
  735. $loginFailed = true;
  736. Session::erase('_uid');
  737. Session::write('loginFailed', '1');
  738. header('Location: index.php?loginFailed=1&error=account_inactive');
  739. exit;
  740. }
  741. if (isset($uData['creator_id']) && $_user['user_id'] != $uData['creator_id']) {
  742. //first login for a not self registred
  743. //e.g. registered by a teacher
  744. //do nothing (code may be added later)
  745. }
  746. }
  747. } else {
  748. // Redirect to the subscription form
  749. Session::write('loginFailed', '1');
  750. header(
  751. 'Location: '.api_get_path(WEB_CODE_PATH)
  752. .'auth/inscription.php?username='.$res['openid.sreg.nickname']
  753. .'&email='.$res['openid.sreg.email']
  754. .'&openid='.$res['openid.identity']
  755. .'&openid_msg=idnotfound'
  756. );
  757. exit;
  758. //$loginFailed = true;
  759. }
  760. } else {
  761. $loginFailed = true;
  762. }
  763. } else {
  764. $loginFailed = true;
  765. }
  766. }
  767. } elseif (KeyAuth::is_enabled()) {
  768. $success = KeyAuth::instance()->login();
  769. if ($success) {
  770. $use_anonymous = false;
  771. }
  772. }
  773. $uidReset = true;
  774. // $cidReset = true;
  775. // $gidReset = true;
  776. } // end else
  777. $maxAnons = api_get_configuration_value('max_anonymous_users');
  778. // Now check for anonymous user mode
  779. if (isset($use_anonymous) && $use_anonymous) {
  780. //if anonymous mode is set, then try to set the current user as anonymous
  781. //if he doesn't have a login yet
  782. $anonResult = api_set_anonymous();
  783. if ($maxAnons >= 2 && $anonResult) {
  784. $uidReset = true;
  785. Event::eventLogin($_user['user_id']);
  786. }
  787. } else {
  788. //if anonymous mode is not set, then check if this user is anonymous. If it
  789. //is, clean it from being anonymous (make him a nobody :-))
  790. api_clear_anonymous();
  791. }
  792. // if the requested course is different from the course in session
  793. if (!empty($cidReq) && (!isset($_SESSION['_cid']) ||
  794. (isset($_SESSION['_cid']) && $cidReq != $_SESSION['_cid']))
  795. ) {
  796. $cidReset = true;
  797. $gidReset = true; // As groups depend from courses, group id is reset
  798. }
  799. /* USER INIT */
  800. if (isset($uidReset) && $uidReset) {
  801. // session data refresh requested
  802. unset($_SESSION['_user']['uidReset']);
  803. $is_platformAdmin = false;
  804. $is_allowedCreateCourse = false;
  805. $isAnonymous = api_is_anonymous();
  806. if ($maxAnons >= 2) {
  807. $isAnonymous = false;
  808. }
  809. if (isset($_user['user_id']) && $_user['user_id'] && !$isAnonymous) {
  810. // a uid is given (log in succeeded)
  811. $_SESSION['loginFailed'] = false;
  812. unset($_SESSION['loginFailedCount']);
  813. unset($_SESSION['loginToBlock']);
  814. $user_table = Database::get_main_table(TABLE_MAIN_USER);
  815. $admin_table = Database::get_main_table(TABLE_MAIN_ADMIN);
  816. $track_e_login = Database::get_main_table(TABLE_STATISTIC_TRACK_E_LOGIN);
  817. $sql = "SELECT user.*, a.user_id is_admin, login.login_date
  818. FROM $user_table
  819. LEFT JOIN $admin_table a
  820. ON user.user_id = a.user_id
  821. LEFT JOIN $track_e_login login
  822. ON user.user_id = login.login_user_id
  823. WHERE user.user_id = '".$_user['user_id']."'
  824. ORDER BY login.login_date DESC LIMIT 1";
  825. $result = Database::query($sql);
  826. if (Database::num_rows($result) > 0) {
  827. // Extracting the user data
  828. $uData = Database::fetch_array($result);
  829. $_user = _api_format_user($uData, false);
  830. $is_platformAdmin = (bool) (!is_null($uData['is_admin']));
  831. $is_allowedCreateCourse = (bool) (($uData['status'] == COURSEMANAGER) || (api_get_setting('drhCourseManagerRights') && $uData['status'] == DRH));
  832. ConditionalLogin::check_conditions($uData);
  833. Session::write('_user', $_user);
  834. UserManager::update_extra_field_value($_user['user_id'], 'already_logged_in', 'true');
  835. Session::write('is_platformAdmin', $is_platformAdmin);
  836. Session::write('is_allowedCreateCourse', $is_allowedCreateCourse);
  837. } else {
  838. header('Location:'.api_get_path(WEB_PATH));
  839. exit;
  840. //exit("WARNING UNDEFINED UID !! ");
  841. }
  842. } else {
  843. if (!api_is_anonymous()) {
  844. // no uid => logout or Anonymous
  845. Session::erase('_user');
  846. Session::erase('_uid');
  847. }
  848. }
  849. Session::write('is_platformAdmin', $is_platformAdmin);
  850. Session::write('is_allowedCreateCourse', $is_allowedCreateCourse);
  851. } else { // continue with the previous values
  852. $_user = $_SESSION['_user'];
  853. $is_platformAdmin = isset($_SESSION['is_platformAdmin']) ? $_SESSION['is_platformAdmin'] : false;
  854. $is_allowedCreateCourse = isset($_SESSION['is_allowedCreateCourse']) ? $_SESSION['is_allowedCreateCourse'] : false;
  855. }
  856. $logoutCourseCalled = false;
  857. if (!isset($_SESSION['login_as'])) {
  858. $save_course_access = true;
  859. $_course = Session::read('_course');
  860. if ($_course && isset($_course['real_id'])) {
  861. // The value $_dont_save_user_course_access should be added before
  862. // the call of global.inc.php see the main/inc/chat.ajax.php file
  863. // Disables the updates in the TRACK_E_COURSE_ACCESS table
  864. if (isset($_dont_save_user_course_access) && $_dont_save_user_course_access == true) {
  865. $save_course_access = false;
  866. } else {
  867. $logoutCourseCalled = true;
  868. Event::courseLogout($logoutInfo);
  869. }
  870. }
  871. }
  872. $sessionIdFromGet = isset($_GET['id_session']) ? (int) $_GET['id_session'] : false;
  873. // if a session id has been given in url, we store the session if course was set:
  874. $sessionIdFromSession = api_get_session_id();
  875. $checkFromDatabase = false;
  876. // User change from session id
  877. if (($sessionIdFromGet !== false && $sessionIdFromGet !== $sessionIdFromSession) || $cidReset) {
  878. $cidReset = true;
  879. $checkFromDatabase = true;
  880. Session::erase('session_name');
  881. Session::erase('id_session');
  882. // Deleting session from $_SESSION means also deleting $_SESSION['_course'] and group info
  883. Session::erase('_real_cid');
  884. Session::erase('_cid');
  885. Session::erase('_course');
  886. Session::erase('_gid');
  887. }
  888. if ($checkFromDatabase && !empty($sessionIdFromGet)) {
  889. $sessionInfo = api_get_session_info($sessionIdFromGet);
  890. if (!empty($sessionInfo)) {
  891. Session::write('session_name', $sessionInfo['name']);
  892. Session::write('id_session', $sessionInfo['id']);
  893. } else {
  894. $cidReset = true;
  895. $gidReset = true;
  896. Session::erase('session_name');
  897. Session::erase('id_session');
  898. // Deleting session from $_SESSION means also deleting $_SESSION['_course'] and group info
  899. Session::erase('_real_cid');
  900. Session::erase('_cid');
  901. Session::erase('_course');
  902. Session::erase('_gid');
  903. api_not_allowed(true);
  904. }
  905. }
  906. /* COURSE INIT */
  907. if ($cidReset) {
  908. // Course session data refresh requested or empty data
  909. if ($cidReq) {
  910. $_course = api_get_course_info($cidReq);
  911. if (!empty($_course)) {
  912. //@TODO real_cid should be cid, for working with numeric course id
  913. $_real_cid = $_course['real_id'];
  914. $_cid = $_course['code'];
  915. Session::write('_real_cid', $_real_cid);
  916. Session::write('_cid', $_cid);
  917. Session::write('_course', $_course);
  918. if (!empty($_GET['gidReq'])) {
  919. $_SESSION['_gid'] = (int) $_GET['gidReq'];
  920. } else {
  921. Session::erase('_gid');
  922. }
  923. // Course login
  924. if (isset($_user['user_id'])) {
  925. Event::eventCourseLogin(
  926. api_get_course_int_id(),
  927. api_get_user_id(),
  928. api_get_session_id()
  929. );
  930. }
  931. } else {
  932. //exit("WARNING UNDEFINED CID !! ");
  933. header('Location:'.api_get_path(WEB_PATH));
  934. exit;
  935. }
  936. } else {
  937. // Leave a logout time in the track_e_course_access table if we were in a course
  938. if ($logoutCourseCalled == false) {
  939. Event::courseLogout($logoutInfo);
  940. }
  941. Session::erase('_cid');
  942. Session::erase('_real_cid');
  943. Session::erase('_course');
  944. Session::erase('session_name');
  945. Session::erase('id_session');
  946. if (!empty($_SESSION)) {
  947. foreach ($_SESSION as $key => $session_item) {
  948. if (strpos($key, 'lp_autolaunch_') === false) {
  949. continue;
  950. } else {
  951. if (isset($_SESSION[$key])) {
  952. Session::erase($key);
  953. }
  954. }
  955. }
  956. }
  957. if (api_get_group_id()) {
  958. Session::erase('_gid');
  959. }
  960. if (api_is_in_gradebook()) {
  961. api_remove_in_gradebook();
  962. }
  963. }
  964. } else {
  965. // Continue with the previous values
  966. if (empty($_SESSION['_course']) && !empty($_SESSION['_cid'])) {
  967. //Just in case $_course is empty we try to load if the c_id still exists
  968. $_course = api_get_course_info($_SESSION['_cid']);
  969. if (!empty($_course)) {
  970. $_real_cid = $_course['real_id'];
  971. $_cid = $_course['code'];
  972. Session::write('_real_cid', $_real_cid);
  973. Session::write('_cid', $_cid);
  974. Session::write('_course', $_course);
  975. }
  976. }
  977. if (empty($_SESSION['_course']) || empty($_SESSION['_cid'])) { //no previous values...
  978. $_cid = -1; // Set default values
  979. $_course = -1;
  980. } else {
  981. $_cid = $_SESSION['_cid'];
  982. $_course = $_SESSION['_course'];
  983. if (!empty($_REQUEST['gidReq'])) {
  984. $_SESSION['_gid'] = (int) $_REQUEST['gidReq'];
  985. $group_table = Database::get_course_table(TABLE_GROUP);
  986. $sql = "SELECT * FROM $group_table
  987. WHERE c_id = ".$_course['real_id']." AND id = '$gidReq'";
  988. $result = Database::query($sql);
  989. if (Database::num_rows($result) > 0) { // This group has recorded status related to this course
  990. $gpData = Database::fetch_array($result);
  991. $_gid = $gpData['id'];
  992. Session::write('_gid', $_gid);
  993. }
  994. } else {
  995. Session::write('_gid', 0);
  996. }
  997. }
  998. }
  999. /* COURSE / USER REL. INIT */
  1000. $session_id = api_get_session_id();
  1001. $user_id = isset($_user['user_id']) ? $_user['user_id'] : null;
  1002. //Course permissions
  1003. //if this code is uncommented in some platforms the is_courseAdmin is not correctly saved see BT#5789
  1004. /*$is_courseAdmin = false; //course teacher
  1005. $is_courseTutor = false; //course teacher - some rights
  1006. $is_courseMember = false; //course student
  1007. $is_session_general_coach = false; //course coach
  1008. */
  1009. // Course - User permissions
  1010. $is_sessionAdmin = false;
  1011. $is_session_general_coach = false; //course coach
  1012. $is_courseAdmin = false;
  1013. $is_courseTutor = false;
  1014. $is_courseMember = false;
  1015. if ((isset($uidReset) && $uidReset) || $cidReset) {
  1016. if (isset($_cid) && $_cid) {
  1017. $my_user_id = isset($user_id) ? (int) $user_id : 0;
  1018. $variable = 'accept_legal_'.$my_user_id.'_'.$_course['real_id'].'_'.$session_id;
  1019. $user_pass_open_course = false;
  1020. if (api_check_user_access_to_legal($_course['visibility']) && Session::read($variable)) {
  1021. $user_pass_open_course = true;
  1022. }
  1023. // Checking if the user filled the course legal agreement
  1024. if ($_course['activate_legal'] == 1 && !api_is_platform_admin() && !api_is_anonymous()) {
  1025. $user_is_subscribed = CourseManager::is_user_accepted_legal(
  1026. $user_id,
  1027. $_course['id'],
  1028. $session_id
  1029. ) || $user_pass_open_course;
  1030. if (!$user_is_subscribed) {
  1031. $url = api_get_path(WEB_CODE_PATH).'course_info/legal.php?course_code='.$_course['code'].'&session_id='.$session_id;
  1032. header('Location: '.$url);
  1033. exit;
  1034. }
  1035. }
  1036. // Platform legal terms and conditions
  1037. if (api_get_setting('allow_terms_conditions') === 'true' &&
  1038. api_get_setting('load_term_conditions_section') === 'course'
  1039. ) {
  1040. $termAndConditionStatus = api_check_term_condition($user_id);
  1041. // @todo not sure why we need the login password and update_term_status
  1042. if ($termAndConditionStatus === false) {
  1043. Session::write('term_and_condition', ['user_id' => $user_id]);
  1044. } else {
  1045. Session::erase('term_and_condition');
  1046. }
  1047. $termsAndCondition = Session::read('term_and_condition');
  1048. if (isset($termsAndCondition['user_id'])) {
  1049. // user id
  1050. $user_id = $termsAndCondition['user_id'];
  1051. // Update the terms & conditions
  1052. $legal_type = null;
  1053. // Verify type of terms and conditions
  1054. if (isset($_POST['legal_info'])) {
  1055. $info_legal = explode(':', $_POST['legal_info']);
  1056. $legal_type = LegalManager::get_type_of_terms_and_conditions(
  1057. $info_legal[0],
  1058. $info_legal[1]
  1059. );
  1060. }
  1061. // is necessary verify check
  1062. if ($legal_type === 1) {
  1063. if (isset($_POST['legal_accept']) && $_POST['legal_accept'] == '1') {
  1064. $legal_option = true;
  1065. } else {
  1066. $legal_option = false;
  1067. }
  1068. }
  1069. // no is check option
  1070. if ($legal_type == 0) {
  1071. $legal_option = true;
  1072. }
  1073. if (isset($_POST['legal_accept_type']) && $legal_option === true) {
  1074. $cond_array = explode(':', $_POST['legal_accept_type']);
  1075. if (!empty($cond_array[0]) && !empty($cond_array[1])) {
  1076. $time = time();
  1077. $condition_to_save = intval($cond_array[0]).':'.intval($cond_array[1]).':'.$time;
  1078. UserManager::update_extra_field_value(
  1079. $user_id,
  1080. 'legal_accept',
  1081. $condition_to_save
  1082. );
  1083. }
  1084. }
  1085. $redirect = true;
  1086. $allow = api_get_configuration_value('allow_public_course_with_no_terms_conditions');
  1087. if ($allow === true &&
  1088. isset($_course['visibility']) &&
  1089. $_course['visibility'] == COURSE_VISIBILITY_OPEN_WORLD
  1090. ) {
  1091. $redirect = false;
  1092. }
  1093. if ($redirect && !api_is_platform_admin()) {
  1094. $url = api_get_path(WEB_CODE_PATH).'auth/inscription.php';
  1095. header('Location:'.$url);
  1096. exit;
  1097. }
  1098. }
  1099. }
  1100. }
  1101. if (isset($user_id) && $user_id && isset($_real_cid) && $_real_cid) {
  1102. // Check if user is subscribed in a course
  1103. $course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER);
  1104. $sql = "SELECT * FROM $course_user_table
  1105. WHERE
  1106. user_id = '".$user_id."' AND
  1107. relation_type <> ".COURSE_RELATION_TYPE_RRHH." AND
  1108. c_id = '$_real_cid'";
  1109. $result = Database::query($sql);
  1110. $cuData = null;
  1111. if (Database::num_rows($result) > 0) { // this user have a recorded state for this course
  1112. $cuData = Database::fetch_array($result, 'ASSOC');
  1113. $is_courseAdmin = $cuData['status'] == 1;
  1114. $is_courseTutor = $cuData['is_tutor'] == 1;
  1115. $is_courseMember = true;
  1116. }
  1117. // We are in a session course? Check session permissions
  1118. if (!empty($session_id)) {
  1119. if (!empty($session_id) && !empty($_course)) {
  1120. if (!SessionManager::relation_session_course_exist($session_id, $_course['real_id'])) {
  1121. api_not_allowed(true);
  1122. }
  1123. }
  1124. // I'm not the teacher of the course
  1125. if ($is_courseAdmin == false) {
  1126. // This user has no status related to this course
  1127. // The user is subscribed in a session? The user is a Session coach a Session admin?
  1128. $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);
  1129. $tbl_session_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
  1130. $tbl_session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
  1131. // Session coach, session admin or course coach admin
  1132. $sql = "SELECT session.id_coach, session_admin_id, session_rcru.user_id
  1133. FROM $tbl_session session, $tbl_session_course_user session_rcru
  1134. WHERE
  1135. session_rcru.session_id = session.id AND
  1136. session_rcru.c_id = '$_real_cid' AND
  1137. session_rcru.user_id = '$user_id' AND
  1138. session_rcru.session_id = $session_id AND
  1139. session_rcru.status = 2
  1140. ";
  1141. $result = Database::query($sql);
  1142. $row = Database::store_result($result);
  1143. // Am I a session admin?
  1144. if (isset($row) && isset($row[0]) && $row[0]['session_admin_id'] == $user_id) {
  1145. $is_courseMember = false;
  1146. $is_courseTutor = false;
  1147. $is_courseAdmin = false;
  1148. $is_session_general_coach = false;
  1149. $is_sessionAdmin = true;
  1150. } else {
  1151. // Am I a session coach for this session?
  1152. $sql = "SELECT session.id, session.id_coach
  1153. FROM $tbl_session session
  1154. INNER JOIN $tbl_session_course sc
  1155. ON sc.session_id = session.id
  1156. WHERE session.id = $session_id
  1157. AND session.id_coach = $user_id
  1158. AND sc.c_id = '$_real_cid'";
  1159. $result = Database::query($sql);
  1160. if (Database::num_rows($result)) {
  1161. $is_courseMember = true;
  1162. $is_courseTutor = false;
  1163. $is_session_general_coach = true;
  1164. $is_sessionAdmin = false;
  1165. } else {
  1166. // Am I a course coach or a student?
  1167. $sql = "SELECT cu.user_id, cu.status
  1168. FROM $tbl_session_course_user cu
  1169. WHERE
  1170. c_id = '$_real_cid' AND
  1171. cu.user_id = '".$user_id."' AND
  1172. cu.session_id = '".$session_id."'
  1173. LIMIT 1";
  1174. $result = Database::query($sql);
  1175. if (Database::num_rows($result)) {
  1176. $row = Database::fetch_array($result, 'ASSOC');
  1177. $session_course_status = $row['status'];
  1178. switch ($session_course_status) {
  1179. case '2': // coach - teacher
  1180. $is_courseMember = true;
  1181. $is_courseTutor = true;
  1182. $is_session_general_coach = false;
  1183. $is_sessionAdmin = false;
  1184. if (api_get_setting('extend_rights_for_coach') == 'true') {
  1185. $is_courseAdmin = true;
  1186. } else {
  1187. $is_courseAdmin = false;
  1188. }
  1189. break;
  1190. case '0': //Student
  1191. $is_courseMember = true;
  1192. $is_courseTutor = false;
  1193. $is_courseAdmin = false;
  1194. $is_session_general_coach = false;
  1195. $is_sessionAdmin = false;
  1196. break;
  1197. default:
  1198. //unregister user
  1199. $is_courseMember = false;
  1200. $is_courseTutor = false;
  1201. $is_courseAdmin = false;
  1202. $is_sessionAdmin = false;
  1203. $is_session_general_coach = false;
  1204. break;
  1205. }
  1206. } else {
  1207. // Unregister user
  1208. $is_courseMember = false;
  1209. $is_courseTutor = false;
  1210. $is_courseAdmin = false;
  1211. $is_sessionAdmin = false;
  1212. $is_session_general_coach = false;
  1213. }
  1214. }
  1215. }
  1216. // Drh can enter to a course as an student see BT#6770
  1217. if (api_drh_can_access_all_session_content()) {
  1218. $sessionInfo = SessionManager::getSessionFollowedByDrh($user_id, $session_id);
  1219. if (!empty($sessionInfo) && !empty($sessionInfo['course_list'])) {
  1220. if (isset($sessionInfo['course_list'][$_course['real_id']])) {
  1221. $is_courseMember = true;
  1222. $is_courseTutor = false;
  1223. $is_session_general_coach = false;
  1224. $is_sessionAdmin = false;
  1225. }
  1226. }
  1227. }
  1228. }
  1229. // If I'm the admin platform i'm a teacher of the course
  1230. if ($is_platformAdmin) {
  1231. $is_courseAdmin = true;
  1232. }
  1233. } else {
  1234. // User has not access to the course
  1235. // This will check if the course was added in one of his sessions
  1236. // Then it will be redirected to that course-session
  1237. if ($is_courseMember == false) {
  1238. // Search session
  1239. $courseSession = SessionManager::searchCourseInSessionsFromUser(
  1240. $user_id,
  1241. $_course['real_id']
  1242. );
  1243. $priorityList = [];
  1244. if (!empty($courseSession)) {
  1245. foreach ($courseSession as $courseSessionItem) {
  1246. if (isset($courseSessionItem['session_id'])) {
  1247. $customSessionId = $courseSessionItem['session_id'];
  1248. $visibility = api_get_session_visibility($customSessionId, $_course['real_id']);
  1249. if ($visibility == SESSION_INVISIBLE) {
  1250. continue;
  1251. }
  1252. switch ($visibility) {
  1253. case SESSION_AVAILABLE:
  1254. $priorityList[1][] = $customSessionId;
  1255. break;
  1256. case SESSION_VISIBLE:
  1257. $priorityList[2][] = $customSessionId;
  1258. break;
  1259. case SESSION_VISIBLE_READ_ONLY:
  1260. $priorityList[3][] = $customSessionId;
  1261. break;
  1262. }
  1263. }
  1264. }
  1265. }
  1266. if (!empty($priorityList)) {
  1267. ksort($priorityList);
  1268. foreach ($priorityList as $sessionList) {
  1269. if (empty($sessionList)) {
  1270. continue;
  1271. }
  1272. foreach ($sessionList as $customSessionId) {
  1273. $currentUrl = htmlentities($_SERVER['REQUEST_URI']);
  1274. $currentUrl = str_replace('id_session=0', '', $currentUrl);
  1275. $currentUrl = str_replace('&amp;', '&', $currentUrl);
  1276. if (strpos($currentUrl, '?') !== false) {
  1277. $currentUrl = rtrim($currentUrl, '&');
  1278. $url = $currentUrl.'&id_session='.$customSessionId;
  1279. } else {
  1280. $url = $currentUrl.'?id_session='.$customSessionId;
  1281. }
  1282. $url = str_replace('&&', '&', $url);
  1283. //$url = $_course['course_public_url'].'?id_session='.$customSessionId;
  1284. Session::erase('_real_cid');
  1285. Session::erase('_cid');
  1286. Session::erase('_course');
  1287. header('Location: '.$url);
  1288. exit;
  1289. }
  1290. }
  1291. }
  1292. }
  1293. }
  1294. } else { // keys missing => not anymore in the course - user relation
  1295. // course
  1296. $is_courseMember = false;
  1297. $is_courseAdmin = false;
  1298. $is_courseTutor = false;
  1299. $is_session_general_coach = false;
  1300. $is_sessionAdmin = false;
  1301. }
  1302. // Checking the course access
  1303. $is_allowed_in_course = false;
  1304. if (isset($_course) && isset($_course['visibility'])) {
  1305. switch ($_course['visibility']) {
  1306. case COURSE_VISIBILITY_OPEN_WORLD: //3
  1307. $is_allowed_in_course = true;
  1308. break;
  1309. case COURSE_VISIBILITY_OPEN_PLATFORM: //2
  1310. $userAccess = api_get_configuration_value('block_registered_users_access_to_open_course_contents');
  1311. // If this setting is not set or equals false, allow registered users to access content from any open
  1312. // course
  1313. if ($userAccess == false) {
  1314. if (isset($user_id) && !api_is_anonymous($user_id)) {
  1315. $is_allowed_in_course = true;
  1316. }
  1317. } else {
  1318. // If the setting == true, then only allow users to access the content of an open course if they are
  1319. // directly subscribed to the course (so first check the registration to the course)
  1320. $courseCode = $_course['code'];
  1321. $isUserSubscribedInCourse = CourseManager::is_user_subscribed_in_course(
  1322. $user_id,
  1323. $courseCode,
  1324. $session_id
  1325. );
  1326. if (isset($user_id) && ($is_platformAdmin || $isUserSubscribedInCourse === true) && !api_is_anonymous($user_id)) {
  1327. $is_allowed_in_course = true;
  1328. }
  1329. }
  1330. break;
  1331. case COURSE_VISIBILITY_REGISTERED: //1
  1332. if ($is_platformAdmin || $is_courseMember) {
  1333. $is_allowed_in_course = true;
  1334. }
  1335. break;
  1336. case COURSE_VISIBILITY_CLOSED: //0
  1337. if ($is_platformAdmin || $is_courseAdmin) {
  1338. $is_allowed_in_course = true;
  1339. }
  1340. break;
  1341. case COURSE_VISIBILITY_HIDDEN: //4
  1342. if ($is_platformAdmin) {
  1343. $is_allowed_in_course = true;
  1344. }
  1345. break;
  1346. }
  1347. }
  1348. if (!$is_platformAdmin) {
  1349. if (!$is_courseMember &&
  1350. isset($_course['registration_code']) &&
  1351. !empty($_course['registration_code']) &&
  1352. !Session::read('course_password_'.$_course['real_id'], false)
  1353. ) {
  1354. // if we are here we try to access to a course requiring password
  1355. if ($is_allowed_in_course) {
  1356. // the course visibility allows to access the course
  1357. // with a password
  1358. $url = api_get_path(WEB_CODE_PATH).'auth/set_temp_password.php?course_id='.$_course['real_id'].'&session_id='.$session_id;
  1359. header('Location: '.$url);
  1360. exit;
  1361. } else {
  1362. $is_courseMember = false;
  1363. $is_courseAdmin = false;
  1364. $is_courseTutor = false;
  1365. $is_session_general_coach = false;
  1366. $is_sessionAdmin = false;
  1367. $is_allowed_in_course = false;
  1368. }
  1369. }
  1370. } // check the session visibility
  1371. if ($is_allowed_in_course == true) {
  1372. //if I'm in a session
  1373. if ($session_id != 0) {
  1374. if (!$is_platformAdmin) {
  1375. // admin is not affected to the invisible session mode
  1376. $session_visibility = api_get_session_visibility($session_id);
  1377. switch ($session_visibility) {
  1378. case SESSION_INVISIBLE:
  1379. $is_allowed_in_course = false;
  1380. break;
  1381. }
  1382. }
  1383. }
  1384. }
  1385. // save the states
  1386. if (isset($is_courseAdmin)) {
  1387. Session::write('is_courseAdmin', $is_courseAdmin);
  1388. if ($is_courseAdmin) {
  1389. $is_allowed_in_course = true;
  1390. }
  1391. }
  1392. if (isset($is_courseMember)) {
  1393. Session::write('is_courseMember', $is_courseMember);
  1394. }
  1395. if (isset($is_courseTutor)) {
  1396. Session::write('is_courseTutor', $is_courseTutor);
  1397. if ($is_courseTutor) {
  1398. $is_allowed_in_course = true;
  1399. }
  1400. }
  1401. Session::write('is_session_general_coach', $is_session_general_coach);
  1402. Session::write('is_allowed_in_course', $is_allowed_in_course);
  1403. Session::write('is_sessionAdmin', $is_sessionAdmin);
  1404. } else {
  1405. // Continue with the previous values
  1406. $is_courseAdmin = isset($_SESSION['is_courseAdmin']) ? $_SESSION['is_courseAdmin'] : false;
  1407. $is_courseTutor = isset($_SESSION['is_courseTutor']) ? $_SESSION['is_courseTutor'] : false;
  1408. $is_session_general_coach = isset($_SESSION['is_session_general_coach']) ? $_SESSION['is_session_general_coach'] : false;
  1409. $is_courseMember = isset($_SESSION['is_courseMember']) ? $_SESSION['is_courseMember'] : false;
  1410. $is_allowed_in_course = isset($_SESSION['is_allowed_in_course']) ? $_SESSION['is_allowed_in_course'] : false;
  1411. }
  1412. //set variable according to student_view_enabled choices
  1413. if (api_get_setting('student_view_enabled') == "true") {
  1414. if (isset($_GET['isStudentView'])) {
  1415. if ($_GET['isStudentView'] == 'true') {
  1416. if (isset($_SESSION['studentview'])) {
  1417. if (!empty($_SESSION['studentview'])) {
  1418. // switching to studentview
  1419. $_SESSION['studentview'] = 'studentview';
  1420. }
  1421. }
  1422. } elseif ($_GET['isStudentView'] == 'false') {
  1423. if (isset($_SESSION['studentview'])) {
  1424. if (!empty($_SESSION['studentview'])) {
  1425. // switching to teacherview
  1426. $_SESSION['studentview'] = 'teacherview';
  1427. }
  1428. }
  1429. }
  1430. } elseif (!empty($_SESSION['studentview'])) {
  1431. //all is fine, no change to that, obviously
  1432. } elseif (empty($_SESSION['studentview'])) {
  1433. // We are in teacherview here
  1434. $_SESSION['studentview'] = 'teacherview';
  1435. }
  1436. }
  1437. if (isset($_cid)) {
  1438. $tbl_course = Database::get_main_table(TABLE_MAIN_COURSE);
  1439. $time = api_get_utc_datetime();
  1440. $sql = "UPDATE $tbl_course SET last_visit = '$time' WHERE code='$_cid'";
  1441. Database::query($sql);
  1442. }
  1443. // direct login to course
  1444. if ((isset($cas_login) && $cas_login && exist_firstpage_parameter()) ||
  1445. ($logging_in && exist_firstpage_parameter())
  1446. ) {
  1447. $redirectCourseDir = api_get_firstpage_parameter();
  1448. api_delete_firstpage_parameter(); // delete the cookie
  1449. if (!isset($_SESSION['request_uri'])) {
  1450. if (CourseManager::getCourseCodeFromDirectory($redirectCourseDir)) {
  1451. $_SESSION['noredirection'] = false;
  1452. $_SESSION['request_uri'] = api_get_path(WEB_COURSE_PATH).$redirectCourseDir.'/';
  1453. }
  1454. }
  1455. } elseif (api_user_is_login() && exist_firstpage_parameter()) {
  1456. $redirectCourseDir = api_get_firstpage_parameter();
  1457. api_delete_firstpage_parameter(); // delete the cookie
  1458. if (CourseManager::getCourseCodeFromDirectory($redirectCourseDir)) {
  1459. $_SESSION['noredirection'] = false;
  1460. $_SESSION['request_uri'] = api_get_path(WEB_COURSE_PATH).$redirectCourseDir.'/';
  1461. }
  1462. }
  1463. Event::eventCourseLoginUpdate(
  1464. api_get_course_int_id(),
  1465. api_get_user_id(),
  1466. api_get_session_id()
  1467. );
  1468. Redirect::session_request_uri($logging_in, $user_id);
  1469. if (!ChamiloApi::isAjaxRequest() && api_get_configuration_value('allow_mandatory_survey')) {
  1470. SurveyManager::protectByMandatory();
  1471. }