
Bug #1, security fixes for user/ajax PHP [iet:8488642]
* `isloggedin()` function tests; CORS HTTP header
nfreear committed Mar 28, 2017
1 parent ff2100d commit 07362c0
Showing 4 changed files with 11 additions and 8 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,6 +1,7 @@

*.css
!login.css
/style/less/
*.csv

#/bin
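--- a/db/User.php
+++ b/db/User.php
@@ -196,7 +196,7 @@ public static function getRoles()
 $roles = get_user_roles($context, $USER->id, false);
 
 self::debug([ __FUNCTION__, $roles, $USER->id ]);
-return (object) [ 'is_admin' => is_siteadmin(), 'roles' => $roles ];
+return (object) [ 'is_admin' => is_siteadmin(), 'roles' => $roles, 'is_loggedin' => isloggedin() ];
 }
 
 // ====================================================================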
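Review bot: `is_loggedin` on the new return line is also true for Moodle's guest account, because isloggedin() only tests for a non-zero $USER->id (the commit's own comment in user/ajax.php, "Was: 0 !== $USER->id", confirms the equivalence), so a caller that uses it to decide whether to show authenticated-only data will treat a guest session as a real login. If guests should not count, return the distinction alongside it, `'is_loggedin' => isloggedin(), 'is_guest' => isguestuser()`, or fold it in as `'is_loggedin' => isloggedin() && !isguestuser()`. The same applies to `USER_LOGGED_IN` in user/ajax.php, which gates redirect_url, consent_embed_url and strings on isloggedin() alone. getRoles() starts outside the hunk.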
3 changes: 2 additions & 1 deletion lang/en/auth_ouopenid.php
Expand Up @@ -36,7 +36,8 @@
This will redirect you to the TeSLA pilot.';
$string[ 'login_label' ] = 'Open University username (<abbr title="{$a}">OUCU</abbr>)';
$string[ 'login_label_abbr' ] = 'Open University computer username';
$string[ 'login_field_help' ] = 'Your OUCU — 2 to 4 letters, followed by 1 to 7 numbers.'; // Title attribute.
// Form validation - title attribute - 'login_field_help'.
$string[ 'login_field_help' ] = 'Your OUCU — 2 to 4 letters, followed by 1 to 7 numbers.';
$string[ 'login_submit' ] = 'Sign in';
$string[ 'login_footer' ] = '© 2017 The Open University';
$string[ 'login_footer_link' ] = 'https://www.open.ac.uk/';
13 changes: 7 additions & 6 deletions user/ajax.php
Expand Up @@ -9,9 +9,9 @@

require_once __DIR__ . '/../../../config.php';
require_once __DIR__ . '/../../../vendor/autoload.php';
//require_once __DIR__ . '/../lang/en/auth_ouopenid.php';

define('DEBUG', filter_input(INPUT_GET, 'debug'));
define('USER_LOGGED_IN', isloggedin()); // Was: 0 !== $USER->id;

if (DEBUG) {
$CFG->debug = DEBUG_DEVELOPER;
Expand All @@ -21,7 +21,7 @@

use IET_OU\Moodle\Auth\Ouopenid\Db\User as OuUser;

global $USER; //, $string; // Moodle global.
global $USER; // Moodle global.

$fields = [ 'auth', 'email', 'firstname', 'id', 'lastip', 'lastname', 'username', 'currentcourseaccess' ];

Expand All @@ -34,19 +34,20 @@

$oucu = preg_match(OuUser::USERNAME_REGEX, $user->username, $matches) ? $matches[ 1 ] : $user->username;
$stat = $oucu ? 'ok' : 'warn';
$msg = (0 === $USER->id) ? 'Not logged in.' : '';
$msg = USER_LOGGED_IN ? '' : 'Not logged in.';

if (DEBUG) {
OuUser::debug($USER);
}

header('Access-Control-Allow-Origin: ' . $CFG->wwwroot); // Security.
header('Content-Type: application/json; charset=utf-8');
echo json_encode([
'stat' => $stat, 'msg' => $msg, 'debug' => OuUser::debugLevel(), 'user' => $user, 'profile' => $prof->profile, 'body_class' => $prof->body_class,
'user_roles' => OuUser::getRoles(),
'redirect_url' => $prof->redirect_url,
'consent_embed_url' => OuUser::getConsentEmbedUrl(),
'strings' => OuUser::getStringsAjax(),
'redirect_url' => USER_LOGGED_IN ? $prof->redirect_url : null,
'consent_embed_url' => USER_LOGGED_IN ? OuUser::getConsentEmbedUrl() : null,
'strings' => USER_LOGGED_IN ? OuUser::getStringsAjax() : [],
]);

//End.
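Review bot: The `Access-Control-Allow-Origin` value on the new header line has to be a bare origin (`scheme://host[:port]`), but `$CFG->wwwroot` carries a path when Moodle is installed in a subdirectory, and a value with a path never matches a request origin, so browsers would then refuse the cross-origin read; and for same-origin callers the header changes nothing, so `// Security.` overstates what it does. Consider building the value from `parse_url($CFG->wwwroot)` (scheme, host and port only) and replacing the comment with `// CORS: only the Moodle origin may read this JSON cross-origin; same-origin callers need no CORS.` Separately, in the first hunk `define('DEBUG', filter_input(INPUT_GET, 'debug'))` is still caller-controlled, so any visitor can enable DEBUG_DEVELOPER and have `OuUser::debug($USER)` emitted in this response; guarding it with `USER_LOGGED_IN && is_siteadmin()` would keep that out of an unauthenticated reply. The script's remaining lines, including where `$user` and `$prof` are built, are outside the hunks.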
