MDL-42834 admin: Deprecate https_required and verify_https_required

mpetrowi · Oct 23, 2017 · 4b501ec · 4b501ec
1 parent b58764f
commit 4b501ec
Show file tree

Hide file tree

Showing 15 changed files with 12 additions and 107 deletions.
diff --git a/admin/tool/mobile/autologin.php b/admin/tool/mobile/autologin.php
@@ -31,8 +31,6 @@
 
 $context = context_system::instance();
 $PAGE->set_context($context);
-// Force https.
-$PAGE->https_required();
 
 // Check if the user is already logged-in.
 if (isloggedin() and !isguestuser()) {

diff --git a/auth/ldap/ntlmsso_attempt.php b/auth/ldap/ntlmsso_attempt.php
@@ -2,9 +2,6 @@
 
 require(__DIR__.'/../../config.php');
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $PAGE->set_url('/auth/ldap/ntlmsso_attempt.php');
 $PAGE->set_context(context_system::instance());
 
@@ -33,7 +30,6 @@
 $PAGE->set_heading($site->fullname);
 echo $OUTPUT->header();
 
-// $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
 $msg = '<p>'.get_string('ntlmsso_attempting', 'auth_ldap').'</p>'
     . '<img width="1", height="1" '
     . ' src="' . $CFG->httpswwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='

diff --git a/auth/ldap/ntlmsso_finish.php b/auth/ldap/ntlmsso_finish.php
@@ -2,9 +2,6 @@
 
 require(__DIR__.'/../../config.php');
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $PAGE->set_url('/auth/ldap/ntlmsso_finish.php');
 $PAGE->set_context(context_system::instance());
 

diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php
@@ -8,9 +8,6 @@
 
 require(__DIR__.'/../../config.php');
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $PAGE->set_context(context_system::instance());
 
 $authsequence = get_enabled_auth_plugins(true); // auths, in sequence
@@ -29,7 +26,6 @@
 if ($authplugin->ntlmsso_magic($sesskey) && file_exists($file)) {
     if (!empty($authplugin->config->ntlmsso_ie_fastpath)) {
         if (core_useragent::is_ie()) {
-            // $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
             redirect($CFG->httpswwwroot.'/auth/ldap/ntlmsso_finish.php');
         }
     }

diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php
@@ -15,9 +15,6 @@
     }
 
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 /// Define variables used in page
     $site = get_site();
 

diff --git a/lib/deprecatedlib.php b/lib/deprecatedlib.php
@@ -501,10 +501,10 @@ function filter_text($text, $courseid = NULL) {
 }
 
 /**
- * @deprecated use $PAGE->https_required() instead
+ * @deprecated Loginhttps is no longer supported
  */
 function httpsrequired() {
-    throw new coding_exception('httpsrequired() can not be used any more use $PAGE->https_required() instead.');
+    throw new coding_exception('httpsrequired() can not be used any more. Loginhttps is no longer supported.');
 }
 
 /**

diff --git a/lib/pagelib.php b/lib/pagelib.php
@@ -1461,71 +1461,28 @@ public function reload_theme() {
 
     /**
      * This function indicates that current page requires the https when $CFG->loginhttps enabled.
+     * Since loginhttps was removed this is no longer required or functional.
      *
-     * By using this function properly, we can ensure 100% https-ized pages
-     * at our entire discretion (login, forgot_password, change_password)
+     * @deprecated since Moodle 3.4 MDL-42834 - please do not use this function any more.
+     * @todo MDL-46267 This will be deleted in Moodle 3.8
      *
-     * @return void
      * @throws coding_exception
      */
     public function https_required() {
-        global $CFG;
-
-        if (!is_null($this->_url)) {
-            throw new coding_exception('https_required() must be used before setting page url!');
-        }
-
-        $this->ensure_theme_not_set();
-
-        $this->_https_login_required = true;
-
-        if (!empty($CFG->loginhttps)) {
-            $CFG->httpswwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
-        } else {
-            $CFG->httpswwwroot = $CFG->wwwroot;
-        }
+        debugging('https_required() has been deprecated. It no longer needs to be called.', DEBUG_DEVELOPER);
     }
 
     /**
      * Makes sure that page previously marked with https_required() is really using https://, if not it redirects to https://
+     * Since loginhttps was removed this is no longer required or functional.
+     *
+     * @deprecated since Moodle 3.4 MDL-42834 - please do not use this function any more.
+     * @todo MDL-46267 This will be deleted in Moodle 3.8
      *
-     * @return void (may redirect to https://self)
      * @throws coding_exception
      */
     public function verify_https_required() {
-        global $CFG, $FULLME;
-
-        if (is_null($this->_url)) {
-            throw new coding_exception('verify_https_required() must be called after setting page url!');
-        }
-
-        if (!$this->_https_login_required) {
-            throw new coding_exception('verify_https_required() must be called only after https_required()!');
-        }
-
-        if (empty($CFG->loginhttps)) {
-            // Https not required, so stop checking.
-            return;
-        }
-
-        if (strpos($this->_url, 'https://')) {
-            // Detect if incorrect PAGE->set_url() used, it is recommended to use root-relative paths there.
-            throw new coding_exception('Invalid page url. It must start with https:// for pages that set https_required()!');
-        }
-
-        if (!empty($CFG->sslproxy)) {
-            // It does not make much sense to use sslproxy and loginhttps at the same time.
-            return;
-        }
-
-        // Now the real test and redirect!
-        // NOTE: do NOT use this test for detection of https on current page because this code is not compatible with SSL proxies,
-        //       instead use is_https().
-        if (strpos($FULLME, 'https:') !== 0) {
-            // This may lead to infinite redirect on an incorrectly configured site.
-            // In that case set $CFG->loginhttps=0; within /config.php.
-            redirect($this->_url);
-        }
+        debugging('verify_https_required() has been deprecated. It no longer needs to be called.', DEBUG_DEVELOPER);
     }
 
     // Initialisation methods =====================================================

diff --git a/lib/upgrade.txt b/lib/upgrade.txt
@@ -56,6 +56,7 @@ information provided here is intended especially for developers.
 * $stored_file->add_to_curl_request() now adds the filename to the curl request.
 * The option for Login HTTPS (authentication-only SSL) has been removed
 * $CFG->loginhttps is now deprecated, do not use it.
+* $PAGE->https_required and $PAGE->verify_https_required() are now deprecated. They are no longer used and will throw a coding_exception.
 
 === 3.3.1 ===
 

diff --git a/login/change_password.php b/login/change_password.php
@@ -35,9 +35,6 @@
 
 $systemcontext = context_system::instance();
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $PAGE->set_url('/login/change_password.php', array('id'=>$id));
 
 $PAGE->set_context($systemcontext);
@@ -148,9 +145,6 @@
     exit;
 }
 
-// make sure we really are on the https page when https login required
-$PAGE->verify_https_required();
-
 $strchangepassword = get_string('changepassword');
 
 $fullname = fullname($USER, true);

diff --git a/login/forgot_password.php b/login/forgot_password.php
@@ -41,9 +41,6 @@
 
 $token = optional_param('token', false, PARAM_ALPHANUM);
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $PAGE->set_url('/login/forgot_password.php');
 $systemcontext = context_system::instance();
 $PAGE->set_context($systemcontext);

diff --git a/login/index.php b/login/index.php
@@ -37,9 +37,6 @@
     redirect(new moodle_url('/'));
 }
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $context = context_system::instance();
 $PAGE->set_url("$CFG->httpswwwroot/login/index.php");
 $PAGE->set_context($context);
@@ -305,9 +302,6 @@
     redirect($loginurl->out(false));
 }
 
-// make sure we really are on the https page when https login required
-$PAGE->verify_https_required();
-
 /// Generate the login page with forms
 
 if (!isset($frm) or !is_object($frm)) {

diff --git a/login/lib.php b/login/lib.php
@@ -58,9 +58,6 @@ function core_login_process_password_reset_request() {
         die; // Never reached.
     }
 
-    // Make sure we really are on the https page when https login required.
-    $PAGE->verify_https_required();
-
     // DISPLAY FORM.
 
     echo $OUTPUT->header();
@@ -253,7 +250,6 @@ function core_login_process_password_set($token) {
         $setdata->username2 = $user->username;
         $setdata->token = $user->token;
         $mform->set_data($setdata);
-        $PAGE->verify_https_required();
         echo $OUTPUT->header();
         echo $OUTPUT->box(get_string('setpasswordinstructions'), 'generalbox boxwidthnormal boxaligncenter');
         $mform->display();

diff --git a/login/signup.php b/login/signup.php
@@ -32,9 +32,6 @@
     print_error('notlocalisederrormessage', 'error', '', 'Sorry, you may not use this page.');
 }
 
-//HTTPS is required in this page when $CFG->loginhttps enabled
-$PAGE->https_required();
-
 $PAGE->set_url('/login/signup.php');
 $PAGE->set_context(context_system::instance());
 
@@ -75,9 +72,6 @@
     exit; //never reached
 }
 
-// make sure we really are on the https page when https login required
-$PAGE->verify_https_required();
-
 
 $newaccount = get_string('newaccount');
 $login      = get_string('login');

diff --git a/user/edit.php b/user/edit.php
@@ -29,9 +29,6 @@
 require_once($CFG->dirroot.'/user/profile/lib.php');
 require_once($CFG->dirroot.'/user/lib.php');
 
-// HTTPS is required in this page when $CFG->loginhttps enabled.
-$PAGE->https_required();
-
 $userid = optional_param('id', $USER->id, PARAM_INT);    // User id.
 $course = optional_param('course', SITEID, PARAM_INT);   // Course id (defaults to Site).
 $returnto = optional_param('returnto', null, PARAM_ALPHA);  // Code determining where to return to after save.
@@ -304,9 +301,6 @@
     }
 }
 
-// Make sure we really are on the https page when https login required.
-$PAGE->verify_https_required();
-
 
 // Display page header.
 $streditmyprofile = get_string('editmyprofile');

diff --git a/user/editadvanced.php b/user/editadvanced.php
@@ -31,9 +31,6 @@
 require_once($CFG->dirroot.'/user/lib.php');
 require_once($CFG->dirroot.'/webservice/lib.php');
 
-// HTTPS is required in this page when $CFG->loginhttps enabled.
-$PAGE->https_required();
-
 $id     = optional_param('id', $USER->id, PARAM_INT);    // User id; -1 if creating new user.
 $course = optional_param('course', SITEID, PARAM_INT);   // Course id (defaults to Site).
 $returnto = optional_param('returnto', null, PARAM_ALPHA);  // Code determining where to return to after save.
@@ -313,9 +310,6 @@
     // Never reached..
 }
 
-// Make sure we really are on the https page when https login required.
-$PAGE->verify_https_required();
-
 
 // Display page header.
 if ($user->id == -1 or ($user->id != $USER->id)) {