MDL-42834 admin: Remove loginhttps

mpetrowi · Oct 23, 2017 · b58764f · b58764f
1 parent 12514bd
commit b58764f
Show file tree

Hide file tree

Showing 15 changed files with 18 additions and 104 deletions.
diff --git a/admin/settings/security.php b/admin/settings/security.php
@@ -124,7 +124,7 @@
 
     // "httpsecurity" settingpage
     $temp = new admin_settingpage('httpsecurity', new lang_string('httpsecurity', 'admin'));
-    $temp->add(new admin_setting_configcheckbox('loginhttps', new lang_string('loginhttps', 'admin'), new lang_string('configloginhttps', 'admin'), 0));
+
     $temp->add(new admin_setting_configcheckbox('cookiesecure', new lang_string('cookiesecure', 'admin'), new lang_string('configcookiesecure', 'admin'), 1));
     $temp->add(new admin_setting_configcheckbox('cookiehttponly', new lang_string('cookiehttponly', 'admin'), new lang_string('configcookiehttponly', 'admin'), 0));
     $temp->add(new admin_setting_configcheckbox('allowframembedding', new lang_string('allowframembedding', 'admin'), new lang_string('allowframembedding_help', 'admin'), 0));

diff --git a/admin/settings/users.php b/admin/settings/users.php
@@ -15,15 +15,10 @@
  or has_capability('moodle/cohort:view', $systemcontext)) { // speedup for non-admins, add all caps used on this page
 
 
-    if (empty($CFG->loginhttps)) {
-        $securewwwroot = $CFG->wwwroot;
-    } else {
-        $securewwwroot = str_replace('http:','https:',$CFG->wwwroot);
-    }
     // stuff under the "accounts" subcategory
     $ADMIN->add('accounts', new admin_externalpage('editusers', new lang_string('userlist','admin'), "$CFG->wwwroot/$CFG->admin/user.php", array('moodle/user:update', 'moodle/user:delete')));
     $ADMIN->add('accounts', new admin_externalpage('userbulk', new lang_string('userbulk','admin'), "$CFG->wwwroot/$CFG->admin/user/user_bulk.php", array('moodle/user:update', 'moodle/user:delete')));
-    $ADMIN->add('accounts', new admin_externalpage('addnewuser', new lang_string('addnewuser'), "$securewwwroot/user/editadvanced.php?id=-1", 'moodle/user:create'));
+    $ADMIN->add('accounts', new admin_externalpage('addnewuser', new lang_string('addnewuser'), "$CFG->wwwroot/user/editadvanced.php?id=-1", 'moodle/user:create'));
 
     // "User default preferences" settingpage.
     $temp = new admin_settingpage('userdefaultpreferences', new lang_string('userdefaultpreferences', 'admin'));

diff --git a/admin/user.php b/admin/user.php
@@ -38,12 +38,6 @@
     $strunlock = get_string('unlockaccount', 'admin');
     $strconfirm = get_string('confirm');
 
-    if (empty($CFG->loginhttps)) {
-        $securewwwroot = $CFG->wwwroot;
-    } else {
-        $securewwwroot = str_replace('http:','https:',$CFG->wwwroot);
-    }
-
     $returnurl = new moodle_url('/admin/user.php', array('sort' => $sort, 'dir' => $dir, 'perpage' => $perpage, 'page'=>$page));
 
     // The $user variable is also used outside of these if statements.
@@ -339,7 +333,7 @@
             if (has_capability('moodle/user:update', $sitecontext)) {
                 // prevent editing of admins by non-admins
                 if (is_siteadmin($USER) or !is_siteadmin($user)) {
-                    $url = new moodle_url($securewwwroot.'/user/editadvanced.php', array('id'=>$user->id, 'course'=>$site->id));
+                    $url = new moodle_url($CFG->wwwroot.'/user/editadvanced.php', array('id'=>$user->id, 'course'=>$site->id));
                     $buttons[] = html_writer::link($url, $OUTPUT->pix_icon('t/edit', $stredit));
                 }
             }
@@ -398,7 +392,7 @@
         echo $OUTPUT->paging_bar($usercount, $page, $perpage, $baseurl);
     }
     if (has_capability('moodle/user:create', $sitecontext)) {
-        $url = new moodle_url($securewwwroot . '/user/editadvanced.php', array('id' => -1));
+        $url = new moodle_url($CFG->wwwroot . '/user/editadvanced.php', array('id' => -1));
         echo $OUTPUT->single_button($url, get_string('addnewuser'), 'get');
     }
 

diff --git a/blocks/login/block_login.php b/blocks/login/block_login.php
@@ -42,13 +42,7 @@ function get_content () {
             return $this->content;
         }
 
-        if (empty($CFG->loginhttps)) {
-            $wwwroot = $CFG->wwwroot;
-        } else {
-            // This actually is not so secure ;-), 'cause we're
-            // in unencrypted connection...
-            $wwwroot = str_replace("http://", "https://", $CFG->wwwroot);
-        }
+        $wwwroot = $CFG->wwwroot;
 
         if (signup_is_enabled()) {
             $signup = $wwwroot . '/login/signup.php';

diff --git a/enrol/paypal/lib.php b/enrol/paypal/lib.php
@@ -203,13 +203,7 @@ function enrol_page_hook(stdClass $instance) {
             $cost = format_float($cost, 2, false);
 
             if (isguestuser()) { // force login only for guest user, not real users with guest role
-                if (empty($CFG->loginhttps)) {
-                    $wwwroot = $CFG->wwwroot;
-                } else {
-                    // This actually is not so secure ;-), 'cause we're
-                    // in unencrypted connection...
-                    $wwwroot = str_replace("http://", "https://", $CFG->wwwroot);
-                }
+                $wwwroot = $CFG->wwwroot;
                 echo '<div class="mdl-align"><p>'.get_string('paymentrequired').'</p>';
                 echo '<p><b>'.get_string('cost').": $instance->currency $localisedcost".'</b></p>';
                 echo '<p><a href="'.$wwwroot.'/login/">'.get_string('loginsite').'</a></p>';

diff --git a/lang/en/admin.php b/lang/en/admin.php
@@ -258,7 +258,6 @@
 $string['configlangmenu'] = 'Choose whether or not you want to display the general-purpose language menu on the home page, login page etc.  This does not affect the user\'s ability to set the preferred language in their own profile.';
 $string['configlatinexcelexport'] = 'Choose the encoding for Excel exports.';
 $string['configlocale'] = 'Choose a sitewide locale - this will override the format and language of dates for all language packs (though names of days in calendar are not affected). You need to have this locale data installed on your operating system (eg for linux en_US.UTF-8 or es_ES.UTF-8). In most cases this field should be left blank.';
-$string['configloginhttps'] = 'Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed.  CAUTION: this setting REQUIRES https to be specifically enabled on the web server - if it is not then YOU COULD LOCK YOURSELF OUT OF YOUR SITE.';
 $string['configloglifetime'] = 'This specifies the length of time you want to keep logs about user activity.  Logs that are older than this age are automatically deleted.  It is best to keep logs as long as possible, in case you need them, but if you have a very busy server and are experiencing performance problems, then you may want to lower the log lifetime. Values lower than 30 are not recommended because statistics may not work properly.';
 $string['configlookahead'] = 'Days to look ahead';
 $string['configmailnewline'] = 'Newline characters used in mail messages. CRLF is required according to RFC 822bis, some mail servers do automatic conversion from LF to CRLF, other mail servers do incorrect conversion from CRLF to CRCRLF, yet others reject mails with bare LF (qmail for example). Try changing this setting if you are having problems with undelivered emails or double newlines.';
@@ -680,7 +679,6 @@
 $string['log'] = 'Logs';
 $string['logguests'] = 'Log guest access';
 $string['logguests_help'] = 'This setting enables logging of actions by guest account and not logged in users. High profile sites may want to disable this logging for performance reasons. It is recommended to keep this setting enabled on production sites.';
-$string['loginhttps'] = 'Use HTTPS for logins';
 $string['loginpageautofocus'] = 'Autofocus login page form';
 $string['loginpageautofocus_help'] = 'Enabling this option improves usability of the login page, but automatically focusing fields may be considered an accessibility issue.';
 $string['loglifetime'] = 'Keep logs for';
@@ -1285,3 +1283,5 @@
 // Deprecated since Moodle 3.4
 $string['moodleorghubname'] = 'Moodle.net';
 $string['hubs'] = 'Hubs';
+$string['configloginhttps'] = 'Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed.  CAUTION: this setting REQUIRES https to be specifically enabled on the web server - if it is not then YOU COULD LOCK YOURSELF OUT OF YOUR SITE.';
+$string['loginhttps'] = 'Use HTTPS for logins';
diff --git a/lang/en/deprecated.txt b/lang/en/deprecated.txt
@@ -157,3 +157,5 @@ quickdownloadcalendar,core_calendar
 ical,core_calendar
 privacy,core_hub
 privacy_help,core_hub
+configloginhttps,core_admin
+loginhttps,core_admin
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -1051,19 +1051,12 @@ function clean_param($param, $type) {
             $param = clean_param($param, PARAM_URL);
             if (!empty($param)) {
 
-                // Simulate the HTTPS version of the site.
-                $httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot);
-
                 if ($param === $CFG->wwwroot) {
                     // Exact match;
-                } else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) {
-                    // Exact match;
                 } else if (preg_match(':^/:', $param)) {
                     // Root-relative, ok!
                 } else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) {
                     // Absolute, and matches our wwwroot.
-                } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) {
-                    // Absolute, and matches our httpswwwroot.
                 } else {
                     // Relative - let's make sure there are no tricks.
                     if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?')) {
@@ -2491,13 +2484,7 @@ function dayofweek($day, $month, $year) {
 function get_login_url() {
     global $CFG;
 
-    $url = "$CFG->wwwroot/login/index.php";
-
-    if (!empty($CFG->loginhttps)) {
-        $url = str_replace('http:', 'https:', $url);
-    }
-
-    return $url;
+    return "$CFG->wwwroot/login/index.php";
 }
 
 /**
@@ -2662,12 +2649,7 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
                 redirect($changeurl);
             } else {
                 // Use moodle internal method.
-                if (empty($CFG->loginhttps)) {
-                    redirect($CFG->wwwroot .'/login/change_password.php');
-                } else {
-                    $wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
-                    redirect($wwwroot .'/login/change_password.php');
-                }
+                redirect($CFG->wwwroot .'/login/change_password.php');
             }
         } else if ($userauth->can_change_password()) {
             throw new moodle_exception('forcepasswordchangenotice');

diff --git a/lib/sessionlib.php b/lib/sessionlib.php
@@ -96,9 +96,6 @@ function is_moodle_cookie_secure() {
     if (!isset($CFG->cookiesecure)) {
         return false;
     }
-    if (!empty($CFG->loginhttps)) {
-        return false;
-    }
     if (!is_https() and empty($CFG->sslproxy)) {
         return false;
     }

diff --git a/lib/setuplib.php b/lib/setuplib.php
@@ -578,11 +578,8 @@ function get_exception_info($ex) {
 
     // When printing an error the continue button should never link offsite.
     // We cannot use clean_param() here as it is not guaranteed that it has been loaded yet.
-    $httpswwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
     if (stripos($link, $CFG->wwwroot) === 0) {
         // Internal HTTP, all good.
-    } else if (!empty($CFG->loginhttps) && stripos($link, $httpswwwroot) === 0) {
-        // Internal HTTPS, all good.
     } else {
         // External link spotted!
         $link = $CFG->wwwroot . '/';

diff --git a/lib/tests/moodlelib_test.php b/lib/tests/moodlelib_test.php
@@ -643,31 +643,20 @@ public function test_clean_param_localurl() {
         // Local absolute HTTPS in a non HTTPS site.
         $CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot); // Need to simulate non-https site.
         $httpsroot = str_replace('http:', 'https:', $CFG->wwwroot);
-        $CFG->loginhttps = false; // Not allowed.
         $this->assertSame('', clean_param($httpsroot, PARAM_LOCALURL));
         $this->assertSame('', clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
-        $CFG->loginhttps = true; // Allowed.
-        $this->assertSame($httpsroot, clean_param($httpsroot, PARAM_LOCALURL));
-        $this->assertSame($httpsroot . '/with/something?else=true',
-            clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
 
         // Local absolute HTTPS in a HTTPS site.
-        $CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot);
+        $CFG->wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
         $httpsroot = $CFG->wwwroot;
-        $CFG->loginhttps = false; // Always allowed.
-        $this->assertSame($httpsroot, clean_param($httpsroot, PARAM_LOCALURL));
-        $this->assertSame($httpsroot . '/with/something?else=true',
-            clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
-        $CFG->loginhttps = true; // Always allowed.
         $this->assertSame($httpsroot, clean_param($httpsroot, PARAM_LOCALURL));
         $this->assertSame($httpsroot . '/with/something?else=true',
             clean_param($httpsroot . '/with/something?else=true', PARAM_LOCALURL));
 
         // Test open redirects are not possible.
-        $CFG->loginhttps = false;
         $CFG->wwwroot = 'http://www.example.com';
         $this->assertSame('', clean_param('http://www.example.com.evil.net/hack.php', PARAM_LOCALURL));
-        $CFG->loginhttps = true;
+        $CFG->wwwroot = 'https://www.example.com';
         $this->assertSame('', clean_param('https://www.example.com.evil.net/hack.php', PARAM_LOCALURL));
     }
 

diff --git a/lib/tests/sessionlib_test.php b/lib/tests/sessionlib_test.php
@@ -167,7 +167,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'http://example.com',
                     'httpswwwroot'  => 'http://example.com',
                     'sslproxy'      => null,
-                    'loginhttps'    => null,
                     'cookiesecure'  => null,
                 ),
                 'secure' => false,
@@ -178,7 +177,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'http://example.com',
                     'httpswwwroot'  => 'http://example.com',
                     'sslproxy'      => null,
-                    'loginhttps'    => null,
                     'cookiesecure'  => false,
                 ),
                 'secure' => false,
@@ -189,7 +187,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'http://example.com',
                     'httpswwwroot'  => 'http://example.com',
                     'sslproxy'      => null,
-                    'loginhttps'    => null,
                     'cookiesecure'  => true,
                 ),
                 'secure' => false,
@@ -200,7 +197,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'http://example.com',
                     'httpswwwroot'  => 'http://example.com',
                     'sslproxy'      => true,
-                    'loginhttps'    => null,
                     'cookiesecure'  => false,
                 ),
                 'secure' => false,
@@ -211,7 +207,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'http://example.com',
                     'httpswwwroot'  => 'http://example.com',
                     'sslproxy'      => true,
-                    'loginhttps'    => null,
                     'cookiesecure'  => true,
                 ),
                 'secure' => true,
@@ -222,7 +217,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'https://example.com',
                     'httpswwwroot'  => 'https://example.com',
                     'sslproxy'      => null,
-                    'loginhttps'    => null,
                     'cookiesecure'  => false,
                 ),
                 'secure' => false,
@@ -233,7 +227,6 @@ public function moodle_cookie_secure_provider() {
                     'wwwroot'       => 'https://example.com',
                     'httpswwwroot'  => 'https://example.com',
                     'sslproxy'      => null,
-                    'loginhttps'    => null,
                     'cookiesecure'  => true,
                 ),
                 'secure' => true,

diff --git a/lib/tests/setuplib_test.php b/lib/tests/setuplib_test.php
@@ -357,7 +357,6 @@ public function test_merge_query_params() {
     public function test_get_exception_info_link() {
         global $CFG, $SESSION;
 
-        $initialloginhttps = $CFG->loginhttps;
         $httpswwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
 
         // Simple local URL.
@@ -372,8 +371,7 @@ public function test_get_exception_info_link() {
         $infos = $this->get_exception_info($exception);
         $this->assertSame($CFG->wwwroot . '/', $infos->link);
 
-        // HTTPS URL when login HTTPS is not enabled and site is HTTP.
-        $CFG->loginhttps = false;
+        // HTTPS URL when login HTTPS is not enabled (default) and site is HTTP.
         $CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot);
         $url = $httpswwwroot . '/something/here?really=yes';
         $exception = new moodle_exception('none', 'error', $url);
@@ -387,21 +385,6 @@ public function test_get_exception_info_link() {
         $infos = $this->get_exception_info($exception);
         $this->assertSame($url, $infos->link);
 
-        // HTTPS URL when login HTTPS enabled and site is HTTP.
-        $CFG->loginhttps = true;
-        $CFG->wwwroot = str_replace('https:', 'http:', $CFG->wwwroot);
-        $url = $httpswwwroot . '/something/here?really=yes';
-        $exception = new moodle_exception('none', 'error', $url);
-        $infos = $this->get_exception_info($exception);
-        $this->assertSame($url, $infos->link);
-
-        // HTTPS URL when login HTTPS enabled and site is HTTPS.
-        $CFG->wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
-        $url = $httpswwwroot . '/something/here?really=yes';
-        $exception = new moodle_exception('none', 'error', $url);
-        $infos = $this->get_exception_info($exception);
-        $this->assertSame($url, $infos->link);
-
         // External HTTP URL.
         $url = 'http://moodle.org/something/here?really=yes';
         $exception = new moodle_exception('none', 'error', $url);
@@ -444,14 +427,6 @@ public function test_get_exception_info_link() {
         $infos = $this->get_exception_info($exception);
         $this->assertSame($CFG->wwwroot . '/', $infos->link);
 
-        // External HTTPS link from fromurl with login HTTPS.
-        $CFG->loginhttps = true;
-        $SESSION->fromurl = 'https://moodle.org/something/here?really=yes';
-        $exception = new moodle_exception('none');
-        $infos = $this->get_exception_info($exception);
-        $this->assertSame($CFG->wwwroot . '/', $infos->link);
-
-        $CFG->loginhttps = $initialloginhttps;
         $SESSION->fromurl = '';
     }
 

diff --git a/lib/upgrade.txt b/lib/upgrade.txt
@@ -54,6 +54,8 @@ information provided here is intended especially for developers.
 * Instead of checking the 'moodle/course:viewparticipants' and 'moodle/site:viewparticipants' capabilities use the
   new functions course_can_view_participants() and course_require_view_participants().
 * $stored_file->add_to_curl_request() now adds the filename to the curl request.
+* The option for Login HTTPS (authentication-only SSL) has been removed
+* $CFG->loginhttps is now deprecated, do not use it.
 
 === 3.3.1 ===
 

diff --git a/login/signup_form.php b/login/signup_form.php
@@ -93,7 +93,7 @@ function definition() {
         profile_signup_fields($mform);
 
         if (signup_captcha_enabled()) {
-            $mform->addElement('recaptcha', 'recaptcha_element', get_string('security_question', 'auth'), array('https' => $CFG->loginhttps));
+            $mform->addElement('recaptcha', 'recaptcha_element', get_string('security_question', 'auth'));
             $mform->addHelpButton('recaptcha_element', 'recaptcha', 'auth');
             $mform->closeHeaderBefore('recaptcha_element');
         }