New setting in require_login() to avoid certain scripts (file.php)
to mess $SESSION->wantsurl. MDL-14495 ; merged from 19_STABLE
stronk7 committed Apr 25, 2008
1 parent d00adf8 commit f4013c1
Showing 2 changed files with 20 additions and 10 deletions.
10 changes: 6 additions & 4 deletions file.php
@@ -53,23 +53,25 @@
}

// security: login to course if necessary
// Note: file.php always calls require_login() with $setwantsurltome=false
// in order to avoid messing redirects. MDL-14495
if ($args[0] == 'blog') {
if (empty($CFG->bloglevel)) {
print_error('Blogging is disabled!');
} else if ($CFG->bloglevel < BLOG_GLOBAL_LEVEL) {
require_login();
require_login(0, true, null, false);
} else if ($CFG->forcelogin) {
require_login();
require_login(0, true, null, false);
}
} else if ($course->id != SITEID) {
require_login($course->id);
require_login($course->id, true, null, false);
} else if ($CFG->forcelogin) {
if (!empty($CFG->sitepolicy)
and ($CFG->sitepolicy == $CFG->wwwroot.'/file.php'.$relativepath
or $CFG->sitepolicy == $CFG->wwwroot.'/file.php?file='.$relativepath)) {
//do not require login for policy file
} else {
require_login();
require_login(0, true, null, false);
}
}

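Review bot: Passing `false` at all four call sites means a logged-out user who opens a file.php link directly gets no `$SESSION->wantsurl` recorded for that file, so after login they go to an earlier stored URL or the login default rather than back to the file; the new comment gives the motive but not this consequence. I would extend it with something like `// Consequence: a file URL opened while logged out is not revisited after login; a previously stored wantsurl (if any) is used instead.` The positional form `require_login(0, true, null, false)` is also repeated four times with unlabelled arguments; a local such as `$setwantsurltome = false;` passed as the last argument would make the intent readable at each call. How the login page picks its redirect target is not shown on this page, so the exact post-login destination should be confirmed there.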
20 changes: 14 additions & 6 deletions lib/moodlelib.php
@@ -1843,8 +1843,11 @@ function course_setup($courseorid=0) {
* @param mixed $courseorid id of the course or course object
* @param bool $autologinguest
* @param object $cm course module object
* @param bool $setwantsurltome Define if we want to set $SESSION->wantsurl, defaults to
* true. Used to avoid (=false) some scripts (file.php...) to set that variable,
* in order to keep redirects working properly. MDL-14495
*/
function require_login($courseorid=0, $autologinguest=true, $cm=null) {
function require_login($courseorid=0, $autologinguest=true, $cm=null, $setwantsurltome=true) {

global $CFG, $SESSION, $USER, $COURSE, $FULLME;

@@ -1855,7 +1858,9 @@ function require_login($courseorid=0, $autologinguest=true, $cm=null) {
if (!isloggedin()) {
//NOTE: $USER->site check was obsoleted by session test cookie,
// $USER->confirmed test is in login/index.php
$SESSION->wantsurl = $FULLME;
if ($setwantsurltome) {
$SESSION->wantsurl = $FULLME;
}
if (!empty($_SERVER['HTTP_REFERER'])) {
$SESSION->fromurl = $_SERVER['HTTP_REFERER'];
}
@@ -2120,16 +2125,19 @@ function require_logout() {
* @param mixed $courseorid The course object or id in question
* @param bool $autologinguest Allow autologin guests if that is wanted
* @param object $cm Course activity module if known
* @param bool $setwantsurltome Define if we want to set $SESSION->wantsurl, defaults to
* true. Used to avoid (=false) some scripts (file.php...) to set that variable,
* in order to keep redirects working properly. MDL-14495
*/
function require_course_login($courseorid, $autologinguest=true, $cm=null) {
function require_course_login($courseorid, $autologinguest=true, $cm=null, $setwantsurltome=true) {
global $CFG;
if (!empty($CFG->forcelogin)) {
// login required for both SITE and courses
require_login($courseorid, $autologinguest, $cm);
require_login($courseorid, $autologinguest, $cm, $setwantsurltome);

} else if (!empty($cm) and !$cm->visible) {
// always login for hidden activities
require_login($courseorid, $autologinguest, $cm);
require_login($courseorid, $autologinguest, $cm, $setwantsurltome);

} else if ((is_object($courseorid) and $courseorid->id == SITEID)
or (!is_object($courseorid) and $courseorid == SITEID)) {
@@ -2139,7 +2147,7 @@ function require_course_login($courseorid, $autologinguest=true, $cm=null) {

} else {
// course login always required
require_login($courseorid, $autologinguest, $cm);
require_login($courseorid, $autologinguest, $cm, $setwantsurltome);
}
}

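Review bot: With `$setwantsurltome` false, the not-logged-in branch of require_login() leaves `$SESSION->wantsurl` at whatever an earlier request stored (or unset), while `$SESSION->fromurl` is still copied from the client-supplied `HTTP_REFERER` header just below the new `if`. The login page that consumes these values is not part of this commit, so it is worth confirming that it only redirects to a `wantsurl`/`fromurl` under `$CFG->wwwroot` and falls back to a safe default when `wantsurl` is empty. The docblock could say so explicitly, e.g. `When false, $SESSION->wantsurl is left untouched (not cleared), so the post-login target is the previously stored URL or the login default.` The same docblock text is added to require_course_login(), which only forwards the flag; both function bodies continue outside the visible hunks.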
