Moodle 4.3 XRef and Diffs

Search moodle.org's
Developer Documentation
Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.
Moodle 4.3 Database Schema (by Marcus Green)
/admin/tool/mfa/factor/email/ -> email.php (source)
   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Page to revoke and disable an email code.
  19   *
  20   * @package     factor_email
  21   * @author      Peter Burnett <peterburnett@catalyst-au.net>
  22   * @copyright   Catalyst IT
  23   * @license     http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  24   */
  25  // Ignore coding standards for login check, this page does not require login.
  26  // @codingStandardsIgnoreStart
  27  require_once(__DIR__ . '../../../../../../config.php');
  28  $instanceid = required_param('instance', PARAM_INT);
  29  $pass = optional_param('pass', '0', PARAM_INT);
  30  $secret = optional_param('secret', 0, PARAM_INT);
  31  // @codingStandardsIgnoreEnds
  32  
  33  $context = context_system::instance();
  34  $PAGE->set_context($context);
  35  $url = new moodle_url('/admin/tool/mfa/factor/email/email.php',
  36      ['instance' => $instanceid, 'pass' => $pass, 'secret' => $secret]);
  37  $PAGE->set_url($url);
  38  $PAGE->set_pagelayout('secure');
  39  $PAGE->set_title(get_string('unauthemail', 'factor_email'));
  40  $PAGE->set_cacheable(false);
  41  $instance = $DB->get_record('tool_mfa', ['id' => $instanceid]);
  42  $factor = \tool_mfa\plugininfo\factor::get_factor('email');
  43  
  44  // If pass is set, require login to force $SESSION and user, and pass for that session.
  45  if (!empty($instance) && $pass != 0 && $secret != 0) {
  46      require_login();
  47      if ($factor->get_state() === \tool_mfa\plugininfo\factor::STATE_LOCKED) {
  48          // Redirect through to auth, this will bounce them to the next factor.
  49          redirect(new moodle_url('/admin/tool/mfa/auth.php'));
  50      }
  51      // Check the code with the same measures on the page entry.
  52      if ($instance->secret != $secret) {
  53          \tool_mfa\manager::sleep_timer();
  54          $factor->increment_lock_counter();
  55          throw new moodle_exception('error:parameters', 'factor_email');
  56      }
  57      $factor = \tool_mfa\plugininfo\factor::get_factor('email');
  58      $factor->set_state(\tool_mfa\plugininfo\factor::STATE_PASS);
  59      // If wantsurl is already set in session, go to it.
  60      if (!empty($SESSION->wantsurl)) {
  61          redirect($SESSION->wantsurl);
  62      } else {
  63          redirect(new moodle_url('/'));
  64      }
  65  }
  66  
  67  $form = new \factor_email\form\email($url);
  68  
  69  if ($form->is_cancelled()) {
  70      redirect(new moodle_url('/'));
  71  } else if ($fromform = $form->get_data()) {
  72      if (empty($instance)) {
  73          $message = get_string('error:badcode', 'factor_email');
  74      } else {
  75          $user = $DB->get_record('user', ['id' => $instance->userid]);
  76  
  77          // Stop attacker from using email factor at all, by revoking all email until admin fixes.
  78          $DB->set_field('tool_mfa', 'revoked', 1, ['userid' => $user->id, 'factor' => 'email']);
  79  
  80          // Remotely logout all sessions for user.
  81          $manager = \core\session\manager::kill_user_sessions($instance->userid);
  82  
  83          // Log event.
  84          $ip = $instance->createdfromip;
  85          $useragent = $instance->label;
  86          $event = \factor_email\event\unauth_email::unauth_email_event($user, $ip, $useragent);
  87          $event->trigger();
  88  
  89          // Suspend user account.
  90          if (get_config('factor_email', 'suspend')) {
  91              $DB->set_field('user', 'suspended', 1, ['id' => $user->id]);
  92          }
  93  
  94          $message = get_string('email:revokesuccess', 'factor_email', fullname($user));
  95      }
  96  }
  97  
  98  echo $OUTPUT->header();
  99  echo $OUTPUT->heading(get_string('unauthemail', 'factor_email'));
 100  if (!empty($message)) {
 101      echo $message;
 102  } else {
 103      $form->display();
 104  }
 105  echo $OUTPUT->footer();