Commit 7ea77a57 authored by Petr Skoda's avatar Petr Skoda

MDL-26381 prevent security warning when changing password and loginhttps is enabled

parent d911c72b
...@@ -27,19 +27,29 @@ ...@@ -27,19 +27,29 @@
require('../config.php'); require('../config.php');
require_once('change_password_form.php'); require_once('change_password_form.php');
$id = optional_param('id', SITEID, PARAM_INT); // current course $id = optional_param('id', SITEID, PARAM_INT); // current course
$return = optional_param('return', 0, PARAM_BOOL); // redirect after password change
//HTTPS is required in this page when $CFG->loginhttps enabled //HTTPS is required in this page when $CFG->loginhttps enabled
$PAGE->https_required(); $PAGE->https_required();
$uparams = array(); $PAGE->set_url('/login/change_password.php', array('id'=>$id));
if ($id != SITEID) {
$uparams['id'] = $id;
}
$PAGE->set_url('/login/change_password.php', $uparams);
$PAGE->set_context(get_context_instance(CONTEXT_SYSTEM)); $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
if ($return) {
// this redirect prevents security warning because https can not POST to http pages
if (empty($SESSION->wantsurl)
or stripos(str_replace('https://', 'http://', $SESSION->wantsurl), str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php') === 0)) {
$returnto = "$CFG->wwwroot/user/view.php?id=$USER->id&course=$id";
} else {
$returnto = $SESSION->wantsurl;
}
unset($SESSION->wantsurl);
redirect($returnto);
}
$strparticipants = get_string('participants'); $strparticipants = get_string('participants');
$systemcontext = get_context_instance(CONTEXT_SYSTEM); $systemcontext = get_context_instance(CONTEXT_SYSTEM);
...@@ -115,14 +125,7 @@ if ($mform->is_cancelled()) { ...@@ -115,14 +125,7 @@ if ($mform->is_cancelled()) {
$PAGE->set_heading($COURSE->fullname); $PAGE->set_heading($COURSE->fullname);
echo $OUTPUT->header(); echo $OUTPUT->header();
if (empty($SESSION->wantsurl) or $SESSION->wantsurl == $CFG->httpswwwroot.'/login/change_password.php') { notice($strpasswordchanged, new moodle_url($PAGE->url, array('return'=>1)));
$returnto = "$CFG->wwwroot/user/view.php?id=$USER->id&course=$id";
} else {
$returnto = $SESSION->wantsurl;
}
unset($SESSION->wantsurl);
notice($strpasswordchanged, $returnto);
echo $OUTPUT->footer(); echo $OUTPUT->footer();
exit; exit;
......
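Review bot: The closing parenthesis of the `stripos()` call in the new `if ($return)` block is misplaced, so `=== 0` is evaluated inside the call as part of the needle argument instead of being applied to the result. Comparing the `str_replace()` string with `0` using `===` is always false, so the needle is a boolean and the check that `$SESSION->wantsurl` points back at `/login/change_password.php` never matches as intended. Whenever `wantsurl` is non-empty the else branch is taken, and a session whose `wantsurl` is this page is redirected straight back to it rather than to the profile page. Close the call before the comparison: `or stripos(str_replace('https://', 'http://', $SESSION->wantsurl), str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php')) === 0) {`. Since `wantsurl` is then used as a redirect target, a one-line comment stating that it is session-held and not request-supplied would help the next reader.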