Commit 7ea77a57 authored by Petr Skoda's avatar Petr Skoda

MDL-26381 prevent security warning when changing password and loginhttps is enabled

parent d911c72b
......@@ -28,18 +28,28 @@ require('../config.php');
require_once('change_password_form.php');
$id = optional_param('id', SITEID, PARAM_INT); // current course
$return = optional_param('return', 0, PARAM_BOOL); // redirect after password change
//HTTPS is required in this page when $CFG->loginhttps enabled
$PAGE->https_required();
$uparams = array();
if ($id != SITEID) {
$uparams['id'] = $id;
}
$PAGE->set_url('/login/change_password.php', $uparams);
$PAGE->set_url('/login/change_password.php', array('id'=>$id));
$PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
if ($return) {
// this redirect prevents security warning because https can not POST to http pages
if (empty($SESSION->wantsurl)
or stripos(str_replace('https://', 'http://', $SESSION->wantsurl), str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php') === 0)) {
$returnto = "$CFG->wwwroot/user/view.php?id=$USER->id&course=$id";
} else {
$returnto = $SESSION->wantsurl;
}
unset($SESSION->wantsurl);
redirect($returnto);
}
$strparticipants = get_string('participants');
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
......@@ -115,14 +125,7 @@ if ($mform->is_cancelled()) {
$PAGE->set_heading($COURSE->fullname);
echo $OUTPUT->header();
if (empty($SESSION->wantsurl) or $SESSION->wantsurl == $CFG->httpswwwroot.'/login/change_password.php') {
$returnto = "$CFG->wwwroot/user/view.php?id=$USER->id&course=$id";
} else {
$returnto = $SESSION->wantsurl;
}
unset($SESSION->wantsurl);
notice($strpasswordchanged, $returnto);
notice($strpasswordchanged, new moodle_url($PAGE->url, array('return'=>1)));
echo $OUTPUT->footer();
exit;
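Review bot: In the new `if ($return)` block of the first hunk, the `=== 0` sits inside the `stripos()` call, so the needle is the boolean result of comparing a string with 0 (always false) rather than the normalised change-password URL; the self-reference check never matches and only `empty($SESSION->wantsurl)` can select the profile fallback. Move the closing parenthesis so the comparison applies to the return value: `or stripos(str_replace('https://', 'http://', $SESSION->wantsurl), str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php')) === 0) {`. As written, a stored `wantsurl` that points back at this page is used as the redirect target instead of being discarded. The rest of the script lies outside the visible hunks, so it cannot be confirmed from here whether the login check runs before this early redirect.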
......