diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php index 5ae7085..a8d4132 100644 --- a/auth/ldap/auth.php +++ b/auth/ldap/auth.php @@ -1787,15 +1787,29 @@ class auth_plugin_ldap extends auth_plugin_base { * */ function loginpage_hook() { - global $CFG; - - if ($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET - // of loginpage - &&!empty($this->config->ntlmsso_enabled)// SSO enabled - && !empty($this->config->ntlmsso_subnet)// have a subnet to test for - && empty($_GET['authldap_skipntlmsso']) // haven't failed it yet - && (isguestuser() || !isloggedin()) // guestuser or not-logged-in users + global $CFG, $SESSION; + + if (($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET of loginpage + || ($_SERVER['REQUEST_METHOD'] === 'POST' + && (get_referer() != strip_querystring(qualified_me())))) + // Or when POSTed from another place + // See MDL-14071 + && !empty($this->config->ntlmsso_enabled) // SSO enabled + && !empty($this->config->ntlmsso_subnet) // have a subnet to test for + && empty($_GET['authldap_skipntlmsso']) // haven't failed it yet + && (isguestuser() || !isloggedin()) // guestuser or not-logged-in users && address_in_subnet($_SERVER['REMOTE_ADDR'],$this->config->ntlmsso_subnet)) { + + // First, let's remember where the user was trying to get to before they got here + if (empty($SESSION->wantsurl)) { + $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) && + $_SERVER['HTTP_REFERER'] != $CFG->wwwroot && + $_SERVER['HTTP_REFERER'] != $CFG->wwwroot.'/' && + $_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/' && + $_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/index.php') + ? $_SERVER['HTTP_REFERER'] : NULL; + } + // Now start the whole NTLM machinery. redirect("{$CFG->wwwroot}/auth/ldap/ntlmsso_attempt.php"); } }