areAuthorizationChecksDisabled() public method

Returns TRUE if authorization should be ignored, otherwise FALSE This is mainly useful to fetch records without Content Security to kick in (e.g. for AuthenticationProviders)
See also: withoutAuthorizationChecks()
 /**
  * The policy enforcement advice. This advices applies the security enforcement interceptor to all methods configured in the policy.
  * Note: If we have some kind of "run as" functionality in the future, we would have to manipulate the security context
  * before calling the policy enforcement interceptor
  *
  * @Flow\Around("filter(Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilegePointcutFilter)")
  * @param JoinPointInterface $joinPoint The current joinpoint
  * @return mixed The result of the target method if it has not been intercepted
  */
 public function enforcePolicy(JoinPointInterface $joinPoint)
 {
     if ($this->securityContext->areAuthorizationChecksDisabled() !== true) {
         $this->policyEnforcementInterceptor->setJoinPoint($joinPoint);
         $this->policyEnforcementInterceptor->invoke();
     }
     return $joinPoint->getAdviceChain()->proceed($joinPoint);
 }
 /**
  * Gets the SQL query part to add to a query.
  *
  * @param ClassMetaData $targetEntity Metadata object for the target entity to be filtered
  * @param string $targetTableAlias The target table alias used in the current query
  * @return string The constraint SQL if there is available, empty string otherwise
  */
 public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias)
 {
     $this->initializeDependencies();
     /*
      * TODO: Instead of checking for class account we could introduce some interface for white listing entities from entity security checks
      * Problem with checking the Account is, that this filter calls getRoles() on the security context while accounts are not
      * yet fully initialized. By this we get a half built account object that will end up in access denied exception,
      * as it has no roles (and other properties) set
      */
     if ($this->securityContext->areAuthorizationChecksDisabled() || $targetEntity->getName() === Account::class) {
         return '';
     }
     if (!$this->securityContext->isInitialized()) {
         if (!$this->securityContext->canBeInitialized()) {
             return '';
         }
         $this->securityContext->initialize();
     }
     // This is needed to include the current context of roles into query cache identifier
     $this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string');
     $sqlConstraints = [];
     $grantedConstraints = [];
     $deniedConstraints = [];
     foreach ($this->securityContext->getRoles() as $role) {
         $entityPrivileges = $role->getPrivilegesByType(EntityPrivilegeInterface::class);
         /** @var EntityPrivilegeInterface $privilege */
         foreach ($entityPrivileges as $privilege) {
             if (!$privilege->matchesEntityType($targetEntity->getName())) {
                 continue;
             }
             $sqlConstraint = $privilege->getSqlConstraint($targetEntity, $targetTableAlias);
             if ($sqlConstraint === null) {
                 continue;
             }
             $sqlConstraints[] = ' NOT (' . $sqlConstraint . ')';
             if ($privilege->isGranted()) {
                 $grantedConstraints[] = ' NOT (' . $sqlConstraint . ')';
             } elseif ($privilege->isDenied()) {
                 $deniedConstraints[] = ' NOT (' . $sqlConstraint . ')';
             }
         }
     }
     $grantedConstraints = array_diff($grantedConstraints, $deniedConstraints);
     $effectiveConstraints = array_diff($sqlConstraints, $grantedConstraints);
     if (count($effectiveConstraints) > 0) {
         return ' (' . implode(') AND (', $effectiveConstraints) . ') ';
     }
     return '';
 }
 /**
  * Matches a \Neos\Flow\Mvc\RequestInterface against the configured CSRF pattern rules and
  * searches for invalid csrf tokens. If this returns TRUE, the request is invalid!
  *
  * @param RequestInterface $request The request that should be matched
  * @return boolean TRUE if the pattern matched, FALSE otherwise
  * @throws AuthenticationRequiredException
  */
 public function matchRequest(RequestInterface $request)
 {
     if (!$request instanceof ActionRequest || $request->getHttpRequest()->isMethodSafe()) {
         $this->systemLogger->log('CSRF: No token required, safe request', LOG_DEBUG);
         return false;
     }
     if ($this->authenticationManager->isAuthenticated() === false) {
         $this->systemLogger->log('CSRF: No token required, not authenticated', LOG_DEBUG);
         return false;
     }
     if ($this->securityContext->areAuthorizationChecksDisabled() === true) {
         $this->systemLogger->log('CSRF: No token required, authorization checks are disabled', LOG_DEBUG);
         return false;
     }
     $controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName());
     $actionMethodName = $request->getControllerActionName() . 'Action';
     if (!$this->hasPolicyEntryForMethod($controllerClassName, $actionMethodName)) {
         $this->systemLogger->log(sprintf('CSRF: No token required, method %s::%s() is not restricted by a policy.', $controllerClassName, $actionMethodName), LOG_DEBUG);
         return false;
     }
     if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection')) {
         $this->systemLogger->log(sprintf('CSRF: No token required, method %s::%s() is tagged with a "skipcsrfprotection" annotation', $controllerClassName, $actionMethodName), LOG_DEBUG);
         return false;
     }
     $httpRequest = $request->getHttpRequest();
     if ($httpRequest->hasHeader('X-Flow-Csrftoken')) {
         $csrfToken = $httpRequest->getHeader('X-Flow-Csrftoken');
     } else {
         $internalArguments = $request->getMainRequest()->getInternalArguments();
         $csrfToken = isset($internalArguments['__csrfToken']) ? $internalArguments['__csrfToken'] : null;
     }
     if (empty($csrfToken)) {
         $this->systemLogger->log(sprintf('CSRF: token was empty but a valid token is required for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG);
         return true;
     }
     if (!$this->securityContext->hasCsrfProtectionTokens()) {
         throw new AuthenticationRequiredException(sprintf('CSRF: No CSRF tokens in security context, possible session timeout. A valid token is required for %s::%s()', $controllerClassName, $actionMethodName), 1317309673);
     }
     if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === false) {
         $this->systemLogger->log(sprintf('CSRF: token was invalid but a valid token is required for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG);
         return true;
     }
     $this->systemLogger->log(sprintf('CSRF: Successfully verified token for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG);
     return false;
 }