/** * Add the Annotated Method to the Navigation * * @param \TYPO3\FLOW3\AOP\JoinPointInterface $joinPoint * @FLOW3\Before("method(public .*\Controller\.*Controller->.*Action(.*))") * @return void */ public function addNavigationitem(\TYPO3\FLOW3\AOP\JoinPointInterface $joinPoint) { $currentClassName = $joinPoint->getClassName(); $currentMethodName = $joinPoint->getMethodName(); $controllers = $this->reflectionService->getAllSubClassNamesForClass("\\TYPO3\\FLOW3\\MVC\\Controller\\ActionController"); foreach ($controllers as $className) { $methods = get_class_methods($className); if (is_array($methods)) { foreach ($methods as $methodName) { if ($this->reflectionService->isMethodAnnotatedWith($className, $methodName, "Admin\\Annotations\\Navigation")) { $annotations = $this->reflectionService->getMethodAnnotations($className, $methodName, "Admin\\Annotations\\Navigation"); foreach ($annotations as $annotation) { $action = str_replace("Action", "", $methodName); $controller = $this->helper->getControllerByClassName($className); $package = $this->objectManager->getPackageKeyByObjectName($className); $arguments = array("action" => $action, "controller" => $controller, "package" => $package); $title = !is_null($annotation->title) ? $annotation->title : sprintf("%s (%s)", $controller, $action); \Admin\Core\API::addNavigationitem($title, $annotation->position, $arguments, $annotation->priority, $annotation->parent); } } } } } $settings = $this->helper->getSettings("Admin.Navigation"); foreach ($settings as $position => $items) { foreach ($items as $title => $conf) { $priority = isset($conf["priority"]) ? $conf["priority"] : 100; $arguments = $conf["Arguments"]; \Admin\Core\API::addNavigationitem($title, strtolower($position), $arguments, $priority); } } }
/** * Adds a CSRF token as argument in the URI builder * * @FLOW3\Before("setting(TYPO3.FLOW3.security.enable) && method(TYPO3\FLOW3\Mvc\Routing\UriBuilder->build())") * @param \TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint The current join point * @return void */ public function addCsrfTokenToUri(\TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint) { $uriBuilder = $joinPoint->getProxy(); $arguments = $joinPoint->getMethodArgument('arguments'); $packageKey = isset($arguments['@package']) ? $arguments['@package'] : ''; $subpackageKey = isset($arguments['@subpackage']) ? $arguments['@subpackage'] : ''; $controllerName = isset($arguments['@controller']) ? $arguments['@controller'] : 'Standard'; $actionName = (isset($arguments['@action']) ? $arguments['@action'] : 'index') . 'Action'; $possibleObjectName = '@package\\@subpackage\\Controller\\@controllerController'; $possibleObjectName = str_replace('@package', str_replace('.', '\\', $packageKey), $possibleObjectName); $possibleObjectName = str_replace('@subpackage', $subpackageKey, $possibleObjectName); $possibleObjectName = str_replace('@controller', $controllerName, $possibleObjectName); $possibleObjectName = str_replace('\\\\', '\\', $possibleObjectName); $lowercaseObjectName = strtolower($possibleObjectName); $className = $this->objectManager->getClassNameByObjectName($this->objectManager->getCaseSensitiveObjectName($lowercaseObjectName)); if ($this->policyService->hasPolicyEntryForMethod($className, $actionName) && !$this->reflectionService->isMethodAnnotatedWith($className, $actionName, 'TYPO3\\FLOW3\\Annotations\\SkipCsrfProtection')) { $internalArguments = $uriBuilder->getArguments(); $internalArguments['__csrfToken'] = $this->securityContext->getCsrfProtectionToken(); $uriBuilder->setArguments($internalArguments); } }
/** * Advices the dispatch method so that illegal requests are blocked before invoking * any controller. * * @FLOW3\Around("method(TYPO3\FLOW3\MVC\Dispatcher->dispatch())") * @param \TYPO3\FLOW3\AOP\JoinPointInterface $joinPoint The current joinpoint * @return mixed Result of the advice chain */ public function checkAccess(\TYPO3\FLOW3\AOP\JoinPointInterface $joinPoint) { $this->securityManager->setRequest($joinPoint->getMethodArgument('request')); $this->securityManager->setResponse($joinPoint->getMethodArgument('response')); $request = $joinPoint->getMethodArgument('request'); if (is_a($request, "\\TYPO3\\FLOW3\\MVC\\Web\\Request")) { $className = $request->getControllerObjectName(); $methodName = $request->getControllerActionName() . 'Action'; try { if (!empty($className) && $this->reflectionService->isMethodAnnotatedWith($className, $methodName, "Admin\\Annotations\\Access")) { $annotation = $this->reflectionService->getMethodAnnotation($className, $methodName, "Admin\\Annotations\\Access"); if (!is_object($user = $this->securityManager->getUser())) { return $this->securityManager->redirectToLogin($joinPoint); } if ($annotation->admin && !$user->isAdmin()) { return $this->securityManager->redirectToLogin($joinPoint); } if ($annotation->role !== null) { $hasRole = false; foreach ($user->getRoles() as $role) { if ($role->getName() == $annotation->role) { $hasRole = true; } } if (!$hasRole) { $message = new \TYPO3\FLOW3\Error\Error("You don't have access to this page!"); $this->flashMessageContainer->addMessage($message); return $this->securityManager->redirectToLogin($joinPoint); } } } } catch (\Exception $e) { } } if (is_object($adviceChain = $joinPoint->getAdviceChain())) { $result = $adviceChain->proceed($joinPoint); return $result; } }