/**
* Log a message if a post is deleted
*
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint
* @Flow\Around("method(TYPO3\Neos\View\TypoScriptView->render())")
* @return void
*/
public function replacePlaceholdersIfNecessary(\TYPO3\Flow\Aop\JoinPointInterface $joinPoint)
{
$result = $joinPoint->getAdviceChain()->proceed($joinPoint);
/* @var $typoScriptView TypoScriptView */
$typoScriptView = $joinPoint->getProxy();
$viewVariables = ObjectAccess::getProperty($typoScriptView, 'variables', TRUE);
if (!isset($viewVariables['value']) || !$viewVariables['value']->getNodeType()->isOfType('Sandstorm.Newsletter:Newsletter')) {
// No newsletter, so logic does not apply
return $result;
}
/* @var $httpRequest Request */
$httpRequest = $this->controllerContext->getRequest()->getHttpRequest();
$arguments = $httpRequest->getUri()->getArguments();
if (!isset($arguments['hmac'])) {
if ($this->securityContext->isInitialized() && $this->securityContext->hasRole('TYPO3.Neos:Editor')) {
// Logged into backend, so we don't need to do anything.
return $result;
} else {
// No HMAC sent -- so we return the email INCLUDING placeholders (as per customer's request)
return $result;
//return '<h1>Error: HMAC not included in the link.</h1>';
}
}
$actualHmac = $arguments['hmac'];
$uriWithoutHmac = str_replace('&hmac=' . $actualHmac, '', (string) $httpRequest->getUri());
$expectedHmac = hash_hmac('sha1', urldecode($uriWithoutHmac), $this->hmacUrlSecret);
if ($expectedHmac !== $actualHmac) {
return '<h1>Error: Wrong link clicked.</h1>Please contact your administrator for help';
}
$result = preg_replace_callback(ReplacePlaceholdersInLiveImplementation::PLACEHOLDER_REGEX, function ($element) use($arguments) {
return ObjectAccess::getPropertyPath($arguments, $element[1]);
}, $result);
return $result;
}
/**
* Gets the SQL query part to add to a query.
*
* @param ClassMetaData $targetEntity Metadata object for the target entity to be filtered
* @param string $targetTableAlias The target table alias used in the current query
* @return string The constraint SQL if there is available, empty string otherwise
*/
public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias)
{
$this->initializeDependencies();
/*
* TODO: Instead of checking for class account we could introduce some interface for white listing entities from entity security checks
* Problem with checking the Account is, that this filter calls getRoles() on the security context while accounts are not
* yet fully initialized. By this we get a half built account object that will end up in access denied exception,
* as it has no roles (and other properties) set
*/
if ($this->securityContext->areAuthorizationChecksDisabled() || $targetEntity->getName() === \TYPO3\Flow\Security\Account::class) {
return '';
}
if (!$this->securityContext->isInitialized()) {
if (!$this->securityContext->canBeInitialized()) {
return '';
}
$this->securityContext->initialize();
}
// This is needed to include the current context of roles into query cache identifier
$this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string');
$sqlConstraints = array();
$grantedConstraints = array();
$deniedConstraints = array();
foreach ($this->securityContext->getRoles() as $role) {
$entityPrivileges = $role->getPrivilegesByType(\TYPO3\Flow\Security\Authorization\Privilege\Entity\EntityPrivilegeInterface::class);
/** @var EntityPrivilegeInterface $privilege */
foreach ($entityPrivileges as $privilege) {
if (!$privilege->matchesEntityType($targetEntity->getName())) {
continue;
}
$sqlConstraint = $privilege->getSqlConstraint($targetEntity, $targetTableAlias);
if ($sqlConstraint === null) {
continue;
}
$sqlConstraints[] = ' NOT (' . $sqlConstraint . ')';
if ($privilege->isGranted()) {
$grantedConstraints[] = ' NOT (' . $sqlConstraint . ')';
} elseif ($privilege->isDenied()) {
$deniedConstraints[] = ' NOT (' . $sqlConstraint . ')';
}
}
}
$grantedConstraints = array_diff($grantedConstraints, $deniedConstraints);
$effectiveConstraints = array_diff($sqlConstraints, $grantedConstraints);
if (count($effectiveConstraints) > 0) {
return ' (' . implode(') AND (', $effectiveConstraints) . ') ';
}
return '';
}
/**
* Checks, if the current policy allows the retrieval of the object fetched by getObjectDataByIdentifier()
*
* @Flow\Around("within(TYPO3\Flow\Persistence\PersistenceManagerInterface) && method(.*->getObjectByIdentifier()) && setting(TYPO3.Flow.security.enable)")
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current joinpoint
* @return array The object data of the original object, or NULL if access is not permitted
*/
public function checkAccessAfterFetchingAnObjectByIdentifier(JoinPointInterface $joinPoint)
{
$result = $joinPoint->getAdviceChain()->proceed($joinPoint);
if ($this->securityContext->areAuthorizationChecksDisabled() === TRUE || $this->policyService->hasPolicyEntriesForEntities() === FALSE) {
return $result;
}
if ($this->securityContext->isInitialized() === FALSE) {
if ($this->securityContext->canBeInitialized() === TRUE) {
$this->securityContext->initialize();
} else {
return $result;
}
}
$authenticatedRoles = $this->securityContext->getRoles();
$entityType = $this->reflectionService->getClassNameByObject($result);
if ($this->policyService->hasPolicyEntryForEntityType($entityType, $authenticatedRoles)) {
if ($this->policyService->isGeneralAccessForEntityTypeGranted($entityType, $authenticatedRoles) === FALSE) {
return NULL;
}
$policyConstraintsDefinition = $this->policyService->getResourcesConstraintsForEntityTypeAndRoles($entityType, $authenticatedRoles);
if ($this->checkConstraintDefinitionsOnResultObject($policyConstraintsDefinition, $result) === FALSE) {
return NULL;
}
}
return $result;
}
/**
* Render the a hidden field with a CSRF token
*
* @return string the CSRF token field
*/
protected function renderCsrfTokenField()
{
if (!$this->securityContext->isInitialized()) {
return '';
}
$csrfToken = $this->securityContext->getCsrfProtectionToken();
return '<input type="hidden" name="__csrfToken" value="' . htmlspecialchars($csrfToken) . '" />' . chr(10);
}
/**
* Render the a hidden field with a CSRF token
*
* @return string the CSRF token field
*/
protected function renderCsrfTokenField()
{
if (strtolower($this->arguments['method']) === 'get') {
return '';
}
if (!$this->securityContext->isInitialized() || !$this->authenticationManager->isAuthenticated()) {
return '';
}
$csrfToken = $this->securityContext->getCsrfProtectionToken();
return '<input type="hidden" name="__csrfToken" value="' . htmlspecialchars($csrfToken) . '" />' . chr(10);
}
/**
* @test
*/
public function securityContextIsSetToInitialized()
{
$this->assertFalse($this->securityContext->isInitialized());
$this->securityContext->initialize();
$this->assertTrue($this->securityContext->isInitialized());
}
/**
* @param \Exception $exception
* @return void
*/
public function logException(\Exception $exception)
{
if (!isset($this->settings['host']) || strlen($this->settings['host']) === 0) {
return;
}
$statusCode = NULL;
if ($exception instanceof FlowException) {
$statusCode = $exception->getStatusCode();
}
// skip exceptions with status codes matching "skipStatusCodes" setting
if (isset($this->settings['skipStatusCodes']) && in_array($statusCode, $this->settings['skipStatusCodes'])) {
return;
}
$host = $this->settings['host'];
$port = isset($this->settings['port']) ? $this->settings['port'] : UdpTransport::DEFAULT_PORT;
// set chunk size option to wan (default) or lan
if (isset($this->settings['chunksize']) && strtolower($this->settings['chunksize']) === 'lan') {
$chunkSize = UdpTransport::CHUNK_SIZE_LAN;
} else {
$chunkSize = UdpTransport::CHUNK_SIZE_WAN;
}
// setup connection to graylog server
$transport = new UdpTransport($host, $port, $chunkSize);
$publisher = new Publisher();
$publisher->addTransport($transport);
// set logLevel depending on http status code
$logLevel = 4;
// warning
if ($statusCode === 500) {
$logLevel = 3;
// error
}
// build message context
$messageContext = array('full_message' => $exception->getTraceAsString(), 'reference_code' => $exception instanceof FlowException ? $exception->getReferenceCode() : NULL, 'response_status' => $statusCode, 'short_message' => sprintf('%d %s', $statusCode, Response::getStatusMessageByCode($statusCode)), 'code' => $exception->getCode(), 'file' => $exception->getFile(), 'line' => $exception->getLine());
if ($this->securityContext !== NULL && $this->securityContext->isInitialized()) {
$account = $this->securityContext->getAccount();
if ($account !== NULL) {
$messageContext['authenticated_account'] = $account->getAccountIdentifier() . ' (' . $this->persistenceManager->getIdentifierByObject($account) . ')';
$messageContext['authenticated_roles'] = implode(', ', array_keys($this->securityContext->getRoles()));
if ($this->objectManager->isRegistered(PartyService::class)) {
/** @var PartyService $partyService */
$partyService = $this->objectManager->get(PartyService::class);
$person = $partyService->getAssignedPartyOfAccount($account);
if ($person instanceof Person) {
$messageContext['authenticated_person'] = (string) $person->getName() . ' (' . $this->persistenceManager->getIdentifierByObject($person) . ')';
}
}
}
}
// prepare request details
if (Bootstrap::$staticObjectManager instanceof ObjectManagerInterface) {
$bootstrap = Bootstrap::$staticObjectManager->get('TYPO3\\Flow\\Core\\Bootstrap');
/* @var Bootstrap $bootstrap */
$requestHandler = $bootstrap->getActiveRequestHandler();
if ($requestHandler instanceof HttpRequestHandlerInterface) {
$request = $requestHandler->getHttpRequest();
$requestData = array('request_domain' => $request->getHeader('Host'), 'request_remote_addr' => $request->getClientIpAddress(), 'request_path' => $request->getRelativePath(), 'request_uri' => $request->getUri()->getPath(), 'request_user_agent' => $request->getHeader('User-Agent'), 'request_method' => $request->getMethod(), 'request_port' => $request->getPort());
$messageContext = array_merge($messageContext, $requestData);
}
}
// send message to graylog server
$logger = new Logger($publisher);
$logger->log($logLevel, $exception->getMessage(), $messageContext);
}
