/** * Checks the given token for validity and sets the token authentication status * accordingly (success, wrong credentials or no credentials given). * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof UsernamePassword) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username'])) { $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); } if (is_object($account)) { if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * Add the current node and all parent identifiers to be used for cache entry tagging * * @Flow\Before("method(TYPO3\Flow\Mvc\Routing\RouterCachingService->extractUuids())") * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current join point * @return void */ public function addCurrentNodeIdentifier(JoinPointInterface $joinPoint) { $values = $joinPoint->getMethodArgument('values'); if (!isset($values['node']) || strpos($values['node'], '@') === false) { return; } // Build context explicitly without authorization checks because the security context isn't available yet // anyway and any Entity Privilege targeted on Workspace would fail at this point: $this->securityContext->withoutAuthorizationChecks(function () use($joinPoint, $values) { $contextPathPieces = NodePaths::explodeContextPath($values['node']); $context = $this->contextFactory->create(['workspaceName' => $contextPathPieces['workspaceName'], 'dimensions' => $contextPathPieces['dimensions'], 'invisibleContentShown' => true]); $node = $context->getNode($contextPathPieces['nodePath']); if (!$node instanceof NodeInterface) { return; } $values['node-identifier'] = $node->getIdentifier(); $node = $node->getParent(); $values['node-parent-identifier'] = array(); while ($node !== null) { $values['node-parent-identifier'][] = $node->getIdentifier(); $node = $node->getParent(); } $joinPoint->setMethodArgument('values', $values); }); }
/** * Sets isAuthenticated to TRUE for all tokens. * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof Typo3OrgSsoToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } /** @var $account \TYPO3\Flow\Security\Account */ $account = null; $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username'])) { $providerName = $this->name; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, &$account) { $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); } if (is_object($account)) { $authenticationData = 'version=' . $credentials['version'] . '&user='******'username'] . '&tpa_id=' . $credentials['tpaId'] . '&expires=' . $credentials['expires'] . '&action=' . $credentials['action'] . '&flags=' . $credentials['flags'] . '&userdata=' . $credentials['userdata']; if ($this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid']) && $credentials['expires'] > time()) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * Exports the node data of all nodes in the given sub-tree * by writing them to the given XMLWriter. * * @param string $startingPointNodePath path to the root node of the sub-tree to export. The specified node will not be included, only its sub nodes. * @param string $workspaceName * @param \XMLWriter $xmlWriter * @param boolean $tidy * @param boolean $endDocument * @param string $resourceSavePath * @param string $nodeTypeFilter Filter the node type of the nodes, allows complex expressions (e.g. "TYPO3.Neos:Page", "!TYPO3.Neos:Page,TYPO3.Neos:Text") * @return \XMLWriter */ public function export($startingPointNodePath = '/', $workspaceName = 'live', \XMLWriter $xmlWriter = null, $tidy = true, $endDocument = true, $resourceSavePath = null, $nodeTypeFilter = null) { $this->propertyMappingConfiguration = new ImportExportPropertyMappingConfiguration($resourceSavePath); $this->exceptionsDuringExport = array(); $this->exportedNodePaths = array(); if ($startingPointNodePath !== '/') { $startingPointParentPath = substr($startingPointNodePath, 0, strrpos($startingPointNodePath, '/')); $this->exportedNodePaths[$startingPointParentPath] = true; } $this->xmlWriter = $xmlWriter; if ($this->xmlWriter === null) { $this->xmlWriter = new \XMLWriter(); $this->xmlWriter->openMemory(); $this->xmlWriter->setIndent($tidy); $this->xmlWriter->startDocument('1.0', 'UTF-8'); } $this->securityContext->withoutAuthorizationChecks(function () use($startingPointNodePath, $workspaceName, $nodeTypeFilter) { $nodeDataList = $this->findNodeDataListToExport($startingPointNodePath, $workspaceName, $nodeTypeFilter); $this->exportNodeDataList($nodeDataList); }); if ($endDocument) { $this->xmlWriter->endDocument(); } $this->handleExceptionsDuringExport(); return $this->xmlWriter; }
/** * Returns the static value of the given operand, this might be also a global object * * @param mixed $expression The expression string representing the operand * @return mixed The calculated value */ public function getValueForOperand($expression) { if (is_array($expression)) { $result = array(); foreach ($expression as $expressionEntry) { $result[] = $this->getValueForOperand($expressionEntry); } return $result; } elseif (is_numeric($expression)) { return $expression; } elseif ($expression === true) { return true; } elseif ($expression === false) { return false; } elseif ($expression === null) { return null; } elseif (strpos($expression, 'context.') === 0) { $objectAccess = explode('.', $expression, 3); $globalObjectsRegisteredClassName = $this->globalObjects[$objectAccess[1]]; $globalObject = $this->objectManager->get($globalObjectsRegisteredClassName); $this->securityContext->withoutAuthorizationChecks(function () use($globalObject, $objectAccess, &$globalObjectValue) { $globalObjectValue = $this->getObjectValueByPath($globalObject, $objectAccess[2]); }); return $globalObjectValue; } else { return trim($expression, '"\''); } }
/** * @test */ public function getContextHashReturnsStaticStringIfAuthorizationChecksAreDisabled() { $self = $this; $this->securityContext->withoutAuthorizationChecks(function () use($self) { $self->assertSame(Context::CONTEXT_HASH_UNINITIALIZED, $self->securityContext->getContextHash()); }); }
/** * Checks the given token for validity and sets the token authentication status * accordingly (success, wrong credentials or no credentials given). * * @param TokenInterface $authenticationToken The token to be authenticated * @return void * @throws UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof JwtToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1417040168); } /** @var $account Account */ $account = NULL; $credentials = $authenticationToken->getCredentials(); if (!is_array($credentials) || !isset($credentials['token'])) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); return; } $hmac = $this->hashService->generateHmac($this->signature); $payload = NULL; try { $payload = (array) JWT::decode($credentials['token'], $hmac, array('HS256')); } catch (\Exception $exception) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } if (isset($credentials['username'])) { $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); return; } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); return; } } if ($credentials['user_agent'] === $payload['user_agent'] && $credentials['ip_address'] === $payload['ip_address']) { $this->securityContext->withoutAuthorizationChecks(function () use($payload, &$account) { $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($payload['identifier'], $this->name); }); } if (is_object($account)) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); return; } $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); return; }
/** * Authenticates against a crowd instance. * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof UsernamePassword) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339845); } $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username']) && isset($credentials['password'])) { $crowdAuthenticationResponse = $this->crowdClient->authenticate($credentials['username'], $credentials['password']); if ($crowdAuthenticationResponse !== NULL) { /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); if ($account === NULL) { $account = new Account(); $account->setAuthenticationProviderName($providerName); $account->setAccountIdentifier($credentials['username']); $this->accountRepository->add($account); } $authenticateRole = $this->policyService->getRole($this->options['authenticateRole']); if ($account->hasRole($authenticateRole) === FALSE) { $account->addRole($authenticateRole); } $crowdUser = $this->partyService->getAssignedPartyOfAccount($account); if ($crowdUser instanceof Person) { if ($crowdUser->getName()->getFirstName() !== $crowdAuthenticationResponse['first-name']) { $crowdUser->getName()->setFirstName($crowdAuthenticationResponse['first-name']); $this->partyRepository->update($crowdUser); } if ($crowdUser->getName()->getLastName() !== $crowdAuthenticationResponse['last-name']) { $crowdUser->getName()->setLastName($crowdAuthenticationResponse['last-name']); $this->partyRepository->update($crowdUser); } if ($crowdUser->getPrimaryElectronicAddress()->getIdentifier() !== $crowdAuthenticationResponse['email']) { $crowdUser->getPrimaryElectronicAddress()->setIdentifier($crowdAuthenticationResponse['email']); $this->partyRepository->update($crowdUser); } } else { $crowdUser = new Person(); $crowdUser->setName(new PersonName('', $crowdAuthenticationResponse['first-name'], '', $crowdAuthenticationResponse['last-name'])); $email = new ElectronicAddress(); $email->setIdentifier($crowdAuthenticationResponse['email']); $email->setType(ElectronicAddress::TYPE_EMAIL); $crowdUser->setPrimaryElectronicAddress($email); $this->partyRepository->add($crowdUser); $this->partyService->assignAccountToParty($account, $crowdUser); } $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * @param string $nodeIdentifier * @return NodeInterface */ protected function getNodeByIdentifier($nodeIdentifier) { $context = $this->contextFactory->create(); $node = null; $this->securityContext->withoutAuthorizationChecks(function () use($nodeIdentifier, $context, &$node) { $node = $context->getNodeByIdentifier($nodeIdentifier); }); $context->getFirstLevelNodeCache()->setByIdentifier($nodeIdentifier, null); return $node; }
/** * Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded. * * @param TokenInterface $authenticationToken The token to be authenticated * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException * @return void */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof AbstractClientToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1383754993); } $credentials = $authenticationToken->getCredentials(); // Inspect the received access token as documented in https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/ $tokenInformation = $this->facebookTokenEndpoint->requestValidatedTokenInformation($credentials['accessToken']); if ($tokenInformation === FALSE) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); return; } // Check if the permitted scopes suffice: $necessaryScopes = $this->options['scopes']; $scopesHavingPermissionFor = $tokenInformation['scopes']; $requiredButNotPermittedScopes = array_diff($necessaryScopes, $scopesHavingPermissionFor); if (count($requiredButNotPermittedScopes) > 0) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); $this->securityLogger->log('The permitted scopes do not satisfy the required once.', LOG_NOTICE, array('necessaryScopes' => $necessaryScopes, 'allowedScopes' => $scopesHavingPermissionFor)); return; } // From here, we surely know the user is considered authenticated against the remote service, // yet to check if there is an immanent account present. $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($tokenInformation, $providerName, $accountRepository, &$account) { $account = $accountRepository->findByAccountIdentifierAndAuthenticationProviderName($tokenInformation['user_id'], $providerName); }); if ($account === NULL) { $account = new Account(); $account->setAccountIdentifier($tokenInformation['user_id']); $account->setAuthenticationProviderName($providerName); $this->accountRepository->add($account); } $authenticationToken->setAccount($account); // request long-live token and attach that to the account $longLivedToken = $this->facebookTokenEndpoint->requestLongLivedToken($credentials['accessToken']); $account->setCredentialsSource($longLivedToken); $this->accountRepository->update($account); }
/** * Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded. * * @param TokenInterface $authenticationToken The token to be authenticated * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException * @return void */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof AbstractClientToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1383754993); } $credentials = $authenticationToken->getCredentials(); // There is no way to validate the Token or check the scopes at the moment apart from "trying" (and possibly receiving an access denied) // we could check the validity of the Token and the scopes here in the future when Instagram provides that // Only check if an access Token is present at this time and do a single test call if (isset($credentials['accessToken']) && $credentials['accessToken'] !== NULL) { // check if a secure request is possible (https://www.instagram.com/developer/secure-api-requests/) $userInfo = $this->instagramTokenEndpoint->validateSecureRequestCapability($credentials['accessToken']); if ($userInfo === FALSE) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); $this->securityLogger->log('A secure call to the API with the provided accessToken and clientSecret was not possible', LOG_NOTICE); return FALSE; } } else { } // From here, we surely know the user is considered authenticated against the remote service, // yet to check if there is an immanent account present. $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($userInfo, $providerName, $accountRepository, &$account) { $account = $accountRepository->findByAccountIdentifierAndAuthenticationProviderName($userInfo['id'], $providerName); }); if ($account === NULL) { $account = new Account(); $account->setAccountIdentifier($userInfo['id']); $account->setAuthenticationProviderName($providerName); $this->accountRepository->add($account); } $authenticationToken->setAccount($account); // the access token is valid for an "undefined time" according to instagram (so we cannot know when the user needs to log in again) $account->setCredentialsSource($credentials['accessToken']); $this->accountRepository->update($account); // check if a user is already attached to this account if ($this->partyService->getAssignedPartyOfAccount($account) === null || count($this->partyService->getAssignedPartyOfAccount($account)) < 1) { $user = $this->userService->getCurrentUser(); if ($user !== null) { $user->addAccount($account); $this->userService->updateUser($user); $this->persistenceManager->whitelistObject($user); } else { $this->securityLogger->logException(new Exception("The InstagramProvider was unable to determine the backend user, make sure the configuration Typo3BackendProvider requestPattern matches the Instagram Controller and the authentication strategy is set to 'atLeastOne' Token")); } } // persistAll is called automatically at the end of this function, account gets whitelisted to allow // persisting for an object thats tinkered with via a GET request $this->persistenceManager->whitelistObject($account); }
/** * Find out if the given path exists anywhere in the CR. (internal) * If you need this functionality use \TYPO3\TYPO3CR\Domain\Service\NodeService::nodePathExistsInAnyContext() * * @param string $nodePath * @return boolean */ public function pathExists($nodePath) { $nodePath = strtolower($nodePath); $result = null; /** @var QueryBuilder $queryBuilder */ $queryBuilder = $this->entityManager->createQueryBuilder(); $this->securityContext->withoutAuthorizationChecks(function () use($nodePath, $queryBuilder, &$result) { $queryBuilder->select('n.identifier')->from('TYPO3\\TYPO3CR\\Domain\\Model\\NodeData', 'n')->where('n.pathHash = :pathHash')->setParameter('pathHash', md5($nodePath)); $result = count($queryBuilder->getQuery()->getResult()) > 0 ? true : false; }); return $result; }
/** * Tries to authenticate the tokens in the security context (in the given order) * with the available authentication providers, if needed. * If the authentication strategy is set to "allTokens", all tokens have to be authenticated. * If the strategy is set to "oneToken", only one token needs to be authenticated, but the * authentication will stop after the first authenticated token. The strategy * "atLeastOne" will try to authenticate at least one and as many tokens as possible. * * @return void * @throws \TYPO3\Flow\Security\Exception * @throws \TYPO3\Flow\Security\Exception\AuthenticationRequiredException */ public function authenticate() { $this->isAuthenticated = false; $anyTokenAuthenticated = false; if ($this->securityContext === null) { throw new Exception('Cannot authenticate because no security context has been set.', 1232978667); } $tokens = $this->securityContext->getAuthenticationTokens(); if (count($tokens) === 0) { throw new NoTokensAuthenticatedException('The security context contained no tokens which could be authenticated.', 1258721059); } /** @var $token TokenInterface */ foreach ($tokens as $token) { /** @var $provider AuthenticationProviderInterface */ foreach ($this->providers as $provider) { if ($provider->canAuthenticate($token) && $token->getAuthenticationStatus() === TokenInterface::AUTHENTICATION_NEEDED) { $provider->authenticate($token); if ($token->isAuthenticated()) { $this->emitAuthenticatedToken($token); } break; } } if ($token->isAuthenticated()) { if (!$token instanceof SessionlessTokenInterface) { if (!$this->session->isStarted()) { $this->session->start(); } $account = $token->getAccount(); if ($account !== null) { $this->securityContext->withoutAuthorizationChecks(function () use($account) { $this->session->addTag('TYPO3-Flow-Security-Account-' . md5($account->getAccountIdentifier())); }); } } if ($this->securityContext->getAuthenticationStrategy() === Context::AUTHENTICATE_ONE_TOKEN) { $this->isAuthenticated = true; $this->securityContext->refreshRoles(); return; } $anyTokenAuthenticated = true; } else { if ($this->securityContext->getAuthenticationStrategy() === Context::AUTHENTICATE_ALL_TOKENS) { throw new AuthenticationRequiredException('Could not authenticate all tokens, but authenticationStrategy was set to "all".', 1222203912); } } } if (!$anyTokenAuthenticated && $this->securityContext->getAuthenticationStrategy() !== Context::AUTHENTICATE_ANY_TOKEN) { throw new NoTokensAuthenticatedException('Could not authenticate any token. Might be missing or wrong credentials or no authentication provider matched.', 1222204027); } $this->isAuthenticated = $anyTokenAuthenticated; $this->securityContext->refreshRoles(); }
/** * Calls a behat step method * * @Flow\Internal * @param string $testHelperObjectName * @param string $methodName * @param boolean $withoutSecurityChecks */ public function callBehatStepCommand($testHelperObjectName, $methodName, $withoutSecurityChecks = FALSE) { $testHelper = $this->objectManager->get($testHelperObjectName); $rawMethodArguments = $this->request->getExceedingArguments(); $mappedArguments = array(); for ($i = 0; $i < count($rawMethodArguments); $i += 2) { $mappedArguments[] = $this->propertyMapper->convert($rawMethodArguments[$i + 1], $rawMethodArguments[$i]); } $result = NULL; try { if ($withoutSecurityChecks === TRUE) { $this->securityContext->withoutAuthorizationChecks(function () use($testHelper, $methodName, $mappedArguments, &$result) { $result = call_user_func_array(array($testHelper, $methodName), $mappedArguments); }); } else { $result = call_user_func_array(array($testHelper, $methodName), $mappedArguments); } } catch (\Exception $exception) { $this->outputLine('EXCEPTION: %s %d %s in %s:%s %s', array(get_class($exception), $exception->getCode(), $exception->getMessage(), $exception->getFile(), $exception->getLine(), $exception->getTraceAsString())); return; } $this->output('SUCCESS: %s', array($result)); }
/** * Filter a node by the current context. * Will either return the node or NULL if it is not permitted in current context. * * @param NodeInterface $node * @param Context $context * @return \TYPO3\TYPO3CR\Domain\Model\NodeInterface|NULL */ protected function filterNodeByContext(NodeInterface $node, Context $context) { $this->securityContext->withoutAuthorizationChecks(function () use(&$node, $context) { if (!$context->isRemovedContentShown() && $node->isRemoved()) { $node = null; return; } if (!$context->isInvisibleContentShown() && !$node->isVisible()) { $node = null; return; } if (!$context->isInaccessibleContentShown() && !$node->isAccessible()) { $node = null; } }); return $node; }
/** * Imports the sub-tree from the xml reader into the given target path. * * The root node of the imported tree becomes a child of the node specified as the target path, * as the following example illustrates: * * 1. Existing Nodes Before Import: * * path * - to * - - my * - - - targetNode * - - - - A * - other * - - nodes * * 2. Sub-tree in xml to import to 'path/to/my/targetNode': * * <B> * - <B1/> * </B> * * 3. existing nodes after the import: * * path * - to * - - my * - - - targetNode * - - - - A * - - - - B * - - - - - B1 * - another * - - sub-tree * * @param \XMLReader $xmlReader The XML input to import - must be either XML as a string or a prepared \XMLReader instance containing XML data * @param string $targetPath path to the node which becomes parent of the root of the imported sub-tree * @param string $resourceLoadPath * @throws ImportException * @return void */ public function import(\XMLReader $xmlReader, $targetPath, $resourceLoadPath = null) { $this->propertyMappingConfiguration = new ImportExportPropertyMappingConfiguration($resourceLoadPath); $this->nodeNameStack = $targetPath === '/' ? array() : array_map(function ($pathSegment) { return Utility::renderValidNodeName($pathSegment); }, explode('/', $targetPath)); $formatVersion = $this->determineFormatVersion($xmlReader); switch ($formatVersion) { case self::SUPPORTED_FORMAT_VERSION: $this->securityContext->withoutAuthorizationChecks(function () use($xmlReader) { $this->importSubtree($xmlReader); }); break; case null: throw new ImportException('Failed to recognize format of the Node Data XML to import. Please make sure that you use a valid Node Data XML structure.', 1409059346); default: throw new ImportException('Failed to import Node Data XML: The format with version ' . $formatVersion . ' is not supported, only version ' . self::SUPPORTED_FORMAT_VERSION . ' is supported.', 1409059352); } }
/** * @param Token $token * @return void */ public function onetimeLoginAction(Token $token) { $username = $token->getMeta()['name']; /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->authenticationProviderName; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($username, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName); }); foreach ($this->securityContext->getAuthenticationTokens() as $authenticationToken) { if ($authenticationToken->getAuthenticationProviderName() === $providerName) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); break; } } $this->redirect('resetForm'); }
/** * @param string $username Crowd Username * @param string $providerName Name of the authentication provider, this account should be used with * @return Account */ public function getLocalAccountForCrowdUser($username, $providerName) { $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($username, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName); }); if ($account === NULL) { if ($this->getUser($username) === NULL) { return NULL; } $account = new Account(); $account->setAuthenticationProviderName($providerName); $account->setAccountIdentifier($username); $roleIdentifier = $this->configurationManager->getConfiguration(ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'TYPO3.Flow.security.authentication.providers.' . $providerName . '.providerOptions.authenticateRole'); $account->addRole($this->policyService->getRole($roleIdentifier)); $this->accountRepository->add($account); $this->persistenceManager->persistAll(); } return $account; }
/** * Matches a frontend URI pointing to a node (for example a page). * * This function tries to find a matching node by the given request path. If one was found, its * absolute context node path is set in $this->value and TRUE is returned. * * Note that this matcher does not check if access to the resolved workspace or node is allowed because at the point * in time the route part handler is invoked, the security framework is not yet fully initialized. * * @param string $requestPath The request path (without leading "/", relative to the current Site Node) * @return boolean TRUE if the $requestPath could be matched, otherwise FALSE * @throws \Exception * @throws Exception\NoHomepageException if no node could be found on the homepage (empty $requestPath) */ protected function matchValue($requestPath) { try { /** @var NodeInterface $node */ $node = null; // Build context explicitly without authorization checks because the security context isn't available yet // anyway and any Entity Privilege targeted on Workspace would fail at this point: $this->securityContext->withoutAuthorizationChecks(function () use(&$node, $requestPath) { $node = $this->convertRequestPathToNode($requestPath); }); } catch (Exception $exception) { $this->systemLogger->log('FrontendNodeRoutePartHandler matchValue(): ' . $exception->getMessage(), LOG_DEBUG); if ($requestPath === '') { throw new Exception\NoHomepageException('Homepage could not be loaded. Probably you haven\'t imported a site yet', 1346950755, $exception); } return false; } if ($this->onlyMatchSiteNodes() && $node !== $node->getContext()->getCurrentSiteNode()) { return false; } $this->value = $node->getContextPath(); return true; }