/** * @return void */ public function indexAction() { // check is a user is authenticated if ($this->authenticationManager->isAuthenticated()) { if ($this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:ProjectManager')) { $this->forward('dashboard', 'Standard'); } if ($this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) { $this->forward('index', 'Admin'); } } }
/** * index action, does only display the form * @param string $username * @return void */ public function loginAction($username = NULL) { if ($this->authenticationManager->isAuthenticated()) { if (isset($this->settings['Redirect']['signedIn'])) { $redirect = $this->settings['Redirect']['signedIn']; $this->redirect($redirect['actionName'], $redirect['controllerName'], $redirect['packageKey']); } $this->redirect('index', 'Dashboard'); } $this->view->assign('username', $username); $this->view->assign('hostname', $this->request->getHttpRequest()->getBaseUri()->getHost()); $this->view->assign('date', new \DateTime()); }
/** * Adds a NotEmptyValidator to the current element if the "trigger" value is not empty. * The trigger can be configured with $this->properties['triggerPropertyPath'] * * @param \TYPO3\Form\Core\Runtime\FormRuntime $formRuntime * @return void */ protected function requireIfTriggerIsSet(\TYPO3\Form\Core\Runtime\FormRuntime $formRuntime) { if ($formRuntime->getRequest()->getParentRequest()->getControllerActionName() == 'newDataSheet') { if ($this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) { $this->addValidator(new \TYPO3\Flow\Validation\Validator\NotEmptyValidator()); } elseif (!$this->authenticationManager->isAuthenticated()) { $this->addValidator(new \TYPO3\Flow\Validation\Validator\NotEmptyValidator()); } else { return; } } elseif ($formRuntime->getRequest()->getParentRequest()->getControllerActionName() == 'editDataSheet') { return; } }
/** * @Flow\SkipCsrfProtection * @return void|string */ public function authenticateAction() { try { $this->authenticationManager->authenticate(); if ($this->authenticationManager->isAuthenticated()) { $profile = $this->profileService->getCurrentPartyProfile(); $this->redirect('show', 'Frontend\\Node', 'TYPO3.Neos', ['node' => $profile->getPath()]); } else { $this->addFlashMessage('Gebruikersnaam of wachtwoord is niet correct'); $this->forwardToReferringRequest(); } } catch (\Exception $e) { $this->addFlashMessage('Gebruikersnaam of wachtwoord is niet correct'); $this->forwardToReferringRequest(); } }
/** * Matches a \TYPO3\Flow\Mvc\RequestInterface against the configured CSRF pattern rules and * searches for invalid csrf tokens. If this returns TRUE, the request is invalid! * * @param RequestInterface $request The request that should be matched * @return boolean TRUE if the pattern matched, FALSE otherwise * @throws AuthenticationRequiredException */ public function matchRequest(RequestInterface $request) { if (!$request instanceof ActionRequest || $request->getHttpRequest()->isMethodSafe()) { $this->systemLogger->log('CSRF: No token required, safe request', LOG_DEBUG); return false; } if ($this->authenticationManager->isAuthenticated() === false) { $this->systemLogger->log('CSRF: No token required, not authenticated', LOG_DEBUG); return false; } if ($this->securityContext->areAuthorizationChecksDisabled() === true) { $this->systemLogger->log('CSRF: No token required, authorization checks are disabled', LOG_DEBUG); return false; } $controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName()); $actionMethodName = $request->getControllerActionName() . 'Action'; if (!$this->hasPolicyEntryForMethod($controllerClassName, $actionMethodName)) { $this->systemLogger->log(sprintf('CSRF: No token required, method %s::%s() is not restricted by a policy.', $controllerClassName, $actionMethodName), LOG_DEBUG); return false; } if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection')) { $this->systemLogger->log(sprintf('CSRF: No token required, method %s::%s() is tagged with a "skipcsrfprotection" annotation', $controllerClassName, $actionMethodName), LOG_DEBUG); return false; } $httpRequest = $request->getHttpRequest(); if ($httpRequest->hasHeader('X-Flow-Csrftoken')) { $csrfToken = $httpRequest->getHeader('X-Flow-Csrftoken'); } else { $internalArguments = $request->getMainRequest()->getInternalArguments(); $csrfToken = isset($internalArguments['__csrfToken']) ? $internalArguments['__csrfToken'] : null; } if (empty($csrfToken)) { $this->systemLogger->log(sprintf('CSRF: token was empty but a valid token is required for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG); return true; } if (!$this->securityContext->hasCsrfProtectionTokens()) { throw new AuthenticationRequiredException(sprintf('CSRF: No CSRF tokens in security context, possible session timeout. A valid token is required for %s::%s()', $controllerClassName, $actionMethodName), 1317309673); } if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === false) { $this->systemLogger->log(sprintf('CSRF: token was invalid but a valid token is required for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG); return true; } $this->systemLogger->log(sprintf('CSRF: Successfully verified token for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG); return false; }
/** * Matches a \TYPO3\Flow\Mvc\RequestInterface against the configured CSRF pattern rules and * searches for invalid csrf tokens. If this returns TRUE, the request is invalid! * * @param \TYPO3\Flow\Mvc\RequestInterface $request The request that should be matched * @return boolean TRUE if the pattern matched, FALSE otherwise * @throws \TYPO3\Flow\Security\Exception\AuthenticationRequiredException */ public function matchRequest(\TYPO3\Flow\Mvc\RequestInterface $request) { if (!$request instanceof ActionRequest || $request->getHttpRequest()->isMethodSafe()) { $this->systemLogger->log('No CSRF required, safe request', LOG_DEBUG); return FALSE; } if ($this->authenticationManager->isAuthenticated() === FALSE) { $this->systemLogger->log('No CSRF required, not authenticated', LOG_DEBUG); return FALSE; } if ($this->securityContext->areAuthorizationChecksDisabled() === TRUE) { $this->systemLogger->log('No CSRF required, authorization checks are disabled', LOG_DEBUG); return FALSE; } $controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName()); $actionName = $request->getControllerActionName() . 'Action'; if (!$this->policyService->hasPolicyEntryForMethod($controllerClassName, $actionName)) { $this->systemLogger->log(sprintf('CSRF protection filter: allowed %s request without requiring CSRF token because action "%s" in controller "%s" is not restricted by a policy.', $request->getHttpRequest()->getMethod(), $actionName, $controllerClassName), LOG_NOTICE); return FALSE; } if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionName, 'skipcsrfprotection')) { return FALSE; } $httpRequest = $request->getHttpRequest(); if ($httpRequest->hasHeader('X-Flow-Csrftoken')) { $csrfToken = $httpRequest->getHeader('X-Flow-Csrftoken'); } else { $internalArguments = $request->getMainRequest()->getInternalArguments(); $csrfToken = isset($internalArguments['__csrfToken']) ? $internalArguments['__csrfToken'] : NULL; } if (empty($csrfToken)) { $this->systemLogger->log('CSRF token was empty', LOG_DEBUG); return TRUE; } if (!$this->securityContext->hasCsrfProtectionTokens()) { throw new \TYPO3\Flow\Security\Exception\AuthenticationRequiredException('No tokens in security context, possible session timeout', 1317309673); } if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === FALSE) { $this->systemLogger->log('CSRF token was invalid', LOG_DEBUG); return TRUE; } // the CSRF token was necessary and is valid return FALSE; }
/** * Calls the authentication manager to authenticate all active tokens * and redirects to the original intercepted request on success if there * is one stored in the security context. If no intercepted request is * found, the function simply returns. * * If authentication fails, the result of calling the defined * $errorMethodName is returned. * * Note: Usually there is no need to override this action. You should use * the according callback methods instead (onAuthenticationSuccess() and * onAuthenticationFailure()). * * @return string * @Flow\SkipCsrfProtection */ public function authenticateAction() { $authenticationException = null; try { $this->authenticationManager->authenticate(); } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) { $authenticationException = $exception; } if ($this->authenticationManager->isAuthenticated()) { $storedRequest = $this->securityContext->getInterceptedRequest(); if ($storedRequest !== null) { $this->securityContext->setInterceptedRequest(null); } return $this->onAuthenticationSuccess($storedRequest); } else { $this->onAuthenticationFailure($authenticationException); return call_user_func(array($this, $this->errorMethodName)); } }
/** * Render the a hidden field with a CSRF token * * @return string the CSRF token field */ protected function renderCsrfTokenField() { if (strtolower($this->arguments['method']) === 'get') { return ''; } if (!$this->securityContext->isInitialized() || !$this->authenticationManager->isAuthenticated()) { return ''; } $csrfToken = $this->securityContext->getCsrfProtectionToken(); return '<input type="hidden" name="__csrfToken" value="' . htmlspecialchars($csrfToken) . '" />' . chr(10); }
/** * Receive an SSO authentication callback and trigger authentication * through the SingleSignOnProvider. * * GET /sso/authentication/callback?... * * @param string $callbackUri * @return void */ public function callbackAction($callbackUri) { try { $this->authenticationManager->authenticate(); } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) { $authenticationException = $exception; } if ($this->authenticationManager->isAuthenticated()) { $storedRequest = $this->securityContext->getInterceptedRequest(); if ($storedRequest !== NULL) { $this->securityContext->setInterceptedRequest(NULL); $this->redirectToRequest($storedRequest); } else { // TODO Do we have to check the URI? $this->redirectToUri($callbackUri); } } else { throw new \Flowpack\SingleSignOn\Client\Exception('Could not authenticate in callbackAction triggered by the SSO server.', 1366613161, isset($authenticationException) ? $authenticationException : NULL); } }
/** * Returns TRUE, if at least one of the currently authenticated accounts holds * a role with the given identifier, also recursively. * * @param string $roleIdentifier The string representation of the role to search for * @return boolean TRUE, if a role with the given string representation was found */ public function hasRole($roleIdentifier) { if ($roleIdentifier === 'TYPO3.Flow:Everybody') { return true; } if ($roleIdentifier === 'TYPO3.Flow:Anonymous') { return !$this->authenticationManager->isAuthenticated(); } if ($roleIdentifier === 'TYPO3.Flow:AuthenticatedUser') { return $this->authenticationManager->isAuthenticated(); } $roles = $this->getRoles(); return isset($roles[$roleIdentifier]); }
/** * Executes this finisher * @see AbstractFinisher::execute() * * @return void * @throws \TYPO3\Flow\Mvc\Exception\StopActionException(); */ protected function executeInternal() { /** @var \TYPO3\Form\Core\Runtime\FormRuntime $formRuntime */ $formRuntime = $this->finisherContext->getFormRuntime(); $formValueArray = $formRuntime->getFormState()->getFormValues(); if ($formRuntime->getRequest()->getParentRequest()->getControllerActionName() == 'editDataSheet') { // we need to update the data sheet, we assume that the person is authenticated because a data sheet can only be edited by a authenticated user /** @var \GIB\GradingTool\Domain\Model\Project $project */ $project = $this->projectRepository->findByIdentifier($formRuntime->getRequest()->getParentRequest()->getArgument('project')); // make a HTML representation of a diff of the old and new data $diffContent = DiffUtility::arrayDiffRecursive($project->getDataSheetContentArray(), $formValueArray); // store changes to project $project->setDataSheetContent($formValueArray); $project->setLastUpdated(new \TYPO3\Flow\Utility\Now()); // update e-mail address (could have changed in the data sheet) $projectManagerElectronicAddress = new \TYPO3\Party\Domain\Model\ElectronicAddress(); $projectManagerElectronicAddress->setIdentifier($formValueArray['projectManagerEmail']); $projectManagerElectronicAddress->setType(\TYPO3\Party\Domain\Model\ElectronicAddress::TYPE_EMAIL); $project->getProjectManager()->setPrimaryElectronicAddress($projectManagerElectronicAddress); $this->partyRepository->update($project->getProjectManager()); $this->projectRepository->update($project); $this->persistenceManager->persistAll(); // send a notification mail to the Administrator containing the changes $templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('editDataSheetNotification', $project); $this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, NULL, '', '', $diffContent); // add a flash message $message = new \TYPO3\Flow\Error\Message('Your data sheet for project "%s" was successfully edited.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($project->getProjectTitle())); $this->flashMessageContainer->addMessage($message); } else { // we need to add a new data sheet /** @var \GIB\GradingTool\Domain\Model\Project $project */ $project = new \GIB\GradingTool\Domain\Model\Project(); $project->setProjectTitle($formValueArray['projectTitle']); $project->setDataSheetFormIdentifier($this->settings['forms']['dataSheet']['default']); $project->setSubmissionFormIdentifier($this->settings['forms']['submission']['default']); // store identifier=userName and password for later usage $identifier = $formValueArray['userName']; $password = $formValueArray['password']; // remove userName and password from data array so it doesn't get saved unencrypted unset($formValueArray['userName']); unset($formValueArray['password']); $project->setDataSheetContent($formValueArray); $project->setCreated(new \TYPO3\Flow\Utility\Now()); $this->projectRepository->add($project); // add a flash message $message = new \TYPO3\Flow\Error\Message('Your data sheet for project "%s" was successfully submitted.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($formValueArray['projectTitle'])); $this->flashMessageContainer->addMessage($message); if (!$this->authenticationManager->isAuthenticated() || $this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) { // the product manager (supposedly) doesn't have an account yet, so we create one $projectManager = new \GIB\GradingTool\Domain\Model\ProjectManager(); $projectManagerName = new \TYPO3\Party\Domain\Model\PersonName('', $formValueArray['projectManagerFirstName'], '', $formValueArray['projectManagerLastName']); $projectManager->setName($projectManagerName); $projectManagerElectronicAddress = new \TYPO3\Party\Domain\Model\ElectronicAddress(); $projectManagerElectronicAddress->setIdentifier($formValueArray['projectManagerEmail']); $projectManagerElectronicAddress->setType(\TYPO3\Party\Domain\Model\ElectronicAddress::TYPE_EMAIL); $projectManager->addElectronicAddress($projectManagerElectronicAddress); $projectManager->setPrimaryElectronicAddress($projectManagerElectronicAddress); // add account $roles = array('GIB.GradingTool:ProjectManager'); $authenticationProviderName = 'DefaultProvider'; $account = $this->accountFactory->createAccountWithPassword($identifier, $password, $roles, $authenticationProviderName); $this->accountRepository->add($account); // add account to ProjectManager $projectManager->addAccount($account); // add project to ProjectManager $projectManager->addProject($project); // finally add the complete ProjectManager $this->partyRepository->add($projectManager); if (!$this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) { // authenticate user if no Administrator is authenticated $authenticationTokens = $this->securityContext->getAuthenticationTokensOfType('TYPO3\\Flow\\Security\\Authentication\\Token\\UsernamePassword'); if (count($authenticationTokens) === 1) { $authenticationTokens[0]->setAccount($account); $authenticationTokens[0]->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL); } // add a flash message $message = new \TYPO3\Flow\Error\Message('The account "%s" was created and you were successfully logged in.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($identifier)); $this->flashMessageContainer->addMessage($message); } } elseif ($this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:ProjectManager')) { // a productManager is adding a new project to his account /** @var \GIB\GradingTool\Domain\Model\ProjectManager $projectManager */ $projectManager = $this->authenticationManager->getSecurityContext()->getParty(); $projectManager->addProject($project); $this->partyRepository->update($projectManager); } $this->persistenceManager->persistAll(); // send notification mail to project manager (bcc to team) $templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('newDataSheetProjectManagerNotification', $project); $this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, $projectManager, $formValueArray['projectManagerFirstName'] . ' ' . $formValueArray['projectManagerLastName'], $formValueArray['projectManagerEmail']); // send notification mail to the GIB team $templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('newDataSheetTeamNotification', $project); $dataSheetArray = $this->dataSheetService->getProcessedDataSheet($project); $this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, $projectManager, '', '', $dataSheetArray); } $this->persistenceManager->persistAll(); // redirect to dashboard $formRuntime = $this->finisherContext->getFormRuntime(); $request = $formRuntime->getRequest()->getMainRequest(); $uriBuilder = new \TYPO3\Flow\Mvc\Routing\UriBuilder(); $uriBuilder->setRequest($request); $uriBuilder->reset(); $uri = $uriBuilder->uriFor('editDatasheet', array('project' => $project), 'Project'); $response = $formRuntime->getResponse(); $mainResponse = $response; while ($response = $response->getParentResponse()) { $mainResponse = $response; } $mainResponse->setStatus(303); $mainResponse->setHeader('Location', (string) $uri); throw new \TYPO3\Flow\Mvc\Exception\StopActionException(); }