/**
* @test
*/
public function tokenFromSessionDataIsAvailableForValidateToken()
{
$sessionToken = '881ffea2159ac72182557b79dc0c723f5a8d20136f9fab56cdd4f8b3a1dbcfcd';
$formName = 'foo';
$action = 'edit';
$formInstanceName = '42';
$tokenId = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($formName . $action . $formInstanceName . $sessionToken);
$this->getBackendUser()->expects($this->atLeastOnce())->method('getSessionData')->with('formSessionToken')->will($this->returnValue($sessionToken));
$this->subject->_call('retrieveSessionToken');
$this->assertTrue($this->subject->validateToken($tokenId, $formName, $action, $formInstanceName));
}
/**
* @test
*/
public function tokenFromSessionDataIsAvailableForValidateToken()
{
$sessionToken = '881ffea2159ac72182557b79dc0c723f5a8d20136f9fab56cdd4f8b3a1dbcfcd';
$formName = 'foo';
$action = 'edit';
$formInstanceName = '42';
$tokenId = \t3lib_div::hmac($formName . $action . $formInstanceName . $sessionToken);
$GLOBALS['BE_USER']->expects($this->atLeastOnce())->method('getSessionData')->with('formSessionToken')->will($this->returnValue($sessionToken));
$this->fixture->retrieveSessionToken();
$this->assertTrue($this->fixture->validateToken($tokenId, $formName, $action, $formInstanceName));
}
/**
* If settings are submitted to _POST[DATA], store them
* NOTICE: This method is called before the template.php is included. See
* bottom of document.
*/
public function storeIncomingData()
{
// First check if something is submitted in the data-array from POST vars
$d = \TYPO3\CMS\Core\Utility\GeneralUtility::_POST('data');
$columns = $GLOBALS['TYPO3_USER_SETTINGS']['columns'];
$beUserId = $GLOBALS['BE_USER']->user['uid'];
$storeRec = array();
$fieldList = $this->getFieldsFromShowItem();
if (is_array($d) && $this->formProtection->validateToken((string) \TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'), 'BE user setup', 'edit')) {
// UC hashed before applying changes
$save_before = md5(serialize($GLOBALS['BE_USER']->uc));
// PUT SETTINGS into the ->uc array:
// Reload left frame when switching BE language
if (isset($d['lang']) && $d['lang'] != $GLOBALS['BE_USER']->uc['lang']) {
$this->languageUpdate = TRUE;
}
// Reload pagetree if the title length is changed
if (isset($d['titleLen']) && $d['titleLen'] !== $GLOBALS['BE_USER']->uc['titleLen']) {
$this->pagetreeNeedsRefresh = TRUE;
}
if ($d['setValuesToDefault']) {
// If every value should be default
$GLOBALS['BE_USER']->resetUC();
$this->settingsAreResetToDefault = TRUE;
} elseif ($d['clearSessionVars']) {
foreach ($GLOBALS['BE_USER']->uc as $key => $value) {
if (!isset($columns[$key])) {
unset($GLOBALS['BE_USER']->uc[$key]);
}
}
$this->tempDataIsCleared = TRUE;
} elseif ($d['save']) {
// Save all submitted values if they are no array (arrays are with table=be_users) and exists in $GLOBALS['TYPO3_USER_SETTINGS'][columns]
foreach ($columns as $field => $config) {
if (!in_array($field, $fieldList)) {
continue;
}
if ($config['table']) {
if ($config['table'] == 'be_users' && !in_array($field, array('password', 'password2', 'email', 'realName', 'admin'))) {
if (!isset($config['access']) || $this->checkAccess($config) && $GLOBALS['BE_USER']->user[$field] !== $d['be_users'][$field]) {
$storeRec['be_users'][$beUserId][$field] = $d['be_users'][$field];
$GLOBALS['BE_USER']->user[$field] = $d['be_users'][$field];
}
}
}
if ($config['type'] == 'check') {
$GLOBALS['BE_USER']->uc[$field] = isset($d[$field]) ? 1 : 0;
} else {
$GLOBALS['BE_USER']->uc[$field] = htmlspecialchars($d[$field]);
}
}
// Personal data for the users be_user-record (email, name, password...)
// If email and name is changed, set it in the users record:
$be_user_data = $d['be_users'];
// Possibility to modify the transmitted values. Useful to do transformations, like RSA password decryption
if (is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/setup/mod/index.php']['modifyUserDataBeforeSave'])) {
foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/setup/mod/index.php']['modifyUserDataBeforeSave'] as $function) {
$params = array('be_user_data' => &$be_user_data);
\TYPO3\CMS\Core\Utility\GeneralUtility::callUserFunction($function, $params, $this);
}
}
$this->passwordIsSubmitted = strlen($be_user_data['password']) > 0;
$passwordIsConfirmed = $this->passwordIsSubmitted && $be_user_data['password'] === $be_user_data['password2'];
// Update the real name:
if ($be_user_data['realName'] !== $GLOBALS['BE_USER']->user['realName']) {
$GLOBALS['BE_USER']->user['realName'] = $storeRec['be_users'][$beUserId]['realName'] = substr($be_user_data['realName'], 0, 80);
}
// Update the email address:
if ($be_user_data['email'] !== $GLOBALS['BE_USER']->user['email']) {
$GLOBALS['BE_USER']->user['email'] = $storeRec['be_users'][$beUserId]['email'] = substr($be_user_data['email'], 0, 80);
}
// Update the password:
if ($passwordIsConfirmed) {
$storeRec['be_users'][$beUserId]['password'] = $be_user_data['password2'];
$this->passwordIsUpdated = TRUE;
}
$this->saveData = TRUE;
}
// Inserts the overriding values.
$GLOBALS['BE_USER']->overrideUC();
$save_after = md5(serialize($GLOBALS['BE_USER']->uc));
// If something in the uc-array of the user has changed, we save the array...
if ($save_before != $save_after) {
$GLOBALS['BE_USER']->writeUC($GLOBALS['BE_USER']->uc);
$GLOBALS['BE_USER']->writelog(254, 1, 0, 1, 'Personal settings changed', array());
$this->setupIsUpdated = TRUE;
}
// If the temporary data has been cleared, lets make a log note about it
if ($this->tempDataIsCleared) {
$GLOBALS['BE_USER']->writelog(254, 1, 0, 1, $GLOBALS['LANG']->getLL('tempDataClearedLog'), array());
}
// Persist data if something has changed:
if (count($storeRec) && $this->saveData) {
// Make instance of TCE for storing the changes.
$tce = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
$tce->stripslashes_values = 0;
$tce->start($storeRec, array(), $GLOBALS['BE_USER']);
// This is so the user can actually update his user record.
$tce->admin = 1;
// This is to make sure that the users record can be updated even if in another workspace. This is tolerated.
$tce->bypassWorkspaceRestrictions = TRUE;
$tce->process_datamap();
unset($tce);
if (!$this->passwordIsUpdated || count($storeRec['be_users'][$beUserId]) > 1) {
$this->setupIsUpdated = TRUE;
}
}
}
}
/**
* If settings are submitted to _POST[DATA], store them
* NOTICE: This method is called before the \TYPO3\CMS\Backend\Template\DocumentTemplate
* is included. See bottom of document.
*
* @see \TYPO3\CMS\Backend\Template\DocumentTemplate
*/
public function storeIncomingData()
{
// First check if something is submitted in the data-array from POST vars
$d = GeneralUtility::_POST('data');
$columns = $GLOBALS['TYPO3_USER_SETTINGS']['columns'];
$beUser = $this->getBackendUser();
$beUserId = $beUser->user['uid'];
$storeRec = array();
$fieldList = $this->getFieldsFromShowItem();
if (is_array($d) && $this->formProtection->validateToken((string) GeneralUtility::_POST('formToken'), 'BE user setup', 'edit')) {
// UC hashed before applying changes
$save_before = md5(serialize($beUser->uc));
// PUT SETTINGS into the ->uc array:
// Reload left frame when switching BE language
if (isset($d['lang']) && $d['lang'] != $beUser->uc['lang']) {
$this->languageUpdate = true;
}
// Reload pagetree if the title length is changed
if (isset($d['titleLen']) && $d['titleLen'] !== $beUser->uc['titleLen']) {
$this->pagetreeNeedsRefresh = true;
}
if ($d['setValuesToDefault']) {
// If every value should be default
$beUser->resetUC();
$this->settingsAreResetToDefault = true;
} elseif ($d['save']) {
// Save all submitted values if they are no array (arrays are with table=be_users) and exists in $GLOBALS['TYPO3_USER_SETTINGS'][columns]
foreach ($columns as $field => $config) {
if (!in_array($field, $fieldList)) {
continue;
}
if ($config['table']) {
if ($config['table'] === 'be_users' && !in_array($field, array('password', 'password2', 'passwordCurrent', 'email', 'realName', 'admin', 'avatar'))) {
if (!isset($config['access']) || $this->checkAccess($config) && $beUser->user[$field] !== $d['be_users'][$field]) {
if ($config['type'] === 'check') {
$fieldValue = isset($d['be_users'][$field]) ? 1 : 0;
} else {
$fieldValue = $d['be_users'][$field];
}
$storeRec['be_users'][$beUserId][$field] = $fieldValue;
$beUser->user[$field] = $fieldValue;
}
}
}
if ($config['type'] === 'check') {
$beUser->uc[$field] = isset($d[$field]) ? 1 : 0;
} else {
$beUser->uc[$field] = htmlspecialchars($d[$field]);
}
}
// Personal data for the users be_user-record (email, name, password...)
// If email and name is changed, set it in the users record:
$be_user_data = $d['be_users'];
// Possibility to modify the transmitted values. Useful to do transformations, like RSA password decryption
if (is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/setup/mod/index.php']['modifyUserDataBeforeSave'])) {
foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/setup/mod/index.php']['modifyUserDataBeforeSave'] as $function) {
$params = array('be_user_data' => &$be_user_data);
GeneralUtility::callUserFunction($function, $params, $this);
}
}
$this->passwordIsSubmitted = (string) $be_user_data['password'] !== '';
$passwordIsConfirmed = $this->passwordIsSubmitted && $be_user_data['password'] === $be_user_data['password2'];
// Update the real name:
if ($be_user_data['realName'] !== $beUser->user['realName']) {
$beUser->user['realName'] = $storeRec['be_users'][$beUserId]['realName'] = substr($be_user_data['realName'], 0, 80);
}
// Update the email address:
if ($be_user_data['email'] !== $beUser->user['email']) {
$beUser->user['email'] = $storeRec['be_users'][$beUserId]['email'] = substr($be_user_data['email'], 0, 80);
}
// Update the password:
if ($passwordIsConfirmed) {
$currentPasswordHashed = $GLOBALS['BE_USER']->user['password'];
$saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($currentPasswordHashed);
if ($saltFactory->checkPassword($be_user_data['passwordCurrent'], $currentPasswordHashed)) {
$this->passwordIsUpdated = self::PASSWORD_UPDATED;
$storeRec['be_users'][$beUserId]['password'] = $be_user_data['password'];
} else {
$this->passwordIsUpdated = self::PASSWORD_OLD_WRONG;
}
} else {
$this->passwordIsUpdated = self::PASSWORD_NOT_THE_SAME;
}
$this->setAvatarFileUid($beUserId, $be_user_data['avatar'], $storeRec);
$this->saveData = true;
}
// Inserts the overriding values.
$beUser->overrideUC();
$save_after = md5(serialize($beUser->uc));
// If something in the uc-array of the user has changed, we save the array...
if ($save_before != $save_after) {
$beUser->writeUC($beUser->uc);
$beUser->writelog(254, 1, 0, 1, 'Personal settings changed', array());
$this->setupIsUpdated = true;
}
// Persist data if something has changed:
if (!empty($storeRec) && $this->saveData) {
// Make instance of TCE for storing the changes.
/** @var DataHandler $dataHandler */
$dataHandler = GeneralUtility::makeInstance(DataHandler::class);
$dataHandler->stripslashes_values = false;
// This is so the user can actually update his user record.
$isAdmin = $beUser->user['admin'];
$beUser->user['admin'] = 1;
$dataHandler->start($storeRec, array(), $beUser);
// This is to make sure that the users record can be updated even if in another workspace. This is tolerated.
$dataHandler->bypassWorkspaceRestrictions = true;
$dataHandler->process_datamap();
unset($tce);
if ($this->passwordIsUpdated === self::PASSWORD_NOT_UPDATED || count($storeRec['be_users'][$beUserId]) > 1) {
$this->setupIsUpdated = true;
}
// Restore admin status after processing
$beUser->user['admin'] = $isAdmin;
}
}
}
/**
* @test
* @expectedException \Exception
* @expectedExceptionCode 1442592030
*/
public function failingTokenValidationInvokesFailingTokenClosure()
{
$this->subject->validateToken('foo', 'bar');
}
