public function setUp() { $this->mockSecurityContext = $this->getMockBuilder(Context::class)->disableOriginalConstructor()->getMock(); $this->mockSecurityContext->expects($this->any())->method('withoutAuthorizationChecks')->will($this->returnCallback(function ($callback) { return $callback->__invoke(); })); }
/** * @param \SKL\Post\Domain\Model\Author $author * @return void */ public function editAction(Author $author) { $account = $this->securityContext->getAccount(); $this->view->assign('usrname', $account->getAccountIdentifier()); $this->view->assign('listCategories', $this->categoryRepository->findAll()); $this->view->assign('author', $author); }
/** * Log a message if a post is deleted * * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint * @Flow\Around("method(TYPO3\Neos\View\TypoScriptView->render())") * @return void */ public function replacePlaceholdersIfNecessary(\TYPO3\Flow\Aop\JoinPointInterface $joinPoint) { $result = $joinPoint->getAdviceChain()->proceed($joinPoint); /* @var $typoScriptView TypoScriptView */ $typoScriptView = $joinPoint->getProxy(); $viewVariables = ObjectAccess::getProperty($typoScriptView, 'variables', TRUE); if (!isset($viewVariables['value']) || !$viewVariables['value']->getNodeType()->isOfType('Sandstorm.Newsletter:Newsletter')) { // No newsletter, so logic does not apply return $result; } /* @var $httpRequest Request */ $httpRequest = $this->controllerContext->getRequest()->getHttpRequest(); $arguments = $httpRequest->getUri()->getArguments(); if (!isset($arguments['hmac'])) { if ($this->securityContext->isInitialized() && $this->securityContext->hasRole('TYPO3.Neos:Editor')) { // Logged into backend, so we don't need to do anything. return $result; } else { // No HMAC sent -- so we return the email INCLUDING placeholders (as per customer's request) return $result; //return '<h1>Error: HMAC not included in the link.</h1>'; } } $actualHmac = $arguments['hmac']; $uriWithoutHmac = str_replace('&hmac=' . $actualHmac, '', (string) $httpRequest->getUri()); $expectedHmac = hash_hmac('sha1', urldecode($uriWithoutHmac), $this->hmacUrlSecret); if ($expectedHmac !== $actualHmac) { return '<h1>Error: Wrong link clicked.</h1>Please contact your administrator for help'; } $result = preg_replace_callback(ReplacePlaceholdersInLiveImplementation::PLACEHOLDER_REGEX, function ($element) use($arguments) { return ObjectAccess::getPropertyPath($arguments, $element[1]); }, $result); return $result; }
/** * Add the current node and all parent identifiers to be used for cache entry tagging * * @Flow\Before("method(TYPO3\Flow\Mvc\Routing\RouterCachingService->extractUuids())") * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current join point * @return void */ public function addCurrentNodeIdentifier(JoinPointInterface $joinPoint) { $values = $joinPoint->getMethodArgument('values'); if (!isset($values['node']) || strpos($values['node'], '@') === false) { return; } // Build context explicitly without authorization checks because the security context isn't available yet // anyway and any Entity Privilege targeted on Workspace would fail at this point: $this->securityContext->withoutAuthorizationChecks(function () use($joinPoint, $values) { $contextPathPieces = NodePaths::explodeContextPath($values['node']); $context = $this->contextFactory->create(['workspaceName' => $contextPathPieces['workspaceName'], 'dimensions' => $contextPathPieces['dimensions'], 'invisibleContentShown' => true]); $node = $context->getNode($contextPathPieces['nodePath']); if (!$node instanceof NodeInterface) { return; } $values['node-identifier'] = $node->getIdentifier(); $node = $node->getParent(); $values['node-parent-identifier'] = array(); while ($node !== null) { $values['node-parent-identifier'][] = $node->getIdentifier(); $node = $node->getParent(); } $joinPoint->setMethodArgument('values', $values); }); }
/** * Get the account of the first authenticated token. * * @return \TYPO3\Flow\Security\Account|NULL */ public function getAccount() { if ($this->securityContext->canBeInitialized()) { return $this->securityContext->getAccount(); } return NULL; }
/** * This is the default Policy voter, it votes for the access privilege for the given resource * * @param \TYPO3\Flow\Security\Context $securityContext The current security context * @param string $resource The resource to vote for * @return integer One of: VOTE_GRANT, VOTE_ABSTAIN, VOTE_DENY */ public function voteForResource(\TYPO3\Flow\Security\Context $securityContext, $resource) { $accessGrants = 0; $accessDenies = 0; foreach ($securityContext->getRoles() as $role) { try { $privilege = $this->policyService->getPrivilegeForResource($role, $resource); } catch (\TYPO3\Flow\Security\Exception\NoEntryInPolicyException $e) { return self::VOTE_ABSTAIN; } if ($privilege === NULL) { continue; } if ($privilege === \TYPO3\Flow\Security\Policy\PolicyService::PRIVILEGE_GRANT) { $accessGrants++; } elseif ($privilege === \TYPO3\Flow\Security\Policy\PolicyService::PRIVILEGE_DENY) { $accessDenies++; } } if ($accessDenies > 0) { return self::VOTE_DENY; } if ($accessGrants > 0) { return self::VOTE_GRANT; } return self::VOTE_ABSTAIN; }
/** * Checks the given token for validity and sets the token authentication status * accordingly (success, wrong credentials or no credentials given). * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof UsernamePassword) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username'])) { $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); } if (is_object($account)) { if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * @return void */ public function indexAction() { $account = $this->securityContext->getAccount(); $this->view->assign('usrname', $account->getAccountIdentifier()); $this->view->assign('setups', $this->setupRepository->findAll()); $this->view->assign('listCategories', $this->categoryRepository->findAll()); }
/** * Sets isAuthenticated to TRUE for all tokens. * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof Typo3OrgSsoToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } /** @var $account \TYPO3\Flow\Security\Account */ $account = null; $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username'])) { $providerName = $this->name; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, &$account) { $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); } if (is_object($account)) { $authenticationData = 'version=' . $credentials['version'] . '&user='******'username'] . '&tpa_id=' . $credentials['tpaId'] . '&expires=' . $credentials['expires'] . '&action=' . $credentials['action'] . '&flags=' . $credentials['flags'] . '&userdata=' . $credentials['userdata']; if ($this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid']) && $credentials['expires'] > time()) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * The policy enforcement advice. This advices applies the security enforcement interceptor to all methods configured in the policy. * Note: If we have some kind of "run as" functionality in the future, we would have to manipulate the security context * before calling the policy enforcement interceptor * * @Flow\Around("filter(TYPO3\Flow\Security\Authorization\Privilege\Method\MethodPrivilegePointcutFilter)") * @param JoinPointInterface $joinPoint The current joinpoint * @return mixed The result of the target method if it has not been intercepted */ public function enforcePolicy(JoinPointInterface $joinPoint) { if ($this->securityContext->areAuthorizationChecksDisabled() !== true) { $this->policyEnforcementInterceptor->setJoinPoint($joinPoint); $this->policyEnforcementInterceptor->invoke(); } return $joinPoint->getAdviceChain()->proceed($joinPoint); }
/** * Returns the currently logged in user, if any * * @return User The currently logged in user, or NULL */ public function getCurrentUser() { $account = $this->securityContext->getAccount(); if ($account === NULL) { return NULL; } return $this->userRepository->findOneHavingAccount($account); }
/** * Returns the name of the currently logged in user's personal workspace (even if that might not exist at that time). * If no user is logged in this method returns "live". * * @return string */ public function getUserWorkspaceName() { $account = $this->securityContext->getAccount(); if ($account === NULL) { return 'live'; } return 'user-' . preg_replace('/[^a-z0-9]/i', '', $account->getAccountIdentifier()); }
/** * Initializes the controller before invoking an action method. * */ public function initializeAction() { if ($this->securityContext->canBeInitialized()) { $account = $this->securityContext->getAccount(); $this->bearbeiterObj = $this->bearbeiterRepository->findOneByAccount($account); } $this->cacheInterface = $this->cacheManager->getCache('GermaniaSacra_GermaniaCache'); }
/** * @param string $title * @param string $uri * @param string $identifier */ public function disqusAction($title, $uri, $identifier) { $this->view->assign('title', $title); $this->view->assign('uri', $uri); $this->view->assign('identifier', $identifier); if ($account = $this->securityContext->getAccount()) { $this->view->assign('remoteAuth', $this->disqusRemoteAuthService->generateDisqusRemoteAuth($account)); } }
/** * Try to set the current account identifier emitting the events, if possible * * @return void */ protected function initializeAccountIdentifier() { if ($this->securityContext->canBeInitialized()) { $account = $this->securityContext->getAccount(); if ($account !== NULL) { $this->eventEmittingService->setCurrentAccountIdentifier($account->getAccountIdentifier()); } } }
/** * Initializes some basic stuff that will basically be needed for each and * every action that is executed later on. */ public function initializeAction() { // get the account of the authenticated user $this->account = $this->securityContext->getAccount(); // set the locale $this->locale = $this->localeDetector->detectLocaleFromLocaleTag($this->settings['defaultLanguage']); if ($this->l18nService->getConfiguration()->getCurrentLocale() !== $this->locale) { $this->l18nService->getConfiguration()->setCurrentLocale($this->locale); } }
/** * This returns the (first) *authenticated* OAuth token which doesn't have a party attached. * *@return AbstractClientToken */ public function getChargedAuthenticatedTokenHavingNoPartyAttached() { /** @var $token AbstractClientToken */ foreach ((array) $this->securityContext->getAuthenticationTokensOfType($this->getTokenClassName()) as $token) { if ($token->getAuthenticationStatus() === TokenInterface::AUTHENTICATION_SUCCESSFUL && ($token->getAccount() === NULL || $token->getAccount()->getParty() === NULL)) { return $token; } } return NULL; }
/** * The policy enforcement advice. This advices applies the security enforcement interceptor to all methods configured in the policy. * Note: If we have some kind of "run as" functionality in the future, we would have to manipulate the security context * before calling the policy enforcement interceptor * * @Flow\Around("setting(TYPO3.Flow.security.enable) && filter(TYPO3\Flow\Security\Policy\PolicyService)") * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current joinpoint * @return mixed The result of the target method if it has not been intercepted */ public function enforcePolicy(\TYPO3\Flow\Aop\JoinPointInterface $joinPoint) { if ($this->securityContext->areAuthorizationChecksDisabled() !== TRUE) { $this->policyEnforcementInterceptor->setJoinPoint($joinPoint); $this->policyEnforcementInterceptor->invoke(); } $result = $joinPoint->getAdviceChain()->proceed($joinPoint); // @TODO Once we use the AfterInvocation again, it needs to be invoked here and its result returned instead. return $result; }
/** * @param string $propertyPath * @return string */ public function render($propertyPath = 'party.name') { $tokens = $this->securityContext->getAuthenticationTokens(); foreach ($tokens as $token) { if ($token->isAuthenticated()) { return (string) \TYPO3\Flow\Reflection\ObjectAccess::getPropertyPath($token->getAccount(), $propertyPath); } } return ''; }
/** * Returns TRUE, if at least one of the currently authenticated accounts holds * a role with the given identifier, also recursively. * * @param string $roleIdentifier The string representation of the role to search for * @return boolean TRUE, if a role with the given string representation was found */ public function hasRole($roleIdentifier) { if ($roleIdentifier === 'TYPO3.Flow:Everybody') { return true; } if ($this->securityContext->canBeInitialized()) { return $this->securityContext->hasRole($roleIdentifier); } return false; }
/** * Renders <f:then> child if any account is currently authenticated, otherwise renders <f:else> child. * * @return string the rendered string * @api */ public function render() { $activeTokens = $this->securityContext->getAuthenticationTokens(); /** @var $token TokenInterface */ foreach ($activeTokens as $token) { if ($token->isAuthenticated()) { return $this->renderThenChild(); } } return $this->renderElseChild(); }
/** * @param string $session */ public function deleteAction($session) { $account = $this->securityContext->getAccount(); /** @var \T3DD\Backend\Domain\Model\Vote $vote */ $vote = $this->voteRepository->getVoteForAccountAndSession($session, $account); if (!$vote) { $this->response->setStatus(404); return; } $this->voteRepository->remove($vote); }
/** * Renders <f:then> child if any account is currently authenticated, otherwise renders <f:else> child. * * @param string $authenticationProviderName * @return string the rendered string * @api */ public function render($authenticationProviderName = 'Sandstorm.UserManagement:Login') { $activeTokens = $this->securityContext->getAuthenticationTokens(); /** @var $token TokenInterface */ foreach ($activeTokens as $token) { if ($token->getAuthenticationProviderName() === $authenticationProviderName && $token->isAuthenticated()) { return $this->renderThenChild(); } } return $this->renderElseChild(); }
/** * @throws \TYPO3\Flow\Security\Exception\AuthenticationRequiredException * @throws \TYPO3\Flow\Security\Exception\AccessDeniedException * @return void */ public function authenticateAction() { try { $this->authenticationManager->authenticate(); $account = $this->securityContext->getAccount(); $this->redirect('index', 'Dashboard', NULL, array('user' => $account)); } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) { $this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error('Bitte die korrekten Benutzerdaten eingeben.')); //$this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error($exception->getMessage())); throw $exception; } }
/** * Create an action request from stored route match values and dispatch to that * * @param ComponentContext $componentContext * @return void */ public function handle(ComponentContext $componentContext) { $httpRequest = $componentContext->getHttpRequest(); /** @var $actionRequest ActionRequest */ $actionRequest = $this->objectManager->get(ActionRequest::class, $httpRequest); $this->securityContext->setRequest($actionRequest); $routingMatchResults = $componentContext->getParameter(Routing\RoutingComponent::class, 'matchResults'); $actionRequest->setArguments($this->mergeArguments($httpRequest, $routingMatchResults)); $this->setDefaultControllerAndActionNameIfNoneSpecified($actionRequest); $componentContext->setParameter(self::class, 'actionRequest', $actionRequest); $this->dispatcher->dispatch($actionRequest, $componentContext->getHttpResponse()); }
/** * @param Participant $participant */ public function updateAction(Participant $participant) { $participantEntity = $participant->getPayload(); if ($participantEntity->getAccount() !== NULL && $participantEntity->getAccount() !== $this->securityContext->getAccount() && !$this->securityContext->hasRole('T3DD.Backend:Administrator')) { $this->response->setStatus(403); return; } if (!$participantEntity->isCompleted()) { $participantEntity->setCompleted(TRUE); $participantEntity->setAccount($this->securityContext->getAccount()); } $this->participantRepository->update($participantEntity); $this->view->assign('value', $participant); }
/** * Update/adds a user preference * * @param string $key The key of the preference to update/add * @param string $value The value of the preference * @return void */ public function updateAction($key, $value) { /** @var $user User */ $user = $this->securityContext->getPartyByType('TYPO3\\Neos\\Domain\\Model\\User'); // TODO: This should be done in an earlier stage (TypeConverter ?) if (strtolower($value) === 'false') { $value = FALSE; } elseif (strtolower($value) === 'true') { $value = TRUE; } $user->getPreferences()->set($key, $value); $this->partyRepository->update($user); $this->throwStatus(204, 'User preferences have been updated'); }
/** * Notify SSO servers about the logged out client * * All active authentication tokens of type SingleSignOnToken will be * used to get the registered global session id and send a request * to the session service on the SSO server. * * @return void */ public function logout() { $allConfiguration = $this->configurationManager->getConfiguration(\TYPO3\Flow\Configuration\ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'TYPO3.Flow'); $tokens = $this->securityContext->getAuthenticationTokensOfType('Flowpack\\SingleSignOn\\Client\\Security\\SingleSignOnToken'); foreach ($tokens as $token) { $providerName = $token->getAuthenticationProviderName(); $serverIdentifier = \TYPO3\Flow\Utility\Arrays::getValueByPath($allConfiguration, 'security.authentication.providers.' . $providerName . '.providerOptions.server'); if ($serverIdentifier !== NULL) { $ssoClient = $this->ssoClientFactory->create(); $ssoServer = $this->ssoServerFactory->create($serverIdentifier); $ssoServer->destroySession($ssoClient, $token->getGlobalSessionId()); } } }
/** * @param NodeInterface $node * @return string * @throws NeosException */ public function render(NodeInterface $node) { if ($this->privilegeManager->isPrivilegeTargetGranted('TYPO3.Neos:Backend.GeneralAccess') === false) { return ''; } /** @var $actionRequest ActionRequest */ $actionRequest = $this->controllerContext->getRequest(); $innerView = new StandaloneView($actionRequest); $innerView->setTemplatePathAndFilename('resource://TYPO3.Neos/Private/Templates/Backend/Content/Container.html'); $innerView->setFormat('html'); $innerView->setPartialRootPath('resource://TYPO3.Neos/Private/Partials'); $user = $this->securityContext->getPartyByType('TYPO3\\Neos\\Domain\\Model\\User'); $innerView->assignMultiple(array('node' => $node, 'modules' => $this->menuHelper->buildModuleList($this->controllerContext), 'sites' => $this->menuHelper->buildSiteList($this->controllerContext), 'user' => $user)); return $innerView->render(); }
/** * Initialize view action * * @param \TYPO3\Flow\Mvc\View\ViewInterface $view * @return void */ protected function initializeView(\TYPO3\Flow\Mvc\View\ViewInterface $view) { $loggedUser = $this->securityContext->getAccount(); $currentUrl = $this->request->getHttpRequest()->getUri(); $view->assign('currentpage', $currentUrl); $view->assign('state', $this->base64UrlEncode($currentUrl)); if ($loggedUser != NULL) { $view->assign('loggedInUser', $this->securityContext->getAccount()->getAccountIdentifier()); $view->assign('currentUser', $this->securityContext->getAccount()->getParty()); } $facebook_appid = $this->facebookService->getAppId(); $facebook_redirecturi = $this->facebookService->getRedirectUri(); $vkLoginUrl = $this->vkService->getAuthorizationUri(); $this->view->assignMultiple(array('vk_url' => $vkLoginUrl, 'google_url' => $this->googlePlusService->getAuthorizationUri(), 'facebook_appid' => $facebook_appid, 'facebook_redirecturi' => $facebook_redirecturi)); }