/**
* {@inheritDoc}
*/
public function redirect($url, $status = null)
{
if (Router::normalize($this->Auth->config('loginAction')) == Router::normalize($url)) {
return $this->Api->response(ApiReturnCode::NOT_AUTHENTICATED);
}
return parent::redirect($url, $status);
}
protected function getExistingUser(Request $request)
{
$login_url = isset($this->_config['login_url']) ? $this->_config['login_url'] : null;
$server_unique_id_field = $this->_config['unique_id'];
$user_unique_id_field = $this->_config['mapping'][$server_unique_id_field];
/*
* Check if the Shibboleth authentication must be done on the current URL
*/
$do_login = false;
if (empty($login_url)) {
/*
* By default, Shibboleth login is done on every urls
*/
$do_login = true;
} else {
/*
* A specific url is given for login. Check if it matches the current request
*/
/*
* When CsrfComponent is used, a '_csrfToken' key exist in $request->params and it prevents urls comparison
* -> remove it
*
* Since CakePHP 3.2.11 a '_matchedRoute' key may exist in $request->params, also preventing urls comparison
* -> remove it
*/
$request_params = $request->params;
unset($request_params['_csrfToken']);
unset($request_params['_matchedRoute']);
$normalized_login_url = StringTool::remove_trailing(Router::normalize(Router::url($login_url)), '?');
$normalized_current_url = StringTool::remove_trailing(Router::normalize(Router::url($request_params)), '?');
if ($normalized_login_url == $normalized_current_url) {
$do_login = true;
}
}
if ($do_login) {
$this->_config['fields']['username'] = $user_unique_id_field;
$user = $this->_findUser($this->get_server_value($request, $server_unique_id_field));
if (!empty($user)) {
$user = $this->updateUserAttributes($request, $user);
if (!empty($user)) {
return $user->toArray();
}
} else {
if (isset($this->_config['create_new_user']) && $this->_config['create_new_user']) {
$user = $this->createNewUser($request);
if (!empty($user)) {
return $user->toArray();
}
}
}
}
return false;
}
/**
* test that the returned URL doesn't contain the base URL.
*
* @see https://cakephp.lighthouseapp.com/projects/42648/tickets/3922-authcomponentredirecturl-prepends-appbaseurl
*
* @return void This test method doesn't return anything.
*/
public function testRedirectUrlWithBaseSet()
{
$App = Configure::read('App');
Configure::write('App', ['dir' => APP_DIR, 'webroot' => 'webroot', 'base' => false, 'baseUrl' => '/cake/index.php']);
$url = '/users/login';
$this->Auth->request = $this->Controller->request = new Request($url);
$this->Auth->request->addParams(Router::parse($url));
$this->Auth->request->url = Router::normalize($url);
Router::setRequestInfo($this->Auth->request);
$this->Auth->config('loginAction', ['controller' => 'users', 'action' => 'login']);
$this->Auth->config('loginRedirect', ['controller' => 'users', 'action' => 'home']);
$result = $this->Auth->redirectUrl();
$this->assertEquals('/users/home', $result);
$this->assertFalse($this->Auth->session->check('Auth.redirect'));
Configure::write('App', $App);
Router::reload();
}
/**
* testUrlNormalization method
*
* @return void
*/
public function testUrlNormalization()
{
Router::connect('/:controller/:action');
$expected = '/users/logout';
$result = Router::normalize('/users/logout/');
$this->assertEquals($expected, $result);
$result = Router::normalize('//users//logout//');
$this->assertEquals($expected, $result);
$result = Router::normalize('users/logout');
$this->assertEquals($expected, $result);
$result = Router::normalize(array('controller' => 'users', 'action' => 'logout'));
$this->assertEquals($expected, $result);
$result = Router::normalize('/');
$this->assertEquals('/', $result);
$result = Router::normalize('http://google.com/');
$this->assertEquals('http://google.com/', $result);
$result = Router::normalize('http://google.com//');
$this->assertEquals('http://google.com//', $result);
$result = Router::normalize('/users/login/scope://foo');
$this->assertEquals('/users/login/scope:/foo', $result);
$result = Router::normalize('/recipe/recipes/add');
$this->assertEquals('/recipe/recipes/add', $result);
$request = new Request();
$request->base = '/us';
Router::setRequestInfo($request);
$result = Router::normalize('/us/users/logout/');
$this->assertEquals('/users/logout', $result);
Router::reload();
$request = new Request();
$request->base = '/cake_12';
Router::setRequestInfo($request);
$result = Router::normalize('/cake_12/users/logout/');
$this->assertEquals('/users/logout', $result);
Router::reload();
$_back = Configure::read('App.fullBaseUrl');
Configure::write('App.fullBaseUrl', '/');
$request = new Request();
$request->base = '/';
Router::setRequestInfo($request);
$result = Router::normalize('users/login');
$this->assertEquals('/users/login', $result);
Configure::write('App.fullBaseUrl', $_back);
Router::reload();
$request = new Request();
$request->base = 'beer';
Router::setRequestInfo($request);
$result = Router::normalize('beer/admin/beers_tags/add');
$this->assertEquals('/admin/beers_tags/add', $result);
$result = Router::normalize('/admin/beers_tags/add');
$this->assertEquals('/admin/beers_tags/add', $result);
}
/**
* Calls a controller's method from any location. Can be used to connect controllers together
* or tie plugins into a main application. requestAction can be used to return rendered views
* or fetch the return value from controller actions.
*
* Under the hood this method uses Router::reverse() to convert the $url parameter into a string
* URL. You should use URL formats that are compatible with Router::reverse()
*
* ### Examples
*
* A basic example getting the return value of the controller action:
*
* ```
* $variables = $this->requestAction('/articles/popular');
* ```
*
* A basic example of request action to fetch a rendered page without the layout.
*
* ```
* $viewHtml = $this->requestAction('/articles/popular', ['return']);
* ```
*
* You can also pass the URL as an array:
*
* ```
* $vars = $this->requestAction(['controller' => 'articles', 'action' => 'popular']);
* ```
*
* ### Passing other request data
*
* You can pass POST, GET, COOKIE and other data into the request using the appropriate keys.
* Cookies can be passed using the `cookies` key. Get parameters can be set with `query` and post
* data can be sent using the `post` key.
*
* ```
* $vars = $this->requestAction('/articles/popular', [
* 'query' => ['page' => 1],
* 'cookies' => ['remember_me' => 1],
* ]);
* ```
*
* ### Sending environment or header values
*
* By default actions dispatched with this method will use the global $_SERVER and $_ENV
* values. If you want to override those values for a request action, you can specify the values:
*
* ```
* $vars = $this->requestAction('/articles/popular', [
* 'environment' => ['CONTENT_TYPE' => 'application/json']
* ]);
* ```
*
* ### Transmitting the session
*
* By default actions dispatched with this method will use the standard session object.
* If you want a particular session instance to be used, you need to specify it.
*
* ```
* $vars = $this->requestAction('/articles/popular', [
* 'session' => new Session($someSessionConfig)
* ]);
* ```
*
* @param string|array $url String or array-based url. Unlike other url arrays in CakePHP, this
* url will not automatically handle passed arguments in the $url parameter.
* @param array $extra if array includes the key "return" it sets the autoRender to true. Can
* also be used to submit GET/POST data, and passed arguments.
* @return mixed Boolean true or false on success/failure, or contents
* of rendered action if 'return' is set in $extra.
* @deprecated 3.3.0 You should refactor your code to use View Cells instead of this method.
*/
public function requestAction($url, array $extra = [])
{
if (empty($url)) {
return false;
}
if (($index = array_search('return', $extra)) !== false) {
$extra['return'] = 0;
$extra['autoRender'] = 1;
unset($extra[$index]);
}
$extra += ['autoRender' => 0, 'return' => 1, 'bare' => 1, 'requested' => 1];
$baseUrl = Configure::read('App.fullBaseUrl');
if (is_string($url) && strpos($url, $baseUrl) === 0) {
$url = Router::normalize(str_replace($baseUrl, '', $url));
}
if (is_string($url)) {
$params = ['url' => $url];
} elseif (is_array($url)) {
$defaultParams = ['plugin' => null, 'controller' => null, 'action' => null];
$params = ['params' => $url + $defaultParams, 'base' => false, 'url' => Router::reverse($url)];
if (empty($params['params']['pass'])) {
$params['params']['pass'] = [];
}
}
$current = Router::getRequest();
if ($current) {
$params['base'] = $current->base;
$params['webroot'] = $current->webroot;
}
$params['post'] = $params['query'] = [];
if (isset($extra['post'])) {
$params['post'] = $extra['post'];
}
if (isset($extra['query'])) {
$params['query'] = $extra['query'];
}
if (isset($extra['cookies'])) {
$params['cookies'] = $extra['cookies'];
}
if (isset($extra['environment'])) {
$params['environment'] = $extra['environment'] + $_SERVER + $_ENV;
}
unset($extra['environment'], $extra['post'], $extra['query']);
$params['session'] = isset($extra['session']) ? $extra['session'] : new Session();
$request = new Request($params);
$request->addParams($extra);
$dispatcher = DispatcherFactory::create();
// If an application is using PSR7 middleware,
// we need to 'fix' their missing dispatcher filters.
$needed = ['routing' => RoutingFilter::class, 'controller' => ControllerFactoryFilter::class];
foreach ($dispatcher->filters() as $filter) {
if ($filter instanceof RoutingFilter) {
unset($needed['routing']);
}
if ($filter instanceof ControllerFactoryFilter) {
unset($needed['controller']);
}
}
foreach ($needed as $class) {
$dispatcher->addFilter(new $class());
}
$result = $dispatcher->dispatch($request, new Response());
Router::popRequest();
return $result;
}
/**
* Get the URL a user should be redirected to upon login.
*
* Pass a URL in to set the destination a user should be redirected to upon
* logging in.
*
* If no parameter is passed, gets the authentication redirect URL. The URL
* returned is as per following rules:
*
* - Returns the normalized URL from session Auth.redirect value if it is
* present and for the same domain the current app is running on.
* - If there is no session value and there is a config `loginRedirect`, the
* `loginRedirect` value is returned.
* - If there is no session and no `loginRedirect`, / is returned.
*
* @param string|array $url Optional URL to write as the login redirect URL.
* @return string Redirect URL
*/
public function redirectUrl($url = null)
{
if ($url !== null) {
$redir = $url;
$this->session->write('Auth.redirect', $redir);
} elseif ($this->session->check('Auth.redirect')) {
$redir = $this->session->read('Auth.redirect');
$this->session->delete('Auth.redirect');
if (Router::normalize($redir) === Router::normalize($this->_config['loginAction'])) {
$redir = $this->_config['loginRedirect'];
}
} elseif ($this->_config['loginRedirect']) {
$redir = $this->_config['loginRedirect'];
} else {
$redir = '/';
}
if (is_array($redir)) {
return Router::url($redir + ['_base' => false]);
}
return $redir;
}
/**
* Get the URL a user should be redirected to upon login.
*
* Pass a URL in to set the destination a user should be redirected to upon
* logging in.
*
* If no parameter is passed, gets the authentication redirect URL. The URL
* returned is as per following rules:
*
* - Returns the normalized redirect URL from storage if it is
* present and for the same domain the current app is running on.
* - If there is no URL returned from storage and there is a config
* `loginRedirect`, the `loginRedirect` value is returned.
* - If there is no session and no `loginRedirect`, / is returned.
*
* @param string|array $url Optional URL to write as the login redirect URL.
* @return string Redirect URL
*/
public function redirectUrl($url = null)
{
if ($url !== null) {
$redir = $url;
$this->storage()->redirectUrl($redir);
} elseif ($redir = $this->storage()->redirectUrl()) {
$this->storage()->redirectUrl(false);
if (Router::normalize($redir) === Router::normalize($this->_config['loginAction'])) {
$redir = $this->_config['loginRedirect'];
}
} elseif ($this->_config['loginRedirect']) {
$redir = $this->_config['loginRedirect'];
} else {
$redir = '/';
}
if (is_array($redir)) {
return Router::url($redir + ['_base' => false]);
}
return $redir;
}
/**
* Gets content's details page URL.
*
* Content's details URL's follows the syntax below:
*
* http://example.com/{content-type-slug}/{content-slug}{CONTENT_EXTENSION}
*
* Example:
*
* http://example.com/blog-article/my-first-article.html
*
* @return string
*/
protected function _getUrl()
{
$url = Router::getRequest()->base;
if (option('url_locale_prefix')) {
$url .= '/' . I18n::locale();
}
$url .= "/{$this->content_type_slug}/{$this->slug}";
return Router::normalize($url) . CONTENT_EXTENSION;
}
/**
* Calls a controller's method from any location. Can be used to connect controllers together
* or tie plugins into a main application. requestAction can be used to return rendered views
* or fetch the return value from controller actions.
*
* Under the hood this method uses Router::reverse() to convert the $url parameter into a string
* URL. You should use URL formats that are compatible with Router::reverse()
*
* ### Examples
*
* A basic example getting the return value of the controller action:
*
* ```
* $variables = $this->requestAction('/articles/popular');
* ```
*
* A basic example of request action to fetch a rendered page without the layout.
*
* ```
* $viewHtml = $this->requestAction('/articles/popular', ['return']);
* ```
*
* You can also pass the URL as an array:
*
* ```
* $vars = $this->requestAction(['controller' => 'articles', 'action' => 'popular']);
* ```
*
* ### Passing other request data
*
* You can pass POST, GET, COOKIE and other data into the request using the appropriate keys.
* Cookies can be passed using the `cookies` key. Get parameters can be set with `query` and post
* data can be sent using the `post` key.
*
* ```
* $vars = $this->requestAction('/articles/popular', [
* 'query' => ['page' => 1],
* 'cookies' => ['remember_me' => 1],
* ]);
* ```
*
* ### Sending environment or header values
*
* By default actions dispatched with this method will use the global $_SERVER and $_ENV
* values. If you want to override those values for a request action, you can specify the values:
*
* ```
* $vars = $this->requestAction('/articles/popular', [
* 'environment' => ['CONTENT_TYPE' => 'application/json']
* ]);
* ```
*
* ### Transmitting the session
*
* By default actions dispatched with this method will use the standard session object.
* If you want a particular session instance to be used, you need to specify it.
*
* ```
* $vars = $this->requestAction('/articles/popular', [
* 'session' => new Session($someSessionConfig)
* ]);
* ```
*
* @param string|array $url String or array-based url. Unlike other url arrays in CakePHP, this
* url will not automatically handle passed arguments in the $url parameter.
* @param array $extra if array includes the key "return" it sets the autoRender to true. Can
* also be used to submit GET/POST data, and passed arguments.
* @return mixed Boolean true or false on success/failure, or contents
* of rendered action if 'return' is set in $extra.
*/
public function requestAction($url, array $extra = [])
{
if (empty($url)) {
return false;
}
if (($index = array_search('return', $extra)) !== false) {
$extra['return'] = 0;
$extra['autoRender'] = 1;
unset($extra[$index]);
}
$extra += ['autoRender' => 0, 'return' => 1, 'bare' => 1, 'requested' => 1];
$baseUrl = Configure::read('App.fullBaseUrl');
if (is_string($url) && strpos($url, $baseUrl) === 0) {
$url = Router::normalize(str_replace($baseUrl, '', $url));
}
if (is_string($url)) {
$params = ['url' => $url];
} elseif (is_array($url)) {
$defaultParams = ['plugin' => null, 'controller' => null, 'action' => null];
$params = ['params' => $url + $defaultParams, 'base' => false, 'url' => Router::reverse($url)];
if (empty($params['params']['pass'])) {
$params['params']['pass'] = [];
}
}
$current = Router::getRequest();
if ($current) {
$params['base'] = $current->base;
$params['webroot'] = $current->webroot;
}
$params['post'] = $params['query'] = [];
if (isset($extra['post'])) {
$params['post'] = $extra['post'];
}
if (isset($extra['query'])) {
$params['query'] = $extra['query'];
}
if (isset($extra['cookies'])) {
$params['cookies'] = $extra['cookies'];
}
if (isset($extra['environment'])) {
$params['environment'] = $extra['environment'] + $_SERVER + $_ENV;
}
unset($extra['environment'], $extra['post'], $extra['query']);
$params['session'] = isset($extra['session']) ? $extra['session'] : new Session();
$request = new Request($params);
$request->addParams($extra);
$dispatcher = DispatcherFactory::create();
$result = $dispatcher->dispatch($request, new Response());
Router::popRequest();
return $result;
}
/**
* Check if a given url is authorized
*
* @param Event $event event
*
* @return bool
*/
public function isUrlAuthorized(Event $event)
{
$url = Hash::get((array) $event->data, 'url');
if (empty($url)) {
return false;
}
if (is_array($url)) {
$requestUrl = Router::reverse($url);
$requestParams = Router::parse($requestUrl);
} else {
try {
//remove base from $url if exists
$normalizedUrl = Router::normalize($url);
$requestParams = Router::parse($normalizedUrl);
} catch (MissingRouteException $ex) {
//if it's a url pointing to our own app
if (substr($normalizedUrl, 0, 1) === '/') {
throw $ex;
}
return true;
}
$requestUrl = $url;
}
// check if controller action is allowed
if ($this->_isActionAllowed($requestParams)) {
return true;
}
// check we are logged in
$user = $this->_registry->getController()->Auth->user();
if (empty($user)) {
return false;
}
$request = new Request($requestUrl);
$request->params = $requestParams;
$isAuthorized = $this->_registry->getController()->Auth->isAuthorized(null, $request);
return $isAuthorized;
}
public function isLinkActive($url)
{
//TODO: Maybe more intelligent active link detection
$currentUrl = Router::url($this->request->params);
if (!empty($this->request->base) || $this->request->base != '/') {
$currentUrl = str_replace($this->request->base, '', $currentUrl);
}
if (!is_array($url)) {
$url = Router::parse($url);
}
if ($this->request->params['controller'] == $url['controller']) {
$url = Router::normalize($url);
return (bool) preg_match("/^(" . preg_quote($url, "/") . ")/", trim($currentUrl));
}
}
/**
* Calls a controller's method from any location. Can be used to connect controllers together
* or tie plugins into a main application. requestAction can be used to return rendered views
* or fetch the return value from controller actions.
*
* Under the hood this method uses Router::reverse() to convert the $url parameter into a string
* URL. You should use URL formats that are compatible with Router::reverse()
*
* ### Examples
*
* A basic example getting the return value of the controller action:
*
* {{{
* $variables = $this->requestAction('/articles/popular');
* }}}
*
* A basic example of request action to fetch a rendered page without the layout.
*
* {{{
* $viewHtml = $this->requestAction('/articles/popular', ['return']);
* }}}
*
* You can also pass the URL as an array:
*
* {{{
* $vars = $this->requestAction(['controller' => 'articles', 'action' => 'popular']);
* }}}
*
* ### Passing other request data
*
* You can pass POST, GET, COOKIE and other data into the request using the apporpriate keys.
* Cookies can be passed using the `cookies` key. Get parameters can be set with `query` and post
* data can be sent using the `post` key.
*
* {{{
* $vars = $this->requestAction('/articles/popular', [
* 'query' => ['page' = > 1],
* 'cookies' => ['remember_me' => 1],
* ]);
* }}}
*
* @param string|array $url String or array-based url. Unlike other url arrays in CakePHP, this
* url will not automatically handle passed arguments in the $url parameter.
* @param array $extra if array includes the key "return" it sets the autoRender to true. Can
* also be used to submit GET/POST data, and passed arguments.
* @return mixed Boolean true or false on success/failure, or contents
* of rendered action if 'return' is set in $extra.
*/
public function requestAction($url, array $extra = array())
{
if (empty($url)) {
return false;
}
if (($index = array_search('return', $extra)) !== false) {
$extra['return'] = 0;
$extra['autoRender'] = 1;
unset($extra[$index]);
}
$extra = array_merge(['autoRender' => 0, 'return' => 1, 'bare' => 1, 'requested' => 1], $extra);
$post = $query = [];
if (isset($extra['post'])) {
$post = $extra['post'];
}
if (isset($extra['query'])) {
$query = $extra['query'];
}
unset($extra['post'], $extra['query']);
if (is_string($url) && strpos($url, Configure::read('App.fullBaseUrl')) === 0) {
$url = Router::normalize(str_replace(Configure::read('App.fullBaseUrl'), '', $url));
}
if (is_string($url)) {
$params = ['url' => $url];
} elseif (is_array($url)) {
$params = array_merge($url, ['pass' => [], 'base' => false, 'url' => Router::reverse($url)]);
}
if (!empty($post)) {
$params['post'] = $post;
}
if (!empty($query)) {
$params['query'] = $query;
}
$request = new Request($params);
$dispatcher = new Dispatcher();
$result = $dispatcher->dispatch($request, new Response(), $extra);
Router::popRequest();
return $result;
}
/**
* Checks whether the user is allowed to access a specific URL
*
* @param array $user user to check with
* @param array|string $url url to check
* @return void
*/
public function urlAllowed($user, $url)
{
if (empty($url)) {
return false;
}
if (is_array($url)) {
// prevent plugin confusion
$url = Hash::merge(['plugin' => null], $url);
$url = Router::url($url);
// strip off the base path
$url = Router::normalize($url);
}
$route = Router::parse($url);
if (empty($route['controller']) || empty($route['action'])) {
return false;
}
return $this->isAuthorized($user, $route['plugin'], $route['controller'], $route['action']);
}
