/** * Log a message if a post is deleted * * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint * @Flow\Around("method(TYPO3\Neos\View\TypoScriptView->render())") * @return void */ public function replacePlaceholdersIfNecessary(\TYPO3\Flow\Aop\JoinPointInterface $joinPoint) { $result = $joinPoint->getAdviceChain()->proceed($joinPoint); /* @var $typoScriptView TypoScriptView */ $typoScriptView = $joinPoint->getProxy(); $viewVariables = ObjectAccess::getProperty($typoScriptView, 'variables', TRUE); if (!isset($viewVariables['value']) || !$viewVariables['value']->getNodeType()->isOfType('Sandstorm.Newsletter:Newsletter')) { // No newsletter, so logic does not apply return $result; } /* @var $httpRequest Request */ $httpRequest = $this->controllerContext->getRequest()->getHttpRequest(); $arguments = $httpRequest->getUri()->getArguments(); if (!isset($arguments['hmac'])) { if ($this->securityContext->isInitialized() && $this->securityContext->hasRole('TYPO3.Neos:Editor')) { // Logged into backend, so we don't need to do anything. return $result; } else { // No HMAC sent -- so we return the email INCLUDING placeholders (as per customer's request) return $result; //return '<h1>Error: HMAC not included in the link.</h1>'; } } $actualHmac = $arguments['hmac']; $uriWithoutHmac = str_replace('&hmac=' . $actualHmac, '', (string) $httpRequest->getUri()); $expectedHmac = hash_hmac('sha1', urldecode($uriWithoutHmac), $this->hmacUrlSecret); if ($expectedHmac !== $actualHmac) { return '<h1>Error: Wrong link clicked.</h1>Please contact your administrator for help'; } $result = preg_replace_callback(ReplacePlaceholdersInLiveImplementation::PLACEHOLDER_REGEX, function ($element) use($arguments) { return ObjectAccess::getPropertyPath($arguments, $element[1]); }, $result); return $result; }
/** * Gets the SQL query part to add to a query. * * @param ClassMetaData $targetEntity Metadata object for the target entity to be filtered * @param string $targetTableAlias The target table alias used in the current query * @return string The constraint SQL if there is available, empty string otherwise */ public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias) { $this->initializeDependencies(); /* * TODO: Instead of checking for class account we could introduce some interface for white listing entities from entity security checks * Problem with checking the Account is, that this filter calls getRoles() on the security context while accounts are not * yet fully initialized. By this we get a half built account object that will end up in access denied exception, * as it has no roles (and other properties) set */ if ($this->securityContext->areAuthorizationChecksDisabled() || $targetEntity->getName() === \TYPO3\Flow\Security\Account::class) { return ''; } if (!$this->securityContext->isInitialized()) { if (!$this->securityContext->canBeInitialized()) { return ''; } $this->securityContext->initialize(); } // This is needed to include the current context of roles into query cache identifier $this->setParameter('__contextHash', $this->securityContext->getContextHash(), 'string'); $sqlConstraints = array(); $grantedConstraints = array(); $deniedConstraints = array(); foreach ($this->securityContext->getRoles() as $role) { $entityPrivileges = $role->getPrivilegesByType(\TYPO3\Flow\Security\Authorization\Privilege\Entity\EntityPrivilegeInterface::class); /** @var EntityPrivilegeInterface $privilege */ foreach ($entityPrivileges as $privilege) { if (!$privilege->matchesEntityType($targetEntity->getName())) { continue; } $sqlConstraint = $privilege->getSqlConstraint($targetEntity, $targetTableAlias); if ($sqlConstraint === null) { continue; } $sqlConstraints[] = ' NOT (' . $sqlConstraint . ')'; if ($privilege->isGranted()) { $grantedConstraints[] = ' NOT (' . $sqlConstraint . ')'; } elseif ($privilege->isDenied()) { $deniedConstraints[] = ' NOT (' . $sqlConstraint . ')'; } } } $grantedConstraints = array_diff($grantedConstraints, $deniedConstraints); $effectiveConstraints = array_diff($sqlConstraints, $grantedConstraints); if (count($effectiveConstraints) > 0) { return ' (' . implode(') AND (', $effectiveConstraints) . ') '; } return ''; }
/** * Checks, if the current policy allows the retrieval of the object fetched by getObjectDataByIdentifier() * * @Flow\Around("within(TYPO3\Flow\Persistence\PersistenceManagerInterface) && method(.*->getObjectByIdentifier()) && setting(TYPO3.Flow.security.enable)") * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current joinpoint * @return array The object data of the original object, or NULL if access is not permitted */ public function checkAccessAfterFetchingAnObjectByIdentifier(JoinPointInterface $joinPoint) { $result = $joinPoint->getAdviceChain()->proceed($joinPoint); if ($this->securityContext->areAuthorizationChecksDisabled() === TRUE || $this->policyService->hasPolicyEntriesForEntities() === FALSE) { return $result; } if ($this->securityContext->isInitialized() === FALSE) { if ($this->securityContext->canBeInitialized() === TRUE) { $this->securityContext->initialize(); } else { return $result; } } $authenticatedRoles = $this->securityContext->getRoles(); $entityType = $this->reflectionService->getClassNameByObject($result); if ($this->policyService->hasPolicyEntryForEntityType($entityType, $authenticatedRoles)) { if ($this->policyService->isGeneralAccessForEntityTypeGranted($entityType, $authenticatedRoles) === FALSE) { return NULL; } $policyConstraintsDefinition = $this->policyService->getResourcesConstraintsForEntityTypeAndRoles($entityType, $authenticatedRoles); if ($this->checkConstraintDefinitionsOnResultObject($policyConstraintsDefinition, $result) === FALSE) { return NULL; } } return $result; }
/** * Render the a hidden field with a CSRF token * * @return string the CSRF token field */ protected function renderCsrfTokenField() { if (!$this->securityContext->isInitialized()) { return ''; } $csrfToken = $this->securityContext->getCsrfProtectionToken(); return '<input type="hidden" name="__csrfToken" value="' . htmlspecialchars($csrfToken) . '" />' . chr(10); }
/** * Render the a hidden field with a CSRF token * * @return string the CSRF token field */ protected function renderCsrfTokenField() { if (strtolower($this->arguments['method']) === 'get') { return ''; } if (!$this->securityContext->isInitialized() || !$this->authenticationManager->isAuthenticated()) { return ''; } $csrfToken = $this->securityContext->getCsrfProtectionToken(); return '<input type="hidden" name="__csrfToken" value="' . htmlspecialchars($csrfToken) . '" />' . chr(10); }
/** * @test */ public function securityContextIsSetToInitialized() { $this->assertFalse($this->securityContext->isInitialized()); $this->securityContext->initialize(); $this->assertTrue($this->securityContext->isInitialized()); }
/** * @param \Exception $exception * @return void */ public function logException(\Exception $exception) { if (!isset($this->settings['host']) || strlen($this->settings['host']) === 0) { return; } $statusCode = NULL; if ($exception instanceof FlowException) { $statusCode = $exception->getStatusCode(); } // skip exceptions with status codes matching "skipStatusCodes" setting if (isset($this->settings['skipStatusCodes']) && in_array($statusCode, $this->settings['skipStatusCodes'])) { return; } $host = $this->settings['host']; $port = isset($this->settings['port']) ? $this->settings['port'] : UdpTransport::DEFAULT_PORT; // set chunk size option to wan (default) or lan if (isset($this->settings['chunksize']) && strtolower($this->settings['chunksize']) === 'lan') { $chunkSize = UdpTransport::CHUNK_SIZE_LAN; } else { $chunkSize = UdpTransport::CHUNK_SIZE_WAN; } // setup connection to graylog server $transport = new UdpTransport($host, $port, $chunkSize); $publisher = new Publisher(); $publisher->addTransport($transport); // set logLevel depending on http status code $logLevel = 4; // warning if ($statusCode === 500) { $logLevel = 3; // error } // build message context $messageContext = array('full_message' => $exception->getTraceAsString(), 'reference_code' => $exception instanceof FlowException ? $exception->getReferenceCode() : NULL, 'response_status' => $statusCode, 'short_message' => sprintf('%d %s', $statusCode, Response::getStatusMessageByCode($statusCode)), 'code' => $exception->getCode(), 'file' => $exception->getFile(), 'line' => $exception->getLine()); if ($this->securityContext !== NULL && $this->securityContext->isInitialized()) { $account = $this->securityContext->getAccount(); if ($account !== NULL) { $messageContext['authenticated_account'] = $account->getAccountIdentifier() . ' (' . $this->persistenceManager->getIdentifierByObject($account) . ')'; $messageContext['authenticated_roles'] = implode(', ', array_keys($this->securityContext->getRoles())); if ($this->objectManager->isRegistered(PartyService::class)) { /** @var PartyService $partyService */ $partyService = $this->objectManager->get(PartyService::class); $person = $partyService->getAssignedPartyOfAccount($account); if ($person instanceof Person) { $messageContext['authenticated_person'] = (string) $person->getName() . ' (' . $this->persistenceManager->getIdentifierByObject($person) . ')'; } } } } // prepare request details if (Bootstrap::$staticObjectManager instanceof ObjectManagerInterface) { $bootstrap = Bootstrap::$staticObjectManager->get('TYPO3\\Flow\\Core\\Bootstrap'); /* @var Bootstrap $bootstrap */ $requestHandler = $bootstrap->getActiveRequestHandler(); if ($requestHandler instanceof HttpRequestHandlerInterface) { $request = $requestHandler->getHttpRequest(); $requestData = array('request_domain' => $request->getHeader('Host'), 'request_remote_addr' => $request->getClientIpAddress(), 'request_path' => $request->getRelativePath(), 'request_uri' => $request->getUri()->getPath(), 'request_user_agent' => $request->getHeader('User-Agent'), 'request_method' => $request->getMethod(), 'request_port' => $request->getPort()); $messageContext = array_merge($messageContext, $requestData); } } // send message to graylog server $logger = new Logger($publisher); $logger->log($logLevel, $exception->getMessage(), $messageContext); }