‪TYPO3CMS  10.4
FileMetadataPermissionsAspect.php
1 <?php
2 
3 /*
4  * This file is part of the TYPO3 CMS project.
5  *
6  * It is free software; you can redistribute it and/or modify it under
7  * the terms of the GNU General Public License, either version 2
8  * of the License, or any later version.
9  *
10  * For the full copyright and license information, please read the
11  * LICENSE.txt file that was distributed with this source code.
12  *
13  * The TYPO3 project - inspiring people to share!
14  */
15 
17 
25 
32 {
43  public function ‪checkRecordUpdateAccess($table, $id, $fileMetadataRecord, $otherHookGrantedAccess, ‪DataHandler $dataHandler)
44  {
45  $accessAllowed = $otherHookGrantedAccess;
46  if ($table === 'sys_file_metadata' && $accessAllowed !== 0) {
47  $existingFileMetadataRecord = ‪BackendUtility::getRecord('sys_file_metadata', $id);
48  if ($existingFileMetadataRecord === null || (empty($existingFileMetadataRecord['file']) && !empty($fileMetadataRecord['file']))) {
49  $existingFileMetadataRecord = $fileMetadataRecord;
50  }
51  $accessAllowed = $this->‪checkFileWriteAccessForFileMetaData($existingFileMetadataRecord) ? 1 : 0;
52  }
53 
54  return $accessAllowed;
55  }
56 
67  public function ‪checkModifyAccessList(&$accessAllowed, $table, ‪DataHandler $parent)
68  {
69  if ($table === 'sys_file_metadata') {
70  if (isset($parent->cmdmap[$table]) && is_array($parent->cmdmap[$table])) {
71  foreach ($parent->cmdmap[$table] as $id => $command) {
72  if (empty($id) || !‪MathUtility::canBeInterpretedAsInteger($id)) {
73  throw new \UnexpectedValueException(
74  'Integer expected for data manipulation command.
75  This can only happen in the case of an attack attempt or when something went horribly wrong.
76  To not compromise security, we exit here.',
77  1399982816
78  );
79  }
80 
81  $fileMetadataRecord = (array)‪BackendUtility::getRecord('sys_file_metadata', (int)$id);
82  $accessAllowed = $this->‪checkFileWriteAccessForFileMetaData($fileMetadataRecord);
83  if (!$accessAllowed) {
84  // If for any item in the array, access is not allowed, we deny the whole operation
85  break;
86  }
87  }
88  }
89 
90  if (isset($parent->datamap[$table]) && is_array($parent->datamap[$table])) {
91  foreach ($parent->datamap[$table] as $id => $data) {
92  $recordAccessAllowed = false;
93 
94  if (strpos((string)$id, 'NEW') === false) {
95  $fileMetadataRecord = ‪BackendUtility::getRecord('sys_file_metadata', $id);
96  if ($fileMetadataRecord !== null) {
97  if ($parent->isImporting && empty($fileMetadataRecord['file'])) {
98  // When importing the record was added with an empty file relation as first step
99  $recordAccessAllowed = true;
100  } else {
101  $recordAccessAllowed = $this->‪checkFileWriteAccessForFileMetaData($fileMetadataRecord);
102  }
103  }
104  } else {
105  // For new records record access is allowed
106  $recordAccessAllowed = true;
107  }
108 
109  if (isset($data['file'])) {
110  if ($parent->isImporting && empty($data['file'])) {
111  // When importing the record will be created with an empty file relation as first step
112  $dataAccessAllowed = true;
113  } elseif (empty($data['file'])) {
114  $dataAccessAllowed = false;
115  } else {
116  $dataAccessAllowed = $this->‪checkFileWriteAccessForFileMetaData($data);
117  }
118  } else {
119  $dataAccessAllowed = true;
120  }
121 
122  if (!$recordAccessAllowed || !$dataAccessAllowed) {
123  // If for any item in the array, access is not allowed, we deny the whole operation
124  $accessAllowed = false;
125  break;
126  }
127  }
128  }
129  }
130  }
131 
138  public function ‪isAllowedToShowEditForm(array $parameters)
139  {
140  $table = $parameters['table'];
141  $uid = $parameters['uid'];
142  $cmd = $parameters['cmd'];
143  $accessAllowed = $parameters['hasAccess'];
144 
145  if ($accessAllowed && $table === 'sys_file_metadata' && $cmd === 'edit') {
146  $fileMetadataRecord = (array)‪BackendUtility::getRecord('sys_file_metadata', $uid);
147  $accessAllowed = $this->‪checkFileWriteAccessForFileMetaData($fileMetadataRecord);
148  }
149  return $accessAllowed;
150  }
151 
158  protected function ‪checkFileWriteAccessForFileMetaData($fileMetadataRecord)
159  {
160  $accessAllowed = false;
161  if (is_array($fileMetadataRecord) && !empty($fileMetadataRecord['file'])) {
162  $file = $fileMetadataRecord['file'];
163  // The file relation could be written as sys_file_[uid], strip this off before checking the rights
164  if (strpos($file, 'sys_file_') !== false) {
165  $file = substr($file, strlen('sys_file_'));
166  }
167  $fileObject = GeneralUtility::makeInstance(ResourceFactory::class)->getFileObject((int)$file);
168  $accessAllowed = $fileObject->checkActionPermission('editMeta');
169  }
170  return $accessAllowed;
171  }
172 }