‪TYPO3CMS  10.4
RouteDispatcher.php
1 <?php
2 
3 /*
4  * This file is part of the TYPO3 CMS project.
5  *
6  * It is free software; you can redistribute it and/or modify it under
7  * the terms of the GNU General Public License, either version 2
8  * of the License, or any later version.
9  *
10  * For the full copyright and license information, please read the
11  * LICENSE.txt file that was distributed with this source code.
12  *
13  * The TYPO3 project - inspiring people to share!
14  */
15 
17 
18 use Psr\Http\Message\ResponseInterface;
19 use Psr\Http\Message\ServerRequestInterface;
31 
36 {
/**
 * Resolves the backend route for the request, runs the security gates and hands the
 * request to the route's target.
 *
 * The gates run in a fixed order before the target is invoked: referrer enforcement,
 * then the request-token check, then (only for routes with a truthy "module" option)
 * module and page access validation.
 *
 * @param ServerRequestInterface $request the incoming backend request
 * @return ResponseInterface the response produced by enforceReferrer() when there is one, otherwise the target's result
 * @throws InvalidRequestTokenException when isValidRequest() rejects the request
 */
public function dispatch(ServerRequestInterface $request): ResponseInterface
{
    $matchedRoute = GeneralUtility::makeInstance(Router::class)->matchRequest($request);
    $request = $request
        ->withAttribute('route', $matchedRoute)
        ->withAttribute('target', $matchedRoute->getOption('target'));

    // Referrer enforcement may short-circuit with a response of its own.
    $referrerResponse = $this->enforceReferrer($request);
    if ($referrerResponse instanceof ResponseInterface) {
        return $referrerResponse;
    }

    // Token check comes before any module handling, so a rejected request never
    // reaches the permission lookups or the target.
    if (!$this->isValidRequest($request)) {
        throw new InvalidRequestTokenException('Invalid request for route "' . $matchedRoute->getPath() . '"', 1425389455);
    }

    if ($matchedRoute->getOption('module')) {
        $this->addAndValidateModuleConfiguration($request, $matchedRoute);
    }

    $handler = $this->getCallableFromTarget($matchedRoute->getOption('target'));
    return call_user_func($handler, $request);
}
68 
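/**
 * Provides the form-protection object that isValidRequest() uses to validate tokens.
 *
 * NOTE(review): the rendered listing shows this method with an empty body (source line
 * 76 is missing from it). The return statement below is restored from the page's symbol
 * index, which lists FormProtectionFactory::get() among the symbols this file references
 * and gives AbstractFormProtection as this method's return type. Confirm against the
 * original file. With an empty body, isValidRequest() would call validateToken() on null.
 *
 * @return \TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 */
protected function getFormProtection()
{
    return \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get();
}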
78 
/**
 * Applies referrer enforcement to routes that ask for it.
 *
 * Enforcement only happens when the feature toggle "security.backend.enforceReferrer"
 * is enabled AND the route's comma-separated "referrer" option contains the flag
 * "required". In every other case the request passes through untouched.
 *
 * @param ServerRequestInterface $request request carrying the matched route in its "route" attribute
 * @return ResponseInterface|null result of ReferrerEnforcer::handle() when enforcement applies, null otherwise
 */
protected function enforceReferrer(ServerRequestInterface $request): ?ResponseInterface
{
    $featureToggles = GeneralUtility::makeInstance(Features::class);
    if ($featureToggles->isFeatureEnabled('security.backend.enforceReferrer')) {
        $matchedRoute = $request->getAttribute('route');
        // A route without a "referrer" option yields an empty flag list.
        $flags = GeneralUtility::trimExplode(',', $matchedRoute->getOption('referrer') ?? '', true);
        if (in_array('required', $flags, true)) {
            $enforcerOptions = [
                'flags' => $flags,
                'subject' => $matchedRoute->getPath(),
            ];
            return GeneralUtility::makeInstance(ReferrerEnforcer::class, $request)->handle($enforcerOptions);
        }
    }
    return null;
}
107 
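/**
 * Decides whether the request passes the request-token (CSRF) check for its route.
 *
 * Routes whose "access" option is exactly 'public' are accepted without a token. Every
 * other route needs a "token" parameter, read from the parsed body first and from the
 * query string only when the body has none. The token is validated against the form
 * name 'route' and the route's "_identifier" option.
 *
 * @param ServerRequestInterface $request request carrying the matched route in its "route" attribute
 * @return bool true for public routes or when the form protection accepts the token, false otherwise
 */
protected function isValidRequest($request)
{
    $route = $request->getAttribute('route');
    if ($route->getOption('access') === 'public') {
        return true;
    }
    // Fall back to '' so a request without any token is rejected cleanly instead of
    // raising an undefined-key notice/warning on the query parameters.
    $token = (string)($request->getParsedBody()['token'] ?? $request->getQueryParams()['token'] ?? '');
    if (!$token) {
        // Fail closed: an empty (or "0") token is refused without consulting the form protection.
        return false;
    }
    return $this->getFormProtection()->validateToken($token, 'route', $route->getOption('_identifier'));
}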
129 
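/**
 * Attaches the module configuration to the route and checks that the current backend
 * user may enter the module and, when the request names a page id, that page.
 *
 * @param ServerRequestInterface $request request whose "id" parameter (query string first, then parsed body) selects the page
 * @param Route $route matched route; receives the "moduleConfiguration" option
 * @throws \RuntimeException when the module is not configured, or when the page is not readable and no deleted record is found for it
 */
protected function addAndValidateModuleConfiguration(ServerRequestInterface $request, Route $route)
{
    $moduleName = $route->getOption('moduleName');
    $moduleConfiguration = $this->getModuleConfiguration($moduleName);
    $route->setOption('moduleConfiguration', $moduleConfiguration);

    $backendUserAuthentication = $GLOBALS['BE_USER'];

    // Module-level permission check. The return value is not inspected here, so a denial
    // can only stop the request if modAccess() throws. NOTE(review): confirm that it does.
    $backendUserAuthentication->modAccess($moduleConfiguration);

    // "?? null" lets a request without any id skip the page check without raising an
    // undefined-key notice/warning on the parsed body.
    $id = $request->getQueryParams()['id'] ?? $request->getParsedBody()['id'] ?? null;
    if (!MathUtility::canBeInterpretedAsInteger($id) || (int)$id <= 0) {
        return;
    }
    // Only the validated integer is passed on to the record lookups below.
    $pageId = (int)$id;

    // The permission clause comes from the backend user object, not from request data.
    $permClause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
    if (is_array(BackendUtility::readPageAccess($pageId, $permClause))) {
        return;
    }

    // Page is not readable: look it up again with the delete clause switched off
    // (last argument false), so a deleted page can be told apart from a forbidden one.
    $deleteField = $GLOBALS['TCA']['pages']['ctrl']['delete'];
    $pageInfo = BackendUtility::getRecord('pages', $pageId, $deleteField, $permClause ? ' AND ' . $permClause : '', false);
    // empty() also covers getRecord() returning null, which is treated as "no access".
    if (empty($pageInfo[$deleteField])) {
        throw new \RuntimeException('You don\'t have access to this page', 1289917924);
    }
}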
162 
/**
 * Looks up a module's configuration in $GLOBALS['TBE_MODULES']['_configuration'].
 *
 * @param string $moduleName key of the module in the configuration registry
 * @return mixed the stored configuration entry for that module
 * @throws \RuntimeException when no (non-null) entry exists for the module
 */
protected function getModuleConfiguration($moduleName)
{
    // A single null-coalescing read has the same "set and not null" semantics as isset().
    $configuration = $GLOBALS['TBE_MODULES']['_configuration'][$moduleName] ?? null;
    if ($configuration === null) {
        throw new \RuntimeException('Module ' . $moduleName . ' is not configured.', 1289918325);
    }
    return $configuration;
}
177 }
‪TYPO3\CMS\Core\Http\Security\ReferrerEnforcer
Definition: ReferrerEnforcer.php:31
‪TYPO3\CMS\Core\Http\Dispatcher
Definition: Dispatcher.php:30
‪TYPO3\CMS\Backend\Http\RouteDispatcher
Definition: RouteDispatcher.php:36
‪TYPO3\CMS\Backend\Http\RouteDispatcher\enforceReferrer
‪ResponseInterface null enforceReferrer(ServerRequestInterface $request)
Definition: RouteDispatcher.php:87
‪TYPO3\CMS\Core\FormProtection\FormProtectionFactory\get
‪static TYPO3 CMS Core FormProtection AbstractFormProtection get($classNameOrType='default',... $constructorArguments)
Definition: FormProtectionFactory.php:74
‪TYPO3\CMS\Core\Utility\MathUtility\canBeInterpretedAsInteger
‪static bool canBeInterpretedAsInteger($var)
Definition: MathUtility.php:74
‪TYPO3\CMS\Backend\Routing\Route\getOption
‪mixed getOption($name)
Definition: Route.php:115
‪TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException
Definition: InvalidRequestTokenException.php:24
‪TYPO3\CMS\Backend\Http\RouteDispatcher\isValidRequest
‪bool isValidRequest($request)
Definition: RouteDispatcher.php:117
‪TYPO3\CMS\Backend\Http
Definition: Application.php:18
‪TYPO3\CMS\Backend\Routing\Route
Definition: Route.php:24
‪TYPO3\CMS\Core\Type\Bitmask\Permission
Definition: Permission.php:24
‪TYPO3\CMS\Core\Http\Dispatcher\getCallableFromTarget
‪callable getCallableFromTarget($target)
Definition: Dispatcher.php:63
‪TYPO3\CMS\Backend\Http\RouteDispatcher\addAndValidateModuleConfiguration
‪addAndValidateModuleConfiguration(ServerRequestInterface $request, Route $route)
Definition: RouteDispatcher.php:138
‪TYPO3\CMS\Core\Configuration\Features
Definition: Features.php:56
‪TYPO3\CMS\Core\Type\Bitmask\Permission\PAGE_SHOW
‪const PAGE_SHOW
Definition: Permission.php:33
‪TYPO3\CMS\Backend\Utility\BackendUtility
Definition: BackendUtility.php:75
‪TYPO3\CMS\Backend\Utility\BackendUtility\getRecord
‪static array null getRecord($table, $uid, $fields=' *', $where='', $useDeleteClause=true)
Definition: BackendUtility.php:95
‪TYPO3\CMS\Core\Utility\GeneralUtility\trimExplode
‪static string[] trimExplode($delim, $string, $removeEmptyValues=false, $limit=0)
Definition: GeneralUtility.php:1059
‪TYPO3\CMS\Backend\Utility\BackendUtility\readPageAccess
‪static array false readPageAccess($id, $perms_clause)
Definition: BackendUtility.php:597
‪TYPO3\CMS\Core\FormProtection\FormProtectionFactory
Definition: FormProtectionFactory.php:47
‪$GLOBALS
‪$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['adminpanel']['modules']
Definition: ext_localconf.php:5
‪TYPO3\CMS\Backend\Http\RouteDispatcher\dispatch
‪ResponseInterface dispatch(ServerRequestInterface $request)
Definition: RouteDispatcher.php:45
‪TYPO3\CMS\Backend\Http\RouteDispatcher\getFormProtection
‪TYPO3 CMS Core FormProtection AbstractFormProtection getFormProtection()
Definition: RouteDispatcher.php:74
‪TYPO3\CMS\Core\Utility\MathUtility
Definition: MathUtility.php:22
‪TYPO3\CMS\Backend\Routing\Route\setOption
‪Route setOption($name, $value)
Definition: Route.php:103
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:46
‪TYPO3\CMS\Backend\Routing\Router
Definition: Router.php:34
‪TYPO3\CMS\Backend\Http\RouteDispatcher\getModuleConfiguration
‪array getModuleConfiguration($moduleName)
Definition: RouteDispatcher.php:170