RouteDispatcher.php

Go to the documentation of this file.

<?php
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
namespace ‪TYPO3\CMS\Backend\Http;
 
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use ‪TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
use ‪TYPO3\CMS\Backend\Routing\Route;
use ‪TYPO3\CMS\Backend\Routing\Router;
use ‪TYPO3\CMS\Backend\Utility\BackendUtility;
use ‪TYPO3\CMS\Core\Configuration\Features;
use ‪TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use ‪TYPO3\CMS\Core\Http\Dispatcher;
use ‪TYPO3\CMS\Core\Http\Security\ReferrerEnforcer;
use ‪TYPO3\CMS\Core\Type\Bitmask\Permission;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
use ‪TYPO3\CMS\Core\Utility\MathUtility;
 
class ‪RouteDispatcher extends ‪Dispatcher
{
    public function ‪dispatch(ServerRequestInterface $request): ResponseInterface
    {
        $router = GeneralUtility::makeInstance(Router::class);
        $route = $router->matchRequest($request);
        $request = $request->withAttribute('route', $route);
        $request = $request->withAttribute('target', $route->getOption('target'));
 
        $enforceReferrerResponse = $this->‪enforceReferrer($request);
        if ($enforceReferrerResponse instanceof ResponseInterface) {
            return $enforceReferrerResponse;
        }
        if (!$this->‪isValidRequest($request)) {
            throw new ‪InvalidRequestTokenException('Invalid request for route "' . $route->getPath() . '"', 1425389455);
        }
 
        if ($route->getOption('module')) {
            $this->‪addAndValidateModuleConfiguration($request, $route);
        }
        $targetIdentifier = $route->getOption('target');
        $target = $this->‪getCallableFromTarget($targetIdentifier);
        $arguments = [$request];
        return call_user_func_array($target, $arguments);
    }
 
    protected function ‪getFormProtection()
    {
        return ‪FormProtectionFactory::get();
    }
 
    protected function ‪enforceReferrer(ServerRequestInterface $request): ?ResponseInterface
    {
        $features = GeneralUtility::makeInstance(Features::class);
        if (!$features->isFeatureEnabled('security.backend.enforceReferrer')) {
            return null;
        }
        $route = $request->getAttribute('route');
        $referrerFlags = ‪GeneralUtility::trimExplode(',', $route->getOption('referrer') ?? '', true);
        if (!in_array('required', $referrerFlags, true)) {
            return null;
        }
        $referrerEnforcer = GeneralUtility::makeInstance(ReferrerEnforcer::class, $request);
        return $referrerEnforcer->handle([
            'flags' => $referrerFlags,
            'subject' => $route->getPath(),
        ]);
    }
 
    protected function ‪isValidRequest($request)
    {
        $route = $request->getAttribute('route');
        if ($route->getOption('access') === 'public') {
            return true;
        }
        $token = (string)($request->getParsedBody()['token'] ?? $request->getQueryParams()['token']);
        if ($token) {
            return $this->‪getFormProtection()->validateToken($token, 'route', $route->getOption('_identifier'));
        }
        return false;
    }
 
    protected function ‪addAndValidateModuleConfiguration(ServerRequestInterface $request, ‪Route $route)
    {
        $moduleName = $route->‪getOption('moduleName');
        $moduleConfiguration = $this->‪getModuleConfiguration($moduleName);
        $route->‪setOption('moduleConfiguration', $moduleConfiguration);
 
        $backendUserAuthentication = ‪$GLOBALS['BE_USER'];
 
        // Check permissions and exit if the user has no permission for entry
        $backendUserAuthentication->modAccess($moduleConfiguration);
        $id = $request->getQueryParams()['id'] ?? $request->getParsedBody()['id'];
        if (‪MathUtility::canBeInterpretedAsInteger($id) && $id > 0) {
            $permClause = $backendUserAuthentication->getPagePermsClause(‪Permission::PAGE_SHOW);
            // Check page access
            if (!is_array(‪BackendUtility::readPageAccess($id, $permClause))) {
                // Check if page has been deleted
                $deleteField = ‪$GLOBALS['TCA']['pages']['ctrl']['delete'];
                $pageInfo = ‪BackendUtility::getRecord('pages', $id, $deleteField, $permClause ? ' AND ' . $permClause : '', false);
                if (!$pageInfo[$deleteField]) {
                    throw new \RuntimeException('You don\'t have access to this page', 1289917924);
                }
            }
        }
    }
 
    protected function ‪getModuleConfiguration($moduleName)
    {
        if (!isset(‪$GLOBALS['TBE_MODULES']['_configuration'][$moduleName])) {
            throw new \RuntimeException('Module ' . $moduleName . ' is not configured.', 1289918325);
        }
        return ‪$GLOBALS['TBE_MODULES']['_configuration'][$moduleName];
    }
}