TYPO3 CMS  TYPO3_6-2
FileMetadataPermissionsAspect.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Core\Resource\Security;
3 
4 /*
5  * This file is part of the TYPO3 CMS project.
6  *
7  * It is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU General Public License, either version 2
9  * of the License, or any later version.
10  *
11  * For the full copyright and license information, please read the
12  * LICENSE.txt file that was distributed with this source code.
13  *
14  * The TYPO3 project - inspiring people to share!
15  */
16 
17 use TYPO3\CMS\Backend\Utility\BackendUtility;
18 use TYPO3\CMS\Core\DataHandling\DataHandler;
19 use TYPO3\CMS\Core\DataHandling\DataHandlerCheckModifyAccessListHookInterface;
20 use TYPO3\CMS\Core\Resource\ResourceFactory;
21 use TYPO3\CMS\Core\SingletonInterface;
22 use TYPO3\CMS\Core\Utility\MathUtility;
23 
29 class FileMetadataPermissionsAspect implements DataHandlerCheckModifyAccessListHookInterface, SingletonInterface {
30 
41  public function checkRecordUpdateAccess($table, $id, $fileMetadataRecord, $otherHookGrantedAccess, DataHandler $dataHandler) {
42  $accessAllowed = $otherHookGrantedAccess;
43  if ($table === 'sys_file_metadata' && $accessAllowed !== 0) {
44  $existingFileMetadataRecord = BackendUtility::getRecord('sys_file_metadata', $id);
45  if ($existingFileMetadataRecord === NULL || (empty($existingFileMetadataRecord['file']) && !empty($fileMetadataRecord['file']))) {
46  $existingFileMetadataRecord = $fileMetadataRecord;
47  }
48  $accessAllowed = $this->checkFileWriteAccessForFileMetaData($existingFileMetadataRecord) ? 1 : 0;
49  }
50 
51  return $accessAllowed;
52  }
53 
65  public function checkModifyAccessList(&$accessAllowed, $table, DataHandler $parent) {
66  if ($table === 'sys_file_metadata') {
67  if (isset($parent->cmdmap[$table]) && is_array($parent->cmdmap[$table])) {
68  foreach ($parent->cmdmap[$table] as $id => $command) {
69  if (empty($id) || !MathUtility::canBeInterpretedAsInteger($id)) {
70  throw new \UnexpectedValueException(
71  'Integer expected for data manipulation command.
72  This can only happen in the case of an attack attempt or when something went horribly wrong.
73  To not compromise security, we exit here.',
74  1399982816
75  );
76  }
77 
78  $fileMetadataRecord = BackendUtility::getRecord('sys_file_metadata', $id);
79  $accessAllowed = $this->checkFileWriteAccessForFileMetaData($fileMetadataRecord);
80  if (!$accessAllowed) {
81  // If for any item in the array, access is not allowed, we deny the whole operation
82  break;
83  }
84  }
85  }
86 
87  if (isset($parent->datamap[$table]) && is_array($parent->datamap[$table])) {
88  foreach ($parent->datamap[$table] as $id => $data) {
89 
90  $recordAccessAllowed = FALSE;
91 
92  if (strpos($id, 'NEW') === FALSE) {
93  $fileMetadataRecord = BackendUtility::getRecord('sys_file_metadata', $id);
94  if ($fileMetadataRecord !== NULL) {
95  if ($parent->isImporting && empty($fileMetadataRecord['file'])) {
96  // when importing the record was added with an empty file relation as first step
97  $recordAccessAllowed = TRUE;
98  } else {
99  $recordAccessAllowed = $this->checkFileWriteAccessForFileMetaData($fileMetadataRecord);
100  }
101  }
102  } else {
103  // for new records record access is allowed
104  $recordAccessAllowed = TRUE;
105  }
106 
107  if (isset($data['file'])) {
108  if ($parent->isImporting && empty($data['file'])) {
109  // when importing the record will be created with an empty file relation as first step
110  $dataAccessAllowed = TRUE;
111  } elseif (empty($data['file'])) {
112  $dataAccessAllowed = FALSE;
113  } else {
114  $dataAccessAllowed = $this->checkFileWriteAccessForFileMetaData($data);
115  }
116  } else {
117  $dataAccessAllowed = TRUE;
118  }
119 
120  if (!$recordAccessAllowed || !$dataAccessAllowed) {
121  // If for any item in the array, access is not allowed, we deny the whole operation
122  $accessAllowed = FALSE;
123  break;
124  }
125  }
126  }
127  }
128  }
129 
136  public function isAllowedToShowEditForm(array $parameters) {
137  $table = $parameters['table'];
138  $uid = $parameters['uid'];
139  $cmd = $parameters['cmd'];
140  $accessAllowed = $parameters['hasAccess'];
141 
142  if ($accessAllowed && $table === 'sys_file_metadata' && $cmd === 'edit') {
143  $fileMetadataRecord = BackendUtility::getRecord('sys_file_metadata', $uid);
144  $accessAllowed = $this->checkFileWriteAccessForFileMetaData($fileMetadataRecord);
145  }
146  return $accessAllowed;
147  }
148 
155  protected function checkFileWriteAccessForFileMetaData($fileMetadataRecord) {
156  $accessAllowed = FALSE;
157  if (is_array($fileMetadataRecord) && !empty($fileMetadataRecord['file'])) {
158  $file = $fileMetadataRecord['file'];
159  // the file relation could be written as sys_file_[uid], strip this off before checking the rights
160  if (strpos($file, 'sys_file_') !== FALSE) {
161  $file = substr($file, strlen('sys_file_'));
162  }
163  $fileObject = ResourceFactory::getInstance()->getFileObject((int)$file);
164  $accessAllowed = $fileObject->checkActionPermission('write');
165  }
166  return $accessAllowed;
167  }
168 }
$parameters
$parameters
Definition: FileDumpEID.php:15
$uid
$uid
Definition: server.php:36
TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect\checkRecordUpdateAccess
checkRecordUpdateAccess($table, $id, $fileMetadataRecord, $otherHookGrantedAccess, DataHandler $dataHandler)
Definition: FileMetadataPermissionsAspect.php:41