AjaxRequestHandler.php

Go to the documentation of this file.

<?php
namespace TYPO3\CMS\Backend\Http;

/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
use TYPO3\CMS\Backend\Routing\Exception\ResourceNotFoundException;
use TYPO3\CMS\Core\Core\Bootstrap;
use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use TYPO3\CMS\Core\Http\RequestHandlerInterface;
use TYPO3\CMS\Core\Http\Response;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class AjaxRequestHandler implements RequestHandlerInterface
{
    protected $bootstrap;

    protected $publicAjaxIds = [
        '/ajax/login',
        '/ajax/logout',
        '/ajax/login/refresh',
        '/ajax/login/timedout',
        '/ajax/rsa/publickey',
        '/ajax/core/requirejs'
    ];

    public function __construct(Bootstrap $bootstrap)
    {
        $this->bootstrap = $bootstrap;
    }

    public function handleRequest(ServerRequestInterface $request)
    {
        // First get the ajaxID
        $ajaxID = isset($request->getParsedBody()['ajaxID']) ? $request->getParsedBody()['ajaxID'] : $request->getQueryParams()['ajaxID'];
        $request = $request->withAttribute('routePath', $ajaxID);
        $proceedIfNoUserIsLoggedIn = $this->isLoggedInBackendUserRequired($ajaxID);
        $this->boot($proceedIfNoUserIsLoggedIn);

        try {
            // Backend Routing - check if a valid route is there, and dispatch
            return $this->dispatch($request);
        } catch (ResourceNotFoundException $e) {
            // no Route found, fallback to the traditional AJAX request
        }
        return $this->dispatchTraditionalAjaxRequest($request);
    }

    public function canHandleRequest(ServerRequestInterface $request)
    {
        return $request->getAttribute('isAjaxRequest', false);
    }

    public function getPriority()
    {
        return 80;
    }

    protected function isLoggedInBackendUserRequired($ajaxId)
    {
        return in_array($ajaxId, $this->publicAjaxIds, true);
    }

    protected function boot($proceedIfNoUserIsLoggedIn)
    {
        $this->bootstrap
            ->checkLockedBackendAndRedirectOrDie($proceedIfNoUserIsLoggedIn)
            ->checkBackendIpOrDie()
            ->checkSslBackendAndRedirectIfNeeded()
            ->initializeBackendRouter()
            ->loadBaseTca()
            ->loadExtTables()
            ->initializeBackendUser()
            ->initializeBackendAuthentication($proceedIfNoUserIsLoggedIn)
            ->initializeLanguageObject()
            ->initializeBackendTemplate()
            ->endOutputBufferingAndCleanPreviousOutput()
            ->initializeOutputCompression()
            ->sendHttpHeaders();
    }

    protected function dispatch(ServerRequestInterface $request)
    {
        $response = GeneralUtility::makeInstance(Response::class, 'php://temp', 200, [
            'Content-Type' => 'application/json; charset=utf-8',
            'X-JSON' => 'true'
        ]);

        $dispatcher = GeneralUtility::makeInstance(RouteDispatcher::class);
        return $dispatcher->dispatch($request, $response);
    }

    protected function dispatchTraditionalAjaxRequest($request)
    {
        GeneralUtility::deprecationLog('Using the traditional way for AJAX requests via $TYPO3_CONF_VARS[BE][AJAX] is discouraged. Use the Backend Routes logic instead.');
        $ajaxID = $request->getAttribute('routePath');
        // Finding the script path from the registry
        $ajaxRegistryEntry = isset($GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'][$ajaxID]) ? $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'][$ajaxID] : null;
        $ajaxScript = null;
        $csrfTokenCheck = false;
        if ($ajaxRegistryEntry !== null && is_array($ajaxRegistryEntry) && isset($ajaxRegistryEntry['callbackMethod'])) {
            $ajaxScript = $ajaxRegistryEntry['callbackMethod'];
            $csrfTokenCheck = $ajaxRegistryEntry['csrfTokenCheck'];
        }

        // Instantiating the AJAX object
        $ajaxObj = GeneralUtility::makeInstance(\TYPO3\CMS\Core\Http\AjaxRequestHandler::class, $ajaxID);
        $ajaxParams = ['request' => $request];

        // Evaluating the arguments and calling the AJAX method/function
        if (empty($ajaxID)) {
            $ajaxObj->setError('No valid ajaxID parameter given.');
        } elseif (empty($ajaxScript)) {
            $ajaxObj->setError('No backend function registered for ajaxID "' . $ajaxID . '".');
        } elseif ($csrfTokenCheck && !$this->isValidRequest($request)) {
            $ajaxObj->setError('Invalid CSRF token detected for ajaxID "' . $ajaxID . '", reload the backend of TYPO3');
        } else {
            $success = GeneralUtility::callUserFunction($ajaxScript, $ajaxParams, $ajaxObj, '', 1);
            if ($success === false) {
                $ajaxObj->setError('Registered backend function for ajaxID "' . $ajaxID . '" was not found.');
            }
        }

        // Outputting the content (and setting the X-JSON-Header)
        return $ajaxObj->render();
    }

    protected function getFormProtection()
    {
        return FormProtectionFactory::get();
    }

    protected function isValidRequest(ServerRequestInterface $request)
    {
        $token = (string)(isset($request->getParsedBody()['ajaxToken']) ? $request->getParsedBody()['ajaxToken'] : $request->getQueryParams()['ajaxToken']);
        return $this->getFormProtection()->validateToken($token, 'ajaxCall', $request->getAttribute('routePath'));
    }
}