‪TYPO3CMS  ‪main
FileMetadataPermissionsAspect.php
1 <?php
2 
3 /*
4  * This file is part of the TYPO3 CMS project.
5  *
6  * It is free software; you can redistribute it and/or modify it under
7  * the terms of the GNU General Public License, either version 2
8  * of the License, or any later version.
9  *
10  * For the full copyright and license information, please read the
11  * LICENSE.txt file that was distributed with this source code.
12  *
13  * The TYPO3 project - inspiring people to share!
14  */
15 
17 
19 use TYPO3\CMS\Backend\Utility\BackendUtility;
27 
34 {
/**
 * DataHandler record-update hook: decides whether a sys_file_metadata row may be updated.
 *
 * Access is derived from the "editMeta" permission on the file the metadata row points to.
 * Security-relevant details:
 *  - Only the integer 0 counts as "an earlier hook already denied" (strict comparison).
 *    Any other incoming value, including null or false, is replaced by this method's
 *    own decision for sys_file_metadata.
 *  - If no stored row exists, or the stored row has no file relation while the submitted
 *    row has one, the permission check runs against the submitted row instead.
 *
 * @param string $table Table the update targets
 * @param int|string $id Uid of the record being updated
 * @param array $fileMetadataRecord Submitted record data
 * @param int|null $otherHookGrantedAccess Decision of previously executed hooks
 * @param DataHandler $dataHandler Calling DataHandler instance (not used here)
 * @return int|null 1 or 0 for sys_file_metadata, otherwise the unchanged incoming decision
 */
public function checkRecordUpdateAccess($table, $id, $fileMetadataRecord, $otherHookGrantedAccess, DataHandler $dataHandler)
{
    // Other tables and an explicit earlier denial are passed through untouched.
    if ($table !== 'sys_file_metadata' || $otherHookGrantedAccess === 0) {
        return $otherHookGrantedAccess;
    }

    $storedRecord = BackendUtility::getRecord('sys_file_metadata', $id);
    $useSubmittedRecord = $storedRecord === null
        || (empty($storedRecord['file']) && !empty($fileMetadataRecord['file']));
    $recordToCheck = $useSubmittedRecord ? $fileMetadataRecord : $storedRecord;

    if ($this->checkFileWriteAccessForFileMetaData($recordToCheck)) {
        return 1;
    }
    return 0;
}
57 
/**
 * DataHandler hook: decides whether the current command map and data map may touch
 * sys_file_metadata at all. One failing entry denies the whole operation.
 *
 * Security-relevant details:
 *  - Command map: every id must be a non-empty integer, otherwise the request is aborted
 *    with an exception. $accessAllowed is overwritten with the per-record result, so this
 *    loop can also switch an incoming false to true.
 *  - Data map: this part only ever sets $accessAllowed to false. Ids containing "NEW" are
 *    treated as new records and skip the stored-record check; an id that is not "NEW" and
 *    has no stored row is denied.
 *  - During imports ($parent->isImporting) an empty file relation is tolerated both on the
 *    stored row and in the submitted data.
 *
 * @param bool $accessAllowed Access decision, modified by reference
 * @param string $table Table the DataHandler is about to process
 * @param DataHandler $parent Calling DataHandler; cmdmap, datamap and isImporting are read
 * @throws \UnexpectedValueException if a command map id is empty or not an integer
 */
public function checkModifyAccessList(&$accessAllowed, $table, DataHandler $parent)
{
    if ($table !== 'sys_file_metadata') {
        return;
    }

    $commands = $parent->cmdmap[$table] ?? null;
    if (is_array($commands)) {
        foreach (array_keys($commands) as $id) {
            $isUsableId = !empty($id) && MathUtility::canBeInterpretedAsInteger($id);
            if (!$isUsableId) {
                throw new \UnexpectedValueException(
                    'Integer expected for data manipulation command.
                    This can only happen in the case of an attack attempt or when something went horribly wrong.
                    To not compromise security, we exit here.',
                    1399982816
                );
            }

            // A missing row becomes an empty array, which the file check rejects.
            $storedRecord = (array)BackendUtility::getRecord('sys_file_metadata', (int)$id);
            $accessAllowed = $this->checkFileWriteAccessForFileMetaData($storedRecord);
            if (!$accessAllowed) {
                // One denied record is enough to deny the whole operation
                break;
            }
        }
    }

    $records = $parent->datamap[$table] ?? null;
    if (!is_array($records)) {
        return;
    }

    foreach ($records as $id => $data) {
        // Step 1: may the user write to the row as it is stored right now?
        if (str_contains((string)$id, 'NEW')) {
            // New records have no stored row to protect
            $recordAccessAllowed = true;
        } else {
            $recordAccessAllowed = false;
            $storedRecord = BackendUtility::getRecord('sys_file_metadata', (int)$id);
            if ($storedRecord !== null) {
                // On import the row is first created with an empty file relation
                $recordAccessAllowed = ($parent->isImporting && empty($storedRecord['file']))
                    ? true
                    : $this->checkFileWriteAccessForFileMetaData($storedRecord);
            }
        }

        // Step 2: may the user write to the file the submitted data points to?
        if (!isset($data['file'])) {
            // The file relation is not part of this change
            $dataAccessAllowed = true;
        } elseif (empty($data['file'])) {
            // Clearing the relation is only accepted as the first step of an import
            $dataAccessAllowed = (bool)$parent->isImporting;
        } else {
            $dataAccessAllowed = $this->checkFileWriteAccessForFileMetaData($data);
        }

        if (!($recordAccessAllowed && $dataAccessAllowed)) {
            // One denied record is enough to deny the whole operation
            $accessAllowed = false;
            break;
        }
    }
}
132 
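/**
 * Event listener: decides whether the edit form of a sys_file_metadata row may be shown.
 *
 * The listener only acts when access has been granted so far, the table is
 * sys_file_metadata and the command is "edit"; in every other case the event is left
 * as it is. Access is then taken from the "editMeta" permission on the related file.
 * A row that cannot be loaded (including a missing uid, which falls back to 0) is cast
 * to an empty array and therefore ends in a denial.
 *
 * @param ModifyEditFormUserAccessEvent $event Event carrying table name, command and database row
 */
#[AsEventListener('evaluate-file-meta-data-edit-form-access')]
public function isAllowedToShowEditForm(ModifyEditFormUserAccessEvent $event): void
{
    if (!$event->doesUserHaveAccess()
        || $event->getTableName() !== 'sys_file_metadata'
        || $event->getCommand() !== 'edit'
    ) {
        return;
    }

    // Re-read the row by uid rather than relying on the row carried by the event.
    $uid = (int)($event->getDatabaseRow()['uid'] ?? 0);
    $fileMetadataRecord = (array)BackendUtility::getRecord('sys_file_metadata', $uid);

    if ($this->checkFileWriteAccessForFileMetaData($fileMetadataRecord)) {
        $event->allowUserAccess();
    } else {
        $event->denyUserAccess();
    }
}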
150 
/**
 * Checks whether the current user may edit the metadata of the file a record points to.
 *
 * Anything that is not an array, or that has an empty "file" entry, is denied.
 *
 * NOTE(review): str_contains() finds the "sys_file_" marker anywhere in the value, while
 * substr() always drops the first strlen('sys_file_') bytes. The two only agree when the
 * marker is a prefix. Confirm that callers never pass another shape, or anchor the test
 * with str_starts_with(), so that the uid checked here is the uid that gets stored.
 *
 * @param array|mixed $fileMetadataRecord Record or submitted data with a "file" entry
 * @return bool Result of the "editMeta" action permission check, false if no file is set
 */
protected function checkFileWriteAccessForFileMetaData($fileMetadataRecord)
{
    if (!is_array($fileMetadataRecord) || empty($fileMetadataRecord['file'])) {
        return false;
    }

    $fileReference = $fileMetadataRecord['file'];
    $tablePrefix = 'sys_file_';
    // The relation may be written as sys_file_[uid]; drop the table part before the cast
    if (str_contains($fileReference, $tablePrefix)) {
        $fileReference = substr($fileReference, strlen($tablePrefix));
    }

    // (int) keeps only the leading digits of whatever is left of the reference
    return GeneralUtility::makeInstance(ResourceFactory::class)
        ->getFileObject((int)$fileReference)
        ->checkActionPermission('editMeta');
}
171 }
‪TYPO3\CMS\Core\DataHandling\DataHandler
Definition: DataHandler.php:94
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent\denyUserAccess
‪denyUserAccess()
Definition: ModifyEditFormUserAccessEvent.php:53
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent\getCommand
‪getCommand()
Definition: ModifyEditFormUserAccessEvent.php:87
‪TYPO3\CMS\Core\Attribute\AsEventListener
Definition: AsEventListener.php:25
‪TYPO3\CMS\Core\Resource\Security
Definition: FileMetadataPermissionsAspect.php:16
‪TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect\checkRecordUpdateAccess
‪int null checkRecordUpdateAccess($table, $id, $fileMetadataRecord, $otherHookGrantedAccess, DataHandler $dataHandler)
Definition: FileMetadataPermissionsAspect.php:44
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent\getDatabaseRow
‪getDatabaseRow()
Definition: ModifyEditFormUserAccessEvent.php:95
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent\getTableName
‪getTableName()
Definition: ModifyEditFormUserAccessEvent.php:78
‪TYPO3\CMS\Core\Utility\MathUtility\canBeInterpretedAsInteger
‪static bool canBeInterpretedAsInteger(mixed $var)
Definition: MathUtility.php:69
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent\doesUserHaveAccess
‪doesUserHaveAccess()
Definition: ModifyEditFormUserAccessEvent.php:61
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent
Definition: ModifyEditFormUserAccessEvent.php:27
‪TYPO3\CMS\Core\Resource\ResourceFactory
Definition: ResourceFactory.php:42
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent\allowUserAccess
‪allowUserAccess()
Definition: ModifyEditFormUserAccessEvent.php:45
‪TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect\isAllowedToShowEditForm
‪isAllowedToShowEditForm(ModifyEditFormUserAccessEvent $event)
Definition: FileMetadataPermissionsAspect.php:137
‪TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect\checkModifyAccessList
‪checkModifyAccessList(&$accessAllowed, $table, DataHandler $parent)
Definition: FileMetadataPermissionsAspect.php:68
‪TYPO3\CMS\Core\SingletonInterface
Definition: SingletonInterface.php:22
‪TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect\checkFileWriteAccessForFileMetaData
‪bool checkFileWriteAccessForFileMetaData($fileMetadataRecord)
Definition: FileMetadataPermissionsAspect.php:157
‪TYPO3\CMS\Core\Utility\MathUtility
Definition: MathUtility.php:24
‪TYPO3\CMS\Core\DataHandling\DataHandlerCheckModifyAccessListHookInterface
Definition: DataHandlerCheckModifyAccessListHookInterface.php:22
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:52
‪TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect
Definition: FileMetadataPermissionsAspect.php:34