1 <?php
2 namespace TYPO3\CMS\Core\Resource\Security;
3 
4 /*
5  * This file is part of the TYPO3 CMS project.
6  *
7  * It is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU General Public License, either version 2
9  * of the License, or any later version.
10  *
11  * For the full copyright and license information, please read the
12  * LICENSE.txt file that was distributed with this source code.
13  *
14  * The TYPO3 project - inspiring people to share!
15  */
16 
23 
30 {
/**
 * Decides whether an update of a sys_file_metadata record may proceed.
 *
 * For every other table, and whenever the incoming decision is exactly the
 * integer 0, the incoming decision is handed back untouched. Otherwise the
 * result is derived solely from the write permission on the referenced file.
 *
 * @param string $table Table the update targets
 * @param int|string $id Uid used to load the stored sys_file_metadata row
 * @param array $fileMetadataRecord Record data handed in by the caller
 * @param mixed $otherHookGrantedAccess Decision made so far; presumably null|int (confirm against the calling hook)
 * @param DataHandler $dataHandler Not read by this method
 * @return mixed 1 or 0 for sys_file_metadata, otherwise $otherHookGrantedAccess as passed in
 */
public function checkRecordUpdateAccess($table, $id, $fileMetadataRecord, $otherHookGrantedAccess, DataHandler $dataHandler)
{
    // Strict comparison on purpose: only the integer 0 counts as an earlier denial,
    // so values such as false or '0' still reach the file permission check below.
    if ($table !== 'sys_file_metadata' || $otherHookGrantedAccess === 0) {
        return $otherHookGrantedAccess;
    }

    $recordToCheck = BackendUtility::getRecord('sys_file_metadata', $id);
    if ($recordToCheck === null) {
        // Nothing stored for this uid: the decision rests on the data handed in by the caller.
        $recordToCheck = $fileMetadataRecord;
    } elseif (empty($recordToCheck['file']) && !empty($fileMetadataRecord['file'])) {
        // Stored row has no file relation yet, but the handed-in data names one: check that file.
        $recordToCheck = $fileMetadataRecord;
    }

    // A stored, non-empty file relation always wins over the handed-in one.
    return $this->checkFileWriteAccessForFileMetaData($recordToCheck) ? 1 : 0;
}
54 
/**
 * Applies file write permissions to DataHandler commands and data for sys_file_metadata.
 *
 * Other tables are ignored. Every cmdmap and datamap entry of the table is checked;
 * the first entry that fails stops the loop and leaves $accessAllowed falsy, which
 * denies the whole operation rather than only the offending record.
 *
 * NOTE(review): the cmdmap branch assigns the check result to $accessAllowed instead
 * of combining it with the incoming value, so a falsy incoming value can become true
 * when every command passes the file check. The datamap branch only ever lowers it.
 * Confirm that this widening is intended by the caller.
 *
 * @param bool $accessAllowed Decision so far, modified in place (passed by reference)
 * @param string $table Table the access list check runs for
 * @param DataHandler $parent Provides cmdmap, datamap and the isImporting flag
 * @throws \UnexpectedValueException When a cmdmap key is empty or not interpretable as an integer
 */
public function checkModifyAccessList(&$accessAllowed, $table, DataHandler $parent)
{
    if ($table !== 'sys_file_metadata') {
        return;
    }

    if (isset($parent->cmdmap[$table]) && is_array($parent->cmdmap[$table])) {
        foreach ($parent->cmdmap[$table] as $recordKey => $unusedCommand) {
            // Commands must address an existing record by a plain integer uid; anything else is rejected outright.
            $keyIsUsableUid = !empty($recordKey) && MathUtility::canBeInterpretedAsInteger($recordKey);
            if (!$keyIsUsableUid) {
                throw new \UnexpectedValueException(
                    'Integer expected for data manipulation command.
                    This can only happen in the case of an attack attempt or when something went horribly wrong.
                    To not compromise security, we exit here.',
                    1399982816
                );
            }

            $storedRecord = BackendUtility::getRecord('sys_file_metadata', $recordKey);
            $accessAllowed = $this->checkFileWriteAccessForFileMetaData($storedRecord);
            if (!$accessAllowed) {
                // One denied command denies the whole operation
                break;
            }
        }
    }

    if (isset($parent->datamap[$table]) && is_array($parent->datamap[$table])) {
        foreach ($parent->datamap[$table] as $recordKey => $submittedData) {
            // Step 1: permission on the record as it is stored right now.
            $isExistingRecord = strpos($recordKey, 'NEW') === false;
            if (!$isExistingRecord) {
                // Keys containing "NEW" are treated as new records; there is no stored row to check
                $storedRecordOk = true;
            } else {
                // An existing key that cannot be loaded stays denied
                $storedRecordOk = false;
                $storedRecord = BackendUtility::getRecord('sys_file_metadata', $recordKey);
                if ($storedRecord !== null) {
                    // During import the row is first written with an empty file relation, which is let through
                    $storedRecordOk = ($parent->isImporting && empty($storedRecord['file']))
                        ? true
                        : $this->checkFileWriteAccessForFileMetaData($storedRecord);
                }
            }

            // Step 2: permission on the file relation the submitted data wants to write.
            if (!isset($submittedData['file'])) {
                // The file relation is not part of this write
                $submittedDataOk = true;
            } elseif ($parent->isImporting && empty($submittedData['file'])) {
                // During import the row is created with an empty file relation as first step
                $submittedDataOk = true;
            } elseif (empty($submittedData['file'])) {
                // Outside of an import, emptying the file relation is refused
                $submittedDataOk = false;
            } else {
                $submittedDataOk = $this->checkFileWriteAccessForFileMetaData($submittedData);
            }

            if (!($storedRecordOk && $submittedDataOk)) {
                // One denied record denies the whole operation
                $accessAllowed = false;
                break;
            }
        }
    }
}
130 
/**
 * Decides whether the edit form of a sys_file_metadata record may be shown.
 *
 * The incoming 'hasAccess' value is returned as is unless it is truthy, the table
 * is sys_file_metadata and the command is 'edit'; only then is it replaced by the
 * write-permission check on the file the stored record points to.
 *
 * @param array $parameters Reads the keys 'table', 'uid', 'cmd' and 'hasAccess'
 * @return mixed The incoming 'hasAccess' value, or the result of the file write check
 */
public function isAllowedToShowEditForm(array $parameters)
{
    $tableName = $parameters['table'];
    $recordUid = $parameters['uid'];
    $command = $parameters['cmd'];
    $hasAccess = $parameters['hasAccess'];

    // This check can only narrow access: an earlier denial is never revisited.
    if (!$hasAccess || $tableName !== 'sys_file_metadata' || $command !== 'edit') {
        return $hasAccess;
    }

    // The decision is based on the stored row, not on anything carried in $parameters.
    $storedRecord = BackendUtility::getRecord('sys_file_metadata', $recordUid);

    return $this->checkFileWriteAccessForFileMetaData($storedRecord);
}
150 
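/**
 * Checks whether the 'write' action is permitted on the file a metadata record refers to.
 *
 * The file relation is accepted either as a plain uid or in the form sys_file_[uid].
 * Any other shape is denied instead of being cast to whatever integer PHP derives
 * from it: the previous code stripped the first strlen('sys_file_') characters
 * whenever 'sys_file_' occurred anywhere in the value, so the uid that was checked
 * could differ from the value that was submitted. Well-formed values ("5", 5,
 * "sys_file_5") are resolved exactly as before.
 *
 * @param array|null $fileMetadataRecord Record with a 'file' key; non-arrays and empty relations are denied
 * @return bool Result of checkActionPermission('write') on the file object, or false when no usable file uid is present
 */
protected function checkFileWriteAccessForFileMetaData($fileMetadataRecord)
{
    if (!is_array($fileMetadataRecord) || empty($fileMetadataRecord['file'])) {
        return false;
    }

    $fileReference = $fileMetadataRecord['file'];
    if (!is_string($fileReference) && !is_int($fileReference)) {
        // Arrays, booleans and the like are not a file relation: fail closed
        return false;
    }
    $fileReference = (string)$fileReference;

    // The file relation could be written as sys_file_[uid]; strip the prefix only when it leads the value
    $prefix = 'sys_file_';
    if (strpos($fileReference, $prefix) === 0) {
        $fileReference = (string)substr($fileReference, strlen($prefix));
    }

    // Only a pure digit sequence identifies a file; trailing or leading junk is denied, not truncated
    if (preg_match('/^[0-9]+\z/', $fileReference) !== 1) {
        return false;
    }

    $fileObject = ResourceFactory::getInstance()->getFileObject((int)$fileReference);

    return $fileObject->checkActionPermission('write');
}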
171 }