2 /***************************************************************
5 * (c) 2007-2013 Benjamin Mack
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the text file GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
31 * @author Benjamin Mack <mack@xnos.org>
// Backend AJAX dispatcher: resolves the request's `ajaxID` to a handler registered in
// $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'], optionally verifies a CSRF token, and
// invokes the handler through an AjaxRequestHandler object.
// NOTE(review): this listing is incomplete — several lines of the original file
// (closing braces / `else` openers, the `if` that precedes the first setError(),
// the `if ($tokenIsValid)` guard, and the final output call) are not shown here,
// so the code below is annotated, not rewritten.
36 // Allow-list of ajaxIDs that may be served without an authenticated backend user.
// SECURITY: every ID on this list runs with no BE user at all (see the
// TYPO3_PROCEED_IF_NO_USER define below), so keep it restricted to the
// pre-authentication login plumbing it currently contains.
37 $noUserAjaxIDs = array(
38 'BackendLogin::login',
39 'BackendLogin::logout',
40 'BackendLogin::refreshLogin',
41 'BackendLogin::isTimedOut',
42 'BackendLogin::getChallenge',
43 'BackendLogin::getRsaPublicKey',
46 // Read the ajaxID from the request; POST takes precedence over GET.
// NOTE(review): $_GET['ajaxID'] is read without isset(), so a request carrying
// neither parameter raises an undefined-index notice, and an array value
// (ajaxID[]=...) reaches stripslashes(), which expects a string. A guarded read
// such as `$_POST['ajaxID'] ?? $_GET['ajaxID'] ?? ''` followed by an is_string()
// check would close both gaps (`??` needs PHP 7 — confirm the supported baseline).
47 $ajaxID = isset($_POST['ajaxID']) ?
$_POST['ajaxID'] : $_GET['ajaxID'];
// stripslashes() presumably undoes magic_quotes-style escaping of the raw value;
// the (string) cast makes the comparisons and array lookups below well-defined.
49 $ajaxID = (string)stripslashes($ajaxID);
52 // Login-related IDs must work before a session exists, so tell init.php not to
// insist on a valid BE user for them. The define is consumed by init.php (not
// visible here); the meaning of the value 2 is not documented in this file.
// NOTE(review): in_array() is used non-strictly; that is only safe because
// $ajaxID is already a string and the list holds non-numeric strings. Passing
// TRUE as the third argument would make the intent explicit.
53 if (in_array($ajaxID, $noUserAjaxIDs)) {
54 define('TYPO3_PROCEED_IF_NO_USER', 2);
// Bootstrap the backend (configuration, $GLOBALS, and — unless the define above
// was set — the BE user check performed by init.php).
57 require __DIR__
. '/init.php';
59 // Look the handler up in the server-side registry. The request only selects a
// key; the callable itself always comes from configuration, never from input.
60 $ajaxRegistryEntry = isset($GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'][$ajaxID]) ?
$GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX'][$ajaxID] : NULL;
// CSRF protection is OFF unless the registry entry switches it on below.
62 $csrfTokenCheck = FALSE;
63 if ($ajaxRegistryEntry !== NULL) {
64 if (is_array($ajaxRegistryEntry)) {
65 if (isset($ajaxRegistryEntry['callbackMethod'])) {
66 $ajaxScript = $ajaxRegistryEntry['callbackMethod'];
// SECURITY NOTE(review): 'csrfTokenCheck' is read without isset(). A registration
// that omits the key yields NULL (plus a notice), which is falsy, so the token
// check is silently skipped — the default fails open. A fail-closed read such as
// `isset($ajaxRegistryEntry['csrfTokenCheck']) ? (bool)$ajaxRegistryEntry['csrfTokenCheck'] : TRUE`
// would be safer, but changes behavior for registrations that rely on the omission — audit them first.
67 $csrfTokenCheck = $ajaxRegistryEntry['csrfTokenCheck'];
70 // @Deprecated since 6.2, will be removed two versions later: a plain string entry
// is the callable itself. SECURITY: such legacy registrations never set
// $csrfTokenCheck (it keeps its FALSE default), so they run with no CSRF check.
71 $ajaxScript = $ajaxRegistryEntry;
75 // Create the response object the handler writes into; it is tagged with the ajaxID.
76 $ajaxObj = \TYPO3\CMS\Core\Utility\GeneralUtility
::makeInstance('TYPO3\\CMS\\Core\\Http\\AjaxRequestHandler', $ajaxID);
// This script passes no parameters of its own to the handler.
77 $ajaxParams = array();
79 // Validate the request and dispatch. NOTE(review): the branch opener preceding
// the first setError() — presumably `if (empty($ajaxID))` — is not shown here.
81 $ajaxObj->setError('No valid ajaxID parameter given.');
82 } elseif (empty($ajaxScript)) {
// NOTE(review): $ajaxID is request-controlled and is echoed verbatim into this and
// the two error messages further down; whether AjaxRequestHandler escapes error
// text for the content type it emits is not visible here — verify before
// treating these messages as safe for HTML contexts.
83 $ajaxObj->setError('No backend function registered for ajaxID "' . $ajaxID . '".');
// Verify the CSRF token when the registration asks for it. The token is checked
// against the form name 'ajaxCall' together with this $ajaxID, presumably binding
// a token to the handler it was issued for — confirm against FormProtection.
// NOTE(review): _GP() accepts the token from GET as well as POST, so it can end
// up in URLs, referers and access logs; confirm clients send it in the body.
87 if ($csrfTokenCheck) {
88 $tokenIsValid = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory
::get()->validateToken(\TYPO3\CMS\Core\Utility\GeneralUtility
::_GP('ajaxToken'), 'ajaxCall', $ajaxID);
// (the `if ($tokenIsValid)` guard around the dispatch below is not shown here)
91 // Drop the dispatcher's own locals so the handler neither sees nor depends on
// them; $success is unset here and immediately reassigned by the call.
92 unset($csrfTokenCheck, $ajaxRegistryEntry, $tokenIsValid, $success);
// Invoke the registered callable. NOTE(review): the two trailing flags (FALSE, TRUE)
// are positional — check GeneralUtility::callUserFunction() for their meaning.
// Per the error message below, a FALSE return means the callable could not be found.
93 $success = \TYPO3\CMS\Core\Utility\GeneralUtility
::callUserFunction($ajaxScript, $ajaxParams, $ajaxObj, FALSE, TRUE);
// Reached when the token check failed (the `else` opener is not shown here).
95 $ajaxObj->setError('Invalid CSRF token detected for ajaxID "' . $ajaxID . '"!');
97 if ($success === FALSE) {
98 $ajaxObj->setError('Registered backend function for ajaxID "' . $ajaxID . '" was not found.');
102 // Send the response (and set the X-JSON header); the output call itself is not shown here.