[TASK] Fix CGL errors
1 <?php
2 namespace TYPO3\CMS\Core\FormProtection;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 /**
18 * This class provides protection against cross-site request forgery (XSRF/CSRF)
19 * for actions in the frontend that change data.
20 *
21 * How to use:
22 *
23 * For each form (or link that changes some data), create a token and
24 * insert it as a hidden form element or use it as GET argument. The name of the form element does not
25 * matter; you only need it to get the form token for verifying it.
26 *
27 * <pre>
28 * $formToken = TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
29 * ->generateToken(
30 * 'User setup', 'edit'
31 * );
32 * $this->content .= '<input type="hidden" name="formToken" value="' .
33 * $formToken . '" />';
34 * </pre>
35 *
36 * The three parameters $formName, $action and $formInstanceName can be
37 * arbitrary strings, but they should make the form token as specific as
38 * possible. For different forms (e.g. User setup and editing a news
39 * record) or different records (with different UIDs) from the same table,
40 * those values should be different.
41 *
42 * For editing a news record, the call could look like this:
43 *
44 * <pre>
45 * $formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
46 * ->getFormProtection()->generateToken(
47 * 'news', 'edit', $uid
48 * );
49 * </pre>
50 *
51 *
52 * When processing the data that has been submitted by the form, you can check
53 * that the form token is valid like this:
54 *
55 * <pre>
56 * if ($dataHasBeenSubmitted && \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
57 * ->validateToken(
58 * \TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
59 * 'User setup', 'edit'
60 * )
61 * ) {
62 * Processes the data.
63 * } else {
64 * Create a flash message for the invalid token or just discard this request.
65 * }
66 * </pre>
67 */
68
69 use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;
70
71 /**
72 * Frontend form protection
73 */
class FrontendFormProtection extends AbstractFormProtection
{
    /**
     * The frontend user whose session holds the form protection token.
     * Captured once at construction time and never replaced afterwards.
     *
     * @var FrontendUserAuthentication
     */
    protected $frontendUser;

    /**
     * Creates the protection for an authenticated frontend session.
     *
     * The frontend user is stored before the session check because the
     * check reads it. Construction is refused when no frontend user is
     * logged in, so a token can never be bound to an anonymous request.
     *
     * @param FrontendUserAuthentication $frontendUser
     * @param \Closure $validationFailedCallback Optional callback, stored as-is for the base class
     * @throws \TYPO3\CMS\Core\Error\Exception if no frontend user is logged in
     */
    public function __construct(FrontendUserAuthentication $frontendUser, \Closure $validationFailedCallback = null)
    {
        $this->validationFailedCallback = $validationFailedCallback;
        $this->frontendUser = $frontendUser;
        if ($this->isAuthorizedFrontendSession()) {
            return;
        }
        throw new \TYPO3\CMS\Core\Error\Exception(
            'A front-end form protection may only be instantiated if there is an active front-end session.',
            1285067843
        );
    }

    /**
     * Returns the session token: the one stored in the frontend user's
     * session data if present, otherwise a freshly generated one that is
     * persisted right away so later requests validate against the same value.
     *
     * @return string
     */
    protected function retrieveSessionToken()
    {
        $this->sessionToken = $this->frontendUser->getSessionData('formProtectionSessionToken');
        if (!empty($this->sessionToken)) {
            return $this->sessionToken;
        }
        // Nothing usable in the session yet: mint a token and write it back.
        $this->sessionToken = $this->generateSessionToken();
        $this->persistSessionToken();
        return $this->sessionToken;
    }

    /**
     * Writes the current session token into the frontend user's session
     * data so a later instance of this class can read it back.
     *
     * @access private
     * @return void
     */
    public function persistSessionToken()
    {
        $this->frontendUser->setAndSaveSessionData(
            'formProtectionSessionToken',
            $this->sessionToken
        );
    }

    /**
     * Tells whether a frontend user is logged in, i.e. the user record
     * carries a non-empty uid.
     *
     * @return bool
     */
    protected function isAuthorizedFrontendSession()
    {
        if (empty($this->frontendUser->user['uid'])) {
            return false;
        }
        return true;
    }
}
136 }