[TASK] Decouple adminPanel from frontend
1 <?php
2 declare(strict_types = 1);
3
4 namespace TYPO3\CMS\Workspaces\Authentication;
5
6 /*
7 * This file is part of the TYPO3 CMS project.
8 *
9 * It is free software; you can redistribute it and/or modify it under
10 * the terms of the GNU General Public License, either version 2
11 * of the License, or any later version.
12 *
13 * For the full copyright and license information, please read the
14 * LICENSE.txt file that was distributed with this source code.
15 *
16 * The TYPO3 project - inspiring people to share!
17 */
18
19 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
20 use TYPO3\CMS\Core\Database\ConnectionPool;
21 use TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;
22 use TYPO3\CMS\Core\Type\Bitmask\Permission;
23 use TYPO3\CMS\Core\Utility\GeneralUtility;
24
25 /**
26 * A backend-user like preview user with read-only permissions for a certain workspace
27 * is used for previewing a workspace in the frontend without having a full backend user
28 * available.
29 *
30 * Has
31 * - no user[uid]
32 * - cookie fetched from ADMCMD_prev cookie name
33 * - read-only everywhere
34 * - locked to a certain workspace > 0
35 * - locked to the current page ID as webmount
36 *
37 * This class explicitly does not derive from FrontendBackendUserAuthentication,
38 * as this user is only meant to be used with the "ADMCMD_prev" GET parameter / cookie (i.e. a preview link was clicked).
39 * This user cannot use any admin panel / frontend editing capabilities.
40 */
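class PreviewUserAuthentication extends BackendUserAuthentication
{
    /**
     * Runs the parent constructor and then sets the authentication name to
     * "ADMCMD_prev", so this user is tied to the preview-link name rather than
     * to whatever name the parent class configures.
     */
    public function __construct()
    {
        parent::__construct();
        $this->name = 'ADMCMD_prev';
    }

    /**
     * Checking if a workspace is allowed for the preview user.
     * This method is intentionally called with setTemporaryWorkspace() to check if the workspace exists.
     *
     * No membership, owner or reviewer check is performed here: every workspace
     * record that is found (and every array handed in by the caller) is returned
     * with '_ACCESS' => 'member'.
     * NOTE(review): this relies on the preview link having been validated before
     * this user is set up - confirm at the call site.
     *
     * @param mixed $wsRec If integer, workspace record is looked up, if array it is seen as a Workspace record with at least uid, title, members and adminusers columns. Can be faked for workspaces uid 0
     * @param string $fields List of fields to select. Default fields are: uid,title,adminusers,members,reviewers,publish_access,stagechg_notification
     * @return array|bool The workspace record extended by '_ACCESS' => 'member', or false if no record was found.
     */
    public function checkWorkspace($wsRec, $fields = 'uid,title,adminusers,members,reviewers,publish_access,stagechg_notification')
    {
        // An array is taken as-is and never verified against the database.
        if (!is_array($wsRec)) {
            // Normalise once, so that the branch decision and the bound query
            // parameter are guaranteed to work on the same integer value.
            $workspaceId = (int)$wsRec;
            if ($workspaceId === 0) {
                // Workspace 0 has no database record, so a minimal one is faked.
                $wsRec = ['uid' => 0];
            } else {
                $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
                    ->getQueryBuilderForTable('sys_workspace');
                $queryBuilder->getRestrictions()->add(
                    GeneralUtility::makeInstance(RootLevelRestriction::class)
                );
                // $fields is split into column names for the SELECT list.
                // NOTE(review): pass fixed column lists only; identifier quoting is
                // presumably left to the query builder - confirm.
                $columns = GeneralUtility::trimExplode(',', $fields);
                // fetch() yields false when no row matches, which ends up as the
                // "return false" below.
                $wsRec = $queryBuilder
                    ->select(...$columns)
                    ->from('sys_workspace')
                    ->where(
                        $queryBuilder->expr()->eq(
                            'uid',
                            $queryBuilder->createNamedParameter($workspaceId, \PDO::PARAM_INT)
                        )
                    )
                    ->orderBy('title')
                    ->setMaxResults(1)
                    ->execute()
                    ->fetch(\PDO::FETCH_ASSOC);
            }
        }
        // If the workspace exists in the database, the preview user is automatically a member to that workspace
        if (is_array($wsRec)) {
            return array_merge($wsRec, ['_ACCESS' => 'member']);
        }
        return false;
    }

    /**
     * A preview user has read-only permissions, always.
     *
     * The comparison is strict on purpose: only the exact integer
     * Permission::PAGE_SHOW yields the always-true clause. Any other value -
     * including a mask that combines PAGE_SHOW with further bits, or a
     * non-integer representation - yields the always-false clause, so the
     * method fails closed.
     *
     * @param int $perms
     * @return string SQL clause: '1=1' for Permission::PAGE_SHOW, '0=1' otherwise
     */
    public function getPagePermsClause($perms)
    {
        return $perms === Permission::PAGE_SHOW ? '1=1' : '0=1';
    }

    /**
     * Has read permissions on the whole workspace, but nothing else
     *
     * The given row is not inspected; the result is the same for every record.
     *
     * @param array $row
     * @return int Always Permission::PAGE_SHOW
     */
    public function calcPerms($row)
    {
        return Permission::PAGE_SHOW;
    }
}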