3dc52483691ec8a3246e39086ee3c660d3a090bd
[Packages/TYPO3.CMS.git] / typo3 / sysext / felogin / Classes / Controller / FrontendLoginController.php
1 <?php
2 namespace TYPO3\CMS\Felogin\Controller;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use Psr\Log\LoggerAwareInterface;
18 use Psr\Log\LoggerAwareTrait;
19 use TYPO3\CMS\Core\Authentication\LoginType;
20 use TYPO3\CMS\Core\Context\Context;
21 use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
22 use TYPO3\CMS\Core\Crypto\Random;
23 use TYPO3\CMS\Core\Database\Connection;
24 use TYPO3\CMS\Core\Database\ConnectionPool;
25 use TYPO3\CMS\Core\Database\Query\Restriction\FrontendRestrictionContainer;
26 use TYPO3\CMS\Core\Utility\GeneralUtility;
27 use TYPO3\CMS\Frontend\Plugin\AbstractPlugin;
28
29 /**
30 * Plugin 'Website User Login' for the 'felogin' extension.
31 */
32 class FrontendLoginController extends AbstractPlugin implements LoggerAwareInterface
33 {
34 use LoggerAwareTrait;
35
36 /**
37 * Same as class name
38 *
39 * @var string
40 */
41 public $prefixId = 'tx_felogin_pi1';
42
43 /**
44 * The extension key.
45 *
46 * @var string
47 */
48 public $extKey = 'felogin';
49
50 /**
51 * @var bool
52 */
53 public $pi_checkCHash = false;
54
55 /**
56 * @var bool
57 */
58 public $pi_USER_INT_obj = true;
59
60 /**
61 * Is user logged in?
62 *
63 * @var bool
64 */
65 protected $userIsLoggedIn;
66
67 /**
68 * Holds the template for FE rendering
69 *
70 * @var string
71 */
72 protected $template;
73
74 /**
75 * URL for the redirect
76 *
77 * @var string
78 */
79 protected $redirectUrl;
80
81 /**
82 * Flag for disable the redirect
83 *
84 * @var bool
85 */
86 protected $noRedirect = false;
87
88 /**
89 * Logintype (given as GPvar), possible: login, logout
90 *
91 * @var string
92 */
93 protected $logintype;
94
95 /**
96 * A list of page UIDs, either an integer or a comma-separated list of integers
97 *
98 * @var string
99 */
100 public $spid;
101
102 /**
103 * Referrer
104 *
105 * @var string
106 */
107 public $referer;
108
109 /**
110 * The main method of the plugin
111 *
112 * @param string $content The PlugIn content
113 * @param array $conf The PlugIn configuration
114 * @return string The content that is displayed on the website
115 * @throws \RuntimeException when no storage PID was configured.
116 */
117 public function main($content, $conf)
118 {
119 // Loading TypoScript array into object variable:
120 $this->conf = $conf;
121 // Loading default pivars
122 $this->pi_setPiVarDefaults();
123 // Loading language-labels
124 $this->pi_loadLL('EXT:felogin/Resources/Private/Language/locallang.xlf');
125 // Init FlexForm configuration for plugin:
126 $this->pi_initPIflexForm();
127 $this->mergeflexFormValuesIntoConf();
128 // Get storage PIDs:
129 if ($this->conf['storagePid']) {
130 if ((int)$this->conf['recursive']) {
131 $this->spid = $this->pi_getPidList($this->conf['storagePid'], (int)$this->conf['recursive']);
132 } else {
133 $this->spid = $this->conf['storagePid'];
134 }
135 } else {
136 throw new \RuntimeException('No storage folder (option storagePid) for frontend users given.', 1450904202);
137 }
138 // GPvars:
139 $this->logintype = GeneralUtility::_GP('logintype');
140 $this->referer = $this->validateRedirectUrl(GeneralUtility::_GP('referer'));
141 $this->noRedirect = $this->piVars['noredirect'] || $this->conf['redirectDisable'];
142 // If config.typolinkLinkAccessRestrictedPages is set, the var is return_url
143 $returnUrl = GeneralUtility::_GP('return_url');
144 if ($returnUrl) {
145 $this->redirectUrl = $returnUrl;
146 } else {
147 $this->redirectUrl = GeneralUtility::_GP('redirect_url');
148 }
149 $this->redirectUrl = $this->validateRedirectUrl($this->redirectUrl);
150 // Get Template
151 $templateFile = $this->conf['templateFile'] ?: 'EXT:felogin/Resources/Private/Templates/FrontendLogin.html';
152 $template = GeneralUtility::getFileAbsFileName($templateFile);
153 if ($template !== '' && file_exists($template)) {
154 $this->template = file_get_contents($template);
155 }
156 // Is user logged in?
157 $this->userIsLoggedIn = GeneralUtility::makeInstance(Context::class)->getPropertyFromAspect('frontend.user', 'isLoggedIn');
158 // Redirect
159 if ($this->conf['redirectMode'] && !$this->conf['redirectDisable'] && !$this->noRedirect) {
160 $redirectUrl = $this->processRedirect();
161 if (!empty($redirectUrl)) {
162 $this->redirectUrl = $this->conf['redirectFirstMethod'] ? array_shift($redirectUrl) : array_pop($redirectUrl);
163 } else {
164 $this->redirectUrl = '';
165 }
166 }
167 // What to display
168 $content = '';
169 if ($this->piVars['forgot'] && $this->conf['showForgotPasswordLink']) {
170 $content .= $this->showForgot();
171 } elseif ($this->piVars['forgothash']) {
172 $content .= $this->changePassword();
173 } else {
174 if ($this->userIsLoggedIn && !$this->logintype) {
175 $content .= $this->showLogout();
176 } else {
177 $content .= $this->showLogin();
178 }
179 }
180 // Process the redirect
181 if (($this->logintype === LoginType::LOGIN || $this->logintype === LoginType::LOGOUT) && $this->redirectUrl && !$this->noRedirect) {
182 if (!$this->frontendController->fe_user->isCookieSet() && $this->userIsLoggedIn) {
183 $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning'), $this->conf['cookieWarning_stdWrap.']);
184 } else {
185 // Add hook for extra processing before redirect
186 $_params = [
187 'loginType' => $this->logintype,
188 'redirectUrl' => &$this->redirectUrl
189 ];
190 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect'] ?? [] as $_funcRef) {
191 if ($_funcRef) {
192 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
193 }
194 }
195 \TYPO3\CMS\Core\Utility\HttpUtility::redirect($this->redirectUrl);
196 }
197 }
198 // Adds hook for processing of extra item markers / special
199 $_params = [
200 'content' => $content
201 ];
202 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'] ?? [] as $_funcRef) {
203 $content = GeneralUtility::callUserFunction($_funcRef, $_params, $this);
204 }
205 return $this->conf['wrapContentInBaseClass'] ? $this->pi_wrapInBaseClass($content) : $content;
206 }
207
208 /**
209 * Shows the forgot password form
210 *
211 * @return string Content
212 */
213 protected function showForgot()
214 {
215 $subpart = $this->templateService->getSubpart($this->template, '###TEMPLATE_FORGOT###');
216 $subpartArray = ($linkpartArray = []);
217 $postData = GeneralUtility::_POST($this->prefixId);
218 if ($postData['forgot_email']) {
219 // Get hashes for compare
220 $postedHash = $postData['forgot_hash'];
221 $hashData = $this->frontendController->fe_user->getKey('ses', 'forgot_hash');
222 if ($postedHash === $hashData['forgot_hash']) {
223 $userTable = $this->frontendController->fe_user->user_table;
224 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($userTable);
225 $queryBuilder->setRestrictions(GeneralUtility::makeInstance(FrontendRestrictionContainer::class));
226 $row = $queryBuilder
227 ->select('*')
228 ->from($userTable)
229 ->where(
230 $queryBuilder->expr()->orX(
231 $queryBuilder->expr()->eq(
232 'email',
233 $queryBuilder->createNamedParameter($this->piVars['forgot_email'], \PDO::PARAM_STR)
234 ),
235 $queryBuilder->expr()->eq(
236 'username',
237 $queryBuilder->createNamedParameter($this->piVars['forgot_email'], \PDO::PARAM_STR)
238 )
239 ),
240 $queryBuilder->expr()->in(
241 'pid',
242 $queryBuilder->createNamedParameter(
243 GeneralUtility::intExplode(',', $this->spid),
244 Connection::PARAM_INT_ARRAY
245 )
246 )
247 )
248 ->execute()
249 ->fetch();
250
251 $error = null;
252 if ($row) {
253 // Generate an email with the hashed link
254 $error = $this->generateAndSendHash($row);
255 } elseif ($this->conf['exposeNonexistentUserInForgotPasswordDialog']) {
256 $error = $this->pi_getLL('ll_forgot_reset_message_error');
257 }
258 // Generate message
259 if ($error) {
260 $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap($error, $this->conf['forgotErrorMessage_stdWrap.']);
261 } else {
262 $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap(
263 $this->pi_getLL('ll_forgot_reset_message_emailSent'),
264 $this->conf['forgotResetMessageEmailSentMessage_stdWrap.']
265 );
266 }
267 $subpartArray['###FORGOT_FORM###'] = '';
268 } else {
269 // Wrong email
270 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('forgot_reset_message', $this->conf['forgotMessage_stdWrap.']);
271 $markerArray['###BACKLINK_LOGIN###'] = '';
272 }
273 } else {
274 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('forgot_reset_message', $this->conf['forgotMessage_stdWrap.']);
275 $markerArray['###BACKLINK_LOGIN###'] = '';
276 }
277 $markerArray['###BACKLINK_LOGIN###'] = $this->getPageLink(htmlspecialchars($this->pi_getLL('ll_forgot_header_backToLogin')), []);
278 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('forgot_header', $this->conf['forgotHeader_stdWrap.']);
279 $markerArray['###LEGEND###'] = htmlspecialchars($this->pi_getLL('legend', $this->pi_getLL('reset_password')));
280 $markerArray['###ACTION_URI###'] = $this->getPageLink('', [$this->prefixId . '[forgot]' => 1], true);
281 $markerArray['###EMAIL_LABEL###'] = htmlspecialchars($this->pi_getLL('your_email'));
282 $markerArray['###FORGOT_PASSWORD_ENTEREMAIL###'] = htmlspecialchars($this->pi_getLL('forgot_password_enterEmail'));
283 $markerArray['###FORGOT_EMAIL###'] = $this->prefixId . '[forgot_email]';
284 $markerArray['###SEND_PASSWORD###'] = htmlspecialchars($this->pi_getLL('reset_password'));
285 $markerArray['###DATA_LABEL###'] = htmlspecialchars($this->pi_getLL('ll_enter_your_data'));
286 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
287 // Generate hash
288 $hash = md5($this->generatePassword(3));
289 $markerArray['###FORGOTHASH###'] = $hash;
290 // Set hash in feuser session
291 $this->frontendController->fe_user->setKey('ses', 'forgot_hash', ['forgot_hash' => $hash]);
292 return $this->templateService->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
293 }
294
295 /**
296 * This function checks the hash from link and checks the validity. If it's valid it shows the form for
297 * changing the password and process the change of password after submit, if not valid it returns the error message
298 *
299 * @return string The content.
300 */
301 protected function changePassword()
302 {
303 $subpartArray = ($linkpartArray = []);
304 $done = false;
305 $minLength = (int)$this->conf['newPasswordMinLength'] ?: 6;
306 $subpart = $this->templateService->getSubpart($this->template, '###TEMPLATE_CHANGEPASSWORD###');
307 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('change_password_header', $this->conf['changePasswordHeader_stdWrap.']);
308 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
309 'change_password_message',
310 $this->conf['changePasswordMessage_stdWrap.']
311 ), $minLength);
312
313 $markerArray['###BACKLINK_LOGIN###'] = '';
314 $uid = $this->piVars['user'];
315 $piHash = $this->piVars['forgothash'];
316 $hash = explode('|', rawurldecode($piHash));
317 if ((int)$uid === 0) {
318 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
319 'change_password_notvalid_message',
320 $this->conf['changePasswordNotValidMessage_stdWrap.']
321 );
322 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
323 } else {
324 $user = $this->pi_getRecord('fe_users', (int)$uid);
325 $userHash = $user['felogin_forgotHash'];
326 $compareHash = explode('|', $userHash);
327 if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || $hash[0] != $compareHash[0] || md5($hash[1]) != $compareHash[1]) {
328 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
329 'change_password_notvalid_message',
330 $this->conf['changePasswordNotValidMessage_stdWrap.']
331 );
332 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
333 } else {
334 // All is fine, continue with new password
335 $postData = GeneralUtility::_POST($this->prefixId);
336 if (isset($postData['changepasswordsubmit'])) {
337 if (strlen($postData['password1']) < $minLength) {
338 $markerArray['###STATUS_MESSAGE###'] = sprintf(
339 $this->getDisplayText(
340 'change_password_tooshort_message',
341 $this->conf['changePasswordTooShortMessage_stdWrap.']
342 ),
343 $minLength
344 );
345 } elseif ($postData['password1'] != $postData['password2']) {
346 $markerArray['###STATUS_MESSAGE###'] = sprintf(
347 $this->getDisplayText(
348 'change_password_notequal_message',
349 $this->conf['changePasswordNotEqualMessage_stdWrap.']
350 ),
351 $minLength
352 );
353 } else {
354 // Hash password using configured salted passwords hash mechanism for FE
355 $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)->getDefaultHashInstance('FE');
356 $newPass = $hashInstance->getHashedPassword($postData['password1']);
357
358 // Call a hook for further password processing
359 if ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['password_changed']) {
360 $_params = [
361 'user' => $user,
362 'newPassword' => $newPass,
363 'newPasswordUnencrypted' => $postData['password1']
364 ];
365 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['password_changed'] as $_funcRef) {
366 if ($_funcRef) {
367 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
368 }
369 }
370 $newPass = $_params['newPassword'];
371 }
372
373 // Save new password and clear DB-hash
374 $userTable = $this->frontendController->fe_user->user_table;
375 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($userTable);
376 $queryBuilder->getRestrictions()->removeAll();
377 $queryBuilder->update($userTable)
378 ->set('password', $newPass)
379 ->set('felogin_forgotHash', '')
380 ->set('tstamp', (int)$GLOBALS['EXEC_TIME'])
381 ->where(
382 $queryBuilder->expr()->eq(
383 'uid',
384 $queryBuilder->createNamedParameter($user['uid'], \PDO::PARAM_INT)
385 )
386 )
387 ->execute();
388
389 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
390 'change_password_done_message',
391 $this->conf['changePasswordDoneMessage_stdWrap.']
392 );
393 $done = true;
394 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
395 $markerArray['###BACKLINK_LOGIN###'] = $this->getPageLink(
396 htmlspecialchars($this->pi_getLL('ll_forgot_header_backToLogin')),
397 [$this->prefixId . '[redirectReferrer]' => 'off']
398 );
399 }
400 }
401 if (!$done) {
402 // Change password form
403 $markerArray['###ACTION_URI###'] = $this->getPageLink('', [
404 $this->prefixId . '[user]' => $user['uid'],
405 $this->prefixId . '[forgothash]' => $piHash
406 ], true);
407 $markerArray['###LEGEND###'] = htmlspecialchars($this->pi_getLL('change_password'));
408 $markerArray['###NEWPASSWORD1_LABEL###'] = htmlspecialchars($this->pi_getLL('newpassword_label1'));
409 $markerArray['###NEWPASSWORD2_LABEL###'] = htmlspecialchars($this->pi_getLL('newpassword_label2'));
410 $markerArray['###NEWPASSWORD1###'] = $this->prefixId . '[password1]';
411 $markerArray['###NEWPASSWORD2###'] = $this->prefixId . '[password2]';
412 $markerArray['###STORAGE_PID###'] = $this->spid;
413 $markerArray['###SEND_PASSWORD###'] = htmlspecialchars($this->pi_getLL('change_password'));
414 $markerArray['###FORGOTHASH###'] = $piHash;
415 }
416 }
417 }
418 return $this->templateService->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
419 }
420
421 /**
422 * Generates a hashed link and send it with email
423 *
424 * @param array $user Contains user data
425 * @return string Empty string with success, error message with no success
426 */
427 protected function generateAndSendHash($user)
428 {
429 $hours = (int)$this->conf['forgotLinkHashValidTime'] > 0 ? (int)$this->conf['forgotLinkHashValidTime'] : 24;
430 $validEnd = time() + 3600 * $hours;
431 $validEndString = date($this->conf['dateFormat'], $validEnd);
432 $hash = md5(GeneralUtility::makeInstance(Random::class)->generateRandomBytes(64));
433 $randHash = $validEnd . '|' . $hash;
434 $randHashDB = $validEnd . '|' . md5($hash);
435
436 // Write hash to DB
437 $userTable = $this->frontendController->fe_user->user_table;
438 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($userTable);
439 $queryBuilder->getRestrictions()->removeAll();
440 $queryBuilder->update($userTable)
441 ->set('felogin_forgotHash', $randHashDB)
442 ->where(
443 $queryBuilder->expr()->eq(
444 'uid',
445 $queryBuilder->createNamedParameter($user['uid'], \PDO::PARAM_INT)
446 )
447 )
448 ->execute();
449
450 // Send hashlink to user
451 $this->conf['linkPrefix'] = -1;
452 $isAbsRefPrefix = !empty($this->frontendController->absRefPrefix);
453 $isBaseURL = !empty($this->frontendController->baseUrl);
454 $isFeloginBaseURL = !empty($this->conf['feloginBaseURL']);
455 $link = $this->pi_getPageLink($this->frontendController->id, '', [
456 rawurlencode($this->prefixId . '[user]') => $user['uid'],
457 rawurlencode($this->prefixId . '[forgothash]') => $randHash
458 ]);
459 // Prefix link if necessary
460 if ($isFeloginBaseURL) {
461 // First priority, use specific base URL
462 // "absRefPrefix" must be removed first, otherwise URL will be prepended twice
463 if ($isAbsRefPrefix) {
464 $link = substr($link, strlen($this->frontendController->absRefPrefix));
465 }
466 $link = $this->conf['feloginBaseURL'] . $link;
467 } elseif ($isAbsRefPrefix) {
468 // Second priority
469 // absRefPrefix must not necessarily contain a hostname and URL scheme, so add it if needed
470 $link = GeneralUtility::locationHeaderUrl($link);
471 } elseif ($isBaseURL) {
472 // Third priority
473 // Add the global base URL to the link
474 $link = $this->frontendController->baseUrlWrap($link);
475 } else {
476 // No prefix is set, return the error
477 return $this->pi_getLL('ll_change_password_nolinkprefix_message');
478 }
479 $msg = sprintf($this->pi_getLL('ll_forgot_validate_reset_password'), $user['username'], $link, $validEndString);
480 // Add hook for extra processing of mail message
481 $params = [
482 'message' => &$msg,
483 'user' => &$user
484 ];
485 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'] ?? [] as $reference) {
486 if ($reference) {
487 GeneralUtility::callUserFunction($reference, $params, $this);
488 }
489 }
490 if ($user['email']) {
491 $this->cObj->sendNotifyEmail($msg, $user['email'], '', $this->conf['email_from'], $this->conf['email_fromName'], $this->conf['replyTo']);
492 }
493
494 return '';
495 }
496
497 /**
498 * Shows logout form
499 *
500 * @return string The content.
501 */
502 protected function showLogout()
503 {
504 $subpart = $this->templateService->getSubpart($this->template, '###TEMPLATE_LOGOUT###');
505 $subpartArray = ($linkpartArray = []);
506 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('status_header', $this->conf['logoutHeader_stdWrap.']);
507 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('status_message', $this->conf['logoutMessage_stdWrap.']);
508 $this->cObj->stdWrap($this->flexFormValue('message', 's_status'), $this->conf['logoutMessage_stdWrap.']);
509 $markerArray['###LEGEND###'] = htmlspecialchars($this->pi_getLL('logout'));
510 $markerArray['###ACTION_URI###'] = $this->getPageLink('', [], true);
511 $markerArray['###LOGOUT_LABEL###'] = htmlspecialchars($this->pi_getLL('logout'));
512 $markerArray['###NAME###'] = htmlspecialchars($this->frontendController->fe_user->user['name']);
513 $markerArray['###STORAGE_PID###'] = $this->spid;
514 $markerArray['###USERNAME###'] = htmlspecialchars($this->frontendController->fe_user->user['username']);
515 $markerArray['###USERNAME_LABEL###'] = htmlspecialchars($this->pi_getLL('username'));
516 $markerArray['###NOREDIRECT###'] = $this->noRedirect ? '1' : '0';
517 $markerArray['###PREFIXID###'] = $this->prefixId;
518 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
519 if ($this->redirectUrl) {
520 // Use redirectUrl for action tag because of possible access restricted pages
521 $markerArray['###ACTION_URI###'] = htmlspecialchars($this->redirectUrl);
522 $this->redirectUrl = '';
523 }
524 return $this->templateService->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
525 }
526
527 /**
528 * Shows login form
529 *
530 * @return string Content
531 */
532 protected function showLogin()
533 {
534 $subpart = $this->templateService->getSubpart($this->template, '###TEMPLATE_LOGIN###');
535 $subpartArray = ($linkpartArray = ($markerArray = []));
536 $gpRedirectUrl = '';
537 $markerArray['###LEGEND###'] = htmlspecialchars($this->pi_getLL('oLabel_header_welcome'));
538 if ($this->logintype === LoginType::LOGIN) {
539 if ($this->userIsLoggedIn) {
540 // login success
541 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('success_header', $this->conf['successHeader_stdWrap.']);
542 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('success_message', $this->conf['successMessage_stdWrap.']);
543 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
544 $subpartArray['###LOGIN_FORM###'] = '';
545 // Hook for general actions after after login has been confirmed (by Thomas Danzl <thomas@danzl.org>)
546 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_confirmed'] ?? [] as $_funcRef) {
547 $_params = [];
548 if ($_funcRef) {
549 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
550 }
551 }
552 // show logout form directly
553 if ($this->conf['showLogoutFormAfterLogin']) {
554 $this->redirectUrl = '';
555 return $this->showLogout();
556 }
557 } else {
558 // Hook for general actions on login error
559 $params = [];
560 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'] ?? [] as $funcRef) {
561 if ($funcRef) {
562 GeneralUtility::callUserFunction($funcRef, $params, $this);
563 }
564 }
565 // login error
566 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('error_header', $this->conf['errorHeader_stdWrap.']);
567 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('error_message', $this->conf['errorMessage_stdWrap.']);
568 $gpRedirectUrl = GeneralUtility::_GP('redirect_url');
569 }
570 } else {
571 if ($this->logintype === LoginType::LOGOUT) {
572 // login form after logout
573 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('logout_header', $this->conf['logoutHeader_stdWrap.']);
574 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('logout_message', $this->conf['logoutMessage_stdWrap.']);
575 } else {
576 // login form
577 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('welcome_header', $this->conf['welcomeHeader_stdWrap.']);
578 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('welcome_message', $this->conf['welcomeMessage_stdWrap.']);
579 }
580 }
581
582 // This hook allows to call User JS functions.
583 // The methods should also set the required JS functions to get included
584 $onSubmit = '';
585 $extraHidden = '';
586 $onSubmitAr = [];
587 $extraHiddenAr = [];
588 // Check for referer redirect method. if present, save referer in form field
589 if (GeneralUtility::inList($this->conf['redirectMode'], 'referer') || GeneralUtility::inList($this->conf['redirectMode'], 'refererDomains')) {
590 $referer = $this->referer ? $this->referer : GeneralUtility::getIndpEnv('HTTP_REFERER');
591 if ($referer) {
592 $extraHiddenAr[] = '<input type="hidden" name="referer" value="' . htmlspecialchars($referer) . '" />';
593 if ($this->piVars['redirectReferrer'] === 'off') {
594 $extraHiddenAr[] = '<input type="hidden" name="' . $this->prefixId . '[redirectReferrer]" value="off" />';
595 }
596 }
597 }
598 $_params = [];
599 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'] ?? [] as $funcRef) {
600 list($onSub, $hid) = GeneralUtility::callUserFunction($funcRef, $_params, $this);
601 $onSubmitAr[] = $onSub;
602 $extraHiddenAr[] = $hid;
603 }
604 if (!empty($onSubmitAr)) {
605 $onSubmit = implode('; ', $onSubmitAr) . '; return true;';
606 }
607 if (!empty($extraHiddenAr)) {
608 $extraHidden = implode(LF, $extraHiddenAr);
609 }
610 if (!$gpRedirectUrl && $this->redirectUrl) {
611 $gpRedirectUrl = $this->redirectUrl;
612 }
613 // Login form
614 $markerArray['###ACTION_URI###'] = $this->getPageLink('', [], true);
615 // Used by kb_md5fepw extension...
616 $markerArray['###EXTRA_HIDDEN###'] = $extraHidden;
617 $markerArray['###LEGEND###'] = htmlspecialchars($this->pi_getLL('login'));
618 $markerArray['###LOGIN_LABEL###'] = htmlspecialchars($this->pi_getLL('login'));
619 // Used by kb_md5fepw extension...
620 $markerArray['###ON_SUBMIT###'] = $onSubmit;
621 $markerArray['###PASSWORD_LABEL###'] = htmlspecialchars($this->pi_getLL('password'));
622 $markerArray['###STORAGE_PID###'] = $this->spid;
623 $markerArray['###USERNAME_LABEL###'] = htmlspecialchars($this->pi_getLL('username'));
624 $markerArray['###REDIRECT_URL###'] = htmlspecialchars($gpRedirectUrl);
625 $markerArray['###NOREDIRECT###'] = $this->noRedirect ? '1' : '0';
626 $markerArray['###PREFIXID###'] = $this->prefixId;
627 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
628 if ($this->conf['showForgotPasswordLink']) {
629 $linkpartArray['###FORGOT_PASSWORD_LINK###'] = explode('|', $this->getPageLink('|', [$this->prefixId . '[forgot]' => 1]));
630 $markerArray['###FORGOT_PASSWORD###'] = htmlspecialchars($this->pi_getLL('ll_forgot_header'));
631 } else {
632 $subpartArray['###FORGOTP_VALID###'] = '';
633 }
634 // The permanent login checkbox should only be shown if permalogin is not deactivated (-1),
635 // not forced to be always active (2) and lifetime is greater than 0
636 $permalogin = (int)$GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'];
637 if (
638 $this->conf['showPermaLogin']
639 && ($permalogin === 0 || $permalogin === 1)
640 && $GLOBALS['TYPO3_CONF_VARS']['FE']['lifetime'] > 0
641 ) {
642 $markerArray['###PERMALOGIN###'] = htmlspecialchars($this->pi_getLL('permalogin'));
643 if ($permalogin === 1) {
644 $markerArray['###PERMALOGIN_HIDDENFIELD_ATTRIBUTES###'] = 'disabled="disabled"';
645 $markerArray['###PERMALOGIN_CHECKBOX_ATTRIBUTES###'] = 'checked="checked"';
646 } else {
647 $markerArray['###PERMALOGIN_HIDDENFIELD_ATTRIBUTES###'] = '';
648 $markerArray['###PERMALOGIN_CHECKBOX_ATTRIBUTES###'] = '';
649 }
650 } else {
651 $subpartArray['###PERMALOGIN_VALID###'] = '';
652 }
653 return $this->templateService->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
654 }
655
656 /**
657 * Process redirect methods. The function searches for a redirect url using all configured methods.
658 *
659 * @return array Redirect URLs
660 */
661 protected function processRedirect()
662 {
663 $redirect_url = [];
664 if ($this->conf['redirectMode']) {
665 $redirectMethods = GeneralUtility::trimExplode(',', $this->conf['redirectMode'], true);
666 foreach ($redirectMethods as $redirMethod) {
667 if ($this->userIsLoggedIn && $this->logintype === LoginType::LOGIN) {
668 // Logintype is needed because the login-page wouldn't be accessible anymore after a login (would always redirect)
669 switch ($redirMethod) {
670 case 'groupLogin':
671 // taken from dkd_redirect_at_login written by Ingmar Schlecht; database-field changed
672 $groupData = $this->frontendController->fe_user->groupData;
673 if (!empty($groupData['uid'])) {
674
675 // take the first group with a redirect page
676 $userGroupTable = $this->frontendController->fe_user->usergroup_table;
677 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($userGroupTable);
678 $queryBuilder->getRestrictions()->removeAll();
679 $row = $queryBuilder
680 ->select('felogin_redirectPid')
681 ->from($userGroupTable)
682 ->where(
683 $queryBuilder->expr()->neq(
684 'felogin_redirectPid',
685 $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
686 ),
687 $queryBuilder->expr()->in(
688 'uid',
689 $queryBuilder->createNamedParameter(
690 $groupData['uid'],
691 Connection::PARAM_INT_ARRAY
692 )
693 )
694 )
695 ->execute()
696 ->fetch();
697
698 if ($row) {
699 $redirect_url[] = $this->pi_getPageLink($row['felogin_redirectPid']);
700 }
701 }
702 break;
703 case 'userLogin':
704
705 $userTable = $this->frontendController->fe_user->user_table;
706 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($userTable);
707 $queryBuilder->getRestrictions()->removeAll();
708 $row = $queryBuilder
709 ->select('felogin_redirectPid')
710 ->from($userTable)
711 ->where(
712 $queryBuilder->expr()->neq(
713 'felogin_redirectPid',
714 $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
715 ),
716 $queryBuilder->expr()->eq(
717 $this->frontendController->fe_user->userid_column,
718 $queryBuilder->createNamedParameter(
719 $this->frontendController->fe_user->user['uid'],
720 \PDO::PARAM_INT
721 )
722 )
723 )
724 ->execute()
725 ->fetch();
726
727 if ($row) {
728 $redirect_url[] = $this->pi_getPageLink($row['felogin_redirectPid']);
729 }
730
731 break;
732 case 'login':
733 if ($this->conf['redirectPageLogin']) {
734 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogin']);
735 }
736 break;
737 case 'getpost':
738 $redirect_url[] = $this->redirectUrl;
739 break;
740 case 'referer':
741 // Avoid redirect when logging in after changing password
742 if ($this->piVars['redirectReferrer'] !== 'off') {
743 // Avoid forced logout, when trying to login immediately after a logout
744 $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $this->referer);
745 }
746 break;
747 case 'refererDomains':
748 // Auto redirect.
749 // Feature to redirect to the page where the user came from (HTTP_REFERER).
750 // Allowed domains to redirect to, can be configured with plugin.tx_felogin_pi1.domains
751 // Thanks to plan2.net / Martin Kutschker for implementing this feature.
752 // also avoid redirect when logging in after changing password
753 if (isset($this->conf['domains']) && $this->conf['domains']
754 && (!isset($this->piVars['redirectReferrer']) || $this->piVars['redirectReferrer'] !== 'off')
755 ) {
756 $url = $this->referer;
757 // Is referring url allowed to redirect?
758 $match = [];
759 if (preg_match('#^http://([[:alnum:]._-]+)/#', $url, $match)) {
760 $redirect_domain = $match[1];
761 $found = false;
762 foreach (GeneralUtility::trimExplode(',', $this->conf['domains'], true) as $d) {
763 if (preg_match('/(?:^|\\.)' . $d . '$/', $redirect_domain)) {
764 $found = true;
765 break;
766 }
767 }
768 if (!$found) {
769 $url = '';
770 }
771 }
772 // Avoid forced logout, when trying to login immediately after a logout
773 if ($url) {
774 $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $url);
775 }
776 }
777 break;
778 }
779 } elseif ($this->logintype === LoginType::LOGIN) {
780 // after login-error
781 switch ($redirMethod) {
782 case 'loginError':
783 if ($this->conf['redirectPageLoginError']) {
784 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLoginError']);
785 }
786 break;
787 }
788 } elseif ($this->logintype == '' && $redirMethod === 'login' && $this->conf['redirectPageLogin']) {
789 // If login and page not accessible
790 $this->cObj->typoLink('', [
791 'parameter' => $this->conf['redirectPageLogin'],
792 'linkAccessRestrictedPages' => true
793 ]);
794 $redirect_url[] = $this->cObj->lastTypoLinkUrl;
795 } elseif ($this->logintype == '' && $redirMethod === 'logout' && $this->conf['redirectPageLogout'] && $this->userIsLoggedIn) {
796 // If logout and page not accessible
797 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogout']);
798 } elseif ($this->logintype === LoginType::LOGOUT) {
799 // after logout
800 // Hook for general actions after after logout has been confirmed
801 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['logout_confirmed'] ?? [] as $_funcRef) {
802 $_params = [];
803 if ($_funcRef) {
804 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
805 }
806 }
807 switch ($redirMethod) {
808 case 'logout':
809 if ($this->conf['redirectPageLogout']) {
810 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogout']);
811 }
812 break;
813 }
814 } else {
815 // not logged in
816 // Placeholder for maybe future options
817 switch ($redirMethod) {
818 case 'getpost':
819 // Preserve the get/post value
820 $redirect_url[] = $this->redirectUrl;
821 break;
822 }
823 }
824 }
825 }
826 // Remove empty values, but keep "0" as value (that's why "strlen" is used as second parameter)
827 if (!empty($redirect_url)) {
828 return array_filter($redirect_url, 'strlen');
829 }
830 return [];
831 }
832
833 /**
834 * Reads flexform configuration and merge it with $this->conf
835 */
836 protected function mergeflexFormValuesIntoConf()
837 {
838 $flex = [];
839 if ($this->flexFormValue('showForgotPassword', 'sDEF')) {
840 $flex['showForgotPasswordLink'] = $this->flexFormValue('showForgotPassword', 'sDEF');
841 }
842 if ($this->flexFormValue('showPermaLogin', 'sDEF')) {
843 $flex['showPermaLogin'] = $this->flexFormValue('showPermaLogin', 'sDEF');
844 }
845 if ($this->flexFormValue('showLogoutFormAfterLogin', 'sDEF')) {
846 $flex['showLogoutFormAfterLogin'] = $this->flexFormValue('showLogoutFormAfterLogin', 'sDEF');
847 }
848 if ($this->flexFormValue('pages', 'sDEF')) {
849 $flex['pages'] = $this->flexFormValue('pages', 'sDEF');
850 }
851 if ($this->flexFormValue('recursive', 'sDEF')) {
852 $flex['recursive'] = $this->flexFormValue('recursive', 'sDEF');
853 }
854 if ($this->flexFormValue('redirectMode', 's_redirect')) {
855 $flex['redirectMode'] = $this->flexFormValue('redirectMode', 's_redirect');
856 }
857 if ($this->flexFormValue('redirectFirstMethod', 's_redirect')) {
858 $flex['redirectFirstMethod'] = $this->flexFormValue('redirectFirstMethod', 's_redirect');
859 }
860 if ($this->flexFormValue('redirectDisable', 's_redirect')) {
861 $flex['redirectDisable'] = $this->flexFormValue('redirectDisable', 's_redirect');
862 }
863 if ($this->flexFormValue('redirectPageLogin', 's_redirect')) {
864 $flex['redirectPageLogin'] = $this->flexFormValue('redirectPageLogin', 's_redirect');
865 }
866 if ($this->flexFormValue('redirectPageLoginError', 's_redirect')) {
867 $flex['redirectPageLoginError'] = $this->flexFormValue('redirectPageLoginError', 's_redirect');
868 }
869 if ($this->flexFormValue('redirectPageLogout', 's_redirect')) {
870 $flex['redirectPageLogout'] = $this->flexFormValue('redirectPageLogout', 's_redirect');
871 }
872 $pid = $flex['pages'] ? $this->pi_getPidList($flex['pages'], $flex['recursive']) : 0;
873 if ($pid > 0) {
874 $flex['storagePid'] = $pid;
875 }
876 $this->conf = array_merge($this->conf, $flex);
877 }
878
879 /**
880 * Loads a variable from the flexform
881 *
882 * @param string $var Name of variable
883 * @param string $sheet Name of sheet
884 * @return string Value of var
885 */
886 protected function flexFormValue($var, $sheet)
887 {
888 return $this->pi_getFFvalue($this->cObj->data['pi_flexform'], $var, $sheet);
889 }
890
891 /**
892 * Generate link with typolink function
893 *
894 * @param string $label Linktext
895 * @param array $piVars Link vars
896 * @param bool $returnUrl TRUE: returns only url FALSE (default) returns the link)
897 * @return string Link or url
898 */
899 protected function getPageLink($label, $piVars, $returnUrl = false)
900 {
901 $additionalParams = '';
902 if (!empty($piVars)) {
903 foreach ($piVars as $key => $val) {
904 $additionalParams .= '&' . $key . '=' . $val;
905 }
906 }
907 // Should GETvars be preserved?
908 if ($this->conf['preserveGETvars']) {
909 $additionalParams .= $this->getPreserveGetVars();
910 }
911 $this->conf['linkConfig.']['parameter'] = $this->frontendController->id;
912 if ($additionalParams) {
913 $this->conf['linkConfig.']['additionalParams'] = $additionalParams;
914 }
915 if ($returnUrl) {
916 return htmlspecialchars($this->cObj->typoLink_URL($this->conf['linkConfig.']));
917 }
918 return $this->cObj->typoLink($label, $this->conf['linkConfig.']);
919 }
920
921 /**
922 * Add additional parameters for links according to TS setting preserveGETvars.
923 * Possible values are "all" or a comma separated list of allowed GET-vars.
924 * Supports multi-dimensional GET-vars.
925 * Some hardcoded values are dropped.
926 *
927 * @return string additionalParams-string
928 */
929 protected function getPreserveGetVars()
930 {
931 $getVars = GeneralUtility::_GET();
932 unset(
933 $getVars['id'],
934 $getVars['no_cache'],
935 $getVars['logintype'],
936 $getVars['redirect_url'],
937 $getVars['cHash'],
938 $getVars[$this->prefixId]
939 );
940 if ($this->conf['preserveGETvars'] === 'all') {
941 $preserveQueryParts = $getVars;
942 } else {
943 $preserveQueryStringProperties = GeneralUtility::trimExplode(',', $this->conf['preserveGETvars']);
944 $preserveQueryParts = [];
945 parse_str(implode('=1&', $preserveQueryStringProperties) . '=1', $preserveQueryParts);
946 $preserveQueryParts = \TYPO3\CMS\Core\Utility\ArrayUtility::intersectRecursive($getVars, $preserveQueryParts);
947 }
948 $parameters = GeneralUtility::implodeArrayForUrl('', $preserveQueryParts);
949 return $parameters;
950 }
951
952 /**
953 * Is used by forgot password - function with md5 option.
954 * @param int $len Length of new password
955 * @return string New password
956 */
957 protected function generatePassword($len)
958 {
959 $pass = '';
960 while ($len--) {
961 $char = rand(0, 35);
962 if ($char < 10) {
963 $pass .= '' . $char;
964 } else {
965 $pass .= chr($char - 10 + 97);
966 }
967 }
968 return $pass;
969 }
970
971 /**
972 * Returns the header / message value from flexform if present, else from locallang.xlf
973 *
974 * @param string $label label name
975 * @param array $stdWrapArray TS stdWrap array
976 * @return string label text
977 */
978 protected function getDisplayText($label, $stdWrapArray = [])
979 {
980 $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label), $stdWrapArray);
981 $replace = $this->getUserFieldMarkers();
982 return strtr($text, $replace);
983 }
984
985 /**
986 * Returns Array of markers filled with user fields
987 *
988 * @return array Marker array
989 */
990 protected function getUserFieldMarkers()
991 {
992 $marker = [];
993 // replace markers with fe_user data
994 if ($this->frontendController->fe_user->user) {
995 // All fields of fe_user will be replaced, scheme is ###FEUSER_FIELDNAME###
996 foreach ($this->frontendController->fe_user->user as $field => $value) {
997 $marker['###FEUSER_' . strtoupper($field) . '###'] = $this->cObj->stdWrap($value, $this->conf['userfields.'][$field . '.']);
998 }
999 // Add ###USER### for compatibility
1000 $marker['###USER###'] = $marker['###FEUSER_USERNAME###'];
1001 }
1002 return $marker;
1003 }
1004
1005 /**
1006 * Returns a valid and XSS cleaned url for redirect, checked against configuration "allowedRedirectHosts"
1007 *
1008 * @param string $url
1009 * @return string cleaned referer or empty string if not valid
1010 */
1011 protected function validateRedirectUrl($url)
1012 {
1013 $url = strval($url);
1014 if ($url === '') {
1015 return '';
1016 }
1017 // Validate the URL:
1018 if ($this->isRelativeUrl($url) || $this->isInCurrentDomain($url) || $this->isInLocalDomain($url)) {
1019 return $url;
1020 }
1021 // URL is not allowed
1022 $this->logger->warning('Url "' . $url . '" for redirect was not accepted!');
1023 return '';
1024 }
1025
1026 /**
1027 * Determines whether the URL is on the current host and belongs to the
1028 * current TYPO3 installation. The scheme part is ignored in the comparison.
1029 *
1030 * @param string $url URL to be checked
1031 * @return bool Whether the URL belongs to the current TYPO3 installation
1032 */
1033 protected function isInCurrentDomain($url)
1034 {
1035 $urlWithoutSchema = preg_replace('#^https?://#', '', $url);
1036 $siteUrlWithoutSchema = preg_replace('#^https?://#', '', GeneralUtility::getIndpEnv('TYPO3_SITE_URL'));
1037 return strpos($urlWithoutSchema . '/', GeneralUtility::getIndpEnv('HTTP_HOST') . '/') === 0
1038 && strpos($urlWithoutSchema, $siteUrlWithoutSchema) === 0;
1039 }
1040
1041 /**
1042 * Determines whether the URL matches a domain
1043 * in the sys_domain database table.
1044 *
1045 * @param string $url Absolute URL which needs to be checked
1046 * @return bool Whether the URL is considered to be local
1047 */
1048 protected function isInLocalDomain($url)
1049 {
1050 $result = false;
1051 if (GeneralUtility::isValidUrl($url)) {
1052 $parsedUrl = parse_url($url);
1053 if ($parsedUrl['scheme'] === 'http' || $parsedUrl['scheme'] === 'https') {
1054 $host = $parsedUrl['host'];
1055 // Removes the last path segment and slash sequences like /// (if given):
1056 $path = preg_replace('#/+[^/]*$#', '', $parsedUrl['path'] ?? '');
1057
1058 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('sys_domain');
1059 $queryBuilder->setRestrictions(GeneralUtility::makeInstance(FrontendRestrictionContainer::class));
1060 $localDomains = $queryBuilder->select('domainName')
1061 ->from('sys_domain')
1062 ->execute()
1063 ->fetchAll();
1064
1065 if (is_array($localDomains)) {
1066 foreach ($localDomains as $localDomain) {
1067 // strip trailing slashes (if given)
1068 $domainName = rtrim($localDomain['domainName'], '/');
1069 if (GeneralUtility::isFirstPartOfStr($host . $path . '/', $domainName . '/')) {
1070 $result = true;
1071 break;
1072 }
1073 }
1074 }
1075 }
1076 }
1077 return $result;
1078 }
1079
1080 /**
1081 * Determines whether the URL is relative to the
1082 * current TYPO3 installation.
1083 *
1084 * @param string $url URL which needs to be checked
1085 * @return bool Whether the URL is considered to be relative
1086 */
1087 protected function isRelativeUrl($url)
1088 {
1089 $url = GeneralUtility::sanitizeLocalUrl($url);
1090 if (!empty($url)) {
1091 $parsedUrl = @parse_url($url);
1092 if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
1093 // If the relative URL starts with a slash, we need to check if it's within the current site path
1094 return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
1095 }
1096 }
1097 return false;
1098 }
1099 }