typo3/sysext/frontend/Classes/Middleware/BackendUserAuthenticator.php

   1 <?php
   2 declare(strict_types = 1);
   3
   4 namespace TYPO3\CMS\Frontend\Middleware;
   5
   6 /*
   7  * This file is part of the TYPO3 CMS project.
   8  *
   9  * It is free software; you can redistribute it and/or modify it under
  10  * the terms of the GNU General Public License, either version 2
  11  * of the License, or any later version.
  12  *
  13  * For the full copyright and license information, please read the
  14  * LICENSE.txt file that was distributed with this source code.
  15  *
  16  * The TYPO3 project - inspiring people to share!
  17  */
  18
  19 use Psr\Http\Message\ResponseInterface;
  20 use Psr\Http\Message\ServerRequestInterface;
  21 use Psr\Http\Server\MiddlewareInterface;
  22 use Psr\Http\Server\RequestHandlerInterface;
  23 use TYPO3\CMS\Backend\FrontendBackendUserAuthentication;
  24 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
  25 use TYPO3\CMS\Core\Context\Context;
  26 use TYPO3\CMS\Core\Context\UserAspect;
  27 use TYPO3\CMS\Core\Context\WorkspaceAspect;
  28 use TYPO3\CMS\Core\Core\Bootstrap;
  29 use TYPO3\CMS\Core\Http\NormalizedParams;
  30 use TYPO3\CMS\Core\Utility\GeneralUtility;
  31
  32 /**
  33  * This middleware authenticates a Backend User (be_user) (pre)-viewing a frontend page.
  34  *
  35  * This middleware also ensures that $GLOBALS['LANG'] is available, however it is possible that
  36  * a different middleware later-on might unset the BE_USER as he/she is not allowed to preview a certain
  37  * page due to rights management. As this can only happen once the page ID is resolved, this will happen
  38  * after the routing middleware.
  39  *
  40  * Currently, this middleware depends on the availability of $GLOBALS['TSFE'], however, this is solely
  41  * due to backwards-compatibility and will be disabled in the future.
  42  */
  43 class BackendUserAuthenticator implements MiddlewareInterface
  44 {
  45     /**
  46      * Creates a frontend user authentication object, tries to authenticate a user
  47      * and stores the object in $GLOBALS['TSFE']->fe_user.
  48      *
  49      * @param ServerRequestInterface $request
  50      * @param RequestHandlerInterface $handler
  51      * @return ResponseInterface
  52      */
  53     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
  54     {
  55         // Initializing a possible logged-in Backend User
  56         // If the backend cookie is set,
  57         // we proceed and check if a backend user is logged in.
  58         $backendUserObject = null;
  59         if (isset($request->getCookieParams()[BackendUserAuthentication::getCookieName()])) {
  60             $backendUserObject = $this->initializeBackendUser($request);
  61         }
  62
  63         $GLOBALS['BE_USER'] = $backendUserObject;
  64
  65         // POST BE_USER HOOK
  66         if (!empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/index_ts.php']['postBeUser'])) {
  67             $_params = [
  68                 'BE_USER' => &$GLOBALS['BE_USER']
  69             ];
  70             trigger_error('The "postBeUser" hook will be removed in TYPO3 v10.0 in favor of PSR-15. Use a middleware instead.', E_USER_DEPRECATED);
  71             foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/index_ts.php']['postBeUser'] as $_funcRef) {
  72                 GeneralUtility::callUserFunction($_funcRef, $_params, $GLOBALS['TSFE']);
  73             }
  74         }
  75
  76         // Load specific dependencies which are necessary for a valid Backend User
  77         // like $GLOBALS['LANG'] for labels in the language of the BE User, the router, and ext_tables.php for all modules
  78         // So things like Frontend Editing and Admin Panel can use this for generating links to the TYPO3 Backend.
  79         if ($GLOBALS['BE_USER'] instanceof FrontendBackendUserAuthentication) {
  80             Bootstrap::initializeLanguageObject();
  81             Bootstrap::initializeBackendRouter();
  82             Bootstrap::loadExtTables();
  83             $this->setBackendUserAspect(GeneralUtility::makeInstance(Context::class), $GLOBALS['BE_USER']);
  84         }
  85
  86         return $handler->handle($request);
  87     }
  88
  89     /**
  90      * Creates the backend user object and returns it.
  91      *
  92      * @param ServerRequestInterface $request
  93      * @return FrontendBackendUserAuthentication|null the backend user object or null if there was no valid user found
  94      * @throws \TYPO3\CMS\Core\Exception
  95      */
  96     protected function initializeBackendUser(ServerRequestInterface $request)
  97     {
  98         // New backend user object
  99         $backendUserObject = GeneralUtility::makeInstance(FrontendBackendUserAuthentication::class);
 100         $backendUserObject->start();
 101         $backendUserObject->unpack_uc();
 102         if (!empty($backendUserObject->user['uid'])) {
 103             $backendUserObject->fetchGroupData();
 104         }
 105         // Unset the user initialization if any setting / restriction applies
 106         if (!$this->isAuthenticated($backendUserObject, $request->getAttribute('normalizedParams'))) {
 107             $backendUserObject = null;
 108         }
 109         return $backendUserObject;
 110     }
 111
 112     /**
 113      * Implementing the access checks that the TYPO3 CMS bootstrap script does before a user is ever logged in.
 114      *
 115      * @param FrontendBackendUserAuthentication $user
 116      * @param NormalizedParams $normalizedParams
 117      * @return bool Returns TRUE if access is OK
 118      */
 119     protected function isAuthenticated(FrontendBackendUserAuthentication $user, NormalizedParams $normalizedParams)
 120     {
 121         // Check IP
 122         $ipMask = trim($GLOBALS['TYPO3_CONF_VARS']['BE']['IPmaskList'] ?? '');
 123         if ($ipMask && !GeneralUtility::cmpIP($normalizedParams->getRemoteAddress(), $ipMask)) {
 124             return false;
 125         }
 126         // Check SSL (https)
 127         if ((bool)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] && !$normalizedParams->isHttps()) {
 128             return false;
 129         }
 130         return $user->backendCheckLogin();
 131     }
 132
 133     /**
 134      * Register the backend user as aspect
 135      *
 136      * @param Context $context
 137      * @param BackendUserAuthentication|null $user
 138      */
 139     protected function setBackendUserAspect(Context $context, BackendUserAuthentication $user)
 140     {
 141         $context->setAspect('backend.user', GeneralUtility::makeInstance(UserAspect::class, $user));
 142         $context->setAspect('workspace', GeneralUtility::makeInstance(WorkspaceAspect::class, $user->workspace));
 143     }
 144 }