[BUGFIX] Felogin improperly merges flexforms and TS conf
[Packages/TYPO3.CMS.git] / typo3 / sysext / felogin / Classes / Controller / FrontendLoginController.php
1 <?php
2 namespace TYPO3\CMS\Felogin\Controller;
3
4 /**
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Utility\GeneralUtility;
18
19 /**
20 * Plugin 'Website User Login' for the 'felogin' extension.
21 *
22 * @author Steffen Kamper <info@sk-typo3.de>
23 */
24 class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin {
25
26 /**
27 * Same as class name
28 *
29 * @todo Define visibility
30 */
31 public $prefixId = 'tx_felogin_pi1';
32
33 /**
34 * Path to this script relative to the extension dir.
35 *
36 * @todo Define visibility
37 */
38 public $scriptRelPath = 'pi1/class.tx_felogin_pi1.php';
39
40 /**
41 * The extension key.
42 *
43 * @todo Define visibility
44 */
45 public $extKey = 'felogin';
46
47 /**
48 * @var boolean
49 */
50 public $pi_checkCHash = FALSE;
51
52 /**
53 * @var boolean
54 */
55 public $pi_USER_INT_obj = TRUE;
56
57 /**
58 * Is user logged in?
59 *
60 * @var boolean
61 */
62 protected $userIsLoggedIn;
63
64 /**
65 * Holds the template for FE rendering
66 *
67 * @var string
68 */
69 protected $template;
70
71 /**
72 * Upload directory, used for flexform template files
73 *
74 * @var string
75 */
76 protected $uploadDir;
77
78 /**
79 * URL for the redirect
80 *
81 * @var string
82 */
83 protected $redirectUrl;
84
85 /**
86 * Flag for disable the redirect
87 *
88 * @var boolean
89 */
90 protected $noRedirect = FALSE;
91
92 /**
93 * Logintype (given as GPvar), possible: login, logout
94 *
95 * @var string
96 */
97 protected $logintype;
98
99 /**
100 * The main method of the plugin
101 *
102 * @param string $content The PlugIn content
103 * @param array $conf The PlugIn configuration
104 * @return string The content that is displayed on the website
105 */
106 public function main($content, $conf) {
107 // Loading TypoScript array into object variable:
108 $this->conf = $conf;
109 $this->uploadDir = 'uploads/tx_felogin/';
110 // Loading default pivars
111 $this->pi_setPiVarDefaults();
112 // Loading language-labels
113 $this->pi_loadLL();
114 // Init FlexForm configuration for plugin:
115 $this->pi_initPIflexForm();
116 $this->mergeflexFormValuesIntoConf();
117 // Get storage PIDs:
118 if ($this->conf['storagePid']) {
119 if ((int)$this->conf['recursive']) {
120 $this->spid = $this->pi_getPidList($this->conf['storagePid'], (int)$this->conf['recursive']);
121 } else {
122 $this->spid = $this->conf['storagePid'];
123 }
124 } else {
125 $pids = $GLOBALS['TSFE']->getStorageSiterootPids();
126 $this->spid = $pids['_STORAGE_PID'];
127 }
128 // GPvars:
129 $this->logintype = GeneralUtility::_GP('logintype');
130 $this->referer = $this->validateRedirectUrl(GeneralUtility::_GP('referer'));
131 $this->noRedirect = $this->piVars['noredirect'] || $this->conf['redirectDisable'];
132 // If config.typolinkLinkAccessRestrictedPages is set, the var is return_url
133 $returnUrl = GeneralUtility::_GP('return_url');
134 if ($returnUrl) {
135 $this->redirectUrl = $returnUrl;
136 } else {
137 $this->redirectUrl = GeneralUtility::_GP('redirect_url');
138 }
139 $this->redirectUrl = $this->validateRedirectUrl($this->redirectUrl);
140 // Get Template
141 $templateFile = $this->conf['templateFile'] ?: 'EXT:felogin/template.html';
142 $this->template = $this->cObj->fileResource($templateFile);
143 // Is user logged in?
144 $this->userIsLoggedIn = $GLOBALS['TSFE']->loginUser;
145 // Redirect
146 if ($this->conf['redirectMode'] && !$this->conf['redirectDisable'] && !$this->noRedirect) {
147 $redirectUrl = $this->processRedirect();
148 if (count($redirectUrl)) {
149 $this->redirectUrl = $this->conf['redirectFirstMethod'] ? array_shift($redirectUrl) : array_pop($redirectUrl);
150 } else {
151 $this->redirectUrl = '';
152 }
153 }
154 // What to display
155 $content = '';
156 if ($this->piVars['forgot'] && $this->conf['showForgotPasswordLink']) {
157 $content .= $this->showForgot();
158 } elseif ($this->piVars['forgothash']) {
159 $content .= $this->changePassword();
160 } else {
161 if ($this->userIsLoggedIn && !$this->logintype) {
162 $content .= $this->showLogout();
163 } else {
164 $content .= $this->showLogin();
165 }
166 }
167 // Process the redirect
168 if (($this->logintype === 'login' || $this->logintype === 'logout') && $this->redirectUrl && !$this->noRedirect) {
169 if (!$GLOBALS['TSFE']->fe_user->isCookieSet() && $this->userIsLoggedIn) {
170 $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning', '', TRUE), $this->conf['cookieWarning_stdWrap.']);
171 } else {
172 // Add hook for extra processing before redirect
173 if (
174 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect']) &&
175 is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect'])
176 ) {
177 $_params = array(
178 'loginType' => $this->logintype,
179 'redirectUrl' => &$this->redirectUrl
180 );
181 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect'] as $_funcRef) {
182 if ($_funcRef) {
183 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
184 }
185 }
186 }
187 \TYPO3\CMS\Core\Utility\HttpUtility::redirect($this->redirectUrl);
188 }
189 }
190 // Adds hook for processing of extra item markers / special
191 if (
192 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'])
193 && is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'])
194 ) {
195 $_params = array(
196 'content' => $content
197 );
198 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'] as $_funcRef) {
199 $content = GeneralUtility::callUserFunction($_funcRef, $_params, $this);
200 }
201 }
202 return $this->conf['wrapContentInBaseClass'] ? $this->pi_wrapInBaseClass($content) : $content;
203 }
204
205 /**
206 * Shows the forgot password form
207 *
208 * @return string Content
209 */
210 protected function showForgot() {
211 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_FORGOT###');
212 $subpartArray = ($linkpartArray = array());
213 $postData = GeneralUtility::_POST($this->prefixId);
214 if ($postData['forgot_email']) {
215 // Get hashes for compare
216 $postedHash = $postData['forgot_hash'];
217 $hashData = $GLOBALS['TSFE']->fe_user->getKey('ses', 'forgot_hash');
218 if ($postedHash === $hashData['forgot_hash']) {
219 $row = FALSE;
220 // Look for user record
221 $data = $GLOBALS['TYPO3_DB']->fullQuoteStr($this->piVars['forgot_email'], 'fe_users');
222 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
223 'uid, username, password, email',
224 'fe_users',
225 '(email=' . $data . ' OR username=' . $data . ') AND pid IN (' . $GLOBALS['TYPO3_DB']->cleanIntList($this->spid) . ') ' . $this->cObj->enableFields('fe_users')
226 );
227 if ($GLOBALS['TYPO3_DB']->sql_num_rows($res)) {
228 $row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
229 }
230 $error = NULL;
231 if ($row) {
232 // Generate an email with the hashed link
233 $error = $this->generateAndSendHash($row);
234 } elseif ($this->conf['exposeNonexistentUserInForgotPasswordDialog']) {
235 $error = $this->pi_getLL('ll_forgot_reset_message_error');
236 }
237 // Generate message
238 if ($error) {
239 $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap($error, $this->conf['forgotErrorMessage_stdWrap.']);
240 } else {
241 $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap(
242 $this->pi_getLL('ll_forgot_reset_message_emailSent', '', TRUE),
243 $this->conf['forgotResetMessageEmailSentMessage_stdWrap.']
244 );
245 }
246 $subpartArray['###FORGOT_FORM###'] = '';
247 } else {
248 // Wrong email
249 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('forgot_reset_message', $this->conf['forgotMessage_stdWrap.']);
250 $markerArray['###BACKLINK_LOGIN###'] = '';
251 }
252 } else {
253 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('forgot_reset_message', $this->conf['forgotMessage_stdWrap.']);
254 $markerArray['###BACKLINK_LOGIN###'] = '';
255 }
256 $markerArray['###BACKLINK_LOGIN###'] = $this->getPageLink($this->pi_getLL('ll_forgot_header_backToLogin', '', TRUE), array());
257 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('forgot_header', $this->conf['forgotHeader_stdWrap.']);
258 $markerArray['###LEGEND###'] = $this->pi_getLL('legend', $this->pi_getLL('reset_password', '', TRUE), TRUE);
259 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array($this->prefixId . '[forgot]' => 1), TRUE);
260 $markerArray['###EMAIL_LABEL###'] = $this->pi_getLL('your_email', '', TRUE);
261 $markerArray['###FORGOT_PASSWORD_ENTEREMAIL###'] = $this->pi_getLL('forgot_password_enterEmail', '', TRUE);
262 $markerArray['###FORGOT_EMAIL###'] = $this->prefixId . '[forgot_email]';
263 $markerArray['###SEND_PASSWORD###'] = $this->pi_getLL('reset_password', '', TRUE);
264 $markerArray['###DATA_LABEL###'] = $this->pi_getLL('ll_enter_your_data', '', TRUE);
265 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
266 // Generate hash
267 $hash = md5($this->generatePassword(3));
268 $markerArray['###FORGOTHASH###'] = $hash;
269 // Set hash in feuser session
270 $GLOBALS['TSFE']->fe_user->setKey('ses', 'forgot_hash', array('forgot_hash' => $hash));
271 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
272 }
273
274 /**
275 * This function checks the hash from link and checks the validity. If it's valid it shows the form for
276 * changing the password and process the change of password after submit, if not valid it returns the error message
277 *
278 * @return string The content.
279 */
280 protected function changePassword() {
281 $subpartArray = ($linkpartArray = array());
282 $done = FALSE;
283 $minLength = (int)$this->conf['newPasswordMinLength'] ?: 6;
284 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_CHANGEPASSWORD###');
285 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('change_password_header', $this->conf['changePasswordHeader_stdWrap.']);
286 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
287 'change_password_message',
288 $this->conf['changePasswordMessage_stdWrap.']
289 ), $minLength);
290
291 $markerArray['###BACKLINK_LOGIN###'] = '';
292 $uid = $this->piVars['user'];
293 $piHash = $this->piVars['forgothash'];
294 $hash = explode('|', $piHash);
295 if ((int)$uid === 0) {
296 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
297 'change_password_notvalid_message',
298 $this->conf['changePasswordNotValidMessage_stdWrap.']
299 );
300 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
301 } else {
302 $user = $this->pi_getRecord('fe_users', (int)$uid);
303 $userHash = $user['felogin_forgotHash'];
304 $compareHash = explode('|', $userHash);
305 if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || $hash[0] != $compareHash[0] || md5($hash[1]) != $compareHash[1]) {
306 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
307 'change_password_notvalid_message',
308 $this->conf['changePasswordNotValidMessage_stdWrap.']
309 );
310 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
311 } else {
312 // All is fine, continue with new password
313 $postData = GeneralUtility::_POST($this->prefixId);
314 if (isset($postData['changepasswordsubmit'])) {
315 if (strlen($postData['password1']) < $minLength) {
316 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
317 'change_password_tooshort_message',
318 $this->conf['changePasswordTooShortMessage_stdWrap.']),
319 $minLength
320 );
321 } elseif ($postData['password1'] != $postData['password2']) {
322 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
323 'change_password_notequal_message',
324 $this->conf['changePasswordNotEqualMessage_stdWrap.']),
325 $minLength
326 );
327 } else {
328 $newPass = $postData['password1'];
329 if ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['password_changed']) {
330 $_params = array(
331 'user' => $user,
332 'newPassword' => $newPass
333 );
334 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['password_changed'] as $_funcRef) {
335 if ($_funcRef) {
336 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
337 }
338 }
339 $newPass = $_params['newPassword'];
340 }
341 // Save new password and clear DB-hash
342 $res = $GLOBALS['TYPO3_DB']->exec_UPDATEquery(
343 'fe_users',
344 'uid=' . $user['uid'],
345 array('password' => $newPass, 'felogin_forgotHash' => '', 'tstamp' => $GLOBALS['EXEC_TIME'])
346 );
347 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
348 'change_password_done_message',
349 $this->conf['changePasswordDoneMessage_stdWrap.']
350 );
351 $done = TRUE;
352 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
353 $markerArray['###BACKLINK_LOGIN###'] = $this->getPageLink(
354 $this->pi_getLL('ll_forgot_header_backToLogin', '', TRUE),
355 array($this->prefixId . '[redirectReferrer]' => 'off')
356 );
357 }
358 }
359 if (!$done) {
360 // Change password form
361 $markerArray['###ACTION_URI###'] = $this->pi_getPageLink($GLOBALS['TSFE']->id, '', array(
362 $this->prefixId . '[user]' => $user['uid'],
363 $this->prefixId . '[forgothash]' => $piHash
364 ));
365 $markerArray['###LEGEND###'] = $this->pi_getLL('change_password', '', TRUE);
366 $markerArray['###NEWPASSWORD1_LABEL###'] = $this->pi_getLL('newpassword_label1', '', TRUE);
367 $markerArray['###NEWPASSWORD2_LABEL###'] = $this->pi_getLL('newpassword_label2', '', TRUE);
368 $markerArray['###NEWPASSWORD1###'] = $this->prefixId . '[password1]';
369 $markerArray['###NEWPASSWORD2###'] = $this->prefixId . '[password2]';
370 $markerArray['###STORAGE_PID###'] = $this->spid;
371 $markerArray['###SEND_PASSWORD###'] = $this->pi_getLL('change_password', '', TRUE);
372 $markerArray['###FORGOTHASH###'] = $piHash;
373 }
374 }
375 }
376 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
377 }
378
379 /**
380 * Generates a hashed link and send it with email
381 *
382 * @param array $user Contains user data
383 * @return string Empty string with success, error message with no success
384 */
385 protected function generateAndSendHash($user) {
386 $hours = (int)$this->conf['forgotLinkHashValidTime'] > 0 ? (int)$this->conf['forgotLinkHashValidTime'] : 24;
387 $validEnd = time() + 3600 * $hours;
388 $validEndString = date($this->conf['dateFormat'], $validEnd);
389 $hash = md5(GeneralUtility::generateRandomBytes(64));
390 $randHash = $validEnd . '|' . $hash;
391 $randHashDB = $validEnd . '|' . md5($hash);
392 // Write hash to DB
393 $res = $GLOBALS['TYPO3_DB']->exec_UPDATEquery('fe_users', 'uid=' . $user['uid'], array('felogin_forgotHash' => $randHashDB));
394 // Send hashlink to user
395 $this->conf['linkPrefix'] = -1;
396 $isAbsRelPrefix = !empty($GLOBALS['TSFE']->absRefPrefix);
397 $isBaseURL = !empty($GLOBALS['TSFE']->baseUrl);
398 $isFeloginBaseURL = !empty($this->conf['feloginBaseURL']);
399 $link = $this->pi_getPageLink($GLOBALS['TSFE']->id, '', array(
400 rawurlencode($this->prefixId . '[user]') => $user['uid'],
401 rawurlencode($this->prefixId . '[forgothash]') => $randHash
402 ));
403 // Prefix link if necessary
404 if ($isFeloginBaseURL) {
405 // First priority, use specific base URL
406 // "absRefPrefix" must be removed first, otherwise URL will be prepended twice
407 if (!empty($GLOBALS['TSFE']->absRefPrefix)) {
408 $link = substr($link, strlen($GLOBALS['TSFE']->absRefPrefix));
409 }
410 $link = $this->conf['feloginBaseURL'] . $link;
411 } elseif ($isAbsRelPrefix) {
412 // Second priority
413 // absRefPrefix must not necessarily contain a hostname and URL scheme, so add it if needed
414 $link = GeneralUtility::locationHeaderUrl($link);
415 } elseif ($isBaseURL) {
416 // Third priority
417 // Add the global base URL to the link
418 $link = $GLOBALS['TSFE']->baseUrlWrap($link);
419 } else {
420 // No prefix is set, return the error
421 return $this->pi_getLL('ll_change_password_nolinkprefix_message');
422 }
423 $msg = sprintf($this->pi_getLL('ll_forgot_validate_reset_password'), $user['username'], $link, $validEndString);
424 // Add hook for extra processing of mail message
425 if (
426 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'])
427 && is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'])
428 ) {
429 $params = array(
430 'message' => &$msg,
431 'user' => &$user
432 );
433 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'] as $reference) {
434 if ($reference) {
435 GeneralUtility::callUserFunction($reference, $params, $this);
436 }
437 }
438 }
439 // no RDCT - Links for security reasons
440 $oldSetting = $GLOBALS['TSFE']->config['config']['notification_email_urlmode'];
441 $GLOBALS['TSFE']->config['config']['notification_email_urlmode'] = 0;
442 // Send the email
443 $this->cObj->sendNotifyEmail($msg, $user['email'], '', $this->conf['email_from'], $this->conf['email_fromName'], $this->conf['replyTo']);
444 // Restore settings
445 $GLOBALS['TSFE']->config['config']['notification_email_urlmode'] = $oldSetting;
446 return '';
447 }
448
449 /**
450 * Shows logout form
451 *
452 * @return string The content.
453 */
454 protected function showLogout() {
455 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_LOGOUT###');
456 $subpartArray = ($linkpartArray = array());
457 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('status_header', $this->conf['logoutHeader_stdWrap.']);
458 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('status_message', $this->conf['logoutMessage_stdWrap.']);
459 $this->cObj->stdWrap($this->flexFormValue('message', 's_status'), $this->conf['logoutMessage_stdWrap.']);
460 $markerArray['###LEGEND###'] = $this->pi_getLL('logout', '', TRUE);
461 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array(), TRUE);
462 $markerArray['###LOGOUT_LABEL###'] = $this->pi_getLL('logout', '', TRUE);
463 $markerArray['###NAME###'] = htmlspecialchars($GLOBALS['TSFE']->fe_user->user['name']);
464 $markerArray['###STORAGE_PID###'] = $this->spid;
465 $markerArray['###USERNAME###'] = htmlspecialchars($GLOBALS['TSFE']->fe_user->user['username']);
466 $markerArray['###USERNAME_LABEL###'] = $this->pi_getLL('username', '', TRUE);
467 $markerArray['###NOREDIRECT###'] = $this->noRedirect ? '1' : '0';
468 $markerArray['###PREFIXID###'] = $this->prefixId;
469 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
470 if ($this->redirectUrl) {
471 // Use redirectUrl for action tag because of possible access restricted pages
472 $markerArray['###ACTION_URI###'] = htmlspecialchars($this->redirectUrl);
473 $this->redirectUrl = '';
474 }
475 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
476 }
477
478 /**
479 * Shows login form
480 *
481 * @return string Content
482 */
483 protected function showLogin() {
484 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_LOGIN###');
485 $subpartArray = ($linkpartArray = ($markerArray = array()));
486 $gpRedirectUrl = '';
487 $markerArray['###LEGEND###'] = $this->pi_getLL('oLabel_header_welcome', '', TRUE);
488 if ($this->logintype === 'login') {
489 if ($this->userIsLoggedIn) {
490 // login success
491 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('success_header', $this->conf['successHeader_stdWrap.']);
492 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('success_message', $this->conf['successMessage_stdWrap.']);
493 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
494 $subpartArray['###LOGIN_FORM###'] = '';
495 // Hook for general actions after after login has been confirmed (by Thomas Danzl <thomas@danzl.org>)
496 if ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_confirmed']) {
497 $_params = array();
498 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_confirmed'] as $_funcRef) {
499 if ($_funcRef) {
500 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
501 }
502 }
503 }
504 // show logout form directly
505 if ($this->conf['showLogoutFormAfterLogin']) {
506 $this->redirectUrl = '';
507 return $this->showLogout();
508 }
509 } else {
510 // Hook for general actions on login error
511 if (
512 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'])
513 && is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'])
514 ) {
515 $params = array();
516 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'] as $funcRef) {
517 if ($funcRef) {
518 GeneralUtility::callUserFunction($funcRef, $params, $this);
519 }
520 }
521 }
522 // login error
523 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('error_header', $this->conf['errorHeader_stdWrap.']);
524 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('error_message', $this->conf['errorMessage_stdWrap.']);
525 $gpRedirectUrl = GeneralUtility::_GP('redirect_url');
526 }
527 } else {
528 if ($this->logintype === 'logout') {
529 // login form after logout
530 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('logout_header', $this->conf['logoutHeader_stdWrap.']);
531 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('logout_message', $this->conf['logoutMessage_stdWrap.']);
532 } else {
533 // login form
534 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('welcome_header', $this->conf['welcomeHeader_stdWrap.']);
535 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('welcome_message', $this->conf['welcomeMessage_stdWrap.']);
536 }
537 }
538
539 // This hook allows to call User JS functions.
540 // The methods should also set the required JS functions to get included
541 $onSubmit = '';
542 $extraHidden = '';
543 $onSubmitAr = array();
544 $extraHiddenAr = array();
545 // Check for referer redirect method. if present, save referer in form field
546 if (GeneralUtility::inList($this->conf['redirectMode'], 'referer') || GeneralUtility::inList($this->conf['redirectMode'], 'refererDomains')) {
547 $referer = $this->referer ? $this->referer : GeneralUtility::getIndpEnv('HTTP_REFERER');
548 if ($referer) {
549 $extraHiddenAr[] = '<input type="hidden" name="referer" value="' . htmlspecialchars($referer) . '" />';
550 if ($this->piVars['redirectReferrer'] === 'off') {
551 $extraHiddenAr[] = '<input type="hidden" name="' . $this->prefixId . '[redirectReferrer]" value="off" />';
552 }
553 }
554 }
555 if (is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'])) {
556 $_params = array();
557 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'] as $funcRef) {
558 list($onSub, $hid) = GeneralUtility::callUserFunction($funcRef, $_params, $this);
559 $onSubmitAr[] = $onSub;
560 $extraHiddenAr[] = $hid;
561 }
562 }
563 if (count($onSubmitAr)) {
564 $onSubmit = implode('; ', $onSubmitAr) . '; return true;';
565 }
566 if (count($extraHiddenAr)) {
567 $extraHidden = implode(LF, $extraHiddenAr);
568 }
569 if (!$gpRedirectUrl && $this->redirectUrl) {
570 $gpRedirectUrl = $this->redirectUrl;
571 }
572 // Login form
573 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array(), TRUE);
574 // Used by kb_md5fepw extension...
575 $markerArray['###EXTRA_HIDDEN###'] = $extraHidden;
576 $markerArray['###LEGEND###'] = $this->pi_getLL('login', '', TRUE);
577 $markerArray['###LOGIN_LABEL###'] = $this->pi_getLL('login', '', TRUE);
578 // Used by kb_md5fepw extension...
579 $markerArray['###ON_SUBMIT###'] = $onSubmit;
580 $markerArray['###PASSWORD_LABEL###'] = $this->pi_getLL('password', '', TRUE);
581 $markerArray['###STORAGE_PID###'] = $this->spid;
582 $markerArray['###USERNAME_LABEL###'] = $this->pi_getLL('username', '', TRUE);
583 $markerArray['###REDIRECT_URL###'] = htmlspecialchars($gpRedirectUrl);
584 $markerArray['###NOREDIRECT###'] = $this->noRedirect ? '1' : '0';
585 $markerArray['###PREFIXID###'] = $this->prefixId;
586 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
587 if ($this->conf['showForgotPasswordLink']) {
588 $linkpartArray['###FORGOT_PASSWORD_LINK###'] = explode('|', $this->getPageLink('|', array($this->prefixId . '[forgot]' => 1)));
589 $markerArray['###FORGOT_PASSWORD###'] = $this->pi_getLL('ll_forgot_header', '', TRUE);
590 } else {
591 $subpartArray['###FORGOTP_VALID###'] = '';
592 }
593 // The permanent login checkbox should only be shown if permalogin is not deactivated (-1),
594 // not forced to be always active (2) and lifetime is greater than 0
595 if (
596 $this->conf['showPermaLogin']
597 && GeneralUtility::inList('0,1', $GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'])
598 && $GLOBALS['TYPO3_CONF_VARS']['FE']['lifetime'] > 0
599 ) {
600 $markerArray['###PERMALOGIN###'] = $this->pi_getLL('permalogin', '', TRUE);
601 if ($GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'] == 1) {
602 $markerArray['###PERMALOGIN_HIDDENFIELD_ATTRIBUTES###'] = 'disabled="disabled"';
603 $markerArray['###PERMALOGIN_CHECKBOX_ATTRIBUTES###'] = 'checked="checked"';
604 } else {
605 $markerArray['###PERMALOGIN_HIDDENFIELD_ATTRIBUTES###'] = '';
606 $markerArray['###PERMALOGIN_CHECKBOX_ATTRIBUTES###'] = '';
607 }
608 } else {
609 $subpartArray['###PERMALOGIN_VALID###'] = '';
610 }
611 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
612 }
613
614 /**
615 * Process redirect methods. The function searches for a redirect url using all configured methods.
616 *
617 * @return string Redirect url
618 */
619 protected function processRedirect() {
620 $redirect_url = array();
621 if ($this->conf['redirectMode']) {
622 $redirectMethods = GeneralUtility::trimExplode(',', $this->conf['redirectMode'], TRUE);
623 foreach ($redirectMethods as $redirMethod) {
624 if ($GLOBALS['TSFE']->loginUser && $this->logintype === 'login') {
625 // Logintype is needed because the login-page wouldn't be accessible anymore after a login (would always redirect)
626 switch ($redirMethod) {
627 case 'groupLogin':
628 // taken from dkd_redirect_at_login written by Ingmar Schlecht; database-field changed
629 $groupData = $GLOBALS['TSFE']->fe_user->groupData;
630 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
631 'felogin_redirectPid',
632 $GLOBALS['TSFE']->fe_user->usergroup_table,
633 'felogin_redirectPid<>\'\' AND uid IN (' . implode(',', $groupData['uid']) . ')'
634 );
635 if ($row = $GLOBALS['TYPO3_DB']->sql_fetch_row($res)) {
636 // take the first group with a redirect page
637 $redirect_url[] = $this->pi_getPageLink($row[0]);
638 }
639 break;
640 case 'userLogin':
641 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
642 'felogin_redirectPid',
643 $GLOBALS['TSFE']->fe_user->user_table,
644 $GLOBALS['TSFE']->fe_user->userid_column . '=' . $GLOBALS['TSFE']->fe_user->user['uid'] . ' AND felogin_redirectPid<>\'\''
645 );
646 if ($row = $GLOBALS['TYPO3_DB']->sql_fetch_row($res)) {
647 $redirect_url[] = $this->pi_getPageLink($row[0]);
648 }
649 break;
650 case 'login':
651 if ($this->conf['redirectPageLogin']) {
652 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogin']);
653 }
654 break;
655 case 'getpost':
656 $redirect_url[] = $this->redirectUrl;
657 break;
658 case 'referer':
659 // Avoid redirect when logging in after changing password
660 if ($this->piVars['redirectReferrer'] !== 'off') {
661 // Avoid forced logout, when trying to login immediately after a logout
662 $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $this->referer);
663 }
664 break;
665 case 'refererDomains':
666 // Auto redirect.
667 // Feature to redirect to the page where the user came from (HTTP_REFERER).
668 // Allowed domains to redirect to, can be configured with plugin.tx_felogin_pi1.domains
669 // Thanks to plan2.net / Martin Kutschker for implementing this feature.
670 // also avoid redirect when logging in after changing password
671 if ($this->conf['domains'] && $this->piVars['redirectReferrer'] !== 'off') {
672 $url = $this->referer;
673 // Is referring url allowed to redirect?
674 $match = array();
675 if (preg_match('#^http://([[:alnum:]._-]+)/#', $url, $match)) {
676 $redirect_domain = $match[1];
677 $found = FALSE;
678 foreach (GeneralUtility::trimExplode(',', $this->conf['domains'], TRUE) as $d) {
679 if (preg_match('/(^|\\.)/' . $d . '$', $redirect_domain)) {
680 $found = TRUE;
681 break;
682 }
683 }
684 if (!$found) {
685 $url = '';
686 }
687 }
688 // Avoid forced logout, when trying to login immediately after a logout
689 if ($url) {
690 $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $url);
691 }
692 }
693 break;
694 }
695 } elseif ($this->logintype === 'login') {
696 // after login-error
697 switch ($redirMethod) {
698 case 'loginError':
699 if ($this->conf['redirectPageLoginError']) {
700 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLoginError']);
701 }
702 break;
703 }
704 } elseif ($this->logintype == '' && $redirMethod == 'login' && $this->conf['redirectPageLogin']) {
705 // If login and page not accessible
706 $this->cObj->typolink('', array(
707 'parameter' => $this->conf['redirectPageLogin'],
708 'linkAccessRestrictedPages' => TRUE
709 ));
710 $redirect_url[] = $this->cObj->lastTypoLinkUrl;
711 } elseif ($this->logintype == '' && $redirMethod == 'logout' && $this->conf['redirectPageLogout'] && $GLOBALS['TSFE']->loginUser) {
712 // If logout and page not accessible
713 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogout']);
714 } elseif ($this->logintype === 'logout') {
715 // after logout
716 // Hook for general actions after after logout has been confirmed
717 if ($this->logintype === 'logout' && $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['logout_confirmed']) {
718 $_params = array();
719 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['logout_confirmed'] as $_funcRef) {
720 if ($_funcRef) {
721 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
722 }
723 }
724 }
725 switch ($redirMethod) {
726 case 'logout':
727 if ($this->conf['redirectPageLogout']) {
728 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogout']);
729 }
730 break;
731 }
732 } else {
733 // not logged in
734 // Placeholder for maybe future options
735 switch ($redirMethod) {
736 case 'getpost':
737 // Preserve the get/post value
738 $redirect_url[] = $this->redirectUrl;
739 break;
740 }
741 }
742 }
743 }
744 // Remove empty values
745 if (count($redirect_url)) {
746 return GeneralUtility::trimExplode(',', implode(',', $redirect_url), TRUE);
747 } else {
748 return array();
749 }
750 }
751
752 /**
753 * Reads flexform configuration and merge it with $this->conf
754 *
755 * @return void
756 */
757 protected function mergeflexFormValuesIntoConf() {
758 $flex = array();
759 if ($this->flexFormValue('showForgotPassword', 'sDEF')) {
760 $flex['showForgotPasswordLink'] = $this->flexFormValue('showForgotPassword', 'sDEF');
761 }
762 if ($this->flexFormValue('showPermaLogin', 'sDEF')) {
763 $flex['showPermaLogin'] = $this->flexFormValue('showPermaLogin', 'sDEF');
764 }
765 if ($this->flexFormValue('showLogoutFormAfterLogin', 'sDEF')) {
766 $flex['showLogoutFormAfterLogin'] = $this->flexFormValue('showLogoutFormAfterLogin', 'sDEF');
767 }
768 if ($this->flexFormValue('pages', 'sDEF')) {
769 $flex['pages'] = $this->flexFormValue('pages', 'sDEF');
770 }
771 if ($this->flexFormValue('recursive', 'sDEF')) {
772 $flex['recursive'] = $this->flexFormValue('recursive', 'sDEF');
773 }
774 if ($this->flexFormValue('templateFile', 'sDEF')) {
775 $flex['templateFile'] = $this->uploadDir . $this->flexFormValue('templateFile', 'sDEF');
776 }
777 if ($this->flexFormValue('redirectMode', 's_redirect')) {
778 $flex['redirectMode'] = $this->flexFormValue('redirectMode', 's_redirect');
779 }
780 if ($this->flexFormValue('redirectFirstMethod', 's_redirect')) {
781 $flex['redirectFirstMethod'] = $this->flexFormValue('redirectFirstMethod', 's_redirect');
782 }
783 if ($this->flexFormValue('redirectDisable', 's_redirect')) {
784 $flex['redirectDisable'] = $this->flexFormValue('redirectDisable', 's_redirect');
785 }
786 if ($this->flexFormValue('redirectPageLogin', 's_redirect')) {
787 $flex['redirectPageLogin'] = $this->flexFormValue('redirectPageLogin', 's_redirect');
788 }
789 if ($this->flexFormValue('redirectPageLoginError', 's_redirect')) {
790 $flex['redirectPageLoginError'] = $this->flexFormValue('redirectPageLoginError', 's_redirect');
791 }
792 if ($this->flexFormValue('redirectPageLogout', 's_redirect')) {
793 $flex['redirectPageLogout'] = $this->flexFormValue('redirectPageLogout', 's_redirect');
794 }
795 $pid = $flex['pages'] ? $this->pi_getPidList($flex['pages'], $flex['recursive']) : 0;
796 if ($pid > 0) {
797 $flex['storagePid'] = $pid;
798 }
799 $this->conf = array_merge($this->conf, $flex);
800 }
801
802 /**
803 * Loads a variable from the flexform
804 *
805 * @param string $var Name of variable
806 * @param string $sheet Name of sheet
807 * @return string Value of var
808 */
809 protected function flexFormValue($var, $sheet) {
810 return $this->pi_getFFvalue($this->cObj->data['pi_flexform'], $var, $sheet);
811 }
812
813 /**
814 * Generate link with typolink function
815 *
816 * @param string $label Linktext
817 * @param array $piVars Link vars
818 * @param boolean $returnUrl TRUE: returns only url FALSE (default) returns the link)
819 * @return string Link or url
820 */
821 protected function getPageLink($label, $piVars, $returnUrl = FALSE) {
822 $additionalParams = '';
823 if (count($piVars)) {
824 foreach ($piVars as $key => $val) {
825 $additionalParams .= '&' . $key . '=' . $val;
826 }
827 }
828 // Should GETvars be preserved?
829 if ($this->conf['preserveGETvars']) {
830 $additionalParams .= $this->getPreserveGetVars();
831 }
832 $this->conf['linkConfig.']['parameter'] = $GLOBALS['TSFE']->id;
833 if ($additionalParams) {
834 $this->conf['linkConfig.']['additionalParams'] = $additionalParams;
835 }
836 if ($returnUrl) {
837 return htmlspecialchars($this->cObj->typolink_url($this->conf['linkConfig.']));
838 } else {
839 return $this->cObj->typolink($label, $this->conf['linkConfig.']);
840 }
841 }
842
843 /**
844 * Add additional parameters for links according to TS setting preserveGETvars.
845 * Possible values are "all" or a comma separated list of allowed GET-vars.
846 * Supports multi-dimensional GET-vars.
847 * Some hardcoded values are dropped.
848 *
849 * @return string additionalParams-string
850 */
851 protected function getPreserveGetVars() {
852 $getVars = GeneralUtility::_GET();
853 unset(
854 $getVars['id'],
855 $getVars['no_cache'],
856 $getVars['logintype'],
857 $getVars['redirect_url'],
858 $getVars['cHash'],
859 $getVars[$this->prefixId]
860 );
861 if ($this->conf['preserveGETvars'] === 'all') {
862 $preserveQueryParts = $getVars;
863 } else {
864 $preserveQueryParts = GeneralUtility::trimExplode(',', $this->conf['preserveGETvars']);
865 $preserveQueryParts = GeneralUtility::explodeUrl2Array(implode('=1&', $preserveQueryParts) . '=1', TRUE);
866 $preserveQueryParts = \TYPO3\CMS\Core\Utility\ArrayUtility::intersectRecursive($getVars, $preserveQueryParts);
867 }
868 $parameters = GeneralUtility::implodeArrayForUrl('', $preserveQueryParts);
869 return $parameters;
870 }
871
872 /**
873 * Is used by forgot password - function with md5 option.
874 *
875 * @author Bernhard Kraft
876 * @param integer $len Length of new password
877 * @return string New password
878 */
879 protected function generatePassword($len) {
880 $pass = '';
881 while ($len--) {
882 $char = rand(0, 35);
883 if ($char < 10) {
884 $pass .= '' . $char;
885 } else {
886 $pass .= chr($char - 10 + 97);
887 }
888 }
889 return $pass;
890 }
891
892 /**
893 * Returns the header / message value from flexform if present, else from locallang.xlf
894 *
895 * @param string $label label name
896 * @param string $stdWrapArray TS stdWrap array
897 * @return string label text
898 */
899 protected function getDisplayText($label, $stdWrapArray = array()) {
900 $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label, '', TRUE), $stdWrapArray);
901 $replace = $this->getUserFieldMarkers();
902 return strtr($text, $replace);
903 }
904
905 /**
906 * Returns Array of markers filled with user fields
907 *
908 * @return array Marker array
909 */
910 protected function getUserFieldMarkers() {
911 $marker = array();
912 // replace markers with fe_user data
913 if ($GLOBALS['TSFE']->fe_user->user) {
914 // All fields of fe_user will be replaced, scheme is ###FEUSER_FIELDNAME###
915 foreach ($GLOBALS['TSFE']->fe_user->user as $field => $value) {
916 $marker['###FEUSER_' . GeneralUtility::strtoupper($field) . '###'] = $this->cObj->stdWrap($value, $this->conf['userfields.'][$field . '.']);
917 }
918 // Add ###USER### for compatibility
919 $marker['###USER###'] = $marker['###FEUSER_USERNAME###'];
920 }
921 return $marker;
922 }
923
924 /**
925 * Returns a valid and XSS cleaned url for redirect, checked against configuration "allowedRedirectHosts"
926 *
927 * @param string $url
928 * @return string cleaned referer or empty string if not valid
929 */
930 protected function validateRedirectUrl($url) {
931 $url = strval($url);
932 if ($url === '') {
933 return '';
934 }
935 $decodedUrl = rawurldecode($url);
936 $sanitizedUrl = GeneralUtility::removeXSS($decodedUrl);
937 if ($decodedUrl !== $sanitizedUrl || preg_match('#["<>\\\\]+#', $url)) {
938 GeneralUtility::sysLog(sprintf($this->pi_getLL('xssAttackDetected'), $url), 'felogin', GeneralUtility::SYSLOG_SEVERITY_WARNING);
939 return '';
940 }
941 // Validate the URL:
942 if ($this->isRelativeUrl($url) || $this->isInCurrentDomain($url) || $this->isInLocalDomain($url)) {
943 return $url;
944 }
945 // URL is not allowed
946 GeneralUtility::sysLog(sprintf($this->pi_getLL('noValidRedirectUrl'), $url), 'felogin', GeneralUtility::SYSLOG_SEVERITY_WARNING);
947 return '';
948 }
949
950 /**
951 * Determines whether the URL is on the current host
952 * and belongs to the current TYPO3 installation.
953 *
954 * @param string $url URL to be checked
955 * @return boolean Whether the URL belongs to the current TYPO3 installation
956 */
957 protected function isInCurrentDomain($url) {
958 return GeneralUtility::isOnCurrentHost($url) && GeneralUtility::isFirstPartOfStr($url, GeneralUtility::getIndpEnv('TYPO3_SITE_URL'));
959 }
960
961 /**
962 * Determines whether the URL matches a domain
963 * in the sys_domain database table.
964 *
965 * @param string $url Absolute URL which needs to be checked
966 * @return boolean Whether the URL is considered to be local
967 */
968 protected function isInLocalDomain($url) {
969 $result = FALSE;
970 if (GeneralUtility::isValidUrl($url)) {
971 $parsedUrl = parse_url($url);
972 if ($parsedUrl['scheme'] === 'http' || $parsedUrl['scheme'] === 'https') {
973 $host = $parsedUrl['host'];
974 // Removes the last path segment and slash sequences like /// (if given):
975 $path = preg_replace('#/+[^/]*$#', '', $parsedUrl['path']);
976 $localDomains = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('domainName', 'sys_domain', '1=1' . $this->cObj->enableFields('sys_domain'));
977 if (is_array($localDomains)) {
978 foreach ($localDomains as $localDomain) {
979 // strip trailing slashes (if given)
980 $domainName = rtrim($localDomain['domainName'], '/');
981 if (GeneralUtility::isFirstPartOfStr($host . $path . '/', $domainName . '/')) {
982 $result = TRUE;
983 break;
984 }
985 }
986 }
987 }
988 }
989 return $result;
990 }
991
992 /**
993 * Determines whether the URL is relative to the
994 * current TYPO3 installation.
995 *
996 * @param string $url URL which needs to be checked
997 * @return boolean Whether the URL is considered to be relative
998 */
999 protected function isRelativeUrl($url) {
1000 $parsedUrl = @parse_url($url);
1001 if ($parsedUrl !== FALSE && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
1002 // If the relative URL starts with a slash, we need to check if it's within the current site path
1003 return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
1004 }
1005 return FALSE;
1006 }
1007
1008 }