[BUGFIX] Redirect BE user to login on invalid module/route token
[Packages/TYPO3.CMS.git] / typo3 / sysext / backend / Classes / Http / RequestHandler.php
1 <?php
2 namespace TYPO3\CMS\Backend\Http;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use Psr\Http\Message\ResponseInterface;
18 use Psr\Http\Message\ServerRequestInterface;
19 use TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
20 use TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException;
21 use TYPO3\CMS\Core\Core\Bootstrap;
22 use TYPO3\CMS\Core\Http\RequestHandlerInterface;
23 use TYPO3\CMS\Core\Http\Response;
24 use TYPO3\CMS\Core\Utility\GeneralUtility;
25
26 /**
27 * General RequestHandler for the TYPO3 Backend. This is used for all Backend requests except for CLI
28 * or AJAX calls. Unlike all other RequestHandlers in the TYPO3 CMS Core, the actual logic for choosing
29 * the controller is still done inside places like each single file.
30 * This RequestHandler here serves solely to check and set up all requirements needed for a TYPO3 Backend.
31 * This class might be changed in the future.
32 *
33 * At first, this request handler serves as a replacement to typo3/init.php. It is called but does not exit
34 * so any typical script that is not dispatched, is just running through the handleRequest() method and then
35 * calls its own code.
36 *
37 * However, if a get/post parameter "route" is set, the unified Backend Routing is called and searches for a
38 * matching route inside the Router. The corresponding controller / action is called then which returns content.
39 *
40 * The following get/post parameters are evaluated here:
41 * - route
42 * - token
43 */
44 class RequestHandler implements RequestHandlerInterface
45 {
46 /**
47 * Instance of the current TYPO3 bootstrap
48 * @var Bootstrap
49 */
50 protected $bootstrap;
51
52 /**
53 * Constructor handing over the bootstrap and the original request
54 *
55 * @param Bootstrap $bootstrap
56 */
57 public function __construct(Bootstrap $bootstrap)
58 {
59 $this->bootstrap = $bootstrap;
60 }
61
62 /**
63 * Handles any backend request
64 *
65 * @param ServerRequestInterface $request
66 * @return NULL|ResponseInterface
67 */
68 public function handleRequest(ServerRequestInterface $request)
69 {
70 // enable dispatching via Request/Response logic only for typo3/index.php
71 // This fallback will be removed in TYPO3 CMS 8, as only index.php will be allowed
72 $path = substr($request->getUri()->getPath(), strlen(GeneralUtility::getIndpEnv('TYPO3_SITE_PATH')));
73 $routingEnabled = ($path === TYPO3_mainDir . 'index.php' || $path === TYPO3_mainDir);
74 $proceedIfNoUserIsLoggedIn = false;
75
76 if ($routingEnabled) {
77 $pathToRoute = (string)$request->getQueryParams()['route'];
78 // Allow the login page to be displayed if routing is not used and on index.php
79 if (empty($pathToRoute)) {
80 $pathToRoute = '/login';
81 }
82 $request = $request->withAttribute('routePath', $pathToRoute);
83
84 // Evaluate the constant for skipping the BE user check for the bootstrap
85 // should be handled differently in the future by checking the Bootstrap directly
86 if ($pathToRoute === '/login') {
87 $proceedIfNoUserIsLoggedIn = true;
88 }
89 }
90
91 $this->boot($proceedIfNoUserIsLoggedIn);
92
93 // Check if the router has the available route and dispatch.
94 if ($routingEnabled) {
95 try {
96 return $this->dispatch($request);
97
98 // When token was invalid redirect to login
99 } catch (InvalidRequestTokenException $e) {
100 $url = GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir;
101 \TYPO3\CMS\Core\Utility\HttpUtility::redirect($url);
102 }
103 }
104
105 // No route found, so the system proceeds in called entrypoint as fallback.
106 return null;
107 }
108
109 /**
110 * Does the main work for setting up the backend environment for any Backend request
111 *
112 * @param bool $proceedIfNoUserIsLoggedIn option to allow to render the request even if no user is logged in
113 * @return void
114 */
115 protected function boot($proceedIfNoUserIsLoggedIn)
116 {
117 $this->bootstrap
118 ->checkLockedBackendAndRedirectOrDie()
119 ->checkBackendIpOrDie()
120 ->checkSslBackendAndRedirectIfNeeded()
121 ->initializeBackendRouter()
122 ->loadExtensionTables(true)
123 ->initializeSpriteManager()
124 ->initializeBackendUser()
125 ->initializeBackendAuthentication($proceedIfNoUserIsLoggedIn)
126 ->initializeLanguageObject()
127 ->initializeBackendTemplate()
128 ->endOutputBufferingAndCleanPreviousOutput()
129 ->initializeOutputCompression()
130 ->sendHttpHeaders();
131 }
132
133 /**
134 * This request handler can handle any backend request (but not CLI).
135 *
136 * @param ServerRequestInterface $request
137 * @return bool If the request is not a CLI script, TRUE otherwise FALSE
138 */
139 public function canHandleRequest(ServerRequestInterface $request)
140 {
141 return (TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE && !(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_CLI));
142 }
143
144 /**
145 * Returns the priority - how eager the handler is to actually handle the
146 * request.
147 *
148 * @return int The priority of the request handler.
149 */
150 public function getPriority()
151 {
152 return 50;
153 }
154
155 /**
156 * Dispatch the request to the appropriate controller through the Backend Dispatcher which resolves the routing
157 *
158 * @param ServerRequestInterface $request
159 * @return ResponseInterface
160 * @throws RouteNotFoundException when no route is registered
161 * @throws \InvalidArgumentException when a route is found but the target of the route cannot be called
162 */
163 protected function dispatch($request)
164 {
165 /** @var Response $response */
166 $response = GeneralUtility::makeInstance(Response::class);
167 /** @var RouteDispatcher $dispatcher */
168 $dispatcher = GeneralUtility::makeInstance(RouteDispatcher::class);
169 return $dispatcher->dispatch($request, $response);
170 }
171 }