[!!!][SECURITY] Allow first install only with FIRST_INSTALL file
[Packages/TYPO3.CMS.git] / typo3 / sysext / install / Classes / Controller / AjaxController.php
1 <?php
2 namespace TYPO3\CMS\Install\Controller;
3
4 /***************************************************************
5 * Copyright notice
6 *
7 * (c) 2013 Susanne Moog <typo3@susannemoog.de>
8 * All rights reserved
9 *
10 * This script is part of the TYPO3 project. The TYPO3 project is
11 * free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * The GNU General Public License can be found at
17 * http://www.gnu.org/copyleft/gpl.html.
18 * A copy is found in the text file GPL.txt and important notices to the license
19 * from the author is found in LICENSE.txt distributed with these scripts.
20 *
21 *
22 * This script is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
26 *
27 * This copyright notice MUST APPEAR in all copies of the script!
28 ***************************************************************/
29
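/**
 * Install tool ajax controller, handles ajax requests
 *
 * Every ajax request runs through the same guard chain as the regular
 * install tool (tool enabled, install tool password configured, valid
 * session token, session not expired, logged in) before an action is
 * dispatched. A failing guard answers with the plain "unauthorized" body
 * and terminates the script, so no action code runs for such requests.
 */
class AjaxController extends AbstractController {

	/**
	 * Response body written whenever a guard fails. It is a bare string,
	 * not a JSON document; presumably the install tool JavaScript compares
	 * against this literal, so keep it unchanged.
	 *
	 * @var string
	 */
	protected $unauthorized = 'unauthorized';

	/**
	 * @var array List of valid action names that need authentication
	 */
	protected $authenticationActions = array(
		'extensionCompatibilityTester',
		'uninstallExtension',
		'clearCache',
		'coreUpdateUpdateVersionMatrix',
		'coreUpdateIsUpdateAvailable',
		'coreUpdateCheckPreConditions',
		'coreUpdateDownload',
		'coreUpdateVerifyChecksum',
		'coreUpdateUnpack',
		'coreUpdateMove',
		'coreUpdateActivate',
	);

	/**
	 * Main entry point
	 *
	 * Each guard below calls output(), which terminates the script, when its
	 * condition fails; reaching dispatchAuthenticationActions() therefore
	 * implies every preceding check passed.
	 *
	 * @return void
	 */
	public function execute() {
		$this->loadBaseExtensions();
		$this->initializeObjectManager();
		// Warning: Order of these methods is security relevant and interferes with different access
		// conditions (new/existing installation). See the single method comments for details.
		$this->outputInstallToolNotEnabledMessageIfNeeded();
		$this->checkInstallToolPasswordNotSet();
		$this->initializeSession();
		$this->checkSessionToken();
		$this->checkSessionLifetime();
		$this->checkLogin();
		$this->dispatchAuthenticationActions();
	}

	/**
	 * Check whether the install tool is enabled
	 *
	 * Answers "unauthorized" and exits when the install tool is not available.
	 *
	 * @return void
	 */
	protected function outputInstallToolNotEnabledMessageIfNeeded() {
		if (!$this->isInstallToolAvailable()) {
			$this->output($this->unauthorized);
		}
	}

	/**
	 * Check if the install tool password is set
	 *
	 * Ajax requests are refused entirely while no install tool password is
	 * configured; unlike the regular install tool there is no first-install
	 * path here.
	 *
	 * @return void
	 */
	protected function checkInstallToolPasswordNotSet() {
		if (empty($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'])) {
			$this->output($this->unauthorized);
		}
	}

	/**
	 * Check login status
	 *
	 * Answers "unauthorized" and exits for unauthenticated sessions,
	 * otherwise refreshes the session of the logged in user.
	 *
	 * @return void
	 */
	protected function checkLogin() {
		if (!$this->session->isAuthorized()) {
			$this->output($this->unauthorized);
		} else {
			$this->session->refreshSession();
		}
	}

	/**
	 * Overwrites abstract method
	 * In contrast to abstract method, a response "you are not authorized" is outputted
	 *
	 * @param boolean $tokenOk
	 * @return void
	 */
	protected function handleSessionTokenCheck($tokenOk) {
		if (!$tokenOk) {
			$this->output($this->unauthorized);
		}
	}

	/**
	 * Overwrites abstract method
	 * In contrast to abstract method, a response "you are not authorized" is outputted
	 *
	 * @return void
	 */
	protected function handleSessionLifeTimeExpired() {
		$this->output($this->unauthorized);
	}

	/**
	 * Call an action that needs authentication
	 *
	 * The rendered result is written via output(), which terminates the
	 * script; nothing is returned to the caller.
	 *
	 * @throws Exception If the resolved action class does not implement ActionInterface
	 * @return void
	 */
	protected function dispatchAuthenticationActions() {
		$action = $this->getAction();
		if ($action === '') {
			// output() exits, so an empty action never reaches the class lookup below
			$this->output('noAction');
		}
		// The action name is request controlled and is used to build a class name below,
		// so it must be restricted to $authenticationActions first.
		// NOTE(review): validateAuthenticationAction() is inherited from AbstractController;
		// confirm that it terminates the request on an unknown action.
		$this->validateAuthenticationAction($action);
		$actionClass = ucfirst($action);
		/** @var \TYPO3\CMS\Install\Controller\Action\ActionInterface $toolAction */
		$toolAction = $this->objectManager->get('TYPO3\\CMS\\Install\\Controller\\Action\\Ajax\\' . $actionClass);
		if (!($toolAction instanceof Action\ActionInterface)) {
			throw new Exception(
				$action . ' does not implement ActionInterface',
				1369474308
			);
		}
		$toolAction->setController('ajax');
		$toolAction->setAction($action);
		$toolAction->setToken($this->generateTokenForAction($action));
		$toolAction->setPostValues($this->getPostValues());
		$this->output($toolAction->handle());
	}

	/**
	 * Output content.
	 * WARNING: This exits the script execution!
	 *
	 * @param string $content JSON encoded content to output
	 * @return void
	 */
	protected function output($content = '') {
		// Drop anything already buffered so the body consists of $content only.
		// ob_clean() raises a notice when no buffer is active; emitted before
		// header(), that notice would break the headers and corrupt the response.
		if (ob_get_level() > 0) {
			ob_clean();
		}
		header('Content-Type: application/json; charset=utf-8');
		header('Cache-Control: no-cache, must-revalidate');
		header('Pragma: no-cache');
		echo $content;
		die;
	}
}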