[TASK] Fix spelling issues
[Packages/TYPO3.CMS.git] / typo3 / sysext / frontend / Classes / Authentication / FrontendUserAuthentication.php
1 <?php
2 namespace TYPO3\CMS\Frontend\Authentication;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
18 use TYPO3\CMS\Core\Database\ConnectionPool;
19 use TYPO3\CMS\Core\TypoScript\Parser\TypoScriptParser;
20 use TYPO3\CMS\Core\Utility\GeneralUtility;
21
22 /**
23 * Extension class for Front End User Authentication.
24 */
25 class FrontendUserAuthentication extends AbstractUserAuthentication
26 {
27 /**
28 * form field with 0 or 1
29 * 1 = permanent login enabled
30 * 0 = session is valid for a browser session only
31 * @var string
32 */
33 public $formfield_permanent = 'permalogin';
34
35 /**
36 * Lifetime of session data in seconds.
37 * @var int
38 */
39 protected $sessionDataLifetime = 86400;
40
41 /**
42 * if > 0 : session-timeout in seconds.
43 * if FALSE/<0 : no timeout.
44 * if string: The string is field name from the user table where the timeout can be found.
45 * @var string|int
46 */
47 public $sessionTimeout = 6000;
48
49 /**
50 * @var string
51 */
52 public $usergroup_column = 'usergroup';
53
54 /**
55 * @var string
56 */
57 public $usergroup_table = 'fe_groups';
58
59 /**
60 * @var array
61 */
62 public $groupData = [
63 'title' => [],
64 'uid' => [],
65 'pid' => []
66 ];
67
68 /**
69 * Used to accumulate the TSconfig data of the user
70 * @var array
71 */
72 public $TSdataArray = [];
73
74 /**
75 * @var array
76 */
77 public $userTS = [];
78
79 /**
80 * @var bool
81 */
82 public $userTSUpdated = false;
83
84 /**
85 * Session and user data:
86 * There are two types of data that can be stored: UserData and Session-Data.
87 * Userdata is for the login-user, and session-data for anyone viewing the pages.
88 * 'Keys' are keys in the internal data array of the data.
89 * When you get or set a key in one of the data-spaces (user or session) you decide the type of the variable (not object though)
90 * 'Reserved' keys are:
91 * - 'recs': Array: Used to 'register' records, eg in a shopping basket. Structure: [recs][tablename][record_uid]=number
92 * - sys: Reserved for TypoScript standard code.
93 *
94 * @var array
95 */
96 public $sesData = [];
97
98 /**
99 * @var bool
100 */
101 public $sesData_change = false;
102
103 /**
104 * @var bool
105 */
106 public $userData_change = false;
107
108 /**
109 * @var bool
110 */
111 public $is_permanent = false;
112
113 /**
114 * @var int|NULL
115 */
116 protected $sessionDataTimestamp = null;
117
118 /**
119 * @var bool
120 */
121 protected $loginHidden = false;
122
123 /**
124 * Default constructor.
125 */
126 public function __construct()
127 {
128 parent::__construct();
129
130 // Disable cookie by default, will be activated if saveSessionData() is called,
131 // a user is logging-in or an existing session is found
132 $this->dontSetCookie = true;
133
134 $this->session_table = 'fe_sessions';
135 $this->name = self::getCookieName();
136 $this->get_name = 'ftu';
137 $this->loginType = 'FE';
138 $this->user_table = 'fe_users';
139 $this->username_column = 'username';
140 $this->userident_column = 'password';
141 $this->userid_column = 'uid';
142 $this->lastLogin_column = 'lastlogin';
143 $this->enablecolumns = [
144 'deleted' => 'deleted',
145 'disabled' => 'disable',
146 'starttime' => 'starttime',
147 'endtime' => 'endtime'
148 ];
149 $this->formfield_uname = 'user';
150 $this->formfield_uident = 'pass';
151 $this->formfield_status = 'logintype';
152 $this->sendNoCacheHeaders = false;
153 $this->getFallBack = true;
154 $this->getMethodEnabled = true;
155 }
156
157 /**
158 * Returns the configured cookie name
159 *
160 * @return string
161 */
162 public static function getCookieName()
163 {
164 $configuredCookieName = trim($GLOBALS['TYPO3_CONF_VARS']['FE']['cookieName']);
165 if (empty($configuredCookieName)) {
166 $configuredCookieName = 'fe_typo_user';
167 }
168 return $configuredCookieName;
169 }
170
171 /**
172 * Starts a user session
173 *
174 * @return void
175 * @see AbstractUserAuthentication::start()
176 */
177 public function start()
178 {
179 if ((int)$this->sessionTimeout > 0 && $this->sessionTimeout < $this->lifetime) {
180 // If server session timeout is non-zero but less than client session timeout: Copy this value instead.
181 $this->sessionTimeout = $this->lifetime;
182 }
183 $this->sessionDataLifetime = (int)$GLOBALS['TYPO3_CONF_VARS']['FE']['sessionDataLifetime'];
184 if ($this->sessionDataLifetime <= 0) {
185 $this->sessionDataLifetime = 86400;
186 }
187 parent::start();
188 }
189
190 /**
191 * Returns a new session record for the current user for insertion into the DB.
192 *
193 * @param array $tempuser
194 * @return array User session record
195 */
196 public function getNewSessionRecord($tempuser)
197 {
198 $insertFields = parent::getNewSessionRecord($tempuser);
199 $insertFields['ses_permanent'] = $this->is_permanent ? 1 : 0;
200 return $insertFields;
201 }
202
203 /**
204 * Determine whether a session cookie needs to be set (lifetime=0)
205 *
206 * @return bool
207 * @internal
208 */
209 public function isSetSessionCookie()
210 {
211 return ($this->newSessionID || $this->forceSetCookie)
212 && ($this->lifetime == 0 || !isset($this->user['ses_permanent']) || !$this->user['ses_permanent']);
213 }
214
215 /**
216 * Determine whether a non-session cookie needs to be set (lifetime>0)
217 *
218 * @return bool
219 * @internal
220 */
221 public function isRefreshTimeBasedCookie()
222 {
223 return $this->lifetime > 0 && isset($this->user['ses_permanent']) && $this->user['ses_permanent'];
224 }
225
226 /**
227 * Returns an info array with Login/Logout data submitted by a form or params
228 *
229 * @return array
230 * @see AbstractUserAuthentication::getLoginFormData()
231 */
232 public function getLoginFormData()
233 {
234 $loginData = parent::getLoginFormData();
235 if ($GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'] == 0 || $GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'] == 1) {
236 if ($this->getMethodEnabled) {
237 $isPermanent = GeneralUtility::_GP($this->formfield_permanent);
238 } else {
239 $isPermanent = GeneralUtility::_POST($this->formfield_permanent);
240 }
241 if (strlen($isPermanent) != 1) {
242 $isPermanent = $GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'];
243 } elseif (!$isPermanent) {
244 // To make sure the user gets a session cookie and doesn't keep a possibly existing time based cookie,
245 // we need to force setting the session cookie here
246 $this->forceSetCookie = true;
247 }
248 $isPermanent = (bool)$isPermanent;
249 } elseif ($GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'] == 2) {
250 $isPermanent = true;
251 } else {
252 $isPermanent = false;
253 }
254 $loginData['permanent'] = $isPermanent;
255 $this->is_permanent = $isPermanent;
256 return $loginData;
257 }
258
259 /**
260 * Creates a user session record and returns its values.
261 * However, as the FE user cookie is normally not set, this has to be done
262 * before the parent class is doing the rest.
263 *
264 * @param array $tempuser User data array
265 * @return array The session data for the newly created session.
266 */
267 public function createUserSession($tempuser)
268 {
269 // At this point we do not know if we need to set a session or a "permanant" cookie
270 // So we force the cookie to be set after authentication took place, which will
271 // then call setSessionCookie(), which will set a cookie with correct settings.
272 $this->dontSetCookie = false;
273 return parent::createUserSession($tempuser);
274 }
275
276 /**
277 * Will select all fe_groups records that the current fe_user is member of
278 * and which groups are also allowed in the current domain.
279 * It also accumulates the TSconfig for the fe_user/fe_groups in ->TSdataArray
280 *
281 * @return int Returns the number of usergroups for the frontend users (if the internal user record exists and the usergroup field contains a value)
282 */
283 public function fetchGroupData()
284 {
285 $this->TSdataArray = [];
286 $this->userTS = [];
287 $this->userTSUpdated = false;
288 $this->groupData = [
289 'title' => [],
290 'uid' => [],
291 'pid' => []
292 ];
293 // Setting default configuration:
294 $this->TSdataArray[] = $GLOBALS['TYPO3_CONF_VARS']['FE']['defaultUserTSconfig'];
295 // Get the info data for auth services
296 $authInfo = $this->getAuthInfoArray();
297 if ($this->writeDevLog) {
298 if (is_array($this->user)) {
299 GeneralUtility::devLog('Get usergroups for user: ' . GeneralUtility::arrayToLogString($this->user, [$this->userid_column, $this->username_column]), __CLASS__);
300 } else {
301 GeneralUtility::devLog('Get usergroups for "anonymous" user', __CLASS__);
302 }
303 }
304 $groupDataArr = [];
305 // Use 'auth' service to find the groups for the user
306 $serviceChain = '';
307 $subType = 'getGroups' . $this->loginType;
308 while (is_object($serviceObj = GeneralUtility::makeInstanceService('auth', $subType, $serviceChain))) {
309 $serviceChain .= ',' . $serviceObj->getServiceKey();
310 $serviceObj->initAuth($subType, [], $authInfo, $this);
311 $groupData = $serviceObj->getGroups($this->user, $groupDataArr);
312 if (is_array($groupData) && !empty($groupData)) {
313 // Keys in $groupData should be unique ids of the groups (like "uid") so this function will override groups.
314 $groupDataArr = $groupData + $groupDataArr;
315 }
316 unset($serviceObj);
317 }
318 if ($this->writeDevLog && $serviceChain) {
319 GeneralUtility::devLog($subType . ' auth services called: ' . $serviceChain, __CLASS__);
320 }
321 if ($this->writeDevLog && empty($groupDataArr)) {
322 GeneralUtility::devLog('No usergroups found by services', __CLASS__);
323 }
324 if ($this->writeDevLog && !empty($groupDataArr)) {
325 GeneralUtility::devLog(count($groupDataArr) . ' usergroup records found by services', __CLASS__);
326 }
327 // Use 'auth' service to check the usergroups if they are really valid
328 foreach ($groupDataArr as $groupData) {
329 // By default a group is valid
330 $validGroup = true;
331 $serviceChain = '';
332 $subType = 'authGroups' . $this->loginType;
333 while (is_object($serviceObj = GeneralUtility::makeInstanceService('auth', $subType, $serviceChain))) {
334 $serviceChain .= ',' . $serviceObj->getServiceKey();
335 $serviceObj->initAuth($subType, [], $authInfo, $this);
336 if (!$serviceObj->authGroup($this->user, $groupData)) {
337 $validGroup = false;
338 if ($this->writeDevLog) {
339 GeneralUtility::devLog($subType . ' auth service did not auth group: ' . GeneralUtility::arrayToLogString($groupData, 'uid,title'), __CLASS__, 2);
340 }
341 break;
342 }
343 unset($serviceObj);
344 }
345 unset($serviceObj);
346 if ($validGroup && (string)$groupData['uid'] !== '') {
347 $this->groupData['title'][$groupData['uid']] = $groupData['title'];
348 $this->groupData['uid'][$groupData['uid']] = $groupData['uid'];
349 $this->groupData['pid'][$groupData['uid']] = $groupData['pid'];
350 $this->groupData['TSconfig'][$groupData['uid']] = $groupData['TSconfig'];
351 }
352 }
353 if (!empty($this->groupData) && !empty($this->groupData['TSconfig'])) {
354 // TSconfig: collect it in the order it was collected
355 foreach ($this->groupData['TSconfig'] as $TSdata) {
356 $this->TSdataArray[] = $TSdata;
357 }
358 $this->TSdataArray[] = $this->user['TSconfig'];
359 // Sort information
360 ksort($this->groupData['title']);
361 ksort($this->groupData['uid']);
362 ksort($this->groupData['pid']);
363 }
364 return !empty($this->groupData['uid']) ? count($this->groupData['uid']) : 0;
365 }
366
367 /**
368 * Returns the parsed TSconfig for the fe_user
369 * The TSconfig will be cached in $this->userTS.
370 *
371 * @return array TSconfig array for the fe_user
372 */
373 public function getUserTSconf()
374 {
375 if (!$this->userTSUpdated) {
376 // Parsing the user TS (or getting from cache)
377 $this->TSdataArray = TypoScriptParser::checkIncludeLines_array($this->TSdataArray);
378 $userTS = implode(LF . '[GLOBAL]' . LF, $this->TSdataArray);
379 $parseObj = GeneralUtility::makeInstance(TypoScriptParser::class);
380 $parseObj->parse($userTS);
381 $this->userTS = $parseObj->setup;
382 $this->userTSUpdated = true;
383 }
384 return $this->userTS;
385 }
386
387 /*****************************************
388 *
389 * Session data management functions
390 *
391 ****************************************/
392 /**
393 * Fetches the session data for the user (from the fe_session_data table) based on the ->id of the current user-session.
394 * The session data is restored to $this->sesData
395 * 1/100 calls will also do a garbage collection.
396 *
397 * @return void
398 * @access private
399 * @see storeSessionData()
400 */
401 public function fetchSessionData()
402 {
403 // Gets SesData if any AND if not already selected by session fixation check in ->isExistingSessionRecord()
404 if ($this->id && empty($this->sesData)) {
405 $sesDataRow = GeneralUtility::makeInstance(ConnectionPool::class)
406 ->getConnectionForTable('fe_session_data')->select(
407 ['*'],
408 'fe_session_data',
409 ['hash' => $this->id]
410 )->fetch();
411 if ($sesDataRow !== null) {
412 $this->sesData = unserialize($sesDataRow['content']);
413 $this->sessionDataTimestamp = $sesDataRow['tstamp'];
414 }
415 }
416 }
417
418 /**
419 * Will write UC and session data.
420 * If the flag $this->userData_change has been set, the function ->writeUC is called (which will save persistent user session data)
421 * If the flag $this->sesData_change has been set, the fe_session_data table is updated with the content of $this->sesData
422 * If the $this->sessionDataTimestamp is NULL there was no session record yet, so we need to insert it into the database
423 *
424 * @return void
425 * @see fetchSessionData(), getKey(), setKey()
426 */
427 public function storeSessionData()
428 {
429 // Saves UC and SesData if changed.
430 if ($this->userData_change) {
431 $this->writeUC('');
432 }
433 $databaseConnection = GeneralUtility::makeInstance(ConnectionPool::class)
434 ->getConnectionForTable('fe_session_data');
435 if ($this->sesData_change && $this->id) {
436 if (empty($this->sesData)) {
437 // Remove session-data
438 $this->removeSessionData();
439 // Remove cookie if not logged in as the session data is removed as well
440 if (empty($this->user['uid']) && !$this->loginHidden && $this->isCookieSet()) {
441 $this->removeCookie($this->name);
442 }
443 } elseif ($this->sessionDataTimestamp === null) {
444 // Write new session-data
445 $insertFields = [
446 'hash' => $this->id,
447 'content' => serialize($this->sesData),
448 'tstamp' => $GLOBALS['EXEC_TIME']
449 ];
450 $this->sessionDataTimestamp = $GLOBALS['EXEC_TIME'];
451 $databaseConnection->insert('fe_session_data', $insertFields);
452 // Now set the cookie (= fix the session)
453 $this->setSessionCookie();
454 } else {
455 // Update session data
456 $updateFields = [
457 'content' => serialize($this->sesData),
458 'tstamp' => $GLOBALS['EXEC_TIME']
459 ];
460 $this->sessionDataTimestamp = $GLOBALS['EXEC_TIME'];
461 $databaseConnection->update('fe_session_data', $updateFields, ['hash' => $this->id]);
462 }
463 }
464 }
465
466 /**
467 * Removes data of the current session.
468 *
469 * @return void
470 */
471 public function removeSessionData()
472 {
473 $this->sessionDataTimestamp = null;
474 GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable('fe_session_data')->delete(
475 'fe_session_data',
476 ['hash' => $this->id]
477 );
478 }
479
480 /**
481 * Log out current user!
482 * Removes the current session record, sets the internal ->user array to a blank string
483 * Thereby the current user (if any) is effectively logged out!
484 * Additionally the cookie is removed
485 *
486 * @return void
487 */
488 public function logoff()
489 {
490 parent::logoff();
491 // Remove the cookie on log-off, but only if we do not have an anonymous session
492 if (!$this->isExistingSessionRecord($this->id) && $this->isCookieSet()) {
493 $this->removeCookie($this->name);
494 }
495 }
496
497 /**
498 * Regenerate the id, take separate session data table into account
499 * and set cookie again
500 */
501 protected function regenerateSessionId()
502 {
503 $oldSessionId = $this->id;
504 parent::regenerateSessionId();
505 // Update session data with new ID
506 GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable('fe_session_data')
507 ->update(
508 'fe_session_data',
509 ['hash' => $this->id],
510 ['hash' => $oldSessionId]
511 );
512
513 // We force the cookie to be set later in the authentication process
514 $this->dontSetCookie = false;
515 }
516
517 /**
518 * Executes the garbage collection of session data and session.
519 * The lifetime of session data is defined by $TYPO3_CONF_VARS['FE']['sessionDataLifetime'].
520 *
521 * @return void
522 */
523 public function gc()
524 {
525 $timeoutTimeStamp = (int)($GLOBALS['EXEC_TIME'] - $this->sessionDataLifetime);
526 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_session_data');
527 $queryBuilder->delete('fe_session_data')
528 ->where($queryBuilder->expr()->lt('tstamp', $timeoutTimeStamp))
529 ->execute();
530 parent::gc();
531 }
532
533 /**
534 * Returns session data for the fe_user; Either persistent data following the fe_users uid/profile (requires login)
535 * or current-session based (not available when browse is closed, but does not require login)
536 *
537 * @param string $type Session data type; Either "user" (persistent, bound to fe_users profile) or "ses" (temporary, bound to current session cookie)
538 * @param string $key Key from the data array to return; The session data (in either case) is an array ($this->uc / $this->sesData) and this value determines which key to return the value for.
539 * @return mixed Returns whatever value there was in the array for the key, $key
540 * @see setKey()
541 */
542 public function getKey($type, $key)
543 {
544 if (!$key) {
545 return null;
546 }
547 $value = null;
548 switch ($type) {
549 case 'user':
550 $value = $this->uc[$key];
551 break;
552 case 'ses':
553 $value = $this->sesData[$key];
554 break;
555 }
556 return $value;
557 }
558
559 /**
560 * Saves session data, either persistent or bound to current session cookie. Please see getKey() for more details.
561 * When a value is set the flags $this->userData_change or $this->sesData_change will be set so that the final call to ->storeSessionData() will know if a change has occurred and needs to be saved to the database.
562 * Notice: The key "recs" is already used by the function record_registration() which stores table/uid=value pairs in that key. This is used for the shopping basket among other things.
563 * Notice: Simply calling this function will not save the data to the database! The actual saving is done in storeSessionData() which is called as some of the last things in \TYPO3\CMS\Frontend\Http\RequestHandler. So if you exit before this point, nothing gets saved of course! And the solution is to call $GLOBALS['TSFE']->storeSessionData(); before you exit.
564 *
565 * @param string $type Session data type; Either "user" (persistent, bound to fe_users profile) or "ses" (temporary, bound to current session cookie)
566 * @param string $key Key from the data array to store incoming data in; The session data (in either case) is an array ($this->uc / $this->sesData) and this value determines in which key the $data value will be stored.
567 * @param mixed $data The data value to store in $key
568 * @return void
569 * @see setKey(), storeSessionData(), record_registration()
570 */
571 public function setKey($type, $key, $data)
572 {
573 if (!$key) {
574 return;
575 }
576 switch ($type) {
577 case 'user':
578 if ($this->user['uid']) {
579 if ($data === null) {
580 unset($this->uc[$key]);
581 } else {
582 $this->uc[$key] = $data;
583 }
584 $this->userData_change = true;
585 }
586 break;
587 case 'ses':
588 if ($data === null) {
589 unset($this->sesData[$key]);
590 } else {
591 $this->sesData[$key] = $data;
592 }
593 $this->sesData_change = true;
594 break;
595 }
596 }
597
598 /**
599 * Returns the session data stored for $key.
600 * The data will last only for this login session since it is stored in the session table.
601 *
602 * @param string $key
603 * @return mixed
604 */
605 public function getSessionData($key)
606 {
607 return $this->getKey('ses', $key);
608 }
609
610 /**
611 * Saves the tokens so that they can be used by a later incarnation of this class.
612 *
613 * @param string $key
614 * @param mixed $data
615 * @return void
616 */
617 public function setAndSaveSessionData($key, $data)
618 {
619 $this->setKey('ses', $key, $data);
620 $this->storeSessionData();
621 }
622
623 /**
624 * Registration of records/"shopping basket" in session data
625 * This will take the input array, $recs, and merge into the current "recs" array found in the session data.
626 * If a change in the recs storage happens (which it probably does) the function setKey() is called in order to store the array again.
627 *
628 * @param array $recs The data array to merge into/override the current recs values. The $recs array is constructed as [table]][uid] = scalar-value (eg. string/integer).
629 * @param int $maxSizeOfSessionData The maximum size of stored session data. If zero, no limit is applied and even confirmation of cookie session is discarded.
630 * @return void
631 */
632 public function record_registration($recs, $maxSizeOfSessionData = 0)
633 {
634 // Storing value ONLY if there is a confirmed cookie set,
635 // otherwise a shellscript could easily be spamming the fe_sessions table
636 // with bogus content and thus bloat the database
637 if (!$maxSizeOfSessionData || $this->isCookieSet()) {
638 if ($recs['clear_all']) {
639 $this->setKey('ses', 'recs', []);
640 }
641 $change = 0;
642 $recs_array = $this->getKey('ses', 'recs');
643 foreach ($recs as $table => $data) {
644 if (is_array($data)) {
645 foreach ($data as $rec_id => $value) {
646 if ($value != $recs_array[$table][$rec_id]) {
647 $recs_array[$table][$rec_id] = $value;
648 $change = 1;
649 }
650 }
651 }
652 }
653 if ($change && (!$maxSizeOfSessionData || strlen(serialize($recs_array)) < $maxSizeOfSessionData)) {
654 $this->setKey('ses', 'recs', $recs_array);
655 }
656 }
657 }
658
659 /**
660 * Determine whether there's an according session record to a given session_id
661 * in the database. Don't care if session record is still valid or not.
662 *
663 * This calls the parent function but additionally tries to look up the session ID in the "fe_session_data" table.
664 *
665 * @param int $id Claimed Session ID
666 * @return bool Returns TRUE if a corresponding session was found in the database
667 */
668 public function isExistingSessionRecord($id)
669 {
670 // Perform check in parent function
671 $count = parent::isExistingSessionRecord($id);
672 // Check if there are any fe_session_data records for the session ID the client claims to have
673 if ($count == false) {
674 $sesDataRow = GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable('fe_session_data')
675 ->select(['content', 'tstamp'], 'fe_session_data', ['hash' => $id])->fetch();
676
677 if ($sesDataRow !== null) {
678 $count = true;
679 $this->sesData = unserialize($sesDataRow['content']);
680 $this->sessionDataTimestamp = $sesDataRow['tstamp'];
681 }
682 }
683 return $count;
684 }
685
686 /**
687 * Hide the current login
688 *
689 * This is used by the fe_login_mode feature for pages.
690 * A current login is unset, but we remember that there has been one.
691 *
692 * @return void
693 */
694 public function hideActiveLogin()
695 {
696 $this->user = null;
697 $this->loginHidden = true;
698 }
699 }