[BUGFIX] Remove double encoding of fieldset in extension "felogin"
[Packages/TYPO3.CMS.git] / typo3 / sysext / felogin / Classes / Controller / FrontendLoginController.php
1 <?php
2 namespace TYPO3\CMS\Felogin\Controller;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Utility\GeneralUtility;
18 use TYPO3\CMS\Core\Utility\StringUtility;
19
20 /**
21 * Plugin 'Website User Login' for the 'felogin' extension.
22 */
23 class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
24 {
25 /**
26 * Same as class name
27 *
28 * @var string
29 */
30 public $prefixId = 'tx_felogin_pi1';
31
32 /**
33 * The extension key.
34 *
35 * @var string
36 */
37 public $extKey = 'felogin';
38
39 /**
40 * @var bool
41 */
42 public $pi_checkCHash = false;
43
44 /**
45 * @var bool
46 */
47 public $pi_USER_INT_obj = true;
48
49 /**
50 * Is user logged in?
51 *
52 * @var bool
53 */
54 protected $userIsLoggedIn;
55
56 /**
57 * Holds the template for FE rendering
58 *
59 * @var string
60 */
61 protected $template;
62
63 /**
64 * Upload directory, used for flexform template files
65 *
66 * @var string
67 */
68 protected $uploadDir;
69
70 /**
71 * URL for the redirect
72 *
73 * @var string
74 */
75 protected $redirectUrl;
76
77 /**
78 * Flag for disable the redirect
79 *
80 * @var bool
81 */
82 protected $noRedirect = false;
83
84 /**
85 * Logintype (given as GPvar), possible: login, logout
86 *
87 * @var string
88 */
89 protected $logintype;
90
91 /**
92 * A list of page UIDs, either an integer or a comma-separated list of integers
93 *
94 * @var string
95 */
96 public $spid;
97
98 /**
99 * Referrer
100 *
101 * @var string
102 */
103 public $referer;
104
105 /**
106 * The main method of the plugin
107 *
108 * @param string $content The PlugIn content
109 * @param array $conf The PlugIn configuration
110 * @return string The content that is displayed on the website
111 */
112 public function main($content, $conf)
113 {
114 // Loading TypoScript array into object variable:
115 $this->conf = $conf;
116 $this->uploadDir = 'uploads/tx_felogin/';
117 // Loading default pivars
118 $this->pi_setPiVarDefaults();
119 // Loading language-labels
120 $this->pi_loadLL('EXT:felogin/Resources/Private/Language/locallang.xlf');
121 // Init FlexForm configuration for plugin:
122 $this->pi_initPIflexForm();
123 $this->mergeflexFormValuesIntoConf();
124 // Get storage PIDs:
125 if ($this->conf['storagePid']) {
126 if ((int)$this->conf['recursive']) {
127 $this->spid = $this->pi_getPidList($this->conf['storagePid'], (int)$this->conf['recursive']);
128 } else {
129 $this->spid = $this->conf['storagePid'];
130 }
131 } else {
132 GeneralUtility::deprecationLog('Extension "felogin" must have a storagePid set via TypoScript or the plugin configuration.');
133 $pids = $this->frontendController->getStorageSiterootPids();
134 $this->spid = $pids['_STORAGE_PID'];
135 }
136 // GPvars:
137 $this->logintype = GeneralUtility::_GP('logintype');
138 $this->referer = $this->validateRedirectUrl(GeneralUtility::_GP('referer'));
139 $this->noRedirect = $this->piVars['noredirect'] || $this->conf['redirectDisable'];
140 // If config.typolinkLinkAccessRestrictedPages is set, the var is return_url
141 $returnUrl = GeneralUtility::_GP('return_url');
142 if ($returnUrl) {
143 $this->redirectUrl = $returnUrl;
144 } else {
145 $this->redirectUrl = GeneralUtility::_GP('redirect_url');
146 }
147 $this->redirectUrl = $this->validateRedirectUrl($this->redirectUrl);
148 // Get Template
149 $templateFile = $this->conf['templateFile'] ?: 'EXT:felogin/Resources/Private/Templates/FrontendLogin.html';
150 $this->template = $this->cObj->fileResource($templateFile);
151 // Is user logged in?
152 $this->userIsLoggedIn = $this->frontendController->loginUser;
153 // Redirect
154 if ($this->conf['redirectMode'] && !$this->conf['redirectDisable'] && !$this->noRedirect && !$this->conf['showLogoutFormAfterLogin']) {
155 $redirectUrl = $this->processRedirect();
156 if (!empty($redirectUrl)) {
157 $this->redirectUrl = $this->conf['redirectFirstMethod'] ? array_shift($redirectUrl) : array_pop($redirectUrl);
158 } else {
159 $this->redirectUrl = '';
160 }
161 }
162 // What to display
163 $content = '';
164 if ($this->piVars['forgot'] && $this->conf['showForgotPasswordLink']) {
165 $content .= $this->showForgot();
166 } elseif ($this->piVars['forgothash']) {
167 $content .= $this->changePassword();
168 } else {
169 if ($this->userIsLoggedIn && !$this->logintype) {
170 $content .= $this->showLogout();
171 } else {
172 $content .= $this->showLogin();
173 }
174 }
175 // Process the redirect
176 if (($this->logintype === 'login' || $this->logintype === 'logout') && $this->redirectUrl && !$this->noRedirect) {
177 if (!$this->frontendController->fe_user->isCookieSet() && $this->userIsLoggedIn) {
178 $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning', '', true), $this->conf['cookieWarning_stdWrap.']);
179 } else {
180 // Add hook for extra processing before redirect
181 if (
182 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect']) &&
183 is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect'])
184 ) {
185 $_params = array(
186 'loginType' => $this->logintype,
187 'redirectUrl' => &$this->redirectUrl
188 );
189 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['beforeRedirect'] as $_funcRef) {
190 if ($_funcRef) {
191 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
192 }
193 }
194 }
195 \TYPO3\CMS\Core\Utility\HttpUtility::redirect($this->redirectUrl);
196 }
197 }
198 // Adds hook for processing of extra item markers / special
199 if (
200 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'])
201 && is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'])
202 ) {
203 $_params = array(
204 'content' => $content
205 );
206 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['postProcContent'] as $_funcRef) {
207 $content = GeneralUtility::callUserFunction($_funcRef, $_params, $this);
208 }
209 }
210 return $this->conf['wrapContentInBaseClass'] ? $this->pi_wrapInBaseClass($content) : $content;
211 }
212
213 /**
214 * Shows the forgot password form
215 *
216 * @return string Content
217 */
218 protected function showForgot()
219 {
220 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_FORGOT###');
221 $subpartArray = ($linkpartArray = array());
222 $postData = GeneralUtility::_POST($this->prefixId);
223 if ($postData['forgot_email']) {
224 // Get hashes for compare
225 $postedHash = $postData['forgot_hash'];
226 $hashData = $this->frontendController->fe_user->getKey('ses', 'forgot_hash');
227 if ($postedHash === $hashData['forgot_hash']) {
228 $row = false;
229 // Look for user record
230 $data = $this->databaseConnection->fullQuoteStr($this->piVars['forgot_email'], 'fe_users');
231 $res = $this->databaseConnection->exec_SELECTquery(
232 'uid, username, password, email',
233 'fe_users',
234 '(email=' . $data . ' OR username=' . $data . ') AND pid IN (' . $this->databaseConnection->cleanIntList($this->spid) . ') ' . $this->cObj->enableFields('fe_users')
235 );
236 if ($this->databaseConnection->sql_num_rows($res)) {
237 $row = $this->databaseConnection->sql_fetch_assoc($res);
238 }
239 $error = null;
240 if ($row) {
241 // Generate an email with the hashed link
242 $error = $this->generateAndSendHash($row);
243 } elseif ($this->conf['exposeNonexistentUserInForgotPasswordDialog']) {
244 $error = $this->pi_getLL('ll_forgot_reset_message_error');
245 }
246 // Generate message
247 if ($error) {
248 $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap($error, $this->conf['forgotErrorMessage_stdWrap.']);
249 } else {
250 $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap(
251 $this->pi_getLL('ll_forgot_reset_message_emailSent', '', true),
252 $this->conf['forgotResetMessageEmailSentMessage_stdWrap.']
253 );
254 }
255 $subpartArray['###FORGOT_FORM###'] = '';
256 } else {
257 // Wrong email
258 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('forgot_reset_message', $this->conf['forgotMessage_stdWrap.']);
259 $markerArray['###BACKLINK_LOGIN###'] = '';
260 }
261 } else {
262 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('forgot_reset_message', $this->conf['forgotMessage_stdWrap.']);
263 $markerArray['###BACKLINK_LOGIN###'] = '';
264 }
265 $markerArray['###BACKLINK_LOGIN###'] = $this->getPageLink($this->pi_getLL('ll_forgot_header_backToLogin', '', true), array());
266 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('forgot_header', $this->conf['forgotHeader_stdWrap.']);
267 $markerArray['###LEGEND###'] = $this->pi_getLL('legend', $this->pi_getLL('reset_password'), true);
268 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array($this->prefixId . '[forgot]' => 1), true);
269 $markerArray['###EMAIL_LABEL###'] = $this->pi_getLL('your_email', '', true);
270 $markerArray['###FORGOT_PASSWORD_ENTEREMAIL###'] = $this->pi_getLL('forgot_password_enterEmail', '', true);
271 $markerArray['###FORGOT_EMAIL###'] = $this->prefixId . '[forgot_email]';
272 $markerArray['###SEND_PASSWORD###'] = $this->pi_getLL('reset_password', '', true);
273 $markerArray['###DATA_LABEL###'] = $this->pi_getLL('ll_enter_your_data', '', true);
274 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
275 // Generate hash
276 $hash = md5($this->generatePassword(3));
277 $markerArray['###FORGOTHASH###'] = $hash;
278 // Set hash in feuser session
279 $this->frontendController->fe_user->setKey('ses', 'forgot_hash', array('forgot_hash' => $hash));
280 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
281 }
282
283 /**
284 * This function checks the hash from link and checks the validity. If it's valid it shows the form for
285 * changing the password and process the change of password after submit, if not valid it returns the error message
286 *
287 * @return string The content.
288 */
289 protected function changePassword()
290 {
291 $subpartArray = ($linkpartArray = array());
292 $done = false;
293 $minLength = (int)$this->conf['newPasswordMinLength'] ?: 6;
294 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_CHANGEPASSWORD###');
295 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('change_password_header', $this->conf['changePasswordHeader_stdWrap.']);
296 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
297 'change_password_message',
298 $this->conf['changePasswordMessage_stdWrap.']
299 ), $minLength);
300
301 $markerArray['###BACKLINK_LOGIN###'] = '';
302 $uid = $this->piVars['user'];
303 $piHash = $this->piVars['forgothash'];
304 $hash = explode('|', $piHash);
305 if ((int)$uid === 0) {
306 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
307 'change_password_notvalid_message',
308 $this->conf['changePasswordNotValidMessage_stdWrap.']
309 );
310 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
311 } else {
312 $user = $this->pi_getRecord('fe_users', (int)$uid);
313 $userHash = $user['felogin_forgotHash'];
314 $compareHash = explode('|', $userHash);
315 if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || $hash[0] != $compareHash[0] || md5($hash[1]) != $compareHash[1]) {
316 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
317 'change_password_notvalid_message',
318 $this->conf['changePasswordNotValidMessage_stdWrap.']
319 );
320 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
321 } else {
322 // All is fine, continue with new password
323 $postData = GeneralUtility::_POST($this->prefixId);
324 if (isset($postData['changepasswordsubmit'])) {
325 if (strlen($postData['password1']) < $minLength) {
326 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
327 'change_password_tooshort_message',
328 $this->conf['changePasswordTooShortMessage_stdWrap.']),
329 $minLength
330 );
331 } elseif ($postData['password1'] != $postData['password2']) {
332 $markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
333 'change_password_notequal_message',
334 $this->conf['changePasswordNotEqualMessage_stdWrap.']),
335 $minLength
336 );
337 } else {
338 $newPass = $postData['password1'];
339 if ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['password_changed']) {
340 $_params = array(
341 'user' => $user,
342 'newPassword' => $newPass,
343 'newPasswordUnencrypted' => $newPass
344 );
345 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['password_changed'] as $_funcRef) {
346 if ($_funcRef) {
347 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
348 }
349 }
350 $newPass = $_params['newPassword'];
351 }
352 // Save new password and clear DB-hash
353 $res = $this->databaseConnection->exec_UPDATEquery(
354 'fe_users',
355 'uid=' . $user['uid'],
356 array('password' => $newPass, 'felogin_forgotHash' => '', 'tstamp' => $GLOBALS['EXEC_TIME'])
357 );
358 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
359 'change_password_done_message',
360 $this->conf['changePasswordDoneMessage_stdWrap.']
361 );
362 $done = true;
363 $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
364 $markerArray['###BACKLINK_LOGIN###'] = $this->getPageLink(
365 $this->pi_getLL('ll_forgot_header_backToLogin', '', true),
366 array($this->prefixId . '[redirectReferrer]' => 'off')
367 );
368 }
369 }
370 if (!$done) {
371 // Change password form
372 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array(
373 $this->prefixId . '[user]' => $user['uid'],
374 $this->prefixId . '[forgothash]' => $piHash
375 ), true);
376 $markerArray['###LEGEND###'] = $this->pi_getLL('change_password', '', true);
377 $markerArray['###NEWPASSWORD1_LABEL###'] = $this->pi_getLL('newpassword_label1', '', true);
378 $markerArray['###NEWPASSWORD2_LABEL###'] = $this->pi_getLL('newpassword_label2', '', true);
379 $markerArray['###NEWPASSWORD1###'] = $this->prefixId . '[password1]';
380 $markerArray['###NEWPASSWORD2###'] = $this->prefixId . '[password2]';
381 $markerArray['###STORAGE_PID###'] = $this->spid;
382 $markerArray['###SEND_PASSWORD###'] = $this->pi_getLL('change_password', '', true);
383 $markerArray['###FORGOTHASH###'] = $piHash;
384 }
385 }
386 }
387 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
388 }
389
390 /**
391 * Generates a hashed link and send it with email
392 *
393 * @param array $user Contains user data
394 * @return string Empty string with success, error message with no success
395 */
396 protected function generateAndSendHash($user)
397 {
398 $hours = (int)$this->conf['forgotLinkHashValidTime'] > 0 ? (int)$this->conf['forgotLinkHashValidTime'] : 24;
399 $validEnd = time() + 3600 * $hours;
400 $validEndString = date($this->conf['dateFormat'], $validEnd);
401 $hash = md5(GeneralUtility::generateRandomBytes(64));
402 $randHash = $validEnd . '|' . $hash;
403 $randHashDB = $validEnd . '|' . md5($hash);
404 // Write hash to DB
405 $res = $this->databaseConnection->exec_UPDATEquery('fe_users', 'uid=' . $user['uid'], array('felogin_forgotHash' => $randHashDB));
406 // Send hashlink to user
407 $this->conf['linkPrefix'] = -1;
408 $isAbsRefPrefix = !empty($this->frontendController->absRefPrefix);
409 $isBaseURL = !empty($this->frontendController->baseUrl);
410 $isFeloginBaseURL = !empty($this->conf['feloginBaseURL']);
411 $link = $this->pi_getPageLink($this->frontendController->id, '', array(
412 rawurlencode($this->prefixId . '[user]') => $user['uid'],
413 rawurlencode($this->prefixId . '[forgothash]') => $randHash
414 ));
415 // Prefix link if necessary
416 if ($isFeloginBaseURL) {
417 // First priority, use specific base URL
418 // "absRefPrefix" must be removed first, otherwise URL will be prepended twice
419 if ($isAbsRefPrefix) {
420 $link = substr($link, strlen($this->frontendController->absRefPrefix));
421 }
422 $link = $this->conf['feloginBaseURL'] . $link;
423 } elseif ($isAbsRefPrefix) {
424 // Second priority
425 // absRefPrefix must not necessarily contain a hostname and URL scheme, so add it if needed
426 $link = GeneralUtility::locationHeaderUrl($link);
427 } elseif ($isBaseURL) {
428 // Third priority
429 // Add the global base URL to the link
430 $link = $this->frontendController->baseUrlWrap($link);
431 } else {
432 // No prefix is set, return the error
433 return $this->pi_getLL('ll_change_password_nolinkprefix_message');
434 }
435 $msg = sprintf($this->pi_getLL('ll_forgot_validate_reset_password'), $user['username'], $link, $validEndString);
436 // Add hook for extra processing of mail message
437 if (
438 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'])
439 && is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'])
440 ) {
441 $params = array(
442 'message' => &$msg,
443 'user' => &$user
444 );
445 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'] as $reference) {
446 if ($reference) {
447 GeneralUtility::callUserFunction($reference, $params, $this);
448 }
449 }
450 }
451 if ($user['email']) {
452 $this->cObj->sendNotifyEmail($msg, $user['email'], '', $this->conf['email_from'], $this->conf['email_fromName'], $this->conf['replyTo']);
453 }
454
455 return '';
456 }
457
458 /**
459 * Shows logout form
460 *
461 * @return string The content.
462 */
463 protected function showLogout()
464 {
465 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_LOGOUT###');
466 $subpartArray = ($linkpartArray = array());
467 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('status_header', $this->conf['logoutHeader_stdWrap.']);
468 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('status_message', $this->conf['logoutMessage_stdWrap.']);
469 $this->cObj->stdWrap($this->flexFormValue('message', 's_status'), $this->conf['logoutMessage_stdWrap.']);
470 $markerArray['###LEGEND###'] = $this->pi_getLL('logout', '', true);
471 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array(), true);
472 $markerArray['###LOGOUT_LABEL###'] = $this->pi_getLL('logout', '', true);
473 $markerArray['###NAME###'] = htmlspecialchars($this->frontendController->fe_user->user['name']);
474 $markerArray['###STORAGE_PID###'] = $this->spid;
475 $markerArray['###USERNAME###'] = htmlspecialchars($this->frontendController->fe_user->user['username']);
476 $markerArray['###USERNAME_LABEL###'] = $this->pi_getLL('username', '', true);
477 $markerArray['###NOREDIRECT###'] = $this->noRedirect ? '1' : '0';
478 $markerArray['###PREFIXID###'] = $this->prefixId;
479 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
480 if ($this->redirectUrl) {
481 // Use redirectUrl for action tag because of possible access restricted pages
482 $markerArray['###ACTION_URI###'] = htmlspecialchars($this->redirectUrl);
483 $this->redirectUrl = '';
484 }
485 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
486 }
487
488 /**
489 * Shows login form
490 *
491 * @return string Content
492 */
493 protected function showLogin()
494 {
495 $subpart = $this->cObj->getSubpart($this->template, '###TEMPLATE_LOGIN###');
496 $subpartArray = ($linkpartArray = ($markerArray = array()));
497 $gpRedirectUrl = '';
498 $markerArray['###LEGEND###'] = $this->pi_getLL('oLabel_header_welcome', '', true);
499 if ($this->logintype === 'login') {
500 if ($this->userIsLoggedIn) {
501 // login success
502 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('success_header', $this->conf['successHeader_stdWrap.']);
503 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('success_message', $this->conf['successMessage_stdWrap.']);
504 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
505 $subpartArray['###LOGIN_FORM###'] = '';
506 // Hook for general actions after after login has been confirmed (by Thomas Danzl <thomas@danzl.org>)
507 if ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_confirmed']) {
508 $_params = array();
509 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_confirmed'] as $_funcRef) {
510 if ($_funcRef) {
511 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
512 }
513 }
514 }
515 // show logout form directly
516 if ($this->conf['showLogoutFormAfterLogin']) {
517 $this->redirectUrl = '';
518 return $this->showLogout();
519 }
520 } else {
521 // Hook for general actions on login error
522 if (
523 isset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'])
524 && is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'])
525 ) {
526 $params = array();
527 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['login_error'] as $funcRef) {
528 if ($funcRef) {
529 GeneralUtility::callUserFunction($funcRef, $params, $this);
530 }
531 }
532 }
533 // login error
534 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('error_header', $this->conf['errorHeader_stdWrap.']);
535 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('error_message', $this->conf['errorMessage_stdWrap.']);
536 $gpRedirectUrl = GeneralUtility::_GP('redirect_url');
537 }
538 } else {
539 if ($this->logintype === 'logout') {
540 // login form after logout
541 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('logout_header', $this->conf['logoutHeader_stdWrap.']);
542 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('logout_message', $this->conf['logoutMessage_stdWrap.']);
543 } else {
544 // login form
545 $markerArray['###STATUS_HEADER###'] = $this->getDisplayText('welcome_header', $this->conf['welcomeHeader_stdWrap.']);
546 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText('welcome_message', $this->conf['welcomeMessage_stdWrap.']);
547 }
548 }
549
550 // This hook allows to call User JS functions.
551 // The methods should also set the required JS functions to get included
552 $onSubmit = '';
553 $extraHidden = '';
554 $onSubmitAr = array();
555 $extraHiddenAr = array();
556 // Check for referer redirect method. if present, save referer in form field
557 if (GeneralUtility::inList($this->conf['redirectMode'], 'referer') || GeneralUtility::inList($this->conf['redirectMode'], 'refererDomains')) {
558 $referer = $this->referer ? $this->referer : GeneralUtility::getIndpEnv('HTTP_REFERER');
559 if ($referer) {
560 $extraHiddenAr[] = '<input type="hidden" name="referer" value="' . htmlspecialchars($referer) . '" />';
561 if ($this->piVars['redirectReferrer'] === 'off') {
562 $extraHiddenAr[] = '<input type="hidden" name="' . $this->prefixId . '[redirectReferrer]" value="off" />';
563 }
564 }
565 }
566 if (is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'])) {
567 $_params = array();
568 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'] as $funcRef) {
569 list($onSub, $hid) = GeneralUtility::callUserFunction($funcRef, $_params, $this);
570 $onSubmitAr[] = $onSub;
571 $extraHiddenAr[] = $hid;
572 }
573 }
574 if (!empty($onSubmitAr)) {
575 $onSubmit = implode('; ', $onSubmitAr) . '; return true;';
576 }
577 if (!empty($extraHiddenAr)) {
578 $extraHidden = implode(LF, $extraHiddenAr);
579 }
580 if (!$gpRedirectUrl && $this->redirectUrl) {
581 $gpRedirectUrl = $this->redirectUrl;
582 }
583 // Login form
584 $markerArray['###ACTION_URI###'] = $this->getPageLink('', array(), true);
585 // Used by kb_md5fepw extension...
586 $markerArray['###EXTRA_HIDDEN###'] = $extraHidden;
587 $markerArray['###LEGEND###'] = $this->pi_getLL('login', '', true);
588 $markerArray['###LOGIN_LABEL###'] = $this->pi_getLL('login', '', true);
589 // Used by kb_md5fepw extension...
590 $markerArray['###ON_SUBMIT###'] = $onSubmit;
591 $markerArray['###PASSWORD_LABEL###'] = $this->pi_getLL('password', '', true);
592 $markerArray['###STORAGE_PID###'] = $this->spid;
593 $markerArray['###USERNAME_LABEL###'] = $this->pi_getLL('username', '', true);
594 $markerArray['###REDIRECT_URL###'] = htmlspecialchars($gpRedirectUrl);
595 $markerArray['###NOREDIRECT###'] = $this->noRedirect ? '1' : '0';
596 $markerArray['###PREFIXID###'] = $this->prefixId;
597 $markerArray = array_merge($markerArray, $this->getUserFieldMarkers());
598 if ($this->conf['showForgotPasswordLink']) {
599 $linkpartArray['###FORGOT_PASSWORD_LINK###'] = explode('|', $this->getPageLink('|', array($this->prefixId . '[forgot]' => 1)));
600 $markerArray['###FORGOT_PASSWORD###'] = $this->pi_getLL('ll_forgot_header', '', true);
601 } else {
602 $subpartArray['###FORGOTP_VALID###'] = '';
603 }
604 // The permanent login checkbox should only be shown if permalogin is not deactivated (-1),
605 // not forced to be always active (2) and lifetime is greater than 0
606 if (
607 $this->conf['showPermaLogin']
608 && GeneralUtility::inList('0,1', $GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'])
609 && $GLOBALS['TYPO3_CONF_VARS']['FE']['lifetime'] > 0
610 ) {
611 $markerArray['###PERMALOGIN###'] = $this->pi_getLL('permalogin', '', true);
612 if ($GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin'] == 1) {
613 $markerArray['###PERMALOGIN_HIDDENFIELD_ATTRIBUTES###'] = 'disabled="disabled"';
614 $markerArray['###PERMALOGIN_CHECKBOX_ATTRIBUTES###'] = 'checked="checked"';
615 } else {
616 $markerArray['###PERMALOGIN_HIDDENFIELD_ATTRIBUTES###'] = '';
617 $markerArray['###PERMALOGIN_CHECKBOX_ATTRIBUTES###'] = '';
618 }
619 } else {
620 $subpartArray['###PERMALOGIN_VALID###'] = '';
621 }
622 return $this->cObj->substituteMarkerArrayCached($subpart, $markerArray, $subpartArray, $linkpartArray);
623 }
624
625 /**
626 * Process redirect methods. The function searches for a redirect url using all configured methods.
627 *
628 * @return array Redirect URLs
629 */
630 protected function processRedirect()
631 {
632 $redirect_url = array();
633 if ($this->conf['redirectMode']) {
634 $redirectMethods = GeneralUtility::trimExplode(',', $this->conf['redirectMode'], true);
635 foreach ($redirectMethods as $redirMethod) {
636 if ($this->frontendController->loginUser && $this->logintype === 'login') {
637 // Logintype is needed because the login-page wouldn't be accessible anymore after a login (would always redirect)
638 switch ($redirMethod) {
639 case 'groupLogin':
640 // taken from dkd_redirect_at_login written by Ingmar Schlecht; database-field changed
641 $groupData = $this->frontendController->fe_user->groupData;
642 $res = $this->databaseConnection->exec_SELECTquery(
643 'felogin_redirectPid',
644 $this->frontendController->fe_user->usergroup_table,
645 'felogin_redirectPid<>\'\' AND uid IN (' . implode(',', $groupData['uid']) . ')'
646 );
647 if ($row = $this->databaseConnection->sql_fetch_row($res)) {
648 // take the first group with a redirect page
649 $redirect_url[] = $this->pi_getPageLink($row[0]);
650 }
651 break;
652 case 'userLogin':
653 $res = $this->databaseConnection->exec_SELECTquery(
654 'felogin_redirectPid',
655 $this->frontendController->fe_user->user_table,
656 $this->frontendController->fe_user->userid_column . '=' . $this->frontendController->fe_user->user['uid'] . ' AND felogin_redirectPid<>\'\''
657 );
658 if ($row = $this->databaseConnection->sql_fetch_row($res)) {
659 $redirect_url[] = $this->pi_getPageLink($row[0]);
660 }
661 break;
662 case 'login':
663 if ($this->conf['redirectPageLogin']) {
664 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogin']);
665 }
666 break;
667 case 'getpost':
668 $redirect_url[] = $this->redirectUrl;
669 break;
670 case 'referer':
671 // Avoid redirect when logging in after changing password
672 if ($this->piVars['redirectReferrer'] !== 'off') {
673 // Avoid forced logout, when trying to login immediately after a logout
674 $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $this->referer);
675 }
676 break;
677 case 'refererDomains':
678 // Auto redirect.
679 // Feature to redirect to the page where the user came from (HTTP_REFERER).
680 // Allowed domains to redirect to, can be configured with plugin.tx_felogin_pi1.domains
681 // Thanks to plan2.net / Martin Kutschker for implementing this feature.
682 // also avoid redirect when logging in after changing password
683 if ($this->conf['domains'] && $this->piVars['redirectReferrer'] !== 'off') {
684 $url = $this->referer;
685 // Is referring url allowed to redirect?
686 $match = array();
687 if (preg_match('#^http://([[:alnum:]._-]+)/#', $url, $match)) {
688 $redirect_domain = $match[1];
689 $found = false;
690 foreach (GeneralUtility::trimExplode(',', $this->conf['domains'], true) as $d) {
691 if (preg_match('/(?:^|\\.)' . $d . '$/', $redirect_domain)) {
692 $found = true;
693 break;
694 }
695 }
696 if (!$found) {
697 $url = '';
698 }
699 }
700 // Avoid forced logout, when trying to login immediately after a logout
701 if ($url) {
702 $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $url);
703 }
704 }
705 break;
706 }
707 } elseif ($this->logintype === 'login') {
708 // after login-error
709 switch ($redirMethod) {
710 case 'loginError':
711 if ($this->conf['redirectPageLoginError']) {
712 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLoginError']);
713 }
714 break;
715 }
716 } elseif ($this->logintype == '' && $redirMethod == 'login' && $this->conf['redirectPageLogin']) {
717 // If login and page not accessible
718 $this->cObj->typoLink('', array(
719 'parameter' => $this->conf['redirectPageLogin'],
720 'linkAccessRestrictedPages' => true
721 ));
722 $redirect_url[] = $this->cObj->lastTypoLinkUrl;
723 } elseif ($this->logintype == '' && $redirMethod == 'logout' && $this->conf['redirectPageLogout'] && $this->frontendController->loginUser) {
724 // If logout and page not accessible
725 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogout']);
726 } elseif ($this->logintype === 'logout') {
727 // after logout
728 // Hook for general actions after after logout has been confirmed
729 if ($this->logintype === 'logout' && $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['logout_confirmed']) {
730 $_params = array();
731 foreach ($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['logout_confirmed'] as $_funcRef) {
732 if ($_funcRef) {
733 GeneralUtility::callUserFunction($_funcRef, $_params, $this);
734 }
735 }
736 }
737 switch ($redirMethod) {
738 case 'logout':
739 if ($this->conf['redirectPageLogout']) {
740 $redirect_url[] = $this->pi_getPageLink((int)$this->conf['redirectPageLogout']);
741 }
742 break;
743 }
744 } else {
745 // not logged in
746 // Placeholder for maybe future options
747 switch ($redirMethod) {
748 case 'getpost':
749 // Preserve the get/post value
750 $redirect_url[] = $this->redirectUrl;
751 break;
752 }
753 }
754 }
755 }
756 // Remove empty values
757 if (!empty($redirect_url)) {
758 return GeneralUtility::trimExplode(',', implode(',', $redirect_url), true);
759 }
760 return array();
761 }
762
763 /**
764 * Reads flexform configuration and merge it with $this->conf
765 *
766 * @return void
767 */
768 protected function mergeflexFormValuesIntoConf()
769 {
770 $flex = array();
771 if ($this->flexFormValue('showForgotPassword', 'sDEF')) {
772 $flex['showForgotPasswordLink'] = $this->flexFormValue('showForgotPassword', 'sDEF');
773 }
774 if ($this->flexFormValue('showPermaLogin', 'sDEF')) {
775 $flex['showPermaLogin'] = $this->flexFormValue('showPermaLogin', 'sDEF');
776 }
777 if ($this->flexFormValue('showLogoutFormAfterLogin', 'sDEF')) {
778 $flex['showLogoutFormAfterLogin'] = $this->flexFormValue('showLogoutFormAfterLogin', 'sDEF');
779 }
780 if ($this->flexFormValue('pages', 'sDEF')) {
781 $flex['pages'] = $this->flexFormValue('pages', 'sDEF');
782 }
783 if ($this->flexFormValue('recursive', 'sDEF')) {
784 $flex['recursive'] = $this->flexFormValue('recursive', 'sDEF');
785 }
786 if ($this->flexFormValue('templateFile', 'sDEF')) {
787 $flex['templateFile'] = $this->uploadDir . $this->flexFormValue('templateFile', 'sDEF');
788 }
789 if ($this->flexFormValue('redirectMode', 's_redirect')) {
790 $flex['redirectMode'] = $this->flexFormValue('redirectMode', 's_redirect');
791 }
792 if ($this->flexFormValue('redirectFirstMethod', 's_redirect')) {
793 $flex['redirectFirstMethod'] = $this->flexFormValue('redirectFirstMethod', 's_redirect');
794 }
795 if ($this->flexFormValue('redirectDisable', 's_redirect')) {
796 $flex['redirectDisable'] = $this->flexFormValue('redirectDisable', 's_redirect');
797 }
798 if ($this->flexFormValue('redirectPageLogin', 's_redirect')) {
799 $flex['redirectPageLogin'] = $this->flexFormValue('redirectPageLogin', 's_redirect');
800 }
801 if ($this->flexFormValue('redirectPageLoginError', 's_redirect')) {
802 $flex['redirectPageLoginError'] = $this->flexFormValue('redirectPageLoginError', 's_redirect');
803 }
804 if ($this->flexFormValue('redirectPageLogout', 's_redirect')) {
805 $flex['redirectPageLogout'] = $this->flexFormValue('redirectPageLogout', 's_redirect');
806 }
807 $pid = $flex['pages'] ? $this->pi_getPidList($flex['pages'], $flex['recursive']) : 0;
808 if ($pid > 0) {
809 $flex['storagePid'] = $pid;
810 }
811 $this->conf = array_merge($this->conf, $flex);
812 }
813
814 /**
815 * Loads a variable from the flexform
816 *
817 * @param string $var Name of variable
818 * @param string $sheet Name of sheet
819 * @return string Value of var
820 */
821 protected function flexFormValue($var, $sheet)
822 {
823 return $this->pi_getFFvalue($this->cObj->data['pi_flexform'], $var, $sheet);
824 }
825
826 /**
827 * Generate link with typolink function
828 *
829 * @param string $label Linktext
830 * @param array $piVars Link vars
831 * @param bool $returnUrl TRUE: returns only url FALSE (default) returns the link)
832 * @return string Link or url
833 */
834 protected function getPageLink($label, $piVars, $returnUrl = false)
835 {
836 $additionalParams = '';
837 if (!empty($piVars)) {
838 foreach ($piVars as $key => $val) {
839 $additionalParams .= '&' . $key . '=' . $val;
840 }
841 }
842 // Should GETvars be preserved?
843 if ($this->conf['preserveGETvars']) {
844 $additionalParams .= $this->getPreserveGetVars();
845 }
846 $this->conf['linkConfig.']['parameter'] = $this->frontendController->id;
847 if ($additionalParams) {
848 $this->conf['linkConfig.']['additionalParams'] = $additionalParams;
849 }
850 if ($returnUrl) {
851 return htmlspecialchars($this->cObj->typoLink_URL($this->conf['linkConfig.']));
852 } else {
853 return $this->cObj->typoLink($label, $this->conf['linkConfig.']);
854 }
855 }
856
857 /**
858 * Add additional parameters for links according to TS setting preserveGETvars.
859 * Possible values are "all" or a comma separated list of allowed GET-vars.
860 * Supports multi-dimensional GET-vars.
861 * Some hardcoded values are dropped.
862 *
863 * @return string additionalParams-string
864 */
865 protected function getPreserveGetVars()
866 {
867 $getVars = GeneralUtility::_GET();
868 unset(
869 $getVars['id'],
870 $getVars['no_cache'],
871 $getVars['logintype'],
872 $getVars['redirect_url'],
873 $getVars['cHash'],
874 $getVars[$this->prefixId]
875 );
876 if ($this->conf['preserveGETvars'] === 'all') {
877 $preserveQueryParts = $getVars;
878 } else {
879 $preserveQueryParts = GeneralUtility::trimExplode(',', $this->conf['preserveGETvars']);
880 $preserveQueryParts = GeneralUtility::explodeUrl2Array(implode('=1&', $preserveQueryParts) . '=1', true);
881 $preserveQueryParts = \TYPO3\CMS\Core\Utility\ArrayUtility::intersectRecursive($getVars, $preserveQueryParts);
882 }
883 $parameters = GeneralUtility::implodeArrayForUrl('', $preserveQueryParts);
884 return $parameters;
885 }
886
887 /**
888 * Is used by forgot password - function with md5 option.
889 * @param int $len Length of new password
890 * @return string New password
891 */
892 protected function generatePassword($len)
893 {
894 $pass = '';
895 while ($len--) {
896 $char = rand(0, 35);
897 if ($char < 10) {
898 $pass .= '' . $char;
899 } else {
900 $pass .= chr($char - 10 + 97);
901 }
902 }
903 return $pass;
904 }
905
906 /**
907 * Returns the header / message value from flexform if present, else from locallang.xlf
908 *
909 * @param string $label label name
910 * @param array $stdWrapArray TS stdWrap array
911 * @return string label text
912 */
913 protected function getDisplayText($label, $stdWrapArray = array())
914 {
915 $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label, '', true), $stdWrapArray);
916 $replace = $this->getUserFieldMarkers();
917 return strtr($text, $replace);
918 }
919
920 /**
921 * Returns Array of markers filled with user fields
922 *
923 * @return array Marker array
924 */
925 protected function getUserFieldMarkers()
926 {
927 $marker = array();
928 // replace markers with fe_user data
929 if ($this->frontendController->fe_user->user) {
930 // All fields of fe_user will be replaced, scheme is ###FEUSER_FIELDNAME###
931 foreach ($this->frontendController->fe_user->user as $field => $value) {
932 $marker['###FEUSER_' . GeneralUtility::strtoupper($field) . '###'] = $this->cObj->stdWrap($value, $this->conf['userfields.'][$field . '.']);
933 }
934 // Add ###USER### for compatibility
935 $marker['###USER###'] = $marker['###FEUSER_USERNAME###'];
936 }
937 return $marker;
938 }
939
940 /**
941 * Returns a valid and XSS cleaned url for redirect, checked against configuration "allowedRedirectHosts"
942 *
943 * @param string $url
944 * @return string cleaned referer or empty string if not valid
945 */
946 protected function validateRedirectUrl($url)
947 {
948 $url = strval($url);
949 if ($url === '') {
950 return '';
951 }
952 $decodedUrl = rawurldecode($url);
953 $sanitizedUrl = GeneralUtility::removeXSS($decodedUrl);
954 if ($decodedUrl !== $sanitizedUrl || preg_match('#["<>\\\\]+#', $url)) {
955 GeneralUtility::sysLog(sprintf($this->pi_getLL('xssAttackDetected'), $url), 'felogin', GeneralUtility::SYSLOG_SEVERITY_WARNING);
956 return '';
957 }
958 // Validate the URL:
959 if ($this->isRelativeUrl($url) || $this->isInCurrentDomain($url) || $this->isInLocalDomain($url)) {
960 return $url;
961 }
962 // URL is not allowed
963 GeneralUtility::sysLog(sprintf($this->pi_getLL('noValidRedirectUrl'), $url), 'felogin', GeneralUtility::SYSLOG_SEVERITY_WARNING);
964 return '';
965 }
966
967 /**
968 * Determines whether the URL is on the current host and belongs to the
969 * current TYPO3 installation. The scheme part is ignored in the comparison.
970 *
971 * @param string $url URL to be checked
972 * @return bool Whether the URL belongs to the current TYPO3 installation
973 */
974 protected function isInCurrentDomain($url)
975 {
976 $urlWithoutSchema = preg_replace('#^https?://#', '', $url);
977 $siteUrlWithoutSchema = preg_replace('#^https?://#', '', GeneralUtility::getIndpEnv('TYPO3_SITE_URL'));
978 return StringUtility::beginsWith($urlWithoutSchema . '/', GeneralUtility::getIndpEnv('HTTP_HOST') . '/')
979 && StringUtility::beginsWith($urlWithoutSchema, $siteUrlWithoutSchema);
980 }
981
982 /**
983 * Determines whether the URL matches a domain
984 * in the sys_domain database table.
985 *
986 * @param string $url Absolute URL which needs to be checked
987 * @return bool Whether the URL is considered to be local
988 */
989 protected function isInLocalDomain($url)
990 {
991 $result = false;
992 if (GeneralUtility::isValidUrl($url)) {
993 $parsedUrl = parse_url($url);
994 if ($parsedUrl['scheme'] === 'http' || $parsedUrl['scheme'] === 'https') {
995 $host = $parsedUrl['host'];
996 // Removes the last path segment and slash sequences like /// (if given):
997 $path = preg_replace('#/+[^/]*$#', '', $parsedUrl['path']);
998 $localDomains = $this->databaseConnection->exec_SELECTgetRows('domainName', 'sys_domain', '1=1' . $this->cObj->enableFields('sys_domain'));
999 if (is_array($localDomains)) {
1000 foreach ($localDomains as $localDomain) {
1001 // strip trailing slashes (if given)
1002 $domainName = rtrim($localDomain['domainName'], '/');
1003 if (GeneralUtility::isFirstPartOfStr($host . $path . '/', $domainName . '/')) {
1004 $result = true;
1005 break;
1006 }
1007 }
1008 }
1009 }
1010 }
1011 return $result;
1012 }
1013
1014 /**
1015 * Determines whether the URL is relative to the
1016 * current TYPO3 installation.
1017 *
1018 * @param string $url URL which needs to be checked
1019 * @return bool Whether the URL is considered to be relative
1020 */
1021 protected function isRelativeUrl($url)
1022 {
1023 $parsedUrl = @parse_url($url);
1024 if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
1025 // If the relative URL starts with a slash, we need to check if it's within the current site path
1026 return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
1027 }
1028 return false;
1029 }
1030 }