vendor/contao/core-bundle/src/Security/Authentication/Token/TokenChecker.php line 209

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. /*
  6.  * This file is part of Contao.
  7.  *
  8.  * (c) Leo Feyer
  9.  *
  10.  * @license LGPL-3.0-or-later
  11.  */
  13. namespace Contao\CoreBundle\Security\Authentication\Token;
  15. use Contao\BackendUser;
  16. use Contao\FrontendUser;
  17. use Doctrine\DBAL\Connection;
  18. use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
  19. use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
  20. use Symfony\Component\HttpFoundation\Request;
  21. use Symfony\Component\HttpFoundation\RequestStack;
  22. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  27. use Symfony\Component\Security\Http\FirewallMapInterface;
  29. class TokenChecker
  30. {
  31.     private const FRONTEND_FIREWALL 'contao_frontend';
  32.     private const BACKEND_FIREWALL 'contao_backend';
  34.     private RequestStack $requestStack;
  35.     private FirewallMapInterface $firewallMap;
  36.     private TokenStorageInterface $tokenStorage;
  37.     private SessionInterface $session;
  38.     private AuthenticationTrustResolverInterface $trustResolver;
  39.     private VoterInterface $roleVoter;
  40.     private Connection $connection;
  41.     private array $previewLinks;
  43.     /**
  44.      * @internal
  45.      */
  46.     public function __construct(RequestStack $requestStackFirewallMapInterface $firewallMapTokenStorageInterface $tokenStorageSessionInterface $sessionAuthenticationTrustResolverInterface $trustResolverVoterInterface $roleVoterConnection $connection)
  47.     {
  48.         $this->requestStack $requestStack;
  49.         $this->firewallMap $firewallMap;
  50.         $this->tokenStorage $tokenStorage;
  51.         $this->session $session;
  52.         $this->trustResolver $trustResolver;
  53.         $this->roleVoter $roleVoter;
  54.         $this->connection $connection;
  55.     }
  57.     /**
  58.      * Checks if a front end user is authenticated.
  59.      */
  60.     public function hasFrontendUser(): bool
  61.     {
  62.         $token $this->getToken(self::FRONTEND_FIREWALL);
  64.         return null !== $token && VoterInterface::ACCESS_GRANTED === $this->roleVoter->vote($tokennull, ['ROLE_MEMBER']);
  65.     }
  67.     /**
  68.      * Checks if a back end user is authenticated.
  69.      */
  70.     public function hasBackendUser(): bool
  71.     {
  72.         $token $this->getToken(self::BACKEND_FIREWALL);
  74.         return null !== $token && VoterInterface::ACCESS_GRANTED === $this->roleVoter->vote($tokennull, ['ROLE_USER']);
  75.     }
  77.     /**
  78.      * Gets the front end username from the session.
  79.      */
  80.     public function getFrontendUsername(): ?string
  81.     {
  82.         $token $this->getToken(self::FRONTEND_FIREWALL);
  84.         if (null === $token || !$token->getUser() instanceof FrontendUser) {
  85.             return null;
  86.         }
  88.         return $token->getUser()->getUserIdentifier();
  89.     }
  91.     /**
  92.      * Gets the back end username from the session.
  93.      */
  94.     public function getBackendUsername(): ?string
  95.     {
  96.         $token $this->getToken(self::BACKEND_FIREWALL);
  98.         if (null === $token || !$token->getUser() instanceof BackendUser) {
  99.             return null;
  100.         }
  102.         return $token->getUser()->getUserIdentifier();
  103.     }
  105.     /**
  106.      * Tells whether the front end preview can be accessed.
  107.      */
  108.     public function canAccessPreview(): bool
  109.     {
  110.         if ($this->hasBackendUser()) {
  111.             return true;
  112.         }
  114.         $token $this->getToken(self::FRONTEND_FIREWALL);
  116.         if (!$token instanceof FrontendPreviewToken) {
  117.             return false;
  118.         }
  120.         if (null === $token->getPreviewLinkId()) {
  121.             return false;
  122.         }
  124.         return $this->isValidPreviewLink($token);
  125.     }
  127.     /**
  128.      * Tells whether the front end preview can show unpublished fragments.
  129.      */
  130.     public function isPreviewMode(): bool
  131.     {
  132.         $request $this->requestStack->getMainRequest();
  134.         if (null === $request || !$request->attributes->get('_preview'false) || !$this->canAccessPreview()) {
  135.             return false;
  136.         }
  138.         $token $this->getToken(self::FRONTEND_FIREWALL);
  140.         return $token instanceof FrontendPreviewToken && $token->showUnpublished();
  141.     }
  143.     public function isFrontendFirewall(): bool
  144.     {
  145.         return self::FRONTEND_FIREWALL === $this->getFirewallContext();
  146.     }
  148.     public function isBackendFirewall(): bool
  149.     {
  150.         return self::BACKEND_FIREWALL === $this->getFirewallContext();
  151.     }
  153.     private function getToken(string $context): ?TokenInterface
  154.     {
  155.         $token $this->getTokenFromStorage($context);
  157.         if (null === $token) {
  158.             $token $this->getTokenFromSession('_security_'.$context);
  159.         }
  161.         if (!$token instanceof TokenInterface || !$token->isAuthenticated()) {
  162.             return null;
  163.         }
  165.         if ($this->trustResolver->isAnonymous($token)) {
  166.             return null;
  167.         }
  169.         return $token;
  170.     }
  172.     private function getTokenFromStorage(string $context): ?TokenInterface
  173.     {
  174.         if ($this->getFirewallContext() !== $context) {
  175.             return null;
  176.         }
  178.         return $this->tokenStorage->getToken();
  179.     }
  181.     private function getFirewallContext(): ?string
  182.     {
  183.         $request $this->requestStack->getMainRequest();
  185.         if (!$this->firewallMap instanceof FirewallMap || null === $request) {
  186.             return null;
  187.         }
  189.         $config $this->firewallMap->getFirewallConfig($request);
  191.         if (!$config instanceof FirewallConfig) {
  192.             return null;
  193.         }
  195.         return $config->getContext();
  196.     }
  198.     private function getTokenFromSession(string $sessionKey): ?TokenInterface
  199.     {
  200.         if (!$this->session->isStarted()) {
  201.             $request $this->requestStack->getMainRequest();
  203.             if (!$request || !$request->hasPreviousSession()) {
  204.                 return null;
  205.             }
  206.         }
  208.         // This will start the session if Request::hasPreviousSession() was true
  209.         if (!$this->session->has($sessionKey)) {
  210.             return null;
  211.         }
  213.         $token unserialize($this->session->get($sessionKey), ['allowed_classes' => true]);
  215.         if (!$token instanceof TokenInterface) {
  216.             return null;
  217.         }
  219.         return $token;
  220.     }
  222.     private function isValidPreviewLink(FrontendPreviewToken $token): bool
  223.     {
  224.         $id $token->getPreviewLinkId();
  226.         if (!isset($this->previewLinks[$id])) {
  227.             $this->previewLinks[$id] = $this->connection->fetchAssociative(
  228.                 "
  229.                     SELECT
  230.                         url,
  231.                         showUnpublished,
  232.                         restrictToUrl
  233.                     FROM tl_preview_link
  234.                     WHERE
  235.                         id = :id
  236.                         AND published = '1'
  237.                         AND expiresAt > UNIX_TIMESTAMP()
  238.                 ",
  239.                 ['id' => $id],
  240.             );
  241.         }
  243.         $previewLink $this->previewLinks[$id];
  245.         if (!$previewLink) {
  246.             return false;
  247.         }
  249.         if ((bool) $previewLink['showUnpublished'] !== $token->showUnpublished()) {
  250.             return false;
  251.         }
  253.         if (!$previewLink['restrictToUrl']) {
  254.             return true;
  255.         }
  257.         $request $this->requestStack->getMainRequest();
  259.         return $request && strtok($request->getUri(), '?') === strtok(Request::create($previewLink['url'])->getUri(), '?');
  260.     }
  261. }