vendor/contao/core-bundle/src/Security/Authentication/Token/TokenChecker.php line 62

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. /*
  6. * This file is part of Contao.
  7. *
  8. * (c) Leo Feyer
  9. *
  10. * @license LGPL-3.0-or-later
  11. */
  13. namespace Contao\CoreBundle\Security\Authentication\Token;
  15. use Contao\BackendUser;
  16. use Contao\FrontendUser;
  17. use Doctrine\DBAL\Connection;
  18. use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
  19. use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
  20. use Symfony\Component\HttpFoundation\Request;
  21. use Symfony\Component\HttpFoundation\RequestStack;
  22. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  27. use Symfony\Component\Security\Http\FirewallMapInterface;
  29. class TokenChecker
  30. {
  31. private const FRONTEND_FIREWALL = 'contao_frontend';
  32. private const BACKEND_FIREWALL = 'contao_backend';
  34. private RequestStack $requestStack;
  35. private FirewallMapInterface $firewallMap;
  36. private TokenStorageInterface $tokenStorage;
  37. private SessionInterface $session;
  38. private AuthenticationTrustResolverInterface $trustResolver;
  39. private VoterInterface $roleVoter;
  40. private Connection $connection;
  41. private array $previewLinks;
  43. /**
  44. * @internal
  45. */
  46. public function __construct(RequestStack $requestStack, FirewallMapInterface $firewallMap, TokenStorageInterface $tokenStorage, SessionInterface $session, AuthenticationTrustResolverInterface $trustResolver, VoterInterface $roleVoter, Connection $connection)
  47. {
  48. $this->requestStack = $requestStack;
  49. $this->firewallMap = $firewallMap;
  50. $this->tokenStorage = $tokenStorage;
  51. $this->session = $session;
  52. $this->trustResolver = $trustResolver;
  53. $this->roleVoter = $roleVoter;
  54. $this->connection = $connection;
  55. }
  57. /**
  58. * Checks if a front end user is authenticated.
  59. */
  60. public function hasFrontendUser(): bool
  61. {
  62. $token = $this->getToken(self::FRONTEND_FIREWALL);
  64. return null !== $token && VoterInterface::ACCESS_GRANTED === $this->roleVoter->vote($token, null, ['ROLE_MEMBER']);
  65. }
  67. /**
  68. * Checks if a back end user is authenticated.
  69. */
  70. public function hasBackendUser(): bool
  71. {
  72. $token = $this->getToken(self::BACKEND_FIREWALL);
  74. return null !== $token && VoterInterface::ACCESS_GRANTED === $this->roleVoter->vote($token, null, ['ROLE_USER']);
  75. }
  77. /**
  78. * Gets the front end username from the session.
  79. */
  80. public function getFrontendUsername(): ?string
  81. {
  82. $token = $this->getToken(self::FRONTEND_FIREWALL);
  84. if (null === $token || !$token->getUser() instanceof FrontendUser) {
  85. return null;
  86. }
  88. return $token->getUser()->getUserIdentifier();
  89. }
  91. /**
  92. * Gets the back end username from the session.
  93. */
  94. public function getBackendUsername(): ?string
  95. {
  96. $token = $this->getToken(self::BACKEND_FIREWALL);
  98. if (null === $token || !$token->getUser() instanceof BackendUser) {
  99. return null;
  100. }
  102. return $token->getUser()->getUserIdentifier();
  103. }
  105. /**
  106. * Tells whether the front end preview can be accessed.
  107. */
  108. public function canAccessPreview(): bool
  109. {
  110. if ($this->hasBackendUser()) {
  111. return true;
  112. }
  114. $token = $this->getToken(self::FRONTEND_FIREWALL);
  116. if (!$token instanceof FrontendPreviewToken) {
  117. return false;
  118. }
  120. if (null === $token->getPreviewLinkId()) {
  121. return false;
  122. }
  124. return $this->isValidPreviewLink($token);
  125. }
  127. /**
  128. * Tells whether the front end preview can show unpublished fragments.
  129. */
  130. public function isPreviewMode(): bool
  131. {
  132. $request = $this->requestStack->getMainRequest();
  134. if (null === $request || !$request->attributes->get('_preview', false) || !$this->canAccessPreview()) {
  135. return false;
  136. }
  138. $token = $this->getToken(self::FRONTEND_FIREWALL);
  140. return $token instanceof FrontendPreviewToken && $token->showUnpublished();
  141. }
  143. public function isFrontendFirewall(): bool
  144. {
  145. return self::FRONTEND_FIREWALL === $this->getFirewallContext();
  146. }
  148. public function isBackendFirewall(): bool
  149. {
  150. return self::BACKEND_FIREWALL === $this->getFirewallContext();
  151. }
  153. private function getToken(string $context): ?TokenInterface
  154. {
  155. $token = $this->getTokenFromStorage($context);
  157. if (null === $token) {
  158. $token = $this->getTokenFromSession('_security_'.$context);
  159. }
  161. if (!$token instanceof TokenInterface || !$token->isAuthenticated()) {
  162. return null;
  163. }
  165. if ($this->trustResolver->isAnonymous($token)) {
  166. return null;
  167. }
  169. return $token;
  170. }
  172. private function getTokenFromStorage(string $context): ?TokenInterface
  173. {
  174. if ($this->getFirewallContext() !== $context) {
  175. return null;
  176. }
  178. return $this->tokenStorage->getToken();
  179. }
  181. private function getFirewallContext(): ?string
  182. {
  183. $request = $this->requestStack->getMainRequest();
  185. if (!$this->firewallMap instanceof FirewallMap || null === $request) {
  186. return null;
  187. }
  189. $config = $this->firewallMap->getFirewallConfig($request);
  191. if (!$config instanceof FirewallConfig) {
  192. return null;
  193. }
  195. return $config->getContext();
  196. }
  198. private function getTokenFromSession(string $sessionKey): ?TokenInterface
  199. {
  200. if (!$this->session->isStarted()) {
  201. $request = $this->requestStack->getMainRequest();
  203. if (!$request || !$request->hasPreviousSession()) {
  204. return null;
  205. }
  206. }
  208. // This will start the session if Request::hasPreviousSession() was true
  209. if (!$this->session->has($sessionKey)) {
  210. return null;
  211. }
  213. $token = unserialize($this->session->get($sessionKey), ['allowed_classes' => true]);
  215. if (!$token instanceof TokenInterface) {
  216. return null;
  217. }
  219. return $token;
  220. }
  222. private function isValidPreviewLink(FrontendPreviewToken $token): bool
  223. {
  224. $id = $token->getPreviewLinkId();
  226. if (!isset($this->previewLinks[$id])) {
  227. $this->previewLinks[$id] = $this->connection->fetchAssociative(
  228. "
  229. SELECT
  230. url,
  231. showUnpublished,
  232. restrictToUrl
  233. FROM tl_preview_link
  234. WHERE
  235. id = :id
  236. AND published = '1'
  237. AND expiresAt > UNIX_TIMESTAMP()
  238. ",
  239. ['id' => $id],
  240. );
  241. }
  243. $previewLink = $this->previewLinks[$id];
  245. if (!$previewLink) {
  246. return false;
  247. }
  249. if ((bool) $previewLink['showUnpublished'] !== $token->showUnpublished()) {
  250. return false;
  251. }
  253. if (!$previewLink['restrictToUrl']) {
  254. return true;
  255. }
  257. $request = $this->requestStack->getMainRequest();
  259. return $request && strtok($request->getUri(), '?') === strtok(Request::create($previewLink['url'])->getUri(), '?');
  260. }
  261. }