|
| 1 | +<?php |
| 2 | + |
| 3 | +namespace Xima\XimaOauth2Extended\EventListener; |
| 4 | + |
| 5 | +use TYPO3\CMS\Backend\Security\SudoMode\Event\SudoModeRequiredEvent; |
| 6 | +use TYPO3\CMS\Core\Authentication\BackendUserAuthentication; |
| 7 | +use TYPO3\CMS\Core\Configuration\ExtensionConfiguration; |
| 8 | +use TYPO3\CMS\Core\Database\Connection; |
| 9 | +use TYPO3\CMS\Core\Database\ConnectionPool; |
| 10 | +use TYPO3\CMS\Core\Utility\GeneralUtility; |
| 11 | + |
| 12 | +class SkipSudoModeRequirement |
| 13 | +{ |
| 14 | + public function __construct( |
| 15 | + private ExtensionConfiguration $extensionConfiguration, |
| 16 | + ) { |
| 17 | + } |
| 18 | + |
| 19 | + public function __invoke(SudoModeRequiredEvent $event): void |
| 20 | + { |
| 21 | + // Check if sudo mode is required |
| 22 | + if (!$event->isVerificationRequired()) { |
| 23 | + return; |
| 24 | + } |
| 25 | + |
| 26 | + // Check if the user has an oAuth2 client configuration |
| 27 | + $hasOauth2ClientConfig = $this->getCurrentUser()->user['tx_oauth2_client_configs'] ?? false; |
| 28 | + if (!$hasOauth2ClientConfig) { |
| 29 | + return; |
| 30 | + } |
| 31 | + |
| 32 | + // User has an oauth2 configuration with enabled user creation |
| 33 | + if (!$this->currentUserHasOauthProviderWithCreation()) { |
| 34 | + return; |
| 35 | + } |
| 36 | + |
| 37 | + // Users can always bypass sudo mode if changing their own password |
| 38 | + $subjects = $event->getClaim()->subjects; |
| 39 | + if (isset($subjects[0]) && str_starts_with($subjects[0]->getSubject(), 'be_users.password.')) { |
| 40 | + $event->setVerificationRequired(false); |
| 41 | + return; |
| 42 | + } |
| 43 | + |
| 44 | + // Admins can bypass any sudo mode |
| 45 | + if ($this->currentUserIsAdmin()) { |
| 46 | + $event->setVerificationRequired(false); |
| 47 | + } |
| 48 | + } |
| 49 | + |
| 50 | + private function getCurrentUser(): BackendUserAuthentication |
| 51 | + { |
| 52 | + return $GLOBALS['BE_USER']; |
| 53 | + } |
| 54 | + |
| 55 | + private function currentUserHasOauthProviderWithCreation(): bool |
| 56 | + { |
| 57 | + $allProviderConfigs = $this->extensionConfiguration->get('xima_oauth2_extended', 'oauth2_client_providers', []); |
| 58 | + $providerWithCreation = array_keys(array_filter($allProviderConfigs, static function ($config) { |
| 59 | + return isset($config['createBackendUser']) && $config['createBackendUser'] === true; |
| 60 | + })); |
| 61 | + |
| 62 | + if (empty($providerWithCreation)) { |
| 63 | + return false; |
| 64 | + } |
| 65 | + |
| 66 | + $userUid = $this->getCurrentUser()->getUserId(); |
| 67 | + |
| 68 | + $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('tx_oauth2_beuser_provider_configuration'); |
| 69 | + $userProvider = $queryBuilder->count('uid') |
| 70 | + ->from('tx_oauth2_beuser_provider_configuration') |
| 71 | + ->where( |
| 72 | + $queryBuilder->expr()->eq('parentid', $queryBuilder->createNamedParameter($userUid, Connection::PARAM_INT)) |
| 73 | + ) |
| 74 | + ->andWhere( |
| 75 | + $queryBuilder->expr()->in( |
| 76 | + 'provider', |
| 77 | + $queryBuilder->createNamedParameter($providerWithCreation, Connection::PARAM_STR_ARRAY) |
| 78 | + ) |
| 79 | + ) |
| 80 | + ->executeQuery() |
| 81 | + ->fetchOne(); |
| 82 | + |
| 83 | + return (bool)$userProvider; |
| 84 | + } |
| 85 | + |
| 86 | + private function currentUserIsAdmin(): bool |
| 87 | + { |
| 88 | + $user = $this->getCurrentUser()->getUserId(); |
| 89 | + |
| 90 | + $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users'); |
| 91 | + return (bool)$queryBuilder->select('admin') |
| 92 | + ->from('be_users') |
| 93 | + ->where( |
| 94 | + $queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($user, Connection::PARAM_INT)) |
| 95 | + ) |
| 96 | + ->executeQuery() |
| 97 | + ->fetchOne(); |
| 98 | + } |
| 99 | +} |
0 commit comments