Context
class Context (View source)
This is the default implementation of a security context, which holds current security information like roles oder details of authenticated users.
Constants
| AUTHENTICATE_ANY_TOKEN |
Authenticate as many tokens as possible but do not require
an authenticated token (e.g. for guest users with role Neos.Flow:Everybody). |
| AUTHENTICATE_ONE_TOKEN |
Stop authentication of tokens after first successful
authentication of a token. |
| AUTHENTICATE_ALL_TOKENS |
Authenticate all active tokens and throw an exception if
an active token could not be authenticated. |
| AUTHENTICATE_AT_LEAST_ONE_TOKEN |
Authenticate as many tokens as possible but do not fail if
a token could not be authenticated and at least one token
could be authenticated. |
| CSRF_ONE_PER_SESSION |
Creates one csrf token per session |
| CSRF_ONE_PER_URI |
Creates one csrf token per uri |
| CSRF_ONE_PER_REQUEST |
Creates one csrf token per request |
| CONTEXT_HASH_UNINITIALIZED |
If the security context isn't initialized (or authorization checks are disabled)
this constant will be returned by getContextHash() |
Properties
| protected int | $authenticationStrategy | One of the AUTHENTICATE_* constants to set the authentication strategy. |
|
| protected int | $csrfProtectionStrategy | One of the CSRF_* constants to set the csrf protection strategy |
|
| protected array | $tokenStatusLabels | ||
| protected bool | $initialized | true if the context is initialized in the current request, false or NULL otherwise. |
|
| protected TokenInterface[] | $activeTokens | Array of tokens currently active |
|
| protected TokenInterface[] | $inactiveTokens | Array of tokens currently inactive |
|
| protected ActionRequest | $request | ||
| protected Role[] | $roles | ||
| protected bool | $authorizationChecksDisabled | Whether authorization is disabled areAuthorizationChecksDisabled() |
|
| protected string | $contextHash | A hash for this security context that is unique to the currently authenticated roles. |
|
| protected array | $csrfTokensRemovedAfterCurrentRequest | CSRF tokens that are valid during this request but will be gone after. |
|
| protected string | $requestCsrfToken | CSRF token created in the current request. |
|
| protected TokenAndProviderFactoryInterface | $tokenAndProviderFactory | ||
| protected SessionManagerInterface | $sessionManager | ||
| protected LoggerInterface | $securityLogger | ||
| protected PolicyService | $policyService | ||
| protected ObjectManagerInterface | $objectManager | ||
| protected array | $globalObjects | Array of registered global objects that can be accessed as operands |
Methods
Lets you switch off authorization checks (CSRF token, policies, content security, ...) for the runtime of $callback
Returns true if authorization should be ignored, otherwise false This is mainly useful to fetch records without Content Security to kick in (e.g. for AuthenticationProviders)
Injects the configuration settings
Initializes the security context for the given request.
No description
Get the token authentication strategy
Returns all Authentication\Tokens of the security context which are active for the current request. If a token has a request pattern that cannot match against the current request it is determined as not active.
Returns all Authentication\Tokens of the security context which are active for the current request and of the given type. If a token has a request pattern that cannot match against the current request it is determined as not active.
Returns true, if at least one of the currently authenticated accounts holds a role with the given identifier, also recursively.
Returns the account of the first authenticated authentication token.
Returns an authenticated account for the given provider or NULL if no account was authenticated or no token was registered for the given authentication provider name.
Returns the current CSRF protection token. A new one is created when needed, depending on the configured CSRF protection strategy.
Returns true if the context has CSRF protection tokens.
Returns true if the given string is a valid CSRF protection token. The token will be removed if the configured csrf strategy is 'onePerUri'.
Sets an action request, to be stored for later resuming after it has been intercepted by a security exception.
Returns the request, that has been stored for later resuming after it has been intercepted by a security exception, NULL if there is none.
Clears the security context.
Stores all active tokens in $this->activeTokens, all others in $this->inactiveTokens
Evaluates any RequestPatterns of the given token to determine whether it is active for the current request
- If no RequestPattern is configured for this token, it is active
- Otherwise it is active only if at least one configured RequestPattern per type matches the request
Merges the session and manager tokens. All manager tokens types will be in the result array If a specific type is found in the session this token replaces the one (of the same type) given by the manager.
Tries to find a token matchting the given manager token in the session tokens, will return that or the manager token.
Updates the token credentials for all tokens in the given array.
Refreshes all active tokens by updating the credentials.
Refreshes the currently effective roles. In fact the roles first level cache is reset and the effective roles get recalculated by calling getRoles().
Check if the securityContext is ready to be initialized. Only after that security will be active.
Returns a hash that is unique for the current context, depending on hash components, setContextHashComponent()
returns the tag to use for sessions belonging to the given $account
destroys all sessions belonging to the given $account
Details
void
withoutAuthorizationChecks(Closure $callback)
Lets you switch off authorization checks (CSRF token, policies, content security, ...) for the runtime of $callback
Usage: $this->securityContext->withoutAuthorizationChecks(function () use ($accountRepository, $username, $providerName, &$account) { // this will disable the PersistenceQueryRewritingAspect for this one call $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName) });
bool
areAuthorizationChecksDisabled()
Returns true if authorization should be ignored, otherwise false This is mainly useful to fetch records without Content Security to kick in (e.g. for AuthenticationProviders)
void
setRequest(ActionRequest $request)
Set the current action request
This method is called manually by the request handler which created the HTTP request.
void
injectSettings(array $settings)
Injects the configuration settings
void
initialize()
Initializes the security context for the given request.
bool
isInitialized()
No description
int
getAuthenticationStrategy()
Get the token authentication strategy
TokenInterface[]
getAuthenticationTokens()
Returns all Authentication\Tokens of the security context which are active for the current request. If a token has a request pattern that cannot match against the current request it is determined as not active.
TokenInterface[]
getAuthenticationTokensOfType(string $className)
Returns all Authentication\Tokens of the security context which are active for the current request and of the given type. If a token has a request pattern that cannot match against the current request it is determined as not active.
Role[]
getRoles()
Returns the roles of all authenticated accounts, including inherited roles.
If no authenticated roles could be found the "Anonymous" role is returned.
The "Neos.Flow:Everybody" roles is always returned.
bool
hasRole(string $roleIdentifier)
Returns true, if at least one of the currently authenticated accounts holds a role with the given identifier, also recursively.
Account
getAccount()
Returns the account of the first authenticated authentication token.
Note: There might be a more currently authenticated account in the remaining tokens. If you need them you'll have to fetch them directly from the tokens. (getAuthenticationTokens())
Account
getAccountByAuthenticationProviderName(string $authenticationProviderName)
Returns an authenticated account for the given provider or NULL if no account was authenticated or no token was registered for the given authentication provider name.
string
getCsrfProtectionToken()
Returns the current CSRF protection token. A new one is created when needed, depending on the configured CSRF protection strategy.
bool
hasCsrfProtectionTokens()
Returns true if the context has CSRF protection tokens.
bool
isCsrfProtectionTokenValid(string $csrfToken)
Returns true if the given string is a valid CSRF protection token. The token will be removed if the configured csrf strategy is 'onePerUri'.
void
setInterceptedRequest(ActionRequest $interceptedRequest = null)
Sets an action request, to be stored for later resuming after it has been intercepted by a security exception.
ActionRequest|null
getInterceptedRequest()
Returns the request, that has been stored for later resuming after it has been intercepted by a security exception, NULL if there is none.
void
clearContext()
Clears the security context.
protected array
collectRolesAndParentRolesFromAccount(Account $account)
No description
protected array
collectParentRoles(Role $role)
No description
protected void
separateActiveAndInactiveTokens(array $tokens)
Stores all active tokens in $this->activeTokens, all others in $this->inactiveTokens
protected bool
isTokenActive(TokenInterface $token)
Evaluates any RequestPatterns of the given token to determine whether it is active for the current request
- If no RequestPattern is configured for this token, it is active
- Otherwise it is active only if at least one configured RequestPattern per type matches the request
protected array
mergeTokens(array $managerTokens, array $sessionTokens)
Merges the session and manager tokens. All manager tokens types will be in the result array If a specific type is found in the session this token replaces the one (of the same type) given by the manager.
protected TokenInterface
findBestMatchingToken(TokenInterface $managerToken, array $sessionTokens)
Tries to find a token matchting the given manager token in the session tokens, will return that or the manager token.
protected void
updateTokens(array $tokens)
Updates the token credentials for all tokens in the given array.
void
refreshTokens()
Refreshes all active tokens by updating the credentials.
This is useful when doing an explicit authentication inside a request.
void
refreshRoles()
Refreshes the currently effective roles. In fact the roles first level cache is reset and the effective roles get recalculated by calling getRoles().
bool
canBeInitialized()
Check if the securityContext is ready to be initialized. Only after that security will be active.
To be able to initialize, there needs to be an ActionRequest available, usually that is provided by the MVC router.
string
getContextHash()
Returns a hash that is unique for the current context, depending on hash components, setContextHashComponent()
string
getSessionTagForAccount(Account $account)
returns the tag to use for sessions belonging to the given $account
void
destroySessionsForAccount(Account $account, string $reason = '')
destroys all sessions belonging to the given $account