FrontendBackendUserAuthentication extends BackendUserAuthentication
TYPO3 backend user authentication in the Frontend rendering.
This class is a TYPO3 Backend implementation and is not considered part of the Public TYPO3 API.
Table of Contents
Constants
- ROLE_SYSTEMMAINTAINER = 'systemMaintainer'
Properties
- $checkPid : bool
- If set, the user-record must be stored at the page defined by $checkPid_value
- $checkPid_value : int|string|null
- The page id the user record must be stored at, can also hold a comma separated list of pids
- $enablecolumns : array<string|int, mixed>
- Enable field columns of user table
- $errorMsg : string
- Contains last error message
- $firstMainGroup : int
- $groupData : array<string|int, mixed>
- holds lists of eg. tables, fields and other values related to the permission-system. See fetchGroupData
- $lastLogin_column : string
- Column name for last login timestamp
- $loginType : string
- Login type, used for services.
- $name : string
- Session/Cookie name
- $uc : array<string|int, mixed>
- User Settings (= preferences)
- $uc_default : array<string|int, mixed>
- User Config Default values: The array may contain other fields for configuration.
- $user : array<string|int, mixed>|null
- $user_table : string
- Table in database with user data
- $usergroup_column : string
- Should be set to the usergroup-column (id-list) in the user-record
- $usergroup_table : string
- The name of the group-table
- $userGroups : array<string|int, mixed>
- This array will hold the groups that the user is a member of
- $userGroupsUID : array<string|int, mixed>
- This array holds the uid's of the groups in the listed order
- $userid_column : string
- Column for user-id
- $userident_column : string
- Column for password
- $username_column : string
- Column for login-name
- $workspace : int
- User workspace.
- $workspaceRec : array<string|int, mixed>
- Custom workspace record if any
- $writeAttemptLog : bool
- If the writelog() functions is called if a login-attempt has be tried without success.
- $writeStdLog : bool
- Decides if the writelog() function is called at login and logout.
- $checkWorkspaceCurrent_cache : array<string|int, mixed>|null
- Cache for checkWorkspaceCurrent()
- $dontSetCookie : bool
- Will prevent the setting of the session cookie
- $filePermissions : array<string|int, mixed>|null
- $fileStorages : array<string|int, ResourceStorage>
- $formfield_status : string
- Formfield_status should be set to "". The value this->formfield_status is set to empty in order to disable login-attempts to the backend account through this script
- $formfield_uident : string
- Form field with password.
- $formfield_uname : string
- Form field with login name.
- $loginSessionStarted : bool
- Will be set to TRUE if the login session is actually written during auth-check.
- $setCookie : SetCookieBehavior
- If set, this cookie will be set to the response.
- $userSession : UserSession|null
- $userSessionManager : UserSessionManager
- $userTsConfig : UserTsConfig|null
- $userTSUpdated : bool
- True if the user TSconfig was parsed and needs to be cached.
Methods
- __construct() : mixed
- Constructor
- appendCookieToResponse() : ResponseInterface
- Used to apply a cookie to a PSR-7 Response.
- backendCheckLogin() : bool
- Implementing the access checks that the TYPO3 CMS bootstrap script does before a user is ever logged in.
- backendSetUC() : mixed
- Initialize the internal ->uc array for the backend user (UC - user configuration is a serialized array inside the user object). Will make the overrides if necessary, and write the UC back to the be_users record if changes has happened.
- calcPerms() : int
- Returns a combined binary representation of the current users permissions for the page-record, $row.
- check() : bool
- Returns TRUE if the $value is found in the list in a $this->groupData[] index pointed to by $type (array key).
- checkAuthentication() : mixed
- Checks if a submission of username and password is present or use other authentication by auth services
- checkAuthMode() : bool
- Checking the authMode of a select field with authMode set
- checkFullLanguagesAccess() : bool
- Check if user has access to all existing localizations for a certain record
- checkLanguageAccess() : bool
- Checking if a language value (-1, 0 and >0) is allowed to be edited by the user.
- checkWorkspace() : array<string|int, mixed>|false
- Checking if a workspace is allowed for backend user
- createUserSession() : UserSession
- Creates a user session record and returns its values.
- doesUserHaveAccess() : bool
- Checks if the permissions is granted based on a page-record ($row) and $perms (binary and'ed)
- enforceNewSessionId() : mixed
- Regenerates the session ID and sets the cookie again.
- evaluateUserSpecificFileFilterSettings() : mixed
- Adds filters based on what the user has set this should be done in this place, and called whenever needed, but only when needed
- fetchGroupData() : mixed
- Initializes a lot of stuff like the access-lists, database-mountpoints and filemountpoints This method is called by ->backendCheckLogin() (from extending BackendUserAuthentication) if the backend user login has verified OK.
- getAuthInfoArray() : array<string|int, mixed>
- Returns an info array which provides additional information for auth services
- getCategoryMountPoints() : array<string|int, mixed>
- Returns an array of category mount points. The category permissions from BE Groups are also taken into consideration and are merged into User permissions.
- getCookieName() : string
- Returns the configured cookie name
- getFileMountRecords() : array<string|int, mixed>
- Returns an array of file mount records, taking workspaces and user home and group home directories into account Needs to be called AFTER the groups have been loaded.
- getFilePermissions() : array<string|int, mixed>
- Returns the information about file permissions.
- getFileStorages() : array<string|int, ResourceStorage>
- Returns an array with the filemounts for the user.
- getLoginFormData() : array<string|int, mixed>
- Returns an info array with Login/Logout data submitted by a form or params
- getModuleData() : mixed
- Gets module data for a module (from a loaded ->uc array)
- getOriginalUserIdWhenInSwitchUserMode() : int|null
- Returns the uid of the backend user to return to.
- getPagePermsClause() : string
- Returns a WHERE-clause for the pages-table where user permissions according to input argument, $perms, is validated.
- getRawUserByName() : array<string|int, mixed>
- Fetching raw user record with username=$name
- getRawUserByUid() : array<string|int, mixed>
- Fetching raw user record with uid=$uid
- getSession() : UserSession
- getSessionData() : mixed
- Returns the session data stored for $key.
- getTSConfig() : array<string|int, mixed>
- Returns full parsed user TSconfig array, merged with TSconfig from groups.
- getUserId() : int|null
- getUserName() : string|null
- getUserTsConfig() : UserTsConfig|null
- Return the full user TSconfig object instead of just the array as in getTSConfig()
- getWebmounts() : array<int, int>
- Returns an unique array with the webmounts.
- handleUserLoggedIn() : void
- Is called after a user has sucesfully logged in. So either by using only one factor (e.g. username/password) or after the multi-factor authentication process has been passed.
- initializeBackendLogin() : void
- initializeUserSessionManager() : void
- Currently needed for various unit tests, until start() and checkAuthentication() methods are smaller and extracted from this class.
- initializeWebmountsForElementBrowser() : mixed
- Checks for alternative web mount points for the element browser.
- isActiveLogin() : bool
- isAdmin() : bool
- Returns TRUE if user is admin Basically this function evaluates if the ->user[admin] field has bit 0 set. If so, user is admin.
- isExportEnabled() : bool
- Returns if export functionality is available for current user
- isImportEnabled() : bool
- Returns if import functionality is available for current user
- isInWebMount() : int|null
- Checks if the page id or page record ($idOrRow) is found within the webmounts set up for the user.
- isMfaSetupRequired() : bool
- Evaluate whether the user is required to set up MFA, based on user TSconfig and global configuration
- isSystemMaintainer() : bool
- Checks if the user is in the valid list of allowed system maintainers. if the list is not set, then all admins are system maintainers. If the list is empty, no one is system maintainer (good for production systems). If the currently logged in user is in "switch user" mode, this method will return false.
- isUserAllowedToLogin() : bool
- Determines whether a backend user is allowed to access the backend.
- jsConfirmation() : bool
- Returns TRUE or FALSE, depending if an alert popup (a javascript confirmation) should be shown call like $GLOBALS['BE_USER']->jsConfirmation($BITMASK).
- logoff() : mixed
- Logs out the current user and clears the form protection tokens.
- mayMakeShortcut() : bool
- Returns TRUE if the BE_USER is allowed to *create* shortcuts in the backend modules
- overrideUC() : mixed
- Override: Call this function every time the uc is updated.
- processLoginData() : array<string|int, mixed>
- Processes Login data submitted by a form or params
- pushModuleData() : void
- Stores data for a module.
- recordEditAccessInternals() : bool
- Checking if a user has editing access to a record from a $GLOBALS['TCA'] table.
- removeCookie() : mixed
- Empty / unset the cookie
- resetUC() : mixed
- Clears the user[uc] and ->uc to blank strings. Then calls ->backendSetUC() to fill it again with reset contents
- returnWebmounts() : array<int, numeric-string>
- Returns an array with the webmounts.
- setAndSaveSessionData() : mixed
- Sets the session data ($data) for $key and writes all session data (from ->user['ses_data']) to the database.
- setBeUserByName() : mixed
- Raw initialization of the be_user with username=$name
- setBeUserByUid() : mixed
- Raw initialization of the be_user with uid=$uid This will circumvent all login procedures and select a be_users record from the database and set the content of ->user to the record selected.
- setSessionData() : mixed
- Set session data by key.
- setTemporaryWorkspace() : bool
- Sets a temporary workspace in the context of the current backend user.
- setWebmounts() : mixed
- Initializes the given mount points for the current Backend user.
- setWorkspace() : mixed
- Setting workspace ID
- shallDisplayDebugInformation() : bool
- Returns whether debug information shall be displayed to the user
- start() : mixed
- Starts a user session Typical configurations will: a) check if session cookie was set and if not, set one, b) check if a password/username was sent and if so, try to authenticate the user c) Lookup a session attached to a user and check timeout etc.
- workspaceAllowsLiveEditingInTable() : bool
- Checks if a record is allowed to be edited in the current workspace.
- workspaceCanCreateNewRecord() : bool
- Evaluates if a record from $table can be created. If the table is not set up for versioning, and the "live edit" flag of the page is set, return false. In live workspace this is always true, as all records can be created in live workspace
- workspaceCheckStageForCurrent() : bool
- Checks if an element stage allows access for the user in the current workspace In live workspace (= 0) access is always granted for any stage.
- writelog() : int
- Writes an entry in the logfile/table Documentation in "TYPO3 Core API"
- writeUC() : mixed
- This writes $this->>uc to the user-record. This is a way of providing session-data.
- checkWorkspaceCurrent() : false|array<string|int, mixed>|null
- Uses checkWorkspace() to check if current workspace is available for user.
- evaluateMfaRequirements() : void
- This method checks if the user is authenticated but has not succeeded in passing his MFA challenge. This method can therefore only be used if a user has been authenticated against his first authentication method (username+password or any other authentication token).
- fetchPossibleUsers() : array<string|int, mixed>
- Loads users from various sources (= authentication services) as an array of arrays.
- fetchValidUserFromSessionOrDestroySession() : array<string|int, mixed>|null
- If the session is bound to a user, this method fetches the user record, and returns it.
- filterValidWebMounts() : array<string|int, mixed>
- Checking read access to web mounts, but keeps "0" or empty strings.
- getAuthServiceConfiguration() : array<string|int, mixed>
- "auth" services configuration array from $GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']
- getAuthServices() : Traversable
- Initializes authentication services to be used in a foreach loop
- getDefaultWorkspace() : int
- Return default workspace ID for user, if EXT:workspaces is not installed the user will be pushed to the Live workspace, if he has access to. If no workspace is available for the user, the workspace ID is set to "-99"
- hasEditAccessToLiveWorkspace() : bool
- If a user is in a workspace, but previews the live workspace (GET keyword "LIVE") even if the user has no editing permissions for this, it should still be visible, even though "be_users.workspace_perms" is set to "0".
- initializeDbMountpointsInWorkspace() : mixed
- Limiting the DB mountpoints if there are any selected in the workspace record
- initializeFileStorages() : mixed
- Sets up all file storages for a user.
- isCookieSet() : bool
- Returns whether this request is going to set a cookie or a cookie was already found in the system
- isMemberOfGroup() : bool
- Returns TRUE if the current user is a member of group $groupId $groupId must be set. $this->userGroupsUID must contain groups Will return TRUE also if the user is a member of a group through subgroups.
- isRefreshTimeBasedCookie() : bool
- Determine whether a non-session cookie needs to be set (lifetime>0)
- isSetSessionCookie() : bool
- Determine whether a session cookie needs to be set (lifetime=0)
- performLogoff() : mixed
- Perform the logoff action. Called from logoff() as a way to allow subclasses to override what happens when a user logs off, without needing to reproduce the hook calls and logging that happens in the public logoff() API method.
- prepareUserTsConfig() : void
- Parse user TSconfig from current user and its groups and set it as $this->userTS.
- regenerateSessionId() : mixed
- Regenerate the session ID and transfer the session to new ID Call this method whenever a user proceeds to a higher authorization level e.g. when an anonymous session is now authenticated.
- releaseLockedRecords() : mixed
- Remove any "locked records" added for editing for the given user (= current backend user)
- removeSensitiveLoginDataForLoggingInfo() : mixed
- Removes any sensitive data from the incoming data (either from loginData, processedLogin data or the user record from the DB).
- setDefaultWorkspace() : void
- Sets the default workspace in the context of the current backend user.
- setSessionCookie() : mixed
- Sets the setCookie directive to "Send", which will then result in appending a new cookie to the PSR-7 response, see appendCookieToResponse().
- shallSetSessionCookie() : bool
- Determines whether setting the session cookie is generally enabled, or the current session is a non-session cookie (FE permalogin).
- unpack_uc() : mixed
- Unserializes the user configuration from the user record into $this->>uc
- updateLoginTimestamp() : mixed
- Updates the last login column in the user with the given id
- userConstraints() : QueryRestrictionContainerInterface
- This returns the restrictions needed to select the user respecting enable columns and flags like deleted, hidden, starttime, endtime and rootLevel
- workspaceInit() : void
- Initializing workspace settings after all TSconfig has been parsed.
Constants
ROLE_SYSTEMMAINTAINER
public
mixed
ROLE_SYSTEMMAINTAINER
= 'systemMaintainer'
Properties
$checkPid
If set, the user-record must be stored at the page defined by $checkPid_value
public
bool
$checkPid
= true
$checkPid_value
The page id the user record must be stored at, can also hold a comma separated list of pids
public
int|string|null
$checkPid_value
= 0
$enablecolumns
Enable field columns of user table
public
array<string|int, mixed>
$enablecolumns
= ['rootLevel' => 1, 'deleted' => 'deleted', 'disabled' => 'disable', 'starttime' => 'starttime', 'endtime' => 'endtime']
$errorMsg
Contains last error message
public
string
$errorMsg
= ''
should only be used from within TYPO3 Core
$firstMainGroup
public
int
$firstMainGroup
= 0
should only be used from within TYPO3 Core
$groupData
holds lists of eg. tables, fields and other values related to the permission-system. See fetchGroupData
public
array<string|int, mixed>
$groupData
= ['allowed_languages' => '', 'tables_select' => '', 'tables_modify' => '', 'pagetypes_select' => '', 'non_exclude_fields' => '', 'explicit_allowdeny' => '', 'custom_options' => '', 'file_permissions' => '']
$lastLogin_column
Column name for last login timestamp
public
string
$lastLogin_column
= 'lastlogin'
$loginType
Login type, used for services.
public
string
$loginType
= 'BE'
$name
Session/Cookie name
public
string
$name
= ''
$uc
User Settings (= preferences)
public
array<string|int, mixed>
$uc
= []
$uc_default
User Config Default values: The array may contain other fields for configuration.
public
array<string|int, mixed>
$uc_default
= [
// serialized content that is used to store interface pane and menu positions. Set by the logout.php-script
'moduleData' => [],
// user-data for the modules
'emailMeAtLogin' => 0,
'titleLen' => 50,
'edit_docModuleUpload' => '1',
]
For this, see "setup" extension and "TSconfig" document (User TSconfig, "setup.[xxx]....") Reserved keys for other storage of session data: moduleData moduleSessionID
should only be used from within TYPO3 Core
$user
public
array<string|int, mixed>|null
$user
contains user- AND session-data from database (joined tables)
$user_table
Table in database with user data
public
string
$user_table
= 'be_users'
$usergroup_column
Should be set to the usergroup-column (id-list) in the user-record
public
string
$usergroup_column
= 'usergroup'
$usergroup_table
The name of the group-table
public
string
$usergroup_table
= 'be_groups'
$userGroups
This array will hold the groups that the user is a member of
public
array<string|int, mixed>
$userGroups
= []
$userGroupsUID
This array holds the uid's of the groups in the listed order
public
array<string|int, mixed>
$userGroupsUID
= []
$userid_column
Column for user-id
public
string
$userid_column
= 'uid'
$userident_column
Column for password
public
string
$userident_column
= 'password'
$username_column
Column for login-name
public
string
$username_column
= 'username'
$workspace
User workspace.
public
int
$workspace
= -99
-99 is ERROR (none available) 0 is online
0 is custom workspaces
$workspaceRec
Custom workspace record if any
public
array<string|int, mixed>
$workspaceRec
= []
$writeAttemptLog
If the writelog() functions is called if a login-attempt has be tried without success.
public
bool
$writeAttemptLog
= false
$writeStdLog
Decides if the writelog() function is called at login and logout.
public
bool
$writeStdLog
= false
$checkWorkspaceCurrent_cache
Cache for checkWorkspaceCurrent()
protected
array<string|int, mixed>|null
$checkWorkspaceCurrent_cache
$dontSetCookie
Will prevent the setting of the session cookie
protected
bool
$dontSetCookie
= false
$filePermissions
protected
array<string|int, mixed>|null
$filePermissions
$fileStorages
protected
array<string|int, ResourceStorage>
$fileStorages
$formfield_status
Formfield_status should be set to "". The value this->formfield_status is set to empty in order to disable login-attempts to the backend account through this script
protected
string
$formfield_status
= ''
$formfield_uident
Form field with password.
protected
string
$formfield_uident
= ''
$formfield_uname
Form field with login name.
protected
string
$formfield_uname
= ''
$loginSessionStarted
Will be set to TRUE if the login session is actually written during auth-check.
protected
bool
$loginSessionStarted
= false
$setCookie
If set, this cookie will be set to the response.
protected
SetCookieBehavior
$setCookie
= \TYPO3\CMS\Core\Http\SetCookieBehavior::None
$userSession
protected
UserSession|null
$userSession
= null
$userSessionManager
protected
UserSessionManager
$userSessionManager
$userTsConfig
protected
UserTsConfig|null
$userTsConfig
= null
$userTSUpdated
True if the user TSconfig was parsed and needs to be cached.
protected
bool
$userTSUpdated
= false
Tags
Methods
__construct()
Constructor
public
__construct() : mixed
appendCookieToResponse()
Used to apply a cookie to a PSR-7 Response.
public
appendCookieToResponse(ResponseInterface $response[, NormalizedParams|null $normalizedParams = null ]) : ResponseInterface
Parameters
- $response : ResponseInterface
- $normalizedParams : NormalizedParams|null = null
Tags
Return values
ResponseInterfacebackendCheckLogin()
Implementing the access checks that the TYPO3 CMS bootstrap script does before a user is ever logged in.
public
backendCheckLogin([ServerRequestInterface|null $request = null ]) : bool
Used in the frontend.
Parameters
- $request : ServerRequestInterface|null = null
Return values
bool —Returns TRUE if access is OK
backendSetUC()
Initialize the internal ->uc array for the backend user (UC - user configuration is a serialized array inside the user object). Will make the overrides if necessary, and write the UC back to the be_users record if changes has happened.
public
backendSetUC() : mixed
calcPerms()
Returns a combined binary representation of the current users permissions for the page-record, $row.
public
calcPerms(array<string|int, mixed> $row) : int
The perms for user, group and everybody is OR'ed together (provided that the page-owner is the user and for the groups that the user is a member of the group. If the user is admin, 31 is returned (full permissions for all five flags)
Parameters
- $row : array<string|int, mixed>
-
Input page row with all perms_* fields available.
Return values
int —Bitwise representation of the users permissions in relation to input page row, $row
check()
Returns TRUE if the $value is found in the list in a $this->groupData[] index pointed to by $type (array key).
public
check(string $type, string|int $value) : bool
Can thus be users to check for modules, exclude-fields, select/modify permissions for tables etc. If user is admin TRUE is also returned
Parameters
- $type : string
-
The type value; "webmounts", "filemounts", "pagetypes_select", "tables_select", "tables_modify", "non_exclude_fields", "modules", "available_widgets", "mfa_providers"
- $value : string|int
-
String to search for in the groupData-list, can also be an integer for "pagetypes_select" or "allowed_languages")
Return values
bool —TRUE if permission is granted (that is, the value was found in the groupData list - or the BE_USER is "admin")
checkAuthentication()
Checks if a submission of username and password is present or use other authentication by auth services
public
checkAuthentication(ServerRequestInterface $request) : mixed
Parameters
- $request : ServerRequestInterface
Tags
checkAuthMode()
Checking the authMode of a select field with authMode set
public
checkAuthMode(string $table, string $field, string $value) : bool
Parameters
- $table : string
-
Table name
- $field : string
-
Field name (must be configured in TCA and of type "select" with authMode set!)
- $value : string
-
Value to evaluation (single value, must not contain any of the chars ":,|")
Return values
bool —Whether access is granted or not
checkFullLanguagesAccess()
Check if user has access to all existing localizations for a certain record
public
checkFullLanguagesAccess(string $table, array<string|int, mixed> $record) : bool
Parameters
- $table : string
-
The table
- $record : array<string|int, mixed>
-
The current record
Return values
boolcheckLanguageAccess()
Checking if a language value (-1, 0 and >0) is allowed to be edited by the user.
public
checkLanguageAccess(int|SiteLanguage|string $langValue) : bool
Parameters
- $langValue : int|SiteLanguage|string
-
Language value to evaluate
Return values
bool —Returns TRUE if the language value is allowed, otherwise FALSE.
checkWorkspace()
Checking if a workspace is allowed for backend user
public
checkWorkspace(int|array<string|int, mixed> $wsRec) : array<string|int, mixed>|false
Parameters
- $wsRec : int|array<string|int, mixed>
-
If integer, workspace record is looked up, if array it is seen as a Workspace record with at least uid, title, members and adminusers columns. Can be faked for workspaces uid 0 (live)
should only be used from within TYPO3 Core
Return values
array<string|int, mixed>|false —Output will also show how access was granted. Admin users will have a true output regardless of input.
createUserSession()
Creates a user session record and returns its values.
public
createUserSession(array<string|int, mixed> $userRecordCandidate) : UserSession
Parameters
- $userRecordCandidate : array<string|int, mixed>
-
User data array
Return values
UserSession —The session data for the newly created session.
doesUserHaveAccess()
Checks if the permissions is granted based on a page-record ($row) and $perms (binary and'ed)
public
doesUserHaveAccess(array<string|int, mixed> $row, int $perms) : bool
Bits for permissions, see $perms variable:
1 - Show: See/Copy page and the pagecontent. 2 - Edit page: Change/Move the page, eg. change title, startdate, hidden. 4 - Delete page: Delete the page and pagecontent. 8 - New pages: Create new pages under the page. 16 - Edit pagecontent: Change/Add/Delete/Move pagecontent.
Parameters
- $row : array<string|int, mixed>
-
Is the pagerow for which the permissions is checked
- $perms : int
-
Is the binary representation of the permission we are going to check. Every bit in this number represents a permission that must be set. See function explanation.
Return values
boolenforceNewSessionId()
Regenerates the session ID and sets the cookie again.
public
enforceNewSessionId() : mixed
evaluateUserSpecificFileFilterSettings()
Adds filters based on what the user has set this should be done in this place, and called whenever needed, but only when needed
public
evaluateUserSpecificFileFilterSettings() : mixed
fetchGroupData()
Initializes a lot of stuff like the access-lists, database-mountpoints and filemountpoints This method is called by ->backendCheckLogin() (from extending BackendUserAuthentication) if the backend user login has verified OK.
public
fetchGroupData() : mixed
Generally this is required initialization of a backend user.
getAuthInfoArray()
Returns an info array which provides additional information for auth services
public
getAuthInfoArray(ServerRequestInterface $request) : array<string|int, mixed>
Parameters
- $request : ServerRequestInterface
Return values
array<string|int, mixed>getCategoryMountPoints()
Returns an array of category mount points. The category permissions from BE Groups are also taken into consideration and are merged into User permissions.
public
getCategoryMountPoints() : array<string|int, mixed>
Return values
array<string|int, mixed>getCookieName()
Returns the configured cookie name
public
static getCookieName() : string
Return values
stringgetFileMountRecords()
Returns an array of file mount records, taking workspaces and user home and group home directories into account Needs to be called AFTER the groups have been loaded.
public
getFileMountRecords() : array<string|int, mixed>
Return values
array<string|int, mixed>getFilePermissions()
Returns the information about file permissions.
public
getFilePermissions() : array<string|int, mixed>
Previously, this was stored in the DB field fileoper_perms now it is file_permissions. Besides it can be handled via user TSconfig
permissions.file.default { addFile = 1 readFile = 1 writeFile = 1 copyFile = 1 moveFile = 1 renameFile = 1 deleteFile = 1
addFolder = 1 readFolder = 1 writeFolder = 1 copyFolder = 1 moveFolder = 1 renameFolder = 1 deleteFolder = 1 recursivedeleteFolder = 1 }
overwrite settings for a specific storageObject
permissions.file.storage.StorageUid { readFile = 1 recursivedeleteFolder = 0 }
Please note that these permissions only apply, if the storage has the capabilities (browseable, writable), and if the driver allows for writing etc
Return values
array<string|int, mixed>getFileStorages()
Returns an array with the filemounts for the user.
public
getFileStorages() : array<string|int, ResourceStorage>
Each filemount is represented with an array of a "name", "path" and "type". If no filemounts an empty array is returned.
Return values
array<string|int, ResourceStorage>getLoginFormData()
Returns an info array with Login/Logout data submitted by a form or params
public
getLoginFormData(ServerRequestInterface $request) : array<string|int, mixed>
Parameters
- $request : ServerRequestInterface
Return values
array<string|int, mixed>getModuleData()
Gets module data for a module (from a loaded ->uc array)
public
getModuleData(string $module[, string $type = '' ]) : mixed
Parameters
- $module : string
-
Is the identifier of the module, e.g. "web_info"
- $type : string = ''
-
If $type = 'ses' then module data is returned only if it was stored in the current session, otherwise data from a previous session will be returned (if available).
Return values
mixed —The module data if available: $this->uc['moduleData'][$module];
getOriginalUserIdWhenInSwitchUserMode()
Returns the uid of the backend user to return to.
public
getOriginalUserIdWhenInSwitchUserMode() : int|null
This is set when the current session is a "switch-user" session.
should only be used from within TYPO3 Core
Return values
int|null —The user id
getPagePermsClause()
Returns a WHERE-clause for the pages-table where user permissions according to input argument, $perms, is validated.
public
getPagePermsClause(int $perms) : string
$perms is the "mask" used to select. Fx. if $perms is 1 then you'll get all pages that a user can actually see! 2^0 = show (1) 2^1 = edit (2) 2^2 = delete (4) 2^3 = new (8) If the user is 'admin' " 1=1" is returned (no effect) If the user is not set at all (->user is not an array), then " 1=0" is returned (will cause no selection results at all) The 95% use of this function is "->getPagePermsClause(1)" which will return WHERE clauses for selecting pages in backend listings - in other words this will check read permissions.
Parameters
- $perms : int
-
Permission mask to use, see function description
should only be used from within TYPO3 Core, use PagePermissionDatabaseRestriction instead.
Return values
string —Part of where clause. Prefix " AND " to this.
getRawUserByName()
Fetching raw user record with username=$name
public
getRawUserByName(string $name) : array<string|int, mixed>
Parameters
- $name : string
-
The username to look up.
Tags
Return values
array<string|int, mixed> —user record or FALSE
getRawUserByUid()
Fetching raw user record with uid=$uid
public
getRawUserByUid(int $uid) : array<string|int, mixed>
Parameters
- $uid : int
-
The UID of the backend user to set in ->user
Return values
array<string|int, mixed> —user record or FALSE
getSession()
public
getSession() : UserSession
Return values
UserSessiongetSessionData()
Returns the session data stored for $key.
public
getSessionData(string $key) : mixed
The data will last only for this login session since it is stored in the user session.
Parameters
- $key : string
-
The key associated with the session data
getTSConfig()
Returns full parsed user TSconfig array, merged with TSconfig from groups.
public
getTSConfig() : array<string|int, mixed>
Example: [ 'options.' => [ 'fooEnabled' => '0', 'fooEnabled.' => [ 'tt_content' => 1, ], ], ]
Return values
array<string|int, mixed> —Parsed and merged user TSconfig array
getUserId()
public
getUserId() : int|null
Return values
int|nullgetUserName()
public
getUserName() : string|null
Return values
string|nullgetUserTsConfig()
Return the full user TSconfig object instead of just the array as in getTSConfig()
public
getUserTsConfig() : UserTsConfig|null
for now until API stabilized
Return values
UserTsConfig|nullgetWebmounts()
Returns an unique array with the webmounts.
public
getWebmounts() : array<int, int>
If no webmounts, and empty array is returned. Webmounts permissions are checked in fetchGroupData()
Return values
array<int, int> —of web mounts uids (may include 0)
handleUserLoggedIn()
Is called after a user has sucesfully logged in. So either by using only one factor (e.g. username/password) or after the multi-factor authentication process has been passed.
public
handleUserLoggedIn([ServerRequestInterface|null $request = null ]) : void
Parameters
- $request : ServerRequestInterface|null = null
initializeBackendLogin()
public
initializeBackendLogin([ServerRequestInterface|null $request = null ]) : void
Parameters
- $request : ServerRequestInterface|null = null
initializeUserSessionManager()
Currently needed for various unit tests, until start() and checkAuthentication() methods are smaller and extracted from this class.
public
initializeUserSessionManager([UserSessionManager|null $userSessionManager = null ]) : void
Parameters
- $userSessionManager : UserSessionManager|null = null
initializeWebmountsForElementBrowser()
Checks for alternative web mount points for the element browser.
public
initializeWebmountsForElementBrowser() : mixed
If there is a temporary mount point active in the page tree it will be used.
If the user TSconfig options.pageTree.altElementBrowserMountPoints is not empty the pages configured there are used as web mounts If options.pageTree.altElementBrowserMountPoints.append is enabled, they are appended to the existing webmounts.
- do not use in your own extension
isActiveLogin()
public
isActiveLogin(ServerRequestInterface $request) : bool
Parameters
- $request : ServerRequestInterface
Return values
boolisAdmin()
Returns TRUE if user is admin Basically this function evaluates if the ->user[admin] field has bit 0 set. If so, user is admin.
public
isAdmin() : bool
Return values
boolisExportEnabled()
Returns if export functionality is available for current user
public
isExportEnabled() : bool
Return values
boolisImportEnabled()
Returns if import functionality is available for current user
public
isImportEnabled() : bool
Return values
boolisInWebMount()
Checks if the page id or page record ($idOrRow) is found within the webmounts set up for the user.
public
isInWebMount(int|array<string|int, mixed> $idOrRow[, string $readPerms = '' ]) : int|null
This should ALWAYS be checked for any page id a user works with, whether it's about reading, writing or whatever. The point is that this will add the security that a user can NEVER touch parts outside his mounted pages in the page tree. This is otherwise possible if the raw page permissions allows for it. So this security check just makes it easier to make safe user configurations. If the user is admin then it returns "1" right away Otherwise the function will return the uid of the webmount which was first found in the rootline of the input page $id
Parameters
- $idOrRow : int|array<string|int, mixed>
-
Page ID or full page record to check
- $readPerms : string = ''
-
Content of "->getPagePermsClause(1)" (read-permissions). If not set, they will be internally calculated (but if you have the correct value right away you can save that database lookup!)
Tags
Return values
int|null —The page UID of a page in the rootline that matched a mount point
isMfaSetupRequired()
Evaluate whether the user is required to set up MFA, based on user TSconfig and global configuration
public
isMfaSetupRequired() : bool
Return values
boolisSystemMaintainer()
Checks if the user is in the valid list of allowed system maintainers. if the list is not set, then all admins are system maintainers. If the list is empty, no one is system maintainer (good for production systems). If the currently logged in user is in "switch user" mode, this method will return false.
public
isSystemMaintainer([bool $pure = false ]) : bool
Parameters
- $pure : bool = false
-
Whether to apply pure behavior (ignore development & skip fallback for empty setting)
Return values
boolisUserAllowedToLogin()
Determines whether a backend user is allowed to access the backend.
public
isUserAllowedToLogin() : bool
The conditions are:
- backend user is a regular user and adminOnly is not defined
- backend user is an admin user
- backend user is used in CLI context and adminOnly is explicitly set to "2" (see CommandLineUserAuthentication)
- backend user is being controlled by an admin user
Return values
bool —Whether a backend user is allowed to access the backend
jsConfirmation()
Returns TRUE or FALSE, depending if an alert popup (a javascript confirmation) should be shown call like $GLOBALS['BE_USER']->jsConfirmation($BITMASK).
public
jsConfirmation(int $bitmask) : bool
Parameters
- $bitmask : int
-
Bitmask, one of \TYPO3\CMS\Core\Authentication\JsConfirmation
Tags
Return values
bool —TRUE if the confirmation should be shown
logoff()
Logs out the current user and clears the form protection tokens.
public
logoff() : mixed
mayMakeShortcut()
Returns TRUE if the BE_USER is allowed to *create* shortcuts in the backend modules
public
mayMakeShortcut() : bool
Return values
booloverrideUC()
Override: Call this function every time the uc is updated.
public
overrideUC() : mixed
That is 1) by reverting to default values, 2) in the setup-module, 3) userTS changes (userauthgroup)
processLoginData()
Processes Login data submitted by a form or params
public
processLoginData(array<string|int, mixed> $loginData, ServerRequestInterface $request) : array<string|int, mixed>
Parameters
- $loginData : array<string|int, mixed>
-
Login data array
- $request : ServerRequestInterface
Return values
array<string|int, mixed>pushModuleData()
Stores data for a module.
public
pushModuleData(string $module, mixed $data[, bool $dontPersistImmediately = false ]) : void
The data is stored with the session ID, so you can even check upon retrieval if the module data is from a previous session or from the current session.
Parameters
- $module : string
-
Is the identifier of the module, e.g. "web_info"
- $data : mixed
-
Is the data you want to store for that module (array, string, ...)
- $dontPersistImmediately : bool = false
-
If set, then the ->uc array (which carries all kinds of user data) is NOT written immediately, but must be written by some subsequent call.
recordEditAccessInternals()
Checking if a user has editing access to a record from a $GLOBALS['TCA'] table.
public
recordEditAccessInternals(string $table, int|array<string|int, mixed> $idOrRow[, bool $newRecord = false ][, bool $deletedRecord = false ][, bool $checkFullLanguageAccess = false ]) : bool
The checks does not take page permissions and other "environmental" things into account. It only deal with record internals; If any values in the record fields disallows it. For instance languages settings, authMode selector boxes are evaluated (and maybe more in the future). It will check for workspace dependent access. The function takes an ID (int) or row (array) as second argument.
Parameters
- $table : string
-
Table name
- $idOrRow : int|array<string|int, mixed>
-
If integer, then this is the ID of the record. If Array this just represents fields in the record.
- $newRecord : bool = false
-
Set, if testing a new (non-existing) record array. Will disable certain checks that doesn't make much sense in that context.
- $deletedRecord : bool = false
-
Set, if testing a deleted record array.
- $checkFullLanguageAccess : bool = false
-
Set, whenever access to all translations of the record is required
should only be used from within TYPO3 Core
Return values
bool —TRUE if OK, otherwise FALSE
removeCookie()
Empty / unset the cookie
public
removeCookie([string|null $cookieName = null ]) : mixed
Parameters
- $cookieName : string|null = null
-
usually, this is $this->name
resetUC()
Clears the user[uc] and ->uc to blank strings. Then calls ->backendSetUC() to fill it again with reset contents
public
resetUC() : mixed
returnWebmounts()
Returns an array with the webmounts.
public
returnWebmounts() : array<int, numeric-string>
will be removed in TYPO3 v14, use getWebmounts() instead.
If no webmounts, and empty array is returned. Webmounts permissions are checked in fetchGroupData()
Return values
array<int, numeric-string> —of web mounts uids (may include '0')
setAndSaveSessionData()
Sets the session data ($data) for $key and writes all session data (from ->user['ses_data']) to the database.
public
setAndSaveSessionData(string $key, mixed $data) : mixed
The data will last only for this login session since it is stored in the session table.
Parameters
- $key : string
-
Pointer to an associative key in the session data array which is stored serialized in the field "ses_data" of the session table.
- $data : mixed
-
The data to store in index $key
setBeUserByName()
Raw initialization of the be_user with username=$name
public
setBeUserByName(string $name) : mixed
Parameters
- $name : string
-
The username to look up.
Tags
setBeUserByUid()
Raw initialization of the be_user with uid=$uid This will circumvent all login procedures and select a be_users record from the database and set the content of ->user to the record selected.
public
setBeUserByUid(int $uid) : mixed
Thus the BE_USER object will appear like if a user was authenticated - however without a session id and the fields from the session table of course. Will check the users for disabled, start/endtime, etc. ($this->user_where_clause())
Parameters
- $uid : int
-
The UID of the backend user to set in ->user
setSessionData()
Set session data by key.
public
setSessionData(string $key, mixed $data) : mixed
The data will last only for this login session since it is stored in the user session.
Parameters
- $key : string
-
A non empty string to store the data under
- $data : mixed
-
Data store store in session
setTemporaryWorkspace()
Sets a temporary workspace in the context of the current backend user.
public
setTemporaryWorkspace(int $workspaceId) : bool
Parameters
- $workspaceId : int
should only be used from within TYPO3 Core
Return values
boolsetWebmounts()
Initializes the given mount points for the current Backend user.
public
setWebmounts(array<string|int, mixed> $mountPointUids[, bool $append = false ]) : mixed
Parameters
- $mountPointUids : array<string|int, mixed>
-
Page UIDs that should be used as web mountpoints
- $append : bool = false
-
If TRUE the given mount point will be appended. Otherwise the current mount points will be replaced.
setWorkspace()
Setting workspace ID
public
setWorkspace(int $workspaceId) : mixed
Parameters
- $workspaceId : int
-
ID of workspace to set for backend user. If not valid the default workspace for BE user is found and set.
should only be used from within TYPO3 Core
shallDisplayDebugInformation()
Returns whether debug information shall be displayed to the user
public
shallDisplayDebugInformation() : bool
Return values
boolstart()
Starts a user session Typical configurations will: a) check if session cookie was set and if not, set one, b) check if a password/username was sent and if so, try to authenticate the user c) Lookup a session attached to a user and check timeout etc.
public
start(ServerRequestInterface $request) : mixed
d) Garbage collection, setting of no-cache headers. If a user is authenticated the database record of the user (array) will be set in the ->user internal variable.
Parameters
- $request : ServerRequestInterface
workspaceAllowsLiveEditingInTable()
Checks if a record is allowed to be edited in the current workspace.
public
workspaceAllowsLiveEditingInTable(string $table) : bool
This is not bound to an actual record, but to the mere fact if the user is in a workspace and depending on the table settings.
Parameters
- $table : string
should only be used from within TYPO3 Core
Return values
boolworkspaceCanCreateNewRecord()
Evaluates if a record from $table can be created. If the table is not set up for versioning, and the "live edit" flag of the page is set, return false. In live workspace this is always true, as all records can be created in live workspace
public
workspaceCanCreateNewRecord(string $table) : bool
Parameters
- $table : string
-
Table name
should only be used from within TYPO3 Core
Return values
boolworkspaceCheckStageForCurrent()
Checks if an element stage allows access for the user in the current workspace In live workspace (= 0) access is always granted for any stage.
public
workspaceCheckStageForCurrent(int $stage) : bool
Admins are always allowed. An option for custom workspaces allows members to also edit when the stage is "Review"
Parameters
- $stage : int
-
Stage id from an element: -1,0 = editing, 1 = reviewer, >1 = owner
should only be used from within TYPO3 Core
Return values
bool —TRUE if user is allowed access
writelog()
Writes an entry in the logfile/table Documentation in "TYPO3 Core API"
public
writelog(int $type, int $action, int $error, int $details_nr, string $details, array<string|int, mixed> $data[, string $tablename = '' ][, int|string $recuid = '' ][, int|string $recpid = '' ][, int $event_pid = -1 ][, string $NEWid = '' ][, int $userId = 0 ]) : int
Parameters
- $type : int
-
Denotes which module that has submitted the entry. See "TYPO3 Core API". Use "4" for extensions.
- $action : int
-
Denotes which specific operation that wrote the entry. Use "0" when no sub-categorizing applies
- $error : int
-
Flag. 0 = message, 1 = error (user problem), 2 = System Error (which should not happen), 3 = security notice (admin)
- $details_nr : int
-
The message number. Specific for each $type and $action. This will make it possible to translate errormessages to other languages
- $details : string
-
Default text that follows the message (in english!). Possibly translated by identification through type/action/details_nr
- $data : array<string|int, mixed>
-
Data that follows the log. Might be used to carry special information. If an array the first 5 entries (0-4) will be sprintf'ed with the details-text
- $tablename : string = ''
-
Table name. Special field used by tce_main.php.
- $recuid : int|string = ''
-
Record UID. Special field used by tce_main.php.
- $recpid : int|string = ''
-
Record PID. Special field used by tce_main.php. OBSOLETE
- $event_pid : int = -1
-
The page_uid (pid) where the event occurred. Used to select log-content for specific pages.
- $NEWid : string = ''
-
Special field used by tce_main.php. NEWid string of newly created records.
- $userId : int = 0
-
Alternative Backend User ID (used for logging login actions where this is not yet known).
Return values
int —Log entry ID.
writeUC()
This writes $this->>uc to the user-record. This is a way of providing session-data.
public
writeUC() : mixed
You can fetch the data again through $this->uc in this class!
checkWorkspaceCurrent()
Uses checkWorkspace() to check if current workspace is available for user.
protected
checkWorkspaceCurrent() : false|array<string|int, mixed>|null
This function caches the result and so can be called many times with no performance loss.
should only be used from within TYPO3 Core
Tags
Return values
false|array<string|int, mixed>|nullevaluateMfaRequirements()
This method checks if the user is authenticated but has not succeeded in passing his MFA challenge. This method can therefore only be used if a user has been authenticated against his first authentication method (username+password or any other authentication token).
protected
evaluateMfaRequirements() : void
fetchPossibleUsers()
Loads users from various sources (= authentication services) as an array of arrays.
protected
fetchPossibleUsers(array<string|int, mixed> $loginData, bool $activeLogin, bool $isExistingSession, array<string|int, mixed>|null $authenticatedUserFromSession, ServerRequestInterface $request) : array<string|int, mixed>
Parameters
- $loginData : array<string|int, mixed>
- $activeLogin : bool
- $isExistingSession : bool
- $authenticatedUserFromSession : array<string|int, mixed>|null
-
if we have a user from an existing session, this is set here, otherwise null
- $request : ServerRequestInterface
Return values
array<string|int, mixed>fetchValidUserFromSessionOrDestroySession()
If the session is bound to a user, this method fetches the user record, and returns it.
protected
fetchValidUserFromSessionOrDestroySession([bool $skipSessionUpdate = false ]) : array<string|int, mixed>|null
If the session has a timeout, the session date is extended if needed. Also the ìs_online flag is updated for the user.
However, if the session has expired the session is removed and the request is treated as an anonymous session.
Parameters
- $skipSessionUpdate : bool = false
Return values
array<string|int, mixed>|nullfilterValidWebMounts()
Checking read access to web mounts, but keeps "0" or empty strings.
protected
filterValidWebMounts(string $listOfWebMounts) : array<string|int, mixed>
In any case, checks if the list of pages is visible for the backend user but also if the page is not deleted.
Parameters
- $listOfWebMounts : string
-
a comma-separated list of webmounts, could also be empty, or contain "0"
Return values
array<string|int, mixed> —a list of all valid web mounts the user has access to
getAuthServiceConfiguration()
"auth" services configuration array from $GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']
protected
getAuthServiceConfiguration() : array<string|int, mixed>
Return values
array<string|int, mixed>getAuthServices()
Initializes authentication services to be used in a foreach loop
protected
getAuthServices(string $subType, array<string|int, mixed> $loginData, array<string|int, mixed>|null $authenticatedUserFromSession, ServerRequestInterface $request) : Traversable
Parameters
- $subType : string
-
e.g. getUserFE
- $loginData : array<string|int, mixed>
- $authenticatedUserFromSession : array<string|int, mixed>|null
-
the user which was loaded from the session, or null if none was found
- $request : ServerRequestInterface
Return values
Traversable —A generator of service objects
getDefaultWorkspace()
Return default workspace ID for user, if EXT:workspaces is not installed the user will be pushed to the Live workspace, if he has access to. If no workspace is available for the user, the workspace ID is set to "-99"
protected
getDefaultWorkspace() : int
should only be used from within TYPO3 Core
Return values
int —Default workspace id.
hasEditAccessToLiveWorkspace()
If a user is in a workspace, but previews the live workspace (GET keyword "LIVE") even if the user has no editing permissions for this, it should still be visible, even though "be_users.workspace_perms" is set to "0".
protected
hasEditAccessToLiveWorkspace() : bool
If this ain't true, users without the live permission cannot see the live page, only the preview of the workspace of the user.
Return values
boolinitializeDbMountpointsInWorkspace()
Limiting the DB mountpoints if there are any selected in the workspace record
protected
initializeDbMountpointsInWorkspace() : mixed
initializeFileStorages()
Sets up all file storages for a user.
protected
initializeFileStorages() : mixed
Needs to be called AFTER the groups have been loaded.
isCookieSet()
Returns whether this request is going to set a cookie or a cookie was already found in the system
protected
isCookieSet() : bool
Return values
bool —Returns TRUE if a cookie is set
isMemberOfGroup()
Returns TRUE if the current user is a member of group $groupId $groupId must be set. $this->userGroupsUID must contain groups Will return TRUE also if the user is a member of a group through subgroups.
protected
isMemberOfGroup(int $groupId) : bool
Parameters
- $groupId : int
should only be used from within TYPO3 Core, use Context API for quicker access
Return values
boolisRefreshTimeBasedCookie()
Determine whether a non-session cookie needs to be set (lifetime>0)
protected
isRefreshTimeBasedCookie() : bool
Return values
boolisSetSessionCookie()
Determine whether a session cookie needs to be set (lifetime=0)
protected
isSetSessionCookie() : bool
Return values
boolperformLogoff()
Perform the logoff action. Called from logoff() as a way to allow subclasses to override what happens when a user logs off, without needing to reproduce the hook calls and logging that happens in the public logoff() API method.
protected
performLogoff() : mixed
prepareUserTsConfig()
Parse user TSconfig from current user and its groups and set it as $this->userTS.
protected
prepareUserTsConfig() : void
regenerateSessionId()
Regenerate the session ID and transfer the session to new ID Call this method whenever a user proceeds to a higher authorization level e.g. when an anonymous session is now authenticated.
protected
regenerateSessionId() : mixed
releaseLockedRecords()
Remove any "locked records" added for editing for the given user (= current backend user)
protected
releaseLockedRecords(int $userId) : mixed
Parameters
- $userId : int
removeSensitiveLoginDataForLoggingInfo()
Removes any sensitive data from the incoming data (either from loginData, processedLogin data or the user record from the DB).
protected
removeSensitiveLoginDataForLoggingInfo(mixed|array<string|int, mixed> $data[, bool $isUserRecord = false ]) : mixed
No type hinting is added because it might be possible that the incoming data is of any other type.
Parameters
- $data : mixed|array<string|int, mixed>
- $isUserRecord : bool = false
setDefaultWorkspace()
Sets the default workspace in the context of the current backend user.
protected
setDefaultWorkspace() : void
should only be used from within TYPO3 Core
setSessionCookie()
Sets the setCookie directive to "Send", which will then result in appending a new cookie to the PSR-7 response, see appendCookieToResponse().
protected
setSessionCookie() : mixed
In case this method is called, the cookie needs to be set later.
shallSetSessionCookie()
Determines whether setting the session cookie is generally enabled, or the current session is a non-session cookie (FE permalogin).
protected
shallSetSessionCookie() : bool
Return values
boolunpack_uc()
Unserializes the user configuration from the user record into $this->>uc
protected
unpack_uc() : mixed
updateLoginTimestamp()
Updates the last login column in the user with the given id
protected
updateLoginTimestamp(int $userId) : mixed
Parameters
- $userId : int
userConstraints()
This returns the restrictions needed to select the user respecting enable columns and flags like deleted, hidden, starttime, endtime and rootLevel
protected
userConstraints() : QueryRestrictionContainerInterface
Return values
QueryRestrictionContainerInterfaceworkspaceInit()
Initializing workspace settings after all TSconfig has been parsed.
protected
workspaceInit() : void
Called from within fetchGroupData()