TYPO3 CMS  TYPO3_6-2
TYPO3\CMS\Core\FormProtection\BackendFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\BackendFormProtection: extends TYPO3\CMS\Core\FormProtection\AbstractFormProtection; subclass t3lib_formprotection_BackendFormProtection.

Public Member Functions

 __construct ()
 
 persistSessionToken ()
 
 setSessionTokenFromRegistry ()
 
 storeSessionTokenInRegistry ()
 
 removeSessionTokenFromRegistry ()
 
 injectRegistry (\TYPO3\CMS\Core\Registry $registry)
 
- Public Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 __destruct ()
 
 clean ()
 
 generateToken ($formName, $action='', $formInstanceName='')
 
 validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
 persistSessionToken ()
 

Protected Member Functions

 isAjaxRequest ()
 
 retrieveSessionToken ()
 
 getRegistry ()
 
 isAuthorizedBackendSession ()
 
 getLanguageService ()
 
- Protected Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 getSessionToken ()
 
 generateSessionToken ()
 
 createValidationErrorMessage ()
 
 retrieveSessionToken ()
 

Protected Attributes

 $backendUser
 
 $registry
 
- Protected Attributes inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 $sessionToken
 

Detailed Description

This file is part of the TYPO3 CMS project.

It is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, either version 2 of the License, or any later version.

For the full copyright and license information, please read the LICENSE.txt file that was distributed with this source code.

The TYPO3 project - inspiring people to share!

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms in the BE.

How to use:

For each form in the BE (or each link that changes some data), create a token and insert it as a hidden form element. The name of the form element does not matter; you only need it to read the form token back when verifying it.

    // Obtain the form protection instance for the current BE session and
    // derive a token that is specific to this form and action.
    $formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
        ->generateToken(
            'BE user setup', 'edit'
        );
    // Emit the token as a hidden field so it is sent back with the form data.
    $this->content .= '<input type="hidden" name="formToken" value="' .
        $formToken . '">';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. BE user setup and editing a tt_content record) or different records (with different UIDs) from the same table, those values should be different.

For editing a tt_content record, the call could look like this:

    // The record UID as the third parameter binds the token to this one record.
    $formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
        ->generateToken(
            'tt_content', 'edit', $uid
        );

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

    // Validate with exactly the same form name and action that were used to
    // generate the token; otherwise the check fails.
    if ($dataHasBeenSubmitted && \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
        ->validateToken(
            \TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
            'BE user setup', 'edit'
        )
    ) {
        // process the data
    } else {
        // no need to do anything here as the BE form protection will create a
        // flash message for an invalid token
    }
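To make the token scheme described above concrete, here is a stand-alone illustration (an added example, not TYPO3's own code): a hypothetical DemoFormProtection class that, like the usage shown above, keys each form token to a per-session secret plus the form name, action and record instance, and validates with a constant-time comparison. The HMAC-SHA256 construction and the sample record UID are assumptions for this demo.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Assumption: one random secret per BE session,
// form tokens = HMAC over (formName . action . formInstanceName) under that secret.
final class DemoFormProtection
{
    private string $sessionToken;

    public function __construct(?string $sessionToken = null)
    {
        // The session secret stays server-side; only derived form tokens reach the browser.
        $this->sessionToken = $sessionToken ?? bin2hex(random_bytes(32));
    }

    // Token is specific to the form, the action and (optionally) the record it acts on.
    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        return hash_hmac('sha256', $formName . $action . $formInstanceName, $this->sessionToken);
    }

    // Recompute the expected token and compare in constant time. A mismatch means the
    // request was not produced by a form this session rendered for this form/action/record.
    public function validateToken(string $tokenId, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        return hash_equals($this->generateToken($formName, $action, $formInstanceName), $tokenId);
    }
}

// Constructed scenario: the BE renders an edit form for tt_content record 42 ...
$fp = new DemoFormProtection();
$uid = '42';
$formToken = $fp->generateToken('tt_content', 'edit', $uid);
$hiddenField = '<input type="hidden" name="formToken" value="'
    . htmlspecialchars($formToken, ENT_QUOTES) . '">';

// ... and on submit the token comes back in the POST body (simulated here).
$post = ['formToken' => $formToken];

// Accepted: same session, same form, same action, same record.
$sameRecord = $fp->validateToken($post['formToken'], 'tt_content', 'edit', $uid);
// Rejected: a token issued for record 42 must not authorize an edit of record 43.
$otherRecord = $fp->validateToken($post['formToken'], 'tt_content', 'edit', '43');
// Rejected: a different session has a different secret, so a forged request
// from outside the victim's session cannot produce a matching token.
$otherSession = (new DemoFormProtection())->validateToken($post['formToken'], 'tt_content', 'edit', $uid);

echo json_encode(['sameRecord' => $sameRecord, 'otherRecord' => $otherRecord, 'otherSession' => $otherSession]), PHP_EOL;
```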

Backend form protection

Author
Oliver Klee (typo3-coding@oliverklee.de)
Helmut Hummel (helmut.hummel@typo3.org)

Definition at line 75 of file BackendFormProtection.php.

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ getLanguageService()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::getLanguageService ( )
protected

Return language service instance

Returns

Definition at line 233 of file BackendFormProtection.php.

References $GLOBALS.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ getRegistry()

◆ injectRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::injectRegistry ( \TYPO3\CMS\Core\Registry $registry)

Inject the registry. Currently only used in unit tests.

private

Parameters
\TYPO3\CMS\Core\Registry $registry
Returns
void

Definition at line 215 of file BackendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\BackendFormProtection\$registry.

◆ isAjaxRequest()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::isAjaxRequest ( )
protected

Checks if the current request is an Ajax request

Returns
bool

Definition at line 131 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ isAuthorizedBackendSession()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::isAuthorizedBackendSession ( )
protected

Checks if a user is logged in and the session is active.

Returns
boolean

Definition at line 224 of file BackendFormProtection.php.

References $GLOBALS.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

private

Returns
void

Definition at line 156 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken().

◆ removeSessionTokenFromRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::removeSessionTokenFromRegistry ( )

Removes the session token for the user from the registry.

private

Definition at line 192 of file BackendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\BackendFormProtection\getRegistry().

◆ retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::retrieveSessionToken ( )
protected

◆ setSessionTokenFromRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::setSessionTokenFromRegistry ( )

Sets the session token for the user from the registry and returns it additionally.

private

Returns
string
Exceptions

Definition at line 168 of file BackendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken, and TYPO3\CMS\Core\FormProtection\BackendFormProtection\getRegistry().

◆ storeSessionTokenInRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::storeSessionTokenInRegistry ( )

Stores the session token in the registry to have it available during re-login of the user.

private

Returns
void

Definition at line 183 of file BackendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\BackendFormProtection\getRegistry().

Member Data Documentation

◆ $backendUser

TYPO3\CMS\Core\FormProtection\BackendFormProtection::$backendUser
protected

Definition at line 83 of file BackendFormProtection.php.

◆ $registry

TYPO3\CMS\Core\FormProtection\BackendFormProtection::$registry
protected