TYPO3 CMS  TYPO3_7-6
TYPO3\CMS\Core\FormProtection\FrontendFormProtection Class Reference
Inheritance: TYPO3\CMS\Core\FormProtection\FrontendFormProtection extends TYPO3\CMS\Core\FormProtection\AbstractFormProtection

Public Member Functions

  __construct (FrontendUserAuthentication $frontendUser, \Closure $validationFailedCallback=null)
  persistSessionToken ()

Public Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection

  __destruct ()
  clean ()
  generateToken ($formName, $action='', $formInstanceName='')
  validateToken ($tokenId, $formName, $action='', $formInstanceName='')
  persistSessionToken ()

Protected Member Functions

  retrieveSessionToken ()
  isAuthorizedFrontendSession ()

Protected Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection

  getSessionToken ()
  generateSessionToken ()
  createValidationErrorMessage ()
  retrieveSessionToken ()

Protected Attributes

  $frontendUser

Protected Attributes inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection

  $validationFailedCallback
  $sessionToken

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) for actions in the frontend that change data.

How to use:

For each form (or link that changes some data), create a token and insert it as a hidden form element or pass it as a GET argument. The name of the form element does not matter; you only need it to read the submitted form token back when verifying it.

// FormProtectionFactory::get() returns the form protection for the current session;
// the token is bound to that session and to the form name / action given here.
$formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
    ->generateToken(
        'User setup', 'edit'
    );
$this->content .= '<input type="hidden" name="formToken" value="' .
    $formToken . '">';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. User setup and editing a news record) or different records (with different UIDs) from the same table, those values should be different.

For editing a news record, the call could look like this:

// The record uid is passed as $formInstanceName, so the token for one record
// does not validate for another record of the same table.
$formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
    ->generateToken(
        'news', 'edit', $uid
    );

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
        ->validateToken(
            \TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
            'User setup', 'edit'
        )
) {
    // process the data
} else {
    // create a flash message for the invalid token or just discard this request
}
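The following is an added example, not TYPO3 core code, showing the complete round trip for a frontend plugin: the protection is constructed through the constructor documented on this page (with the validation-failed callback), the token is issued for a specific record, and the submission is rejected unless form name, action and uid all match. The plugin class, method and field names, the news record, and the use of $GLOBALS['TSFE']->fe_user as the FrontendUserAuthentication instance are assumptions.

```php
<?php
// Added example, not TYPO3 core code: hypothetical frontend plugin letting a
// logged-in website user edit one news record, protected by FrontendFormProtection.
namespace Vendor\Example\Frontend;

use TYPO3\CMS\Core\FormProtection\FrontendFormProtection;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class NewsEditFormHandler
{
    /** @var FrontendFormProtection */
    protected $formProtection;

    public function __construct()
    {
        // The constructor documented above throws without an authorized frontend
        // session, so the check cannot silently degrade for anonymous visitors.
        $this->formProtection = GeneralUtility::makeInstance(
            FrontendFormProtection::class,
            $GLOBALS['TSFE']->fe_user,
            function () {
                // Validation-failed callback: record the rejected request.
                GeneralUtility::sysLog('Rejected news edit: invalid form token', 'example', GeneralUtility::SYSLOG_SEVERITY_WARNING);
            }
        );
    }

    // The token is bound to the session token, form name, action and record uid,
    // so a token issued for uid 12 does not validate for uid 13.
    public function renderForm($uid)
    {
        $token = $this->formProtection->generateToken('news', 'edit', (int)$uid);
        $this->formProtection->persistSessionToken(); // keep the session token for the next request
        return '<form method="post">'
            . '<input type="hidden" name="formToken" value="' . htmlspecialchars($token) . '">'
            . '<input type="hidden" name="uid" value="' . (int)$uid . '">'
            . '<textarea name="bodytext"></textarea><button type="submit">Save</button></form>';
    }

    // Returns true only when the submitted token matches 'news', 'edit' and the
    // submitted uid; otherwise the callback has run and the request is discarded.
    public function handleSubmission()
    {
        $uid = (int)GeneralUtility::_POST('uid');
        if (!$this->formProtection->validateToken(GeneralUtility::_POST('formToken'), 'news', 'edit', $uid)) {
            return false;
        }
        // ... update the news record $uid here (assumed application code)
        return true;
    }
}
```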

Definition at line 70 of file FrontendFormProtection.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::__construct ( FrontendUserAuthentication $frontendUser, \Closure $validationFailedCallback = null )

Only allows construction if there is an authorized frontend session.

Parameters
FrontendUserAuthentication $frontendUser
\Closure $validationFailedCallback
Exceptions

Definition at line 87 of file FrontendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\FrontendFormProtection\$frontendUser, TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$validationFailedCallback, and TYPO3\CMS\Core\FormProtection\FrontendFormProtection\isAuthorizedFrontendSession().

Member Function Documentation

◆ isAuthorizedFrontendSession()

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::isAuthorizedFrontendSession ( )
protected

Checks if a user is logged in and the session is active.

Returns
bool

Definition at line 128 of file FrontendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\__construct().

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Access: private

Returns
void

Definition at line 118 of file FrontendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\retrieveSessionToken().

◆ retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::retrieveSessionToken ( )
protected

Member Data Documentation

◆ $frontendUser

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::$frontendUser
protected