TYPO3 CMS  TYPO3_7-6
TYPO3\CMS\Core\FormProtection\InstallToolFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\InstallToolFormProtection:
TYPO3\CMS\Core\FormProtection\AbstractFormProtection

Public Member Functions

 persistSessionToken ()
 
- Public Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 __destruct ()
 
 clean ()
 
 generateToken ($formName, $action='', $formInstanceName='')
 
 validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
 persistSessionToken ()
 

Protected Member Functions

 retrieveSessionToken ()
 
- Protected Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 getSessionToken ()
 
 generateSessionToken ()
 
 createValidationErrorMessage ()
 
 retrieveSessionToken ()
 

Additional Inherited Members

- Protected Attributes inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 $validationFailedCallback
 
 $sessionToken
 

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) in the install tool.

How to use this in the install tool:

For each form in the install tool (or link that changes some data), create a token and insert it as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.

$formToken = $this->formProtection->generateToken(
    'installToolPassword', 'change'
);
// then put the generated form token in a hidden field in the template

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. the password change and editing the configuration), those values should be different.

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && $this->formProtection->validateToken(
    $_POST['formToken'],
    'installToolPassword',
    'change'
)) {
    // process the data
} else {
    // no need to do anything here, as the install tool form protection
    // will create an error message for an invalid token
}
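The generate/validate flow described above, as an added stand-alone sketch that is not TYPO3's own code: it shows why a token scoped to one form name and action is rejected for another form, and why non-string input must be rejected before comparison. The class name SketchFormProtection, the HMAC-SHA256 construction, the form name 'installToolConfiguration' and the use of PHP 7 functions are assumptions made for this illustration.

```php
<?php
// Added sketch, not TYPO3 code. Class name, HMAC-SHA256 construction and
// the second form name are assumptions made for this example (PHP 7+).
final class SketchFormProtection
{
    private $sessionToken; // per-session secret, persisted by the caller

    public function __construct(string $sessionToken)
    {
        $this->sessionToken = $sessionToken;
    }

    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        if ($formName === '') {
            throw new InvalidArgumentException('$formName must not be empty.');
        }
        // Length-prefix each part so ('ab', 'c') and ('a', 'bc') cannot collide.
        $scope = '';
        foreach ([$formName, $action, $formInstanceName] as $part) {
            $scope .= strlen($part) . ':' . $part;
        }
        return hash_hmac('sha256', $scope, $this->sessionToken);
    }

    public function validateToken($tokenId, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        // Reject missing or non-string input (e.g. formToken[]=x) before comparing.
        if (!is_string($tokenId) || $tokenId === '') {
            return false;
        }
        // hash_equals() compares in constant time.
        return hash_equals($this->generateToken($formName, $action, $formInstanceName), $tokenId);
    }
}

// Constructed demo: one session, a token issued for the password-change form.
$protection = new SketchFormProtection(bin2hex(random_bytes(32)));
$token = $protection->generateToken('installToolPassword', 'change');
var_dump($protection->validateToken($token, 'installToolPassword', 'change'));    // same form and action
var_dump($protection->validateToken($token, 'installToolConfiguration', 'edit')); // token replayed on another form
var_dump($protection->validateToken(['x'], 'installToolPassword', 'change'));     // array submitted instead of a string
```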

Install Tool form protection

Definition at line 59 of file InstallToolFormProtection.php.

Member Function Documentation

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\InstallToolFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Returns
void

Definition at line 82 of file InstallToolFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken.

Referenced by TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\retrieveSessionToken().

◆ retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\InstallToolFormProtection::retrieveSessionToken ( )
protected