‪TYPO3CMS  ‪main
TYPO3\CMS\Core\FormProtection\BackendFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\BackendFormProtection:
TYPO3\CMS\Core\FormProtection\AbstractFormProtection TYPO3\CMS\Core\Security\BlockSerializationTrait

Public Member Functions

 __construct (BackendUserAuthentication $backendUser, Registry $registry, ?\Closure $validationFailedCallback=null)
 
 persistSessionToken ()
 
string setSessionTokenFromRegistry ()
 
 storeSessionTokenInRegistry ()
 
 removeSessionTokenFromRegistry ()
 
- ‪Public Member Functions inherited from ‪TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 clean ()
 
string generateToken ($formName, $action='', $formInstanceName='')
 
bool validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
- ‪Public Member Functions inherited from ‪TYPO3\CMS\Core\Security\BlockSerializationTrait
 __wakeup ()
 

Protected Member Functions

string retrieveSessionToken ()
 
bool isAuthorizedBackendSession ()
 
- ‪Protected Member Functions inherited from ‪TYPO3\CMS\Core\FormProtection\AbstractFormProtection
string getSessionToken ()
 
string generateSessionToken ()
 
 createValidationErrorMessage ()
 

Protected Attributes

BackendUserAuthentication $backendUser
 
Registry $registry
 
- ‪Protected Attributes inherited from ‪TYPO3\CMS\Core\FormProtection\AbstractFormProtection
Closure null $validationFailedCallback
 
string null $sessionToken
 

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms in the BE.

How to use:

For each form in the BE (or link that changes some data), create a token and insert is as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.

$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
->generateToken(
'BE user setup', 'edit'
);
$this->content .= '<input type="hidden" name="formToken" value="' .
$formToken . '" >';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. BE user setup and editing a tt_content record) or different records (with different UIDs) from the same table, those values should be different.

For editing a tt_content record, the call could look like this:

$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
->getFormProtection()->generateToken(
'tt_content', 'edit', $uid
);

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
->validateToken(
\TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
'BE user setup', 'edit
)
) {
processes the data
} else {
no need to do anything here as the BE form protection will create a
flash message for an invalid token
}

Definition at line 74 of file BackendFormProtection.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::__construct ( BackendUserAuthentication  $backendUser,
Registry  $registry,
?\Closure  $validationFailedCallback = null 
)

Member Function Documentation

◆ isAuthorizedBackendSession()

bool TYPO3\CMS\Core\FormProtection\BackendFormProtection::isAuthorizedBackendSession ( )
protected

Checks if a user is logged in and the session is active.

Returns
‪bool

Definition at line 174 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Reimplemented from TYPO3\CMS\Core\FormProtection\AbstractFormProtection.

Definition at line 126 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken().

◆ removeSessionTokenFromRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::removeSessionTokenFromRegistry ( )

Removes the session token for the user from the registry.

Definition at line 164 of file BackendFormProtection.php.

◆ retrieveSessionToken()

string TYPO3\CMS\Core\FormProtection\BackendFormProtection::retrieveSessionToken ( )
protected

◆ setSessionTokenFromRegistry()

string TYPO3\CMS\Core\FormProtection\BackendFormProtection::setSessionTokenFromRegistry ( )

Sets the session token for the user from the registry and returns it additionally.

Returns
‪string
Exceptions

Definition at line 139 of file BackendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken.

◆ storeSessionTokenInRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::storeSessionTokenInRegistry ( )

Stores the session token in the registry to have it available during re-login of the user.

Definition at line 154 of file BackendFormProtection.php.

Member Data Documentation

◆ $backendUser

BackendUserAuthentication TYPO3\CMS\Core\FormProtection\BackendFormProtection::$backendUser
protected

Keeps the instance of the user which existed during creation of the object.

Definition at line 81 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ $registry

Registry TYPO3\CMS\Core\FormProtection\BackendFormProtection::$registry
protected

Instance of the registry, which is used to permanently persist the session token so that it can be restored during re-login.

Definition at line 88 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().