‪TYPO3CMS  ‪main
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
TYPO3\CMS\Core\FormProtection\FrontendFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\FrontendFormProtection:
TYPO3\CMS\Core\FormProtection\AbstractFormProtection TYPO3\CMS\Core\Security\BlockSerializationTrait

Public Member Functions

 __construct (FrontendUserAuthentication $frontendUser, \Closure $validationFailedCallback=null)
 
 persistSessionToken ()
 
- ‪Public Member Functions inherited from ‪TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 clean ()
 
string generateToken ($formName, $action='', $formInstanceName='')
 
bool validateToken ($tokenId, $formName, $action='', $formInstanceName='')
 
- ‪Public Member Functions inherited from ‪TYPO3\CMS\Core\Security\BlockSerializationTrait
 __wakeup ()
 

Protected Member Functions

string retrieveSessionToken ()
 
bool isAuthorizedFrontendSession ()
 
- ‪Protected Member Functions inherited from ‪TYPO3\CMS\Core\FormProtection\AbstractFormProtection
string getSessionToken ()
 
string generateSessionToken ()
 
 createValidationErrorMessage ()
 

Protected Attributes

FrontendUserAuthentication $frontendUser
 
- ‪Protected Attributes inherited from ‪TYPO3\CMS\Core\FormProtection\AbstractFormProtection
Closure null $validationFailedCallback
 
string null $sessionToken
 

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) for actions in the frontend that change data.

How to use:

For each form (or link that changes some data), create a token and insert is as a hidden form element or use it as GET argument. The name of the form element does not matter; you only need it to get the form token for verifying it.

$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('frontend')
->generateToken(
'User setup', 'edit'
);
$this->content .= '<input type="hidden" name="formToken" value="' .
$formToken . '" >';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. User setup and editing a news record) or different records (with different UIDs) from the same table, those values should be different.

For editing a news record, the call could look like this:

$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('frontend')
->getFormProtection()->generateToken(
'news', 'edit', $uid
);

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('frontend')
->validateToken(
\TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
'User setup', 'edit
)
) {
Processes the data.
} else {
Create a flash message for the invalid token or just discard this request.
}

Definition at line 72 of file FrontendFormProtection.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::__construct ( FrontendUserAuthentication  $frontendUser,
\Closure  $validationFailedCallback = null 
)

Only allow construction if we have an authorized frontend session

Exceptions

Definition at line 86 of file FrontendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\FrontendFormProtection\$frontendUser, TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$validationFailedCallback, and TYPO3\CMS\Core\FormProtection\FrontendFormProtection\isAuthorizedFrontendSession().

Member Function Documentation

◆ isAuthorizedFrontendSession()

bool TYPO3\CMS\Core\FormProtection\FrontendFormProtection::isAuthorizedFrontendSession ( )
protected

Checks if a user is logged in and the session is active.

Returns
‪bool

Definition at line 126 of file FrontendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\__construct().

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\FrontendFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Reimplemented from TYPO3\CMS\Core\FormProtection\AbstractFormProtection.

Definition at line 116 of file FrontendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\retrieveSessionToken().

◆ retrieveSessionToken()

string TYPO3\CMS\Core\FormProtection\FrontendFormProtection::retrieveSessionToken ( )
protected

Retrieves the saved session token or generates a new one.

Returns
‪string

Reimplemented from TYPO3\CMS\Core\FormProtection\AbstractFormProtection.

Definition at line 100 of file FrontendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken, TYPO3\CMS\Core\FormProtection\AbstractFormProtection\generateSessionToken(), and TYPO3\CMS\Core\FormProtection\FrontendFormProtection\persistSessionToken().

Member Data Documentation

◆ $frontendUser

FrontendUserAuthentication TYPO3\CMS\Core\FormProtection\FrontendFormProtection::$frontendUser
protected

Keeps the instance of the user which existed during creation of the object.

Definition at line 79 of file FrontendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\__construct().