BackendFormProtection extends AbstractFormProtection
This class provides protection against cross-site request forgery (XSRF/CSRF) for forms in the BE.
How to use:
For each form in the BE (or link that changes some data), create a token and insert is as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.
$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
->generateToken(
'BE user setup', 'edit'
);
$this->content .= '';
The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. BE user setup and editing a tt_content record) or different records (with different UIDs) from the same table, those values should be different.
For editing a tt_content record, the call could look like this:
$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
->getFormProtection()->generateToken(
'tt_content', 'edit', $uid
);
When processing the data that has been submitted by the form, you can check that the form token is valid like this:
if ($dataHasBeenSubmitted && GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
->validateToken(
\TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
'BE user setup', 'edit
)
) {
processes the data
} else {
no need to do anything here as the BE form protection will create a
flash message for an invalid token
}
Table of Contents
Properties
- $backendUser : BackendUserAuthentication
- Keeps the instance of the user which existed during creation of the object.
- $registry : Registry
- Instance of the registry, which is used to permanently persist the session token so that it can be restored during re-login.
- $sessionToken : string|null
- The session token which is used to be hashed during token generation.
- $validationFailedCallback : Closure|null
Methods
- __construct() : mixed
- Only allow construction if we have an authorized backend session
- __wakeup() : mixed
- Deny object deserialization.
- clean() : mixed
- Deletes the session token and persists the (empty) token.
- generateToken() : string
- Generates a token for a form by hashing the given parameters with the secret session token.
- persistSessionToken() : mixed
- Saves the tokens so that they can be used by a later incarnation of this class.
- removeSessionTokenFromRegistry() : mixed
- Removes the session token for the user from the registry.
- setSessionTokenFromRegistry() : string
- Sets the session token for the user from the registry and returns it additionally.
- storeSessionTokenInRegistry() : mixed
- Stores the session token in the registry to have it available during re-login of the user.
- validateToken() : bool
- Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.
- createValidationErrorMessage() : mixed
- Creates or displays an error message telling the user that the submitted form token is invalid.
- generateSessionToken() : string
- Generates the random token which is used in the hash for the form tokens.
- getSessionToken() : string
- isAuthorizedBackendSession() : bool
- Checks if a user is logged in and the session is active.
- retrieveSessionToken() : string
- Retrieves the saved session token or generates a new one.
Properties
$backendUser
Keeps the instance of the user which existed during creation of the object.
protected
BackendUserAuthentication
$backendUser
$registry
Instance of the registry, which is used to permanently persist the session token so that it can be restored during re-login.
protected
Registry
$registry
$sessionToken
The session token which is used to be hashed during token generation.
protected
string|null
$sessionToken
$validationFailedCallback
protected
Closure|null
$validationFailedCallback
Methods
__construct()
Only allow construction if we have an authorized backend session
public
__construct(BackendUserAuthentication $backendUser, Registry $registry[, Closure|null $validationFailedCallback = null ]) : mixed
Parameters
- $backendUser : BackendUserAuthentication
- $registry : Registry
- $validationFailedCallback : Closure|null = null
Tags
__wakeup()
Deny object deserialization.
public
__wakeup() : mixed
clean()
Deletes the session token and persists the (empty) token.
public
clean() : mixed
This function is intended to be called when a user logs on or off.
generateToken()
Generates a token for a form by hashing the given parameters with the secret session token.
public
generateToken(string $formName[, string $action = '' ][, string $formInstanceName = '' ]) : string
Calling this function two times with the same parameters will create the same valid token during one user session.
Parameters
- $formName : string
- $action : string = ''
- $formInstanceName : string = ''
Tags
Return values
string —the 32-character hex ID of the generated token
persistSessionToken()
Saves the tokens so that they can be used by a later incarnation of this class.
public
persistSessionToken() : mixed
removeSessionTokenFromRegistry()
Removes the session token for the user from the registry.
public
removeSessionTokenFromRegistry() : mixed
setSessionTokenFromRegistry()
Sets the session token for the user from the registry and returns it additionally.
public
setSessionTokenFromRegistry() : string
Tags
Return values
stringstoreSessionTokenInRegistry()
Stores the session token in the registry to have it available during re-login of the user.
public
storeSessionTokenInRegistry() : mixed
validateToken()
Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.
public
validateToken(string $tokenId, string $formName[, string $action = '' ][, string $formInstanceName = '' ]) : bool
Parameters
- $tokenId : string
- $formName : string
- $action : string = ''
- $formInstanceName : string = ''
Return values
boolcreateValidationErrorMessage()
Creates or displays an error message telling the user that the submitted form token is invalid.
protected
createValidationErrorMessage() : mixed
generateSessionToken()
Generates the random token which is used in the hash for the form tokens.
protected
generateSessionToken() : string
Return values
stringgetSessionToken()
protected
getSessionToken() : string
Return values
stringisAuthorizedBackendSession()
Checks if a user is logged in and the session is active.
protected
isAuthorizedBackendSession() : bool
Return values
boolretrieveSessionToken()
Retrieves the saved session token or generates a new one.
protected
retrieveSessionToken() : string