Security
class Security extends Controller implements TemplateGlobalProvider
Implements a basic security model
Properties
Visibility | Type | Name | Description | Defined in
public | string | $class | | from SS_Object
protected | array | $extension_instances | | from SS_Object
protected | | $beforeExtendCallbacks | List of callbacks to call prior to extensions having extend called on them, each grouped by methodName. | from SS_Object
protected | | $afterExtendCallbacks | List of callbacks to call after extensions having extend called on them, each grouped by methodName. | from SS_Object
protected | ViewableData | $failover | A failover object to attempt to get data from if it is not present on this object. | from ViewableData
protected | ViewableData | $customisedObject | | from ViewableData
protected | SS_HTTPRequest | $request | | from RequestHandler
protected | | $model | The DataModel for this request | from RequestHandler
protected | bool | $brokenOnConstruct | This variable records whether RequestHandler::__construct() was called or not. Useful for checking if subclasses have called parent::__construct() | from RequestHandler
protected | array | $urlParams | | from Controller
protected | array | $requestParams | | from Controller
protected | string | $action | | from Controller
protected | | $session | The Session object for this controller | from Controller
protected static | | $controller_stack | Stack of current controllers. | from Controller
protected | | $basicAuthEnabled | | from Controller
protected | SS_HTTPResponse | $response | | from Controller
protected | | $baseInitCalled | | from Controller
protected static | string | $default_username | Default user name. Only used in dev-mode by setDefaultAdmin() |
protected static | string | $default_password | Default password. Only used in dev-mode by setDefaultAdmin() |
protected static | bool | $strict_path_checking | Set to TRUE to prevent sharing of the session across several sites in the domain. |
public static | bool | $force_database_is_ready | |
public static | bool | $database_is_ready | When the database has once been verified as ready, it will not do the checks again. |
protected static | | $ignore_disallowed_actions | |
Methods
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
Allows user code to hook into Object::extend prior to control being delegated to extensions. Each callback will be reset once called.
Allows user code to hook into Object::extend after control being delegated to extensions. Each callback will be reset once called.
An implementation of the factory method, allows you to create an instance of a class
Creates a class instance by the "singleton" design pattern.
Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().
Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().
Similar to Object::create(), except that classes are only overloaded if you set the $strong parameter to TRUE when using Object::useCustomClass()
This class allows you to overload classes with other classes when they are constructed using the factory method Object::create()
If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name
Get the value of a static property of a class, even in that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.
Return TRUE if a class has a specified extension.
Add an extension to a specific class.
No description
Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located
Return the names of all the methods available on this object
Add methods from the ViewableData::$failover object, as well as wrapping any methods prefixed with an underscore into a ViewableData::cachedCall().
Add all the methods from an object property (which is an Extension) to this object.
Add all the methods from an object property (which is an Extension) to this object.
Add a wrapper method - a method which points to another method with a different name. For example, Thumbnail(x) can be wrapped to generateThumbnail(x)
Add an extra method using raw PHP code passed as a string
Check if this class is an instance of a specific class, or has that class as one of its parents
Calls a method if available on both this object and all applied Extensions, and then attempts to merge all results into an array
Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed
Get an extension instance attached to this object by name.
Returns TRUE if this object instance has a specific extension applied in $extension_instances. Extension instances are initialized at constructor time, meaning if you use add_extension() afterwards, the added extension will just be added to new instances of the extended class. Use the static method has_extension() to check if a class (not an instance) has a specific extension.
Get all extension instances for this specific object instance.
Cache the results of an instance method in this object to a file, or if it is already cache return the cached results
Clears the cache for the given cacheToFile call
Loads a cache from the filesystem if a valid on is present and within the specified lifetime
Save a piece of cached data to the file system
Strip a file name of special characters so it is suitable for use as a cache file name
Converts a field spec into an object creator. For example: "Int" becomes "new Int($fieldName);" and "Varchar(50)" becomes "new Varchar($fieldName, 50);".
Convert a field schema (e.g. "Varchar(50)") into a casting object creator array that contains both a className and castingHelper constructor code. See castingObjectCreator for more information about the constructor.
Check if a field exists on this object or its failover.
Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using ViewableData::getField(), then fall back on a failover object.
Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the ViewableData::setField() method.
Set a failover object to attempt to get data from if it is not present on this object.
Check if a field exists on this object. This should be overloaded in child classes.
Get the value of a field on this object. This should be overloaded in child classes.
Set a field on this object. This should be overloaded in child classes.
Method to facilitate deprecation of underscore-prefixed methods automatically being cached.
Merge some arbitrary data in with this object. This method returns a ViewableData_Customised instance with references to both this and the new custom data.
Get the class a field on this object would be casted to, as well as the casting helper for casting a field to an object (see ViewableData::castingHelper() for information on casting helpers).
Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object.
Get the class name a field on this object will be casted to
Return the string-format type for the given field.
Save the casting cache for this object (including data from any failovers) into a variable
Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter:
- a template name (e.g. Page)
- an array of possible template names - the first valid one will be used
- an SSViewer instance
Generate the cache name for a field
Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.
A simple wrapper around ViewableData::obj() that automatically caches the result so it can be used again without re-running the method.
Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.
Get the string value of a field on this object that has been suitable escaped to be inserted directly into a template.
Return the value of the field without any escaping being applied.
Return the value of a field in an SQL-safe format.
Return the value of a field in a JavaScript-safe format.
Return the value of a field escaped suitable to be inserted into an XML node attribute.
Get an array of XML-escaped values by field name
Return a single-item iterator so you can iterate over the fields of a single record.
When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.
Return the directory if the current active theme (relative to the site root).
Get part of the current classes ancestry to be used as a CSS class.
Return debug information about this object that can be rendered into a template
Executes this controller, and return an SS_HTTPResponse object with the result.
Controller's default action handler. It will call the method named in $Action, if that method exists.
Get a array of allowed actions defined on this controller, any parent classes or extensions.
Checks if this request handler has a specific action, even if the current user cannot access it.
Return the class that defines the given action, so that we know where to check allowed_actions.
Check that the given action is allowed to be called from a URL.
Throws a HTTP error response encased in a SS_HTTPResponse_Exception, which is later caught in RequestHandler::handleAction() and returned to the user.
Returns the SS_HTTPRequest object that this controller is using.
Typically the request is set through handleAction() or handleRequest(), but in some cases we want to set it manually.
Returns the SS_HTTPResponse object that this controller is building up.
Sets the SS_HTTPResponse object that this controller is building up.
Return the object that is going to own a form that's being processed, and handle its execution.
This is the default action handler used if a method doesn't exist.
Removes all the "action" part of the current URL and returns the result.
Returns TRUE if this controller has a template that is specifically designed to handle a specific action.
Render the current controller with the templates determined by getViewer().
Call this to disable site-wide basic authentication for a specific controller.
Tests whether we have a currently active controller or not
Returns true if the member is allowed to do the given action.
Redirect back. Uses either the HTTP_REFERER or a manually set request-variable called "BackURL".
Joins two or more link segments together, putting a slash between them if necessary.
Set the default message set used in permissions failures.
Register that we've had a permission failure trying to view the given page
This action is available as a keep alive, so user sessions don't timeout. A common use is in the admin.
Perform pre-login checking and prepare a response if available prior to login
Prepare the controller for handling the response to this request
Determine the list of templates to use for rendering the given action
Combine the given forms into a formset with a tabbed interface
Get the HTML Content for the $Content area during login
Show the "password sent" page, after a user has requested to reset their password.
Return an existing member with administrator privileges, or create one if necessary.
Checks if the passed credentials are matching the default-admin.
Set the password encryption algorithm
Encrypt a password according to the current password encryption settings.
Checks the database is in a state to perform security checks.
Enable or disable recording of login attempts through the LoginRecord object.
Set to true to ignore access to disallowed actions, rather than returning a permission failure. Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions().
Details
static Config_ForClass|null
config()
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
protected
beforeExtending(string $method, callable $callback)
Allows user code to hook into Object::extend prior to control being delegated to extensions. Each callback will be reset once called.
protected
afterExtending(string $method, callable $callback)
Allows user code to hook into Object::extend after control being delegated to extensions. Each callback will be reset once called.
static SS_Object
create()
An implementation of the factory method, allows you to create an instance of a class
This method first checks for strong class overloads (singletons & DB interaction), then custom class overloads. If an overload is found, an instance of this is returned rather than the original class. To overload a class, use Object::useCustomClass()
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create('SiteTree'); $list = SiteTree::get();
static SS_Object
singleton()
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
static
create_from_string($classSpec, $firstArg = null)
Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().
Construction itself is done with Object::create(), so that Object::useCustomClass() calls are respected.
Object::create_from_string("Versioned('Stage','Live')")
will return the result of
Versioned::create('Stage', 'Live');
It is designed for simple, clonable objects. The first time this method is called for a given string it is cached, and clones of that object are returned.
If you pass the $firstArg argument, this will be prepended to the constructor arguments. It's impossible to pass null as the firstArg argument.
Object::create_from_string("Varchar(50)", "MyField")
will return the result of
Varchar::create('MyField', '50');
Arguments are always strings, although this is a quirk of the current implementation rather than something that can be relied upon.
static
parse_class_spec($classSpec)
Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().
Returns a 2-element array, with classname and arguments
static SS_Object
strong_create()
Similar to Object::create(), except that classes are only overloaded if you set the $strong parameter to TRUE when using Object::useCustomClass()
static
useCustomClass(string $oldClass, string $newClass, bool $strong = false)
This class allows you to overload classes with other classes when they are constructed using the factory method Object::create()
static string
getCustomClass(string $class)
If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name
static any
static_lookup($class, $name, null $default = null)
Get the value of a static property of a class, even if that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.
static
get_static($class, $name, $uncached = false)
deprecated
No description
static
set_static($class, $name, $value)
deprecated
No description
static
uninherited_static($class, $name, $uncached = false)
deprecated
No description
static
combined_static($class, $name, $ceiling = false)
deprecated
No description
static
addStaticVars($class, $properties, $replace = false)
deprecated
No description
static
add_static_var($class, $name, $value, $replace = false)
deprecated
No description
static
has_extension(string $classOrExtension, string $requiredExtension = null, bool $strict = false)
Return TRUE if a class has a specified extension.
This supports backwards-compatible format (static Object::has_extension($requiredExtension)) and new format ($object->has_extension($class, $requiredExtension))
static
add_extension(string $classOrExtension, string $extension = null)
Add an extension to a specific class.
The preferred method for adding extensions is through YAML config, since it avoids autoloading the class, and is easier to override in more specific configurations.
As an alternative, extensions can be added to a specific class directly in the Object::$extensions array. See SiteTree::$extensions for examples. Keep in mind that the extension will only be applied to new instances, not existing ones (including all instances created through singleton()).
static
remove_extension(string $extension)
Remove an extension from a class.
Keep in mind that this won't revert any datamodel additions of the extension at runtime, unless it's used before the schema building kicks in (in your _config.php). Doesn't remove the extension from any Object instances which are already created, but will have an effect on new extensions. Clears any previously created singletons through singleton() to avoid side-effects from stale extension information.
static array
get_extensions(string $class, bool $includeArgumentString = false)
No description
static
get_extra_config_sources($class = null)
No description
__construct()
No description
mixed
__call(string $method, array $arguments)
Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located
You can add extra methods to a class using Extensions, Object::createMethod() or Object::addWrapperMethod()
bool
hasMethod(string $method)
Return TRUE if a method exists on this object
This should be used rather than PHP's inbuilt method_exists() as it takes into account methods added via extensions
array
allMethodNames(bool $custom = false)
Return the names of all the methods available on this object
defineMethods()
Add methods from the ViewableData::$failover object, as well as wrapping any methods prefixed with an underscore into a ViewableData::cachedCall().
protected array
findMethodsFromExtension(object $extension)
No description
protected
addMethodsFrom(string $property, string|int $index = null)
Add all the methods from an object property (which is an Extension) to this object.
protected
removeMethodsFrom(string $property, string|int $index = null)
Add all the methods from an object property (which is an Extension) to this object.
protected
addWrapperMethod(string $method, string $wrap)
Add a wrapper method - a method which points to another method with a different name. For example, Thumbnail(x) can be wrapped to generateThumbnail(x)
protected
createMethod(string $method, string $code)
Add an extra method using raw PHP code passed as a string
stat($name, $uncached = false)
No description
set_stat($name, $value)
No description
uninherited($name)
No description
bool
exists()
Return true if this object "exists" i.e. has a sensible value
This method should be overridden in subclasses to provide more context about the class's state. For example, a DataObject class could return false when it is deleted from the database
string
parentClass()
No description
bool
is_a(string $class)
Check if this class is an instance of a specific class, or has that class as one of its parents
string
__toString()
No description
mixed
invokeWithExtensions(string $method, mixed $argument = null)
Calls a method if available on both this object and all applied Extensions, and then attempts to merge all results into an array
array
extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)
Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed
Currently returns an array, with an index resulting every time the function is called. Only adds returns if they're not NULL, to avoid bogus results from methods just defined on the parent extension. This is important for permission-checks through extend, as they use min() to determine if any of the returns is FALSE. As min() doesn't do type checking, an included NULL return would fail the permission checks.
The extension methods are defined during __construct() in defineMethods().
Extension
getExtensionInstance(string $extension)
Get an extension instance attached to this object by name.
bool
hasExtension(string $extension)
Returns TRUE if this object instance has a specific extension applied in $extension_instances. Extension instances are initialized at constructor time, meaning if you use add_extension() afterwards, the added extension will just be added to new instances of the extended class. Use the static method has_extension() to check if a class (not an instance) has a specific extension.
Caution: Don't use singleton(
array
getExtensionInstances()
Get all extension instances for this specific object instance.
See get_extensions() to get all applied extension classes for this class (not the instance).
mixed
cacheToFile(string $method, int $lifetime = 3600, string $ID = false, array $arguments = array())
Cache the results of an instance method in this object to a file, or if it is already cache return the cached results
clearCache($method, $ID = false, $arguments = array())
Clears the cache for the given cacheToFile call
protected mixed
loadCache(string $cache, int $lifetime = 3600)
Loads a cache from the filesystem if a valid one is present and within the specified lifetime
protected
saveCache(string $cache, mixed $data)
Save a piece of cached data to the file system
protected string
sanitiseCachename(string $name)
Strip a file name of special characters so it is suitable for use as a cache file name
static string
castingObjectCreator(string $fieldSchema)
Converts a field spec into an object creator. For example: "Int" becomes "new Int($fieldName);" and "Varchar(50)" becomes "new Varchar($fieldName, 50);".
static array
castingObjectCreatorPair(string $fieldSchema)
Convert a field schema (e.g. "Varchar(50)") into a casting object creator array that contains both a className and castingHelper constructor code. See castingObjectCreator for more information about the constructor.
bool
__isset(string $property)
Check if a field exists on this object or its failover.
mixed
__get(string $property)
Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using ViewableData::getField(), then fall back on a failover object.
__set(string $property, mixed $value)
Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the ViewableData::setField() method.
setFailover(ViewableData $failover)
Set a failover object to attempt to get data from if it is not present on this object.
ViewableData|null
getFailover()
Get the current failover object if set
bool
hasField(string $field)
Check if a field exists on this object. This should be overloaded in child classes.
mixed
getField(string $field)
Get the value of a field on this object. This should be overloaded in child classes.
setField(string $field, mixed $value)
Set a field on this object. This should be overloaded in child classes.
unknown
deprecatedCachedCall($method, $args = null, string $identifier = null)
Method to facilitate deprecation of underscore-prefixed methods automatically being cached.
ViewableData_Customised
customise(array|ViewableData $data)
Merge some arbitrary data in with this object. This method returns a ViewableData_Customised instance with references to both this and the new custom data.
Note that any fields you specify will take precedence over the fields on this object.
ViewableData
getCustomisedObj()
No description
setCustomisedObj(ViewableData $object)
No description
array
castingHelperPair(string $field)
Get the class a field on this object would be casted to, as well as the casting helper for casting a field to an object (see ViewableData::castingHelper() for information on casting helpers).
The returned array contains two keys:
- className: the class the field would be casted to (e.g. "Varchar")
- castingHelper: the casting helper for casting the field (e.g. "return new Varchar($fieldName)")
string
castingHelper(string $field)
Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object.
string
castingClass(string $field)
Get the class name a field on this object will be casted to
string
escapeTypeForField(string $field)
Return the string-format type for the given field.
buildCastingCache(reference $cache)
Save the casting cache for this object (including data from any failovers) into a variable
HTMLText
renderWith(string|array|SSViewer $template, array $customFields = null)
Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter:
- a template name (e.g. Page)
- an array of possible template names - the first valid one will be used
- an SSViewer instance
protected
objCacheName(string $fieldName, array $arguments)
Generate the cache name for a field
protected mixed
objCacheGet(string $key)
Get a cached value from the field cache
protected
objCacheSet(string $key, mixed $value)
Store a value in the field cache
obj(string $fieldName, array $arguments = null, bool $forceReturnedObject = true, bool $cache = false, string $cacheName = null)
Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.
cachedCall(string $field, array $arguments = null, string $identifier = null)
A simple wrapper around ViewableData::obj() that automatically caches the result so it can be used again without re-running the method.
bool
hasValue(string $field, array $arguments = null, bool $cache = true)
Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.
XML_val($field, $arguments = null, $cache = false)
Get the string value of a field on this object that has been suitably escaped to be inserted directly into a template.
RAW_val($field, $arguments = null, $cache = true)
Return the value of the field without any escaping being applied.
SQL_val($field, $arguments = null, $cache = true)
Return the value of a field in an SQL-safe format.
JS_val($field, $arguments = null, $cache = true)
Return the value of a field in a JavaScript-safe format.
ATT_val($field, $arguments = null, $cache = true)
Return the value of a field suitably escaped to be inserted into an XML node attribute.
array
getXMLValues($fields)
Get an array of XML-escaped values by field name
ArrayIterator
getIterator()
Return a single-item iterator so you can iterate over the fields of a single record.
This is useful so you can use a single record inside a <% control %> block in a template - and then use to access individual fields on this object.
ViewableData
Me()
When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.
string
ThemeDir(string $subtheme = false)
Return the directory of the current active theme (relative to the site root).
This method is useful for things such as accessing theme images from your template without hardcoding the theme page - e.g. .
This method should only be used when a theme is currently active. However, it will fall back to the current project directory.
string
CSSClasses(string $stopAtClass = 'ViewableData')
Get part of the current classes ancestry to be used as a CSS class.
This method returns an escaped string of CSS classes representing the current classes ancestry until it hits a stop point - e.g. "Page DataObject ViewableData".
ViewableData_Debugger
Debug()
Return debug information about this object that can be rendered into a template
setDataModel($model)
Set the DataModel for this request.
SS_HTTPResponse|RequestHandler|string|array
handleRequest(SS_HTTPRequest $request, DataModel $model)
Executes this controller, and return an SS_HTTPResponse object with the result.
This method first does a few set-up activities:
- Push this controller onto the controller stack - see Controller::curr() for information about this.
- Call init()
- Defer to RequestHandler->handleRequest() to determine which action should be executed
Note: $requestParams['executeForm'] support was removed, make the following change in your URLs: "/?executeForm=FooBar" -> "/FooBar" Also make sure "FooBar" is in the $allowed_actions of your controller class.
Note: You should rarely need to overload run() - this kind of change is only really appropriate for things like nested controllers - ModelAsController and RootURLController are two examples here. If you want to make more orthodox functionality, it's better to overload init() or index().
Important: If you are going to overload handleRequest, make sure that you start the method with $this->pushCurrent() and end the method with $this->popCurrent(). Failure to do this will create weird session errors.
protected
findAction($request)
No description
protected SS_HTTPResponse
handleAction($request, $action)
Controller's default action handler. It will call the method named in $Action, if that method exists.
If $Action isn't given, it will use "index" as a default.
array|null
allowedActions(string $limitToClass = null)
Get an array of allowed actions defined on this controller, any parent classes or extensions.
Caution: Since 3.1, allowed_actions definitions only apply to methods on the controller they're defined on, so it is recommended to use the $class argument when invoking this method.
bool
hasAction(string $action)
Checks if this request handler has a specific action, even if the current user cannot access it.
Includes class ancestry and extensions in the checks.
protected
definingClassForAction($action)
Return the class that defines the given action, so that we know where to check allowed_actions.
Overrides RequestHandler to also look at defined templates
checkAccessAction($action)
Check that the given action is allowed to be called from a URL.
It will interrogate self::$allowed_actions to determine this.
httpError(int $errorCode, string $errorMessage = null)
Throws a HTTP error response encased in a SS_HTTPResponse_Exception, which is later caught in RequestHandler::handleAction() and returned to the user.
SS_HTTPRequest|NullHTTPRequest
getRequest()
Returns the SS_HTTPRequest object that this controller is using.
Returns a placeholder NullHTTPRequest object unless handleAction() or handleRequest() have been called, which adds a reference to an actual SS_HTTPRequest object.
setRequest($request)
Typically the request is set through handleAction() or handleRequest(), but in some cases we want to set it manually.
string
Link(string $action = null)
Get a link to a security action
init()
Initialisation function that is run before any action on the controller is called.
setURLParams($urlParams)
No description
array
getURLParams()
No description
getResponse()
Returns the SS_HTTPResponse object that this controller is building up.
Can be used to set the status code and headers
Controller
setResponse(SS_HTTPResponse $response)
Sets the SS_HTTPResponse object that this controller is building up.
getFormOwner()
Return the object that is going to own a form that's being processed, and handle its execution.
Note that the result needn't be an actual controller object.
defaultAction($action)
This is the default action handler used if a method doesn't exist.
It will process the controller object with the template returned by getViewer()
getAction()
Returns the action that is being executed on this controller.
SSViewer
getViewer($action)
Return an SSViewer object to process the data
static string
removeAction($fullURL, $action = null)
Removes all the "action" part of the current URL and returns the result.
If no action parameter is present, returns the full URL
bool
hasActionTemplate(string $action)
Returns TRUE if this controller has a template that is specifically designed to handle a specific action.
string
render(array $params = null)
Render the current controller with the templates determined by getViewer().
disableBasicAuth()
Call this to disable site-wide basic authentication for a specific controller.
This must be called before Controller::init(). That is, you must call it in your controller's init method before it calls parent::init().
static Controller
curr()
Returns the current controller
static bool
has_curr()
Tests whether we have a currently active controller or not
bool
can($perm, $member = null)
Returns true if the member is allowed to do the given action.
pushCurrent()
Pushes this controller onto the stack of current controllers.
This means that any redirection, session setting, or other things that rely on Controller::curr() will now write to this controller object.
popCurrent()
Pop this controller off the top of the stack.
SS_HTTPResponse
redirect($url, $code = 302)
Redirect to the given URL.
redirectBack()
Redirect back. Uses either the HTTP_REFERER or a manually set request-variable called "BackURL".
This variable is needed in scenarios where no HTTP-Referer is sent (e.g. when calling a page by location.href in IE). If neither of the two variables is available, it will redirect to the base URL (see Director::baseURL()).
string
redirectedTo()
Tests whether a redirection has been requested.
Session
getSession()
Get the Session object representing this Controller's session
setSession(Session $session)
Set the Session object.
static string
join_links()
Joins two or more link segments together, putting a slash between them if necessary.
Use this for building the results of Link() methods. If either of the links have query strings, then they will be combined and put at the end of the resulting url.
Caution: All parameters are expected to be URI-encoded already.
static array
get_template_global_variables()
Defines global accessible templates variables.
static
get_word_list()
deprecated
Get location of word list file
static
set_word_list(string $wordListFile)
deprecated
Set location of word list file
static
set_default_message_set(string|array $messageSet)
deprecated
Set the default message set used in permissions failures.
static SS_HTTPResponse
permissionFailure(Controller $controller = null, string|array $messageSet = null)
Register that we've had a permission failure trying to view the given page
This will redirect to a login page. If you don't provide a messageSet, a default will be used.
index()
No description
protected string
getAuthenticator()
Get the selected authenticator for this request
Form
LoginForm()
Get the login form to process according to the submitted data
array
GetLoginForms()
Get the login forms for all available authentication methods
ping()
This action is available as a keep alive, so user sessions don't timeout. A common use is in the admin.
logout(bool $redirect = true)
Log the currently logged in user out
protected SS_HTTPResponse
preLogin()
Perform pre-login checking and prepare a response if available prior to login
protected Controller
getResponseController(string $title)
Prepare the controller for handling the response to this request
array
getTemplatesFor(string $action)
Determine the list of templates to use for rendering the given action
protected string
generateLoginFormSet(array $forms)
Combine the given forms into a formset with a tabbed interface
protected string
getLoginMessage(string $messageType = null)
Get the HTML Content for the $Content area during login
string|SS_HTTPResponse
login()
Show the "login" page
For multiple authenticators, Security_MultiAuthenticatorLogin is used. See getTemplatesFor and getIncludeTemplate for how to override template logic
basicauthlogin()
No description
string
lostpassword()
Show the "lost password" page
Form
LostPasswordForm()
Factory method for the lost password form
string
passwordsent(SS_HTTPRequest $request)
Show the "password sent" page, after a user has requested to reset their password.
static
getPasswordResetLink(Member $member, $autologinToken)
Create a link to the password reset form.
GET parameters used:
- m: member ID
- t: plaintext token
string
changepassword()
Show the "change password" page.
This page can either be called directly by logged-in users (in which case they need to provide their old password), or through a link emailed through lostpassword(). In this case no old password is required, authentication is ensured through the Member.AutoLoginHash property.
Form
ChangePasswordForm()
Factory method for the lost password form
string|array
getIncludeTemplate($name)
Gets the template for an include used for security.
For use in any subclass.
static Member
findAnAdministrator()
Return an existing member with administrator privileges, or create one if necessary.
Will create a default 'Administrators' group if no group is found with an ADMIN permission. Will create a new 'Admin' member with administrative permissions if no existing Member with these permissions is found.
Important: Any newly created administrator accounts will NOT have valid login credentials (Email/Password properties), which means they can't be used for login purposes outside of any default credentials set through Security::setDefaultAdmin().
static
clear_default_admin()
Flush the default admin credentials
static
setDefaultAdmin(string $username, string $password)
Set a default admin in dev-mode
This will set a static default admin which does not exist as a database record. With this workaround we can test pages in dev-mode with a unified login. Submitted login credentials are first checked against this static information in Security::authenticate().
static bool
check_default_admin(string $username, string $password)
Checks if the passed credentials match the default admin.
Compares against the cleartext password set through Security::setDefaultAdmin().
static
has_default_admin()
Check that the default admin account has been set.
static string
default_admin_username()
Get default admin username
static string
default_admin_password()
Get default admin password
static
setStrictPathChecking(bool $strictPathChecking)
deprecated
Set strict path checking
This prevents sharing of the session across several sites in the domain.
static bool
getStrictPathChecking()
deprecated
Get strict path checking
static bool
set_password_encryption_algorithm(string $algorithm)
deprecated
Set the password encryption algorithm
static string
get_password_encryption_algorithm()
deprecated
No description
static mixed
encrypt_password(string $password, string $salt = null, string $algorithm = null, Member $member = null)
Encrypt a password according to the current password encryption settings.
If the settings specify that passwords shouldn't be encrypted, the result is simply the clear text password with an empty salt, except when a custom algorithm ($algorithm parameter) was passed.
static bool
database_is_ready()
Checks the database is in a state to perform security checks.
See DatabaseAdmin->init() for more information.
static
set_login_recording(bool $bool)
deprecated
Enable or disable recording of login attempts through the LoginRecord object.
static bool
login_recording()
deprecated
No description
static
set_default_login_dest($dest)
deprecated
No description
static
default_login_dest()
deprecated
Get the default login dest.
static
set_ignore_disallowed_actions($flag)
Set to true to ignore access to disallowed actions, rather than returning a permission failure. Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions().
static
ignore_disallowed_actions()
No description
static
set_login_url($loginUrl)
deprecated
Set a custom log-in URL if you have built your own log-in page.
static string
login_url()
Get the URL of the log-in page.
To update the login url use the "Security.login_url" config setting.
static string
logout_url()
Get the URL of the logout page.
To update the logout url use the "Security.logout_url" config setting.
static string
lost_password_url()
Get the URL of the lost password page.
To update the lost password url use the "Security.lost_password_url" config setting.