class SecurityToken extends SS_Object implements TemplateGlobalProvider (View source)

Cross Site Request Forgery (CSRF) protection for the {@link Form} class and other GET links.

Can be used globally (through {@link SecurityToken::inst()}) or on a form-by-form basis {@link Form->getSecurityToken()}.

Usage in forms

This protective measure is automatically turned on for all new {@link Form} instances, and can be globally disabled through {@link disable()}.

Usage in custom controller actions

class MyController extends Controller { function mygetaction($request) { if(!SecurityToken::inst()->checkRequest($request)) return $this->httpError(400);

    // valid action logic ...
}

}

Properties

static private array $extensions

An array of extension names and parameters to be applied to this object upon construction.

from  SS_Object
string $class from  SS_Object

Methods

static Config_ForClass|null
config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

static SS_Object
create()

An implementation of the factory method, allows you to create an instance of a class

static SS_Object
singleton()

Creates a class instance by the "singleton" design pattern.

static 
create_from_string($classSpec, $firstArg = null)

Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().

static 
parse_class_spec($classSpec)

Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().

static SS_Object
strong_create()

Similar to {@link Object::create()}, except that classes are only overloaded if you set the $strong parameter to TRUE when using {@link Object::useCustomClass()}

static 
useCustomClass(string $oldClass, string $newClass, bool $strong = false)

This class allows you to overload classes with other classes when they are constructed using the factory method {@link Object::create()}

static string
getCustomClass(string $class)

If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name

static any
static_lookup($class, $name, null $default = null)

Get the value of a static property of a class, even in that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.

static 
get_static($class, $name, $uncached = false) deprecated

No description

static 
set_static($class, $name, $value) deprecated

No description

static 
uninherited_static($class, $name, $uncached = false) deprecated

No description

static 
combined_static($class, $name, $ceiling = false) deprecated

No description

static 
addStaticVars($class, $properties, $replace = false) deprecated

No description

static 
add_static_var($class, $name, $value, $replace = false) deprecated

No description

static 
has_extension(string $classOrExtension, string $requiredExtension = null, bool $strict = false)

Return TRUE if a class has a specified extension.

static 
add_extension(string $classOrExtension, string $extension = null)

Add an extension to a specific class.

static 
remove_extension(string $extension)

Remove an extension from a class.

static array
get_extensions(string $class, bool $includeArgumentString = false)

No description

static 
get_extra_config_sources($class = null)

No description

__construct($name = null)

No description

mixed
__call(string $method, array $arguments)

Attemps to locate and call a method dynamically added to a class at runtime if a default cannot be located

bool
hasMethod(string $method)

Return TRUE if a method exists on this object

array
allMethodNames(bool $custom = false)

Return the names of all the methods available on this object

stat($name, $uncached = false)

No description

set_stat($name, $value)

No description

uninherited($name)

No description

bool
exists()

Return true if this object "exists" i.e. has a sensible value

string
parentClass()

No description

bool
is_a(string $class)

Check if this class is an instance of a specific class, or has that class as one of its parents

string
__toString()

No description

mixed
invokeWithExtensions(string $method, mixed $argument = null)

Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array

array
extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed

getExtensionInstance(string $extension)

Get an extension instance attached to this object by name.

bool
hasExtension(string $extension)

Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.

array
getExtensionInstances()

Get all extension instances for this specific object instance.

mixed
cacheToFile(string $method, int $lifetime = 3600, string $ID = false, array $arguments = array())

Cache the results of an instance method in this object to a file, or if it is already cache return the cached results

clearCache($method, $ID = false, $arguments = array())

Clears the cache for the given cacheToFile call

static SecurityToken
inst()

Gets a global token (or creates one if it doesnt exist already).

static 
disable()

Globally disable the token (override with {@link NullSecurityToken}) implementation. Note: Does not apply for

static 
enable()

Globally enable tokens that have been previously disabled through {@link disable}.

static bool
is_enabled()

No description

static string
get_default_name()

No description

static int
getSecurityID()

Returns the value of an the global SecurityToken in the current session

string
setName($name)

No description

string
getName()

No description

string
getValue()

No description

setValue(string $val)

No description

reset()

Reset the token to a new value.

bool
check(string $compare)

Checks for an existing CSRF token in the current users session.

bool
checkRequest(SS_HTTPRequest $request)

See {@link check()}.

HiddenField|false
updateFieldSet(FieldList $fieldset)

Note: Doesn't call {@link FormField->setForm()} on the returned {@link HiddenField}, you'll need to take care of this yourself.

string
addToUrl(string $url)

No description

bool
isEnabled()

You can't disable an existing instance, it will need to be overwritten like this: $old = SecurityToken::inst(); // isEnabled() returns true SecurityToken::disable(); $new = SecurityToken::inst(); // isEnabled() returns false

static array
get_template_global_variables()

Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template

Details

static Config_ForClass|null config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

Return Value

Config_ForClass|null

static SS_Object create()

An implementation of the factory method, allows you to create an instance of a class

This method first for strong class overloads (singletons & DB interaction), then custom class overloads. If an overload is found, an instance of this is returned rather than the original class. To overload a class, use {@link Object::useCustomClass()}

This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create('SiteTree'); $list = SiteTree::get();

Return Value

SS_Object

static SS_Object singleton()

Creates a class instance by the "singleton" design pattern.

It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).

Return Value

SS_Object

The singleton instance

static create_from_string($classSpec, $firstArg = null)

Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().

Construction itself is done with Object::create(), so that Object::useCustomClass() calls are respected.

Object::create_from_string("Versioned('Stage','Live')") will return the result of Versioned::create('Stage', 'Live);

It is designed for simple, clonable objects. The first time this method is called for a given string it is cached, and clones of that object are returned.

If you pass the $firstArg argument, this will be prepended to the constructor arguments. It's impossible to pass null as the firstArg argument.

Object::create_from_string("Varchar(50)", "MyField") will return the result of Vachar::create('MyField', '50');

Arguments are always strings, although this is a quirk of the current implementation rather than something that can be relied upon.

Parameters

$classSpec
$firstArg

static parse_class_spec($classSpec)

Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().

Returns a 2-elemnent array, with classname and arguments

Parameters

$classSpec

static SS_Object strong_create()

Similar to {@link Object::create()}, except that classes are only overloaded if you set the $strong parameter to TRUE when using {@link Object::useCustomClass()}

Return Value

SS_Object

static useCustomClass(string $oldClass, string $newClass, bool $strong = false)

This class allows you to overload classes with other classes when they are constructed using the factory method {@link Object::create()}

Parameters

string $oldClass

the class to replace

string $newClass

the class to replace it with

bool $strong

allows you to enforce a certain class replacement under all circumstances. This is used in singletons and DB interaction classes

static string getCustomClass(string $class)

If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name

Parameters

string $class

the class to check

Return Value

string

the class that would be created if you called {@link Object::create()} with the class

static any static_lookup($class, $name, null $default = null)

Get the value of a static property of a class, even in that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.

Parameters

$class
  • The class to get the static from
$name
  • The property to get from the class
null $default
  • The value to return if property doesn't exist on class

Return Value

any
  • The value of the static property $name on class $class, or $default if that property is not defined

static get_static($class, $name, $uncached = false) deprecated

deprecated

Parameters

$class
$name
$uncached

static set_static($class, $name, $value) deprecated

deprecated

Parameters

$class
$name
$value

static uninherited_static($class, $name, $uncached = false) deprecated

deprecated

Parameters

$class
$name
$uncached

static combined_static($class, $name, $ceiling = false) deprecated

deprecated

Parameters

$class
$name
$ceiling

static addStaticVars($class, $properties, $replace = false) deprecated

deprecated

Parameters

$class
$properties
$replace

static add_static_var($class, $name, $value, $replace = false) deprecated

deprecated

Parameters

$class
$name
$value
$replace

static has_extension(string $classOrExtension, string $requiredExtension = null, bool $strict = false)

Return TRUE if a class has a specified extension.

This supports backwards-compatible format (static Object::has_extension($requiredExtension)) and new format ($object->has_extension($class, $requiredExtension))

Parameters

string $classOrExtension

if 1 argument supplied, the class name of the extension to check for; if 2 supplied, the class name to test

string $requiredExtension

used only if 2 arguments supplied

bool $strict

if the extension has to match the required extension and not be a subclass

static add_extension(string $classOrExtension, string $extension = null)

Add an extension to a specific class.

The preferred method for adding extensions is through YAML config, since it avoids autoloading the class, and is easier to override in more specific configurations.

As an alternative, extensions can be added to a specific class directly in the {@link Object::$extensions} array. See {@link SiteTree::$extensions} for examples. Keep in mind that the extension will only be applied to new instances, not existing ones (including all instances created through {@link singleton()}).

Parameters

string $classOrExtension

Class that should be extended - has to be a subclass of {@link Object}

string $extension

Subclass of {@link Extension} with optional parameters as a string, e.g. "Versioned" or "Translatable('Param')"

See also

http://doc.silverstripe.org/framework/en/trunk/reference/dataextension

static remove_extension(string $extension)

Remove an extension from a class.

Keep in mind that this won't revert any datamodel additions of the extension at runtime, unless its used before the schema building kicks in (in your _config.php). Doesn't remove the extension from any {@link Object} instances which are already created, but will have an effect on new extensions. Clears any previously created singletons through {@link singleton()} to avoid side-effects from stale extension information.

Parameters

string $extension

Classname of an {@link Extension} subclass, without parameters

static array get_extensions(string $class, bool $includeArgumentString = false)

Parameters

string $class
bool $includeArgumentString

Include the argument string in the return array, FALSE would return array("Versioned"), TRUE returns array("Versioned('Stage','Live')").

Return Value

array

Numeric array of either {@link DataExtension} classnames, or eval'ed classname strings with constructor arguments.

static get_extra_config_sources($class = null)

Parameters

$class

__construct($name = null)

Parameters

$name

mixed __call(string $method, array $arguments)

Attemps to locate and call a method dynamically added to a class at runtime if a default cannot be located

You can add extra methods to a class using {@link Extensions}, {@link Object::createMethod()} or {@link Object::addWrapperMethod()}

Parameters

string $method
array $arguments

Return Value

mixed

bool hasMethod(string $method)

Return TRUE if a method exists on this object

This should be used rather than PHP's inbuild method_exists() as it takes into account methods added via extensions

Parameters

string $method

Return Value

bool

array allMethodNames(bool $custom = false)

Return the names of all the methods available on this object

Parameters

bool $custom

include methods added dynamically at runtime

Return Value

array

stat($name, $uncached = false)

Parameters

$name
$uncached

See also

SS_Object::get_static

set_stat($name, $value)

Parameters

$name
$value

See also

SS_Object::set_static

uninherited($name)

Parameters

$name

See also

SS_Object::uninherited_static

bool exists()

Return true if this object "exists" i.e. has a sensible value

This method should be overriden in subclasses to provide more context about the classes state. For example, a {@link DataObject} class could return false when it is deleted from the database

Return Value

bool

string parentClass()

Return Value

string

this classes parent class

bool is_a(string $class)

Check if this class is an instance of a specific class, or has that class as one of its parents

Parameters

string $class

Return Value

bool

string __toString()

Return Value

string

the class name

mixed invokeWithExtensions(string $method, mixed $argument = null)

Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array

Parameters

string $method

the method name to call

mixed $argument

a single argument to pass

Return Value

mixed

array extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed

Currently returns an array, with an index resulting every time the function is called. Only adds returns if they're not NULL, to avoid bogus results from methods just defined on the parent extension. This is important for permission-checks through extend, as they use min() to determine if any of the returns is FALSE. As min() doesn't do type checking, an included NULL return would fail the permission checks.

The extension methods are defined during {@link __construct()} in {@link defineMethods()}.

Parameters

string $method

the name of the method to call on each extension

mixed $a1
mixed $a2
mixed $a3
mixed $a4
mixed $a5
mixed $a6
mixed $a7

Return Value

array

Extension getExtensionInstance(string $extension)

Get an extension instance attached to this object by name.

Parameters

string $extension

Return Value

Extension

bool hasExtension(string $extension)

Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.

Caution: Don't use singleton()->hasExtension() as it will give you inconsistent results based on when the singleton was first accessed.

Parameters

string $extension

Classname of an {@link Extension} subclass without parameters

Return Value

bool

array getExtensionInstances()

Get all extension instances for this specific object instance.

See {@link get_extensions()} to get all applied extension classes for this class (not the instance).

Return Value

array

Map of {@link DataExtension} instances, keyed by classname.

mixed cacheToFile(string $method, int $lifetime = 3600, string $ID = false, array $arguments = array())

Cache the results of an instance method in this object to a file, or if it is already cache return the cached results

Parameters

string $method

the method name to cache

int $lifetime

the cache lifetime in seconds

string $ID

custom cache ID to use

array $arguments

an optional array of arguments

Return Value

mixed

the cached data

clearCache($method, $ID = false, $arguments = array())

Clears the cache for the given cacheToFile call

Parameters

$method
$ID
$arguments

static SecurityToken inst()

Gets a global token (or creates one if it doesnt exist already).

Return Value

SecurityToken

static disable()

Globally disable the token (override with {@link NullSecurityToken}) implementation. Note: Does not apply for

static enable()

Globally enable tokens that have been previously disabled through {@link disable}.

static bool is_enabled()

Return Value

bool

static string get_default_name()

Return Value

string

static int getSecurityID()

Returns the value of an the global SecurityToken in the current session

Return Value

int

string setName($name)

Parameters

$name

Return Value

string

string getName()

Return Value

string

string getValue()

Return Value

string

setValue(string $val)

Parameters

string $val

reset()

Reset the token to a new value.

bool check(string $compare)

Checks for an existing CSRF token in the current users session.

This check is automatically performed in {@link Form->httpSubmission()} if a form has security tokens enabled. This direct check is mainly used for URL actions on {@link FormField} that are not routed through {@link Form->httpSubmission()}.

Typically you'll want to check {@link Form->securityTokenEnabled()} before calling this method.

Parameters

string $compare

Return Value

bool

bool checkRequest(SS_HTTPRequest $request)

See {@link check()}.

Parameters

SS_HTTPRequest $request

Return Value

bool

HiddenField|false updateFieldSet(FieldList $fieldset)

Note: Doesn't call {@link FormField->setForm()} on the returned {@link HiddenField}, you'll need to take care of this yourself.

Parameters

FieldList $fieldset

Return Value

HiddenField|false

string addToUrl(string $url)

Parameters

string $url

Return Value

string

bool isEnabled()

You can't disable an existing instance, it will need to be overwritten like this: $old = SecurityToken::inst(); // isEnabled() returns true SecurityToken::disable(); $new = SecurityToken::inst(); // isEnabled() returns false

Return Value

bool

static array get_template_global_variables()

Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template

If the method to call is not included for a particular template variable, a method named the same as the template variable will be called

If the casting class is not specified for a particular template variable, ViewableData::$default_cast is used

The first letter of the template variable is case-insensitive. However the method name is always case sensitive.

Return Value

array

Returns an array of items. Each key => value pair is one of three forms:

  • template name (no key)
  • template name => method name
  • template name => array(), where the array can contain these key => value pairs
    • "method" => method name
    • "casting" => casting class to use (i.e., Varchar, HTMLText, etc)