Security
class Security extends Controller implements TemplateGlobalProvider (View source)
Implements a basic security model
Traits
Allows an object to have extensions applied to it.
A class that can be instantiated or replaced via DI
Provides extensions to this object to integrate it with standard config API methods.
Allows an object to declare a set of custom methods
Config options
| extensions | array | An array of extension names and parameters to be applied to this object upon construction. |
from Extensible |
| unextendable_classes | array | Classes that cannot be extended |
from Extensible |
| casting | array | An array of objects to cast certain fields to. This is set up as an array in the format: |
from ViewableData |
| default_cast | string | The default object to cast scalar fields to if casting information is not specified, and casting to an object is required. |
from ViewableData |
| casting_cache | array | from ViewableData | |
| url_segment | string|null | Optional url_segment for this request handler |
from RequestHandler |
| url_handlers | array | Default URL handlers. |
from Controller |
| allowed_actions | |||
| strict_path_checking | bool | If set to TRUE to prevent sharing of the session across several sites in the domain. |
|
| password_encryption_algorithm | string | The password encryption algorithm to use by default. |
|
| autologin_enabled | bool | Showing "Remember me"-checkbox on loginform, and saving encrypted credentials to a cookie. |
|
| remember_username | bool | Determine if login username may be remembered between login sessions If set to false this will disable auto-complete and prevent username persisting in the session |
|
| word_list | string | Location of word list to use for generating passwords |
|
| template | string | ||
| template_main | string | Template that is used to render the pages. |
|
| page_class | string | Class to use for page rendering |
|
| default_message_set | array|string | Default message set used in permission failures. |
|
| login_url | string | The default login URL |
|
| logout_url | string | The default logout URL |
|
| lost_password_url | string | The default lost password URL |
|
| frame_options | string | Value of X-Frame-Options header |
|
| robots_tag | string | Value of the X-Robots-Tag header (for the Security section) |
|
| login_recording | bool | Enable or disable recording of login attempts through the LoginAttempt object. |
|
| default_login_dest | string | ||
| default_reset_password_dest | string |
Properties
| protected static | array | $extra_methods | Custom method sources |
from CustomMethods |
| protected | array | $extra_method_registers | Name of methods to invoke by defineMethods for this instance |
from CustomMethods |
| protected static | array | $built_in_methods | Non-custom methods |
from CustomMethods |
| protected | Extension[] | $extension_instances | from Extensible | |
| protected | callable[][] | $beforeExtendCallbacks | List of callbacks to call prior to extensions having extend called on them, each grouped by methodName. |
from Extensible |
| protected | callable[][] | $afterExtendCallbacks | List of callbacks to call after extensions having extend called on them, each grouped by methodName. |
from Extensible |
| protected | ViewableData | $failover | A failover object to attempt to get data from if it is not present on this object. |
from ViewableData |
| protected | ViewableData | $customisedObject | from ViewableData | |
| protected | HTTPRequest | $request | from RequestHandler | |
| protected | $model | The DataModel for this request |
from RequestHandler | |
| protected | bool | $brokenOnConstruct | This variable records whether RequestHandler::construct() was called or not. Useful for checking if subclasses have called parent::construct() |
from RequestHandler |
| protected | array | $urlParams | An array of arguments extracted from the URL. |
from Controller |
| protected | array | $requestParams | Contains all GET and POST parameters passed to the current HTTPRequest. |
from Controller |
| protected | string | $action | The URL part matched on the current controller as determined by the "$Action" part of the $url_handlers definition. Should correlate to a public method on this controller. |
from Controller |
| protected static | array | $controller_stack | Stack of current controllers. Controller::$controller_stack[0] is the current controller. |
from Controller |
| protected | array | $templates | Assign templates for this controller. |
from Controller |
| protected deprecated | bool | $basicAuthEnabled | from Controller | |
| protected | HTTPResponse | $response | The response object that the controller returns. |
from Controller |
| protected | bool | $baseInitCalled | from Controller | |
| protected static | bool | $force_database_is_ready | ||
| protected static | bool | $database_is_ready | When the database has once been verified as ready, it will not do the checks again. |
|
| protected static | Member | $currentUser | ||
| protected static | $ignore_disallowed_actions |
Methods
Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located
Adds any methods from Extension instances attached to this object.
Register an callback to invoke that defines extra methods
Return TRUE if a method exists on this object
Get meta-data details on a named method
Return the names of all the methods available on this object
Add all the methods from an object property (which is an Extension) to this object.
Add all the methods from an object property (which is an Extension) to this object.
Add a wrapper method - a method which points to another method with a different name. For example, Thumbnail(x) can be wrapped to generateThumbnail(x)
Add callback as a method.
Allows user code to hook into Object::extend prior to control being delegated to extensions. Each callback will be reset once called.
Allows user code to hook into Object::extend after control being delegated to extensions. Each callback will be reset once called.
Adds any methods from Extension instances attached to this object.
Add an extension to a specific class.
No description
Get extra config sources for this class
Return TRUE if a class has a specified extension.
Calls a method if available on both this object and all applied Extensions, and then attempts to merge all results into an array
Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed
Get an extension instance attached to this object by name.
Returns TRUE if this object instance has a specific extension applied in $extension_instances. Extension instances are initialized at constructor time, meaning if you use add_extension() afterwards, the added extension will just be added to new instances of the extended class. Use the static method has_extension() to check if a class (not an instance) has a specific extension.
Get all extension instances for this specific object instance.
An implementation of the factory method, allows you to create an instance of a class
Creates a class instance by the "singleton" design pattern.
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
Gets the uninherited value for the given config option
Check if a field exists on this object or its failover.
Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using ViewableData::getField(), then fall back on a failover object.
Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the ViewableData::setField() method.
Set a failover object to attempt to get data from if it is not present on this object.
Check if a field exists on this object. This should be overloaded in child classes.
Get the value of a field on this object. This should be overloaded in child classes.
Set a field on this object. This should be overloaded in child classes.
Merge some arbitrary data in with this object. This method returns a ViewableData_Customised instance with references to both this and the new custom data.
Return true if this object "exists" i.e. has a sensible value
Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object. This helper will be a subclass of DBField.
Get the class name a field on this object will be casted to.
Return the string-format type for the given field.
Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter:
- a template name (e.g. Page)
- an array of possible template names - the first valid one will be used
- an SSViewer instance
Generate the cache name for a field
Store a value in the field cache
Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.
A simple wrapper around ViewableData::obj() that automatically caches the result so it can be used again without re-running the method.
Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.
Get the string value of a field on this object that has been suitable escaped to be inserted directly into a template.
Get an array of XML-escaped values by field name
Return a single-item iterator so you can iterate over the fields of a single record.
Find appropriate templates for SSViewer to use to render this object
When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.
Get part of the current classes ancestry to be used as a CSS class.
Return debug information about this object that can be rendered into a template
Executes this controller, and return an HTTPResponse object with the result.
Controller's default action handler. It will call the method named in "$Action", if that method exists. If "$Action" isn't given, it will use "index" as a default.
Get a array of allowed actions defined on this controller, any parent classes or extensions.
Return the class that defines the given action, so that we know where to check allowed_actions.
Check that the given action is allowed to be called from a URL.
Throws a HTTP error response encased in a HTTPResponse_Exception, which is later caught in RequestHandler::handleAction() and returned to the user.
Typically the request is set through handleAction() or handleRequest(), but in some based we want to set it manually.
Safely get the value of the BackURL param, if provided via querystring / posted var
Redirect back. Uses either the HTTP-Referer or a manually set request-variable called "BackURL".
A stand in function to protect the init function from failing to be called as well as providing before and after hooks for the init function itself
Prepare the response (we can receive an assortment of response types (strings/objects/HTTPResponses) and changes the controller response object appropriately
Returns the parameters extracted from the URL by the Director.
Returns the HTTPResponse object that this controller is building up. Can be used to set the status code and headers.
Sets the HTTPResponse object that this controller is building up.
This is the default action handler used if a method doesn't exist. It will process the controller object with the template returned by getViewer().
Returns the action that is being executed on this controller.
Return the viewer identified being the default handler for this Controller/Action combination.
Removes all the "action" part of the current URL and returns the result. If no action parameter is present, returns the full URL.
Returns TRUE if this controller has a template that is specifically designed to handle a specific action.
Render the current controller with the templates determined by getViewer().
Call this to disable site-wide basic authentication for a specific controller. This must be called before Controller::init(). That is, you must call it in your controller's init method before it calls parent::init().
Tests whether we have a currently active controller or not. True if there is at least 1 controller in the stack.
Returns true if the member is allowed to do the given action. Defaults to the currently logged in user.
Pushes this controller onto the stack of current controllers. This means that any redirection, session setting, or other things that rely on Controller::curr() will now write to this controller object.
Tests whether a redirection has been requested. If redirect() has been called, it will return the URL redirected to. Otherwise, it will return null.
Joins two or more link segments together, putting a slash between them if necessary. Use this for building the results of Link() methods. If either of the links have query strings, then they will be combined and put at the end of the resulting url.
Get the selected authenticator for this request
Get all registered authenticators
Register that we've had a permission failure trying to view the given page
The intended uses of this function is to temporarily change the current user for things such as canView() checks or unit tests. It is stateless and will not persist between requests. Importantly it also will not call any logic that may be present in the current IdentityStore logIn() or logout() methods
This action is available as a keep alive, so user sessions don't timeout. A common use is in the admin.
Perform pre-login checking and prepare a response if available prior to login
Prepare the controller for handling the response to this request
Combine the given forms into a formset with a tabbed interface
Get the HTML Content for the $Content area during login
Set the next message to display for the security login page. Defaults to warning
Log the currently logged in user out
Get authenticators for the given service, optionally filtered by the ID parameter of the current request
Aggregate tabbed forms from each handler to fragments ready to be rendered.
We have three possible scenarios.
Delegate to a number of handlers and aggregate the results. This is used, for example, to build the log-in page where there are multiple authenticators active.
Delegate to another RequestHandler, rendering any fragment arrays into an appropriate.
Render the given fragments into a security page controller with the given title.
Create a link to the password reset form.
Determine the list of templates to use for rendering the given action.
Return an existing member with administrator privileges, or create one of necessary.
Checks if the passed credentials are matching the default-admin.
Encrypt a password according to the current password encryption settings.
Checks the database is in a state to perform security checks.
For the database_is_ready call to return a certain value - used for testing
Set to true to ignore access to disallowed actions, rather than returning permission failure Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions()
Details
mixed
__call(string $method, array $arguments)
Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located
You can add extra methods to a class using Extensions}, {@link Object::createMethod() or Object::addWrapperMethod()
protected
defineMethods()
Adds any methods from Extension instances attached to this object.
All these methods can then be called directly on the instance (transparently mapped through __call()}), or called explicitly through {@link extend().
protected
registerExtraMethodCallback(string $name, callable $callback)
Register an callback to invoke that defines extra methods
bool
hasMethod(string $method)
Return TRUE if a method exists on this object
This should be used rather than PHP's inbuild method_exists() as it takes into account methods added via extensions
protected array
getExtraMethodConfig(string $method)
Get meta-data details on a named method
array
allMethodNames(bool $custom = false)
Return the names of all the methods available on this object
protected array
findMethodsFromExtension(object $extension)
deprecated
deprecated
No description
protected
addMethodsFrom(string $property, string|int $index = null)
Add all the methods from an object property (which is an Extension) to this object.
protected
removeMethodsFrom(string $property, string|int $index = null)
Add all the methods from an object property (which is an Extension) to this object.
protected
addWrapperMethod(string $method, string $wrap)
Add a wrapper method - a method which points to another method with a different name. For example, Thumbnail(x) can be wrapped to generateThumbnail(x)
protected
addCallbackMethod(string $method, callable $callback)
Add callback as a method.
protected
beforeExtending(string $method, callable $callback)
Allows user code to hook into Object::extend prior to control being delegated to extensions. Each callback will be reset once called.
protected
afterExtending(string $method, callable $callback)
Allows user code to hook into Object::extend after control being delegated to extensions. Each callback will be reset once called.
protected
constructExtensions()
deprecated
deprecated
No description
protected
defineExtensionMethods()
Adds any methods from Extension instances attached to this object.
All these methods can then be called directly on the instance (transparently mapped through __call()}), or called explicitly through {@link extend().
static bool
add_extension(string $classOrExtension, string $extension = null)
Add an extension to a specific class.
The preferred method for adding extensions is through YAML config, since it avoids autoloading the class, and is easier to override in more specific configurations.
As an alternative, extensions can be added to a specific class directly in the Object::$extensions array. See SiteTree::$extensions for examples. Keep in mind that the extension will only be applied to new instances, not existing ones (including all instances created through singleton()).
static
remove_extension(string $extension)
Remove an extension from a class.
Note: This will not remove extensions from parent classes, and must be called directly on the class assigned the extension.
Keep in mind that this won't revert any datamodel additions of the extension at runtime, unless its used before the schema building kicks in (in your _config.php). Doesn't remove the extension from any Object instances which are already created, but will have an effect on new extensions. Clears any previously created singletons through singleton() to avoid side-effects from stale extension information.
static array
get_extensions(string $class = null, bool $includeArgumentString = false)
No description
static array|null
get_extra_config_sources(string $class = null)
Get extra config sources for this class
static bool
has_extension(string $classOrExtension, string $requiredExtension = null, bool $strict = false)
Return TRUE if a class has a specified extension.
This supports backwards-compatible format (static Object::has_extension($requiredExtension)) and new format ($object->has_extension($class, $requiredExtension))
array
invokeWithExtensions(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)
Calls a method if available on both this object and all applied Extensions, and then attempts to merge all results into an array
array
extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)
Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed
Currently returns an array, with an index resulting every time the function is called. Only adds returns if they're not NULL, to avoid bogus results from methods just defined on the parent extension. This is important for permission-checks through extend, as they use min() to determine if any of the returns is FALSE. As min() doesn't do type checking, an included NULL return would fail the permission checks.
The extension methods are defined during __construct()} in {@link defineMethods().
Extension|null
getExtensionInstance(string $extension)
Get an extension instance attached to this object by name.
bool
hasExtension(string $extension)
Returns TRUE if this object instance has a specific extension applied in $extension_instances. Extension instances are initialized at constructor time, meaning if you use add_extension() afterwards, the added extension will just be added to new instances of the extended class. Use the static method has_extension() to check if a class (not an instance) has a specific extension.
Caution: Don't use singleton(
Extension[]
getExtensionInstances()
Get all extension instances for this specific object instance.
See get_extensions() to get all applied extension classes for this class (not the instance).
This method also provides lazy-population of the extension_instances property.
static Injectable
create(mixed ...$args)
An implementation of the factory method, allows you to create an instance of a class
This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create(SiteTree::class); $list = SiteTree::get();
static Injectable
singleton(string $class = null)
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
static Config_ForClass
config()
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
mixed
stat(string $name)
deprecated
deprecated
Get inherited config value
mixed
uninherited(string $name)
Gets the uninherited value for the given config option
$this
set_stat(string $name, mixed $value)
deprecated
deprecated
Update the config value for a given property
__construct()
No description
bool
__isset(string $property)
Check if a field exists on this object or its failover.
Note that, unlike the core isset() implementation, this will return true if the property is defined and set to null.
mixed
__get(string $property)
Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using ViewableData::getField(), then fall back on a failover object.
__set(string $property, mixed $value)
Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the ViewableData::setField() method.
setFailover(ViewableData $failover)
Set a failover object to attempt to get data from if it is not present on this object.
ViewableData|null
getFailover()
Get the current failover object if set
bool
hasField(string $field)
Check if a field exists on this object. This should be overloaded in child classes.
mixed
getField(string $field)
Get the value of a field on this object. This should be overloaded in child classes.
$this
setField(string $field, mixed $value)
Set a field on this object. This should be overloaded in child classes.
ViewableData_Customised
customise(array|ViewableData $data)
Merge some arbitrary data in with this object. This method returns a ViewableData_Customised instance with references to both this and the new custom data.
Note that any fields you specify will take precedence over the fields on this object.
bool
exists()
Return true if this object "exists" i.e. has a sensible value
This method should be overridden in subclasses to provide more context about the classes state. For example, a DataObject class could return false when it is deleted from the database
string
__toString()
No description
ViewableData
getCustomisedObj()
No description
setCustomisedObj(ViewableData $object)
No description
string
castingHelper(string $field)
Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object. This helper will be a subclass of DBField.
string
castingClass(string $field)
Get the class name a field on this object will be casted to.
string
escapeTypeForField(string $field)
Return the string-format type for the given field.
DBHTMLText
renderWith(string|array|SSViewer $template, array $customFields = null)
Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter:
- a template name (e.g. Page)
- an array of possible template names - the first valid one will be used
- an SSViewer instance
protected string
objCacheName(string $fieldName, array $arguments)
Generate the cache name for a field
protected mixed
objCacheGet(string $key)
Get a cached value from the field cache
protected $this
objCacheSet(string $key, mixed $value)
Store a value in the field cache
protected $this
objCacheClear()
Clear object cache
object|DBField
obj(string $fieldName, array $arguments = [], bool $cache = false, string $cacheName = null)
Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.
object|DBField
cachedCall(string $field, array $arguments = [], string $identifier = null)
A simple wrapper around ViewableData::obj() that automatically caches the result so it can be used again without re-running the method.
bool
hasValue(string $field, array $arguments = [], bool $cache = true)
Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.
string
XML_val(string $field, array $arguments = [], bool $cache = false)
Get the string value of a field on this object that has been suitable escaped to be inserted directly into a template.
array
getXMLValues(array $fields)
Get an array of XML-escaped values by field name
ArrayIterator
getIterator()
Return a single-item iterator so you can iterate over the fields of a single record.
This is useful so you can use a single record inside a <% control %> block in a template - and then use to access individual fields on this object.
array
getViewerTemplates(string $suffix = '')
Find appropriate templates for SSViewer to use to render this object
ViewableData
Me()
When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.
string
ThemeDir()
deprecated
deprecated
Return the directory if the current active theme (relative to the site root).
This method is useful for things such as accessing theme images from your template without hardcoding the theme
page - e.g. 
.
This method should only be used when a theme is currently active. However, it will fall over to the current project directory.
string
CSSClasses(string $stopAtClass = self::class)
Get part of the current classes ancestry to be used as a CSS class.
This method returns an escaped string of CSS classes representing the current classes ancestry until it hits a stop point - e.g. "Page DataObject ViewableData".
ViewableData_Debugger
Debug()
Return debug information about this object that can be rendered into a template
HTTPResponse|RequestHandler|string|array
handleRequest(HTTPRequest $request)
Executes this controller, and return an HTTPResponse object with the result.
This method defers to RequestHandler->handleRequest() to determine which action should be executed
Note: You should rarely need to overload handleRequest() - this kind of change is only really appropriate for things like nested controllers - ModelAsController} and {@link RootURLController are two examples here. If you want to make more orthodox functionality, it's better to overload init()} or {@link index().
Important: If you are going to overload handleRequest, make sure that you start the method with $this->beforeHandleRequest() and end the method with $this->afterHandleRequest()
protected array
findAction(HTTPRequest $request)
No description
protected string
addBackURLParam(string $link)
No description
protected HTTPResponse
handleAction($request, $action)
Controller's default action handler. It will call the method named in "$Action", if that method exists. If "$Action" isn't given, it will use "index" as a default.
array|null
allowedActions(string $limitToClass = null)
Get a array of allowed actions defined on this controller, any parent classes or extensions.
Caution: Since 3.1, allowed_actions definitions only apply to methods on the controller they're defined on, so it is recommended to use the $class argument when invoking this method.
bool
hasAction(string $action)
No description
protected string
definingClassForAction(string $action)
Return the class that defines the given action, so that we know where to check allowed_actions.
Overrides RequestHandler to also look at defined templates.
bool
checkAccessAction(string $action)
Check that the given action is allowed to be called from a URL.
It will interrogate self::$allowed_actions to determine this.
httpError(int $errorCode, string $errorMessage = null)
Throws a HTTP error response encased in a HTTPResponse_Exception, which is later caught in RequestHandler::handleAction() and returned to the user.
HTTPRequest
getRequest()
Returns the HTTPRequest object that this controller is using.
Returns a placeholder NullHTTPRequest object unless handleAction()} or {@link handleRequest() have been called, which adds a reference to an actual HTTPRequest object.
$this
setRequest(HTTPRequest $request)
Typically the request is set through handleAction() or handleRequest(), but in some based we want to set it manually.
string
Link(string $action = null)
Get a link to a security action
HTTPResponse
redirect(string $url, int $code = 302)
Redirect to the given URL.
string
getBackURL()
Safely get the value of the BackURL param, if provided via querystring / posted var
string
getReferer()
Get referer
HTTPResponse
redirectBack()
Redirect back. Uses either the HTTP-Referer or a manually set request-variable called "BackURL".
This variable is needed in scenarios where HTTP-Referer is not sent (e.g when calling a page by location.href in IE). If none of the two variables is available, it will redirect to the base URL (see Director::baseURL()).
protected
init()
Initialisation function that is run before any action on the controller is called.
doInit()
A stand in function to protect the init function from failing to be called as well as providing before and after hooks for the init function itself
This should be called on all controllers before handling requests
protected
beforeHandleRequest(HTTPRequest $request)
A bootstrap for the handleRequest method
protected
afterHandleRequest()
Cleanup for the handleRequest method
protected
prepareResponse(HTTPResponse|object $response)
Prepare the response (we can receive an assortment of response types (strings/objects/HTTPResponses) and changes the controller response object appropriately
$this
setURLParams(array $urlParams)
No description
array
getURLParams()
Returns the parameters extracted from the URL by the Director.
HTTPResponse
getResponse()
Returns the HTTPResponse object that this controller is building up. Can be used to set the status code and headers.
$this
setResponse(HTTPResponse $response)
Sets the HTTPResponse object that this controller is building up.
DBHTMLText
defaultAction(string $action)
This is the default action handler used if a method doesn't exist. It will process the controller object with the template returned by getViewer().
string
getAction()
Returns the action that is being executed on this controller.
SSViewer
getViewer(string $action)
Return the viewer identified being the default handler for this Controller/Action combination.
string
removeAction(string $fullURL, null|string $action = null)
Removes all the "action" part of the current URL and returns the result. If no action parameter is present, returns the full URL.
bool
hasActionTemplate(string $action)
Returns TRUE if this controller has a template that is specifically designed to handle a specific action.
string
render(array $params = null)
Render the current controller with the templates determined by getViewer().
disableBasicAuth()
deprecated
deprecated
Call this to disable site-wide basic authentication for a specific controller. This must be called before Controller::init(). That is, you must call it in your controller's init method before it calls parent::init().
static Controller
curr()
Returns the current controller.
static bool
has_curr()
Tests whether we have a currently active controller or not. True if there is at least 1 controller in the stack.
bool
can(string $perm, null|member $member = null)
Returns true if the member is allowed to do the given action. Defaults to the currently logged in user.
pushCurrent()
Pushes this controller onto the stack of current controllers. This means that any redirection, session setting, or other things that rely on Controller::curr() will now write to this controller object.
Note: Ensure this controller is assigned a request with a valid session before pushing it to the stack.
popCurrent()
Pop this controller off the top of the stack.
null|string
redirectedTo()
Tests whether a redirection has been requested. If redirect() has been called, it will return the URL redirected to. Otherwise, it will return null.
static string
join_links(string|array $arg = null)
Joins two or more link segments together, putting a slash between them if necessary. Use this for building the results of Link() methods. If either of the links have query strings, then they will be combined and put at the end of the resulting url.
Caution: All parameters are expected to be URI-encoded already.
static array
get_template_global_variables()
Defines global accessible templates variables.
Authenticator[]
getAuthenticators()
No description
setAuthenticators(array $authenticators)
No description
index()
No description
protected Authenticator
getAuthenticator(string $name = 'default')
Get the selected authenticator for this request
Authenticator[]
getApplicableAuthenticators(int $service = Authenticator::LOGIN)
Get all registered authenticators
bool
hasAuthenticator(string $authenticator)
Check if a given authenticator is registered
static HTTPResponse
permissionFailure(Controller $controller = null, string|array $messageSet = null)
Register that we've had a permission failure trying to view the given page
This will redirect to a login page. If you don't provide a messageSet, a default will be used.
static
setCurrentUser(null|Member $currentUser = null)
The intended uses of this function is to temporarily change the current user for things such as canView() checks or unit tests. It is stateless and will not persist between requests. Importantly it also will not call any logic that may be present in the current IdentityStore logIn() or logout() methods
If you are unit testing and calling FunctionalTest::get() or FunctionalTest::post() and you need to change the current user, you should instead use SapphireTest::logInAs() / logOut() which itself will call Injector::inst()->get(IdentityStore::class)->logIn($member) / logout()
static null|Member
getCurrentUser()
No description
array
getLoginForms()
deprecated
deprecated
Get the login forms for all available authentication methods
ping()
This action is available as a keep alive, so user sessions don't timeout. A common use is in the admin.
protected HTTPResponse
preLogin()
Perform pre-login checking and prepare a response if available prior to login
protected Controller
getResponseController(string $title)
Prepare the controller for handling the response to this request
protected string
generateTabbedFormSet(array|Form[] $forms)
Combine the given forms into a formset with a tabbed interface
protected string
getSessionMessage(string $messageType = null)
Get the HTML Content for the $Content area during login
setSessionMessage(string $message, string $messageType = ValidationResult::TYPE_WARNING, string $messageCast = ValidationResult::CAST_TEXT)
Set the next message to display for the security login page. Defaults to warning
static
clearSessionMessage()
Clear login message
HTTPResponse|string
login(null|HTTPRequest $request = null, int $service = Authenticator::LOGIN)
Show the "login" page
For multiple authenticators, Security_MultiAuthenticatorLogin is used. See getTemplatesFor and getIncludeTemplate for how to override template logic
HTTPResponse|string
logout(null|HTTPRequest $request = null, int $service = Authenticator::LOGOUT)
Log the currently logged in user out
Logging out without ID-parameter in the URL, will log the user out of all applicable Authenticators.
Adding an ID will only log the user out of that Authentication method.
protected array|Authenticator[]
getServiceAuthenticatorsFromRequest(int $service, HTTPRequest $request)
Get authenticators for the given service, optionally filtered by the ID parameter of the current request
protected array
aggregateTabbedForms(array $results)
Aggregate tabbed forms from each handler to fragments ready to be rendered.
protected array|HTTPResponse
aggregateAuthenticatorResponses(array $results)
We have three possible scenarios.
We get back Content (e.g. Password Reset) We get back a Form (no token set for logout) We get back a HTTPResponse, telling us to redirect. Return the first one, which is the default response, as that covers all required scenarios
protected array|HTTPResponse|RequestHandler|DBHTMLText|string
delegateToMultipleHandlers(array $handlers, string $title, array $templates, callable $aggregator)
Delegate to a number of handlers and aggregate the results. This is used, for example, to build the log-in page where there are multiple authenticators active.
If a single handler is passed, delegateToHandler() will be called instead
protected array|HTTPResponse|RequestHandler|DBHTMLText|string
delegateToHandler(RequestHandler $handler, string $title, array $templates = [])
Delegate to another RequestHandler, rendering any fragment arrays into an appropriate.
controller.
protected HTTPResponse|DBHTMLText
renderWrappedController(string $title, array $fragments, array $templates)
Render the given fragments into a security page controller with the given title.
basicauthlogin()
No description
string
lostpassword()
Show the "lost password" page
string|HTTPRequest
changepassword()
Show the "change password" page.
This page can either be called directly by logged-in users (in which case they need to provide their old password), or through a link emailed through lostpassword(). In this case no old password is required, authentication is ensured through the Member.AutoLoginHash property.
static string
getPasswordResetLink(Member $member, string $autologinToken)
Create a link to the password reset form.
GET parameters used:
- m: member ID
- t: plaintext token
array
getTemplatesFor(string $action)
Determine the list of templates to use for rendering the given action.
static Member
findAnAdministrator()
deprecated
deprecated
Return an existing member with administrator privileges, or create one of necessary.
Will create a default 'Administrators' group if no group is found with an ADMIN permission. Will create a new 'Admin' member with administrative permissions if no existing Member with these permissions is found.
Important: Any newly created administrator accounts will NOT have valid login credentials (Email/Password properties), which means they can't be used for login purposes outside of any default credentials set through Security::setDefaultAdmin().
static
clear_default_admin()
deprecated
deprecated
Flush the default admin credentials
static bool
setDefaultAdmin(string $username, string $password)
deprecated
deprecated
Set a default admin in dev-mode
This will set a static default-admin which is not existing as a database-record. By this workaround we can test pages in dev-mode with a unified login. Submitted login-credentials are first checked against this static information in Security::authenticate().
static bool
check_default_admin(string $username, string $password)
deprecated
deprecated
Checks if the passed credentials are matching the default-admin.
Compares cleartext-password set through Security::setDefaultAdmin().
static
has_default_admin()
deprecated
deprecated
Check that the default admin account has been set.
static string
default_admin_username()
deprecated
deprecated
Get default admin username
static string
default_admin_password()
deprecated
deprecated
Get default admin password
static mixed
encrypt_password(string $password, string $salt = null, string $algorithm = null, Member $member = null)
Encrypt a password according to the current password encryption settings.
If the settings are so that passwords shouldn't be encrypted, the result is simple the clear text password with an empty salt except when a custom algorithm ($algorithm parameter) was passed.
static bool
database_is_ready()
Checks the database is in a state to perform security checks.
See DatabaseAdmin->init() for more information.
static
clear_database_is_ready()
Resets the database_is_ready cache
static
force_database_is_ready(bool $isReady)
For the database_is_ready call to return a certain value - used for testing
static
set_ignore_disallowed_actions(bool $flag)
Set to true to ignore access to disallowed actions, rather than returning permission failure Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions()
static
ignore_disallowed_actions()
No description
static string
login_url()
Get the URL of the log-in page.
To update the login url use the "Security.login_url" config setting.
static string
logout_url()
Get the URL of the logout page.
To update the logout url use the "Security.logout_url" config setting.
static string
lost_password_url()
Get the URL of the logout page.
To update the logout url use the "Security.logout_url" config setting.