Security
class Security extends Controller implements TemplateGlobalProvider
Implements a basic security model
Config options

Name | Type | Description
strict_path_checking | bool | If set to TRUE, prevents sharing of the session across several sites in the domain.
password_encryption_algorithm | string | The password encryption algorithm to use by default.
autologin_enabled | bool | Show a "Remember me" checkbox on the login form and save encrypted credentials to a cookie.
remember_username | bool | Determine whether the login username may be remembered between login sessions. If set to false, this disables autocomplete and prevents the username persisting in the session.
word_list | string | Location of the word list to use for generating passwords.
template | string |
template_main | string | Template that's used to render the pages.
default_message_set | array|string | Default message set used in permission failures.
token | string | Random secure token, can be used as a crypto key internally.
login_url | string | The default login URL.
logout_url | string | The default logout URL.
lost_password_url | string | The default lost password URL.
frame_options | string | Value of the X-Frame-Options header.
robots_tag | string | Value of the X-Robots-Tag header (for the Security section).
login_recording | boolean | Enable or disable recording of login attempts through the {@link LoginRecord} object.
default_login_dest | string |
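As an added example (not from this page or the SilverStripe source), the settings above applied from a project's own `_config.php` with `Config::inst()->update()`, choosing the values a hardened install would use. It assumes SilverStripe 3.x; the `'blowfish'` algorithm name and the `DEV_ADMIN_USER` / `DEV_ADMIN_PASS` environment variable names are assumptions of the example.

```php
<?php
// mysite/_config.php: added example, not part of the SilverStripe framework.
// Assumes SilverStripe 3.x, where Config::inst()->update() sets a config
// value for a class at runtime.

// Keep the /Security/* pages out of frames and out of search engines.
Config::inst()->update('Security', 'frame_options', 'DENY');
Config::inst()->update('Security', 'robots_tag', 'noindex, nofollow');

// Record every login attempt so brute-force activity is visible afterwards.
Config::inst()->update('Security', 'login_recording', true);

// Do not remember usernames or issue "Remember me" cookies; both leave
// credentials behind on shared machines.
Config::inst()->update('Security', 'remember_username', false);
Config::inst()->update('Security', 'autologin_enabled', false);

// Bind the session to this site's path instead of the whole domain.
Config::inst()->update('Security', 'strict_path_checking', true);

// Pin the password hashing algorithm explicitly rather than relying on
// whatever the default happens to be. 'blowfish' (assumption: the name under
// which the bcrypt-based PasswordEncryptor is registered in your config).
Security::set_password_encryption_algorithm('blowfish');

// A default admin is a shared credential. Only create it on developer
// machines, never on live hosts, and take it from the environment rather
// than committing it (variable names are the example's own).
if (Director::isDev() && getenv('DEV_ADMIN_USER') && getenv('DEV_ADMIN_PASS')) {
    Security::setDefaultAdmin(getenv('DEV_ADMIN_USER'), getenv('DEV_ADMIN_PASS'));
}
```

The `Director::isDev()` guard is the important line: `setDefaultAdmin()` bypasses the Member table entirely, so a default admin left enabled on a live host is a permanent backdoor with a password that lives in config.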
Properties

Type | Name | Description
string | $class | from SS_Object
static boolean | $force_database_is_ready |
static bool | $database_is_ready | When the database has once been verified as ready, it will not do the checks again.
Methods
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, ...).
An implementation of the factory method, allows you to create an instance of a class
Creates a class instance by the "singleton" design pattern.
Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().
Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().
Similar to {@link Object::create()}, except that classes are only overloaded if you set the $strong parameter to TRUE when using {@link Object::useCustomClass()}
This class allows you to overload classes with other classes when they are constructed using the factory method {@link Object::create()}
If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name
Get the value of a static property of a class, even if that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.
Return TRUE if a class has a specified extension.
Add an extension to a specific class.
No description
Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located
Return the names of all the methods available on this object
Check if this class is an instance of a specific class, or has that class as one of its parents
Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array
Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed
Get an extension instance attached to this object by name.
Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.
Get all extension instances for this specific object instance.
Cache the results of an instance method in this object to a file, or if it is already cached return the cached results
Clears the cache for the given cacheToFile call
Converts a field spec into an object creator. For example: "Int" becomes "new Int($fieldName);" and "Varchar(50)" becomes "new Varchar($fieldName, 50);".
Convert a field schema (e.g. "Varchar(50)") into a casting object creator array that contains both a className and castingHelper constructor code. See {@link castingObjectCreator} for more information about the constructor.
Check if a field exists on this object or its failover.
Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using {@link ViewableData::getField()}, then fall back on a failover object.
Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the {@link ViewableData::setField()} method.
Set a failover object to attempt to get data from if it is not present on this object.
Check if a field exists on this object. This should be overloaded in child classes.
Get the value of a field on this object. This should be overloaded in child classes.
Set a field on this object. This should be overloaded in child classes.
Add methods from the {@link ViewableData::$failover} object, as well as wrapping any methods prefixed with an underscore into a {@link ViewableData::cachedCall()}.
Method to facilitate deprecation of underscore-prefixed methods automatically being cached.
Merge some arbitrary data in with this object. This method returns a {@link ViewableData_Customised} instance with references to both this and the new custom data.
Get the class a field on this object would be casted to, as well as the casting helper for casting a field to an object (see {@link ViewableData::castingHelper()} for information on casting helpers).
Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object.
Get the class name a field on this object will be casted to
Return the string-format type for the given field.
Save the casting cache for this object (including data from any failovers) into a variable
Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter: - a template name (e.g. Page) - an array of possible template names - the first valid one will be used - an SSViewer instance
Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.
A simple wrapper around {@link ViewableData::obj()} that automatically caches the result so it can be used again without re-running the method.
Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.
Get the string value of a field on this object that has been suitably escaped to be inserted directly into a template.
Return the value of the field without any escaping being applied.
Return the value of a field in an SQL-safe format.
Return the value of a field in a JavaScript-safe format.
Return the value of a field suitably escaped to be inserted into an XML node attribute.
Return a single-item iterator so you can iterate over the fields of a single record.
When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.
Return the directory of the current active theme (relative to the site root).
Get part of the current classes ancestry to be used as a CSS class.
Return debug information about this object that can be rendered into a template
Executes this controller, and return an {@link SS_HTTPResponse} object with the result.
Get an array of allowed actions defined on this controller, any parent classes or extensions.
Checks if this request handler has a specific action, even if the current user cannot access it.
Check that the given action is allowed to be called from a URL.
Throws a HTTP error response encased in a {@link SS_HTTPResponse_Exception}, which is later caught in {@link RequestHandler::handleAction()} and returned to the user.
Returns the SS_HTTPRequest object that this controller is using.
Typically the request is set through {@link handleAction()} or {@link handleRequest()}, but in some cases we want to set it manually.
Get a link to a security action
Initialisation function that is run before any action on the controller is called.
Returns the SS_HTTPResponse object that this controller is building up.
Sets the SS_HTTPResponse object that this controller is building up.
Return the object that is going to own a form that's being processed, and handle its execution.
This is the default action handler used if a method doesn't exist.
Removes all the "action" part of the current URL and returns the result.
Returns TRUE if this controller has a template that is specifically designed to handle a specific action.
Render the current controller with the templates determined by {@link getViewer()}.
Call this to disable site-wide basic authentication for a specific controller.
Tests whether we have a currently active controller or not
Returns true if the member is allowed to do the given action.
Redirect back. Uses either the HTTP_REFERER or a manually set request-variable called "BackURL".
Joins two or more link segments together, putting a slash between them if necessary.
Defines global accessible templates variables.
Set the default message set used in permissions failures.
Register that we've had a permission failure trying to view the given page
No description
Get the login forms for all available authentication methods
This action is available as a keep alive, so user sessions don't timeout. A common use is in the admin.
Log the currently logged in user out
Determine the list of templates to use for rendering the given action
Show the "login" page
No description
Show the "lost password" page
Factory method for the lost password form
Show the "password sent" page, after a user has requested to reset their password.
Create a link to the password reset form.
Show the "change password" page.
Factory method for the lost password form
Gets the template for an include used for security.
Return an existing member with administrator privileges, or create one if necessary.
Flush the default admin credentials
Set a default admin in dev-mode
Checks if the passed credentials are matching the default-admin.
Check that the default admin account has been set.
Get default admin username
Get default admin password
Set the password encryption algorithm
Encrypt a password according to the current password encryption settings.
Checks the database is in a state to perform security checks.
Enable or disable recording of login attempts through the {@link LoginRecord} object.
Set to true to ignore access to disallowed actions, rather than returning a permission failure. Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions()
No description
Get the URL of the log-in page.
Get the URL of the logout page.
Get the URL of the lost password page.
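The password methods in the list above (set the algorithm, encrypt a password) are the pieces a login flow needs; the following added example (not code from this page or the framework) shows how they fit together for hashing a new password, verifying an attempt, and migrating an old hash on a successful login. It assumes SilverStripe 3.1+, where `Security::encrypt_password()` returns the keys `password`, `salt`, `algorithm` and `encryptor`, and `PasswordEncryptor::check()` does the comparison; the helper function names are the example's own.

```php
<?php
// Added example, not SilverStripe's own code. Assumes SilverStripe 3.1+:
// Security::encrypt_password() returns array('password', 'salt', 'algorithm',
// 'encryptor') and PasswordEncryptor::check() compares a hash with a
// plaintext. Helper names below are the example's own.

/**
 * Hash a newly chosen password. All three values must be stored with the
 * account; the salt and algorithm are needed to verify the password later.
 */
function hash_new_password($plaintext) {
    // No salt passed: encrypt_password() generates a fresh one per password,
    // so two users with the same password get different hashes.
    $result = Security::encrypt_password($plaintext);
    return array(
        'hash'      => $result['password'],
        'salt'      => $result['salt'],
        'algorithm' => $result['algorithm'],
    );
}

/**
 * Verify a login attempt. The encryptor is chosen from the algorithm stored
 * with the record, not the current default, so changing the site-wide
 * algorithm later does not lock existing users out.
 */
function verify_password($plaintext, array $stored) {
    $encryptor = PasswordEncryptor::create_for_algorithm($stored['algorithm']);
    return $encryptor->check($stored['hash'], $plaintext, $stored['salt']);
}

/**
 * Whether the stored hash was produced with an algorithm other than the one
 * currently configured as the default.
 */
function needs_rehash(array $stored) {
    return $stored['algorithm'] !== Security::config()->password_encryption_algorithm;
}

/**
 * Check the attempt and, if it succeeds, return the record to store: either
 * the unchanged one or a fresh hash under the current algorithm. Login is the
 * only moment the plaintext is available, so legacy hashes migrate here.
 * Returns null on failure without saying which part failed.
 */
function login_and_migrate($plaintext, array $stored) {
    if (!verify_password($plaintext, $stored)) {
        return null;
    }
    return needs_rehash($stored) ? hash_new_password($plaintext) : $stored;
}
```

Note that `verify_password()` never recomputes the hash itself and compares strings; it delegates to the encryptor's `check()`, which is where any constant-time comparison belongs.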
Details
in SS_Object at line 60
static Config_ForClass|null
config()
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, ...).
in SS_Object at line 132
static SS_Object
create()
An implementation of the factory method, allows you to create an instance of a class
This method first checks for strong class overloads (singletons & DB interaction), then custom class overloads. If an overload is found, an instance of this is returned rather than the original class. To overload a class, use {@link Object::useCustomClass()}
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create('SiteTree'); $list = SiteTree::get();
in SS_Object at line 155
static SS_Object
singleton()
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
in SS_Object at line 190
static
create_from_string($classSpec, $firstArg = null)
Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().
Construction itself is done with Object::create(), so that Object::useCustomClass() calls are respected.
Object::create_from_string("Versioned('Stage','Live')")
will return the result of
Versioned::create('Stage', 'Live');
It is designed for simple, clonable objects. The first time this method is called for a given string it is cached, and clones of that object are returned.
If you pass the $firstArg argument, this will be prepended to the constructor arguments. It's impossible to pass null as the firstArg argument.
Object::create_from_string("Varchar(50)", "MyField")
will return the result of
Varchar::create('MyField', '50');
Arguments are always strings, although this is a quirk of the current implementation rather than something that can be relied upon.
in SS_Object at line 215
static
parse_class_spec($classSpec)
Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().
Returns a 2-element array, with classname and arguments
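The point of `create_from_string()` and `parse_class_spec()` is to turn a spec string into an object without `eval()`. As an added example (not the framework's own parser), the following uses PHP's tokenizer to accept exactly the grammar described above, a class name followed by an optional parenthesised list of string or number literals, and rejects anything else, so a spec that arrives from YAML config can never run code. Function names are the example's own; negative numbers and namespaced class names are deliberately not supported.

```php
<?php
// Added example, not SilverStripe's parse_class_spec(). Parses specs such as
// "Int", "Varchar(50)" or "Versioned('Stage','Live')" with token_get_all()
// instead of eval(), accepting only ClassName( literal, literal, ... ).

function parse_simple_class_spec($spec) {
    $tokens = token_get_all('<?php ' . $spec);
    array_shift($tokens);                       // drop the T_OPEN_TAG we added
    $tokens = array_values(array_filter($tokens, function ($t) {
        return !(is_array($t) && $t[0] === T_WHITESPACE);
    }));
    $n = count($tokens);

    if ($n === 0 || !is_array($tokens[0]) || $tokens[0][0] !== T_STRING) {
        throw new InvalidArgumentException("Spec must start with a class name: $spec");
    }
    $class = $tokens[0][1];
    if ($n === 1) {
        return array($class, array());          // e.g. "Int"
    }
    if ($tokens[1] !== '(' || $tokens[$n - 1] !== ')') {
        throw new InvalidArgumentException("Expected ClassName(...) in: $spec");
    }

    // Between the parentheses: literal ("," literal)*
    $args = array();
    $expectLiteral = true;
    for ($i = 2; $i < $n - 1; $i++) {
        if ($expectLiteral) {
            $args[] = spec_literal($tokens[$i], $spec);
        } elseif ($tokens[$i] !== ',') {
            throw new InvalidArgumentException("Expected ',' in: $spec");
        }
        $expectLiteral = !$expectLiteral;
    }
    if ($expectLiteral && $args) {
        throw new InvalidArgumentException("Trailing comma in: $spec");
    }
    return array($class, $args);
}

// Accept only string and number literals, which keeps every argument a
// string (the quirk noted above). Variables, constants, nested calls and
// operators are rejected rather than evaluated.
function spec_literal($t, $spec) {
    if (is_array($t)) {
        switch ($t[0]) {
            case T_CONSTANT_ENCAPSED_STRING:
                $body = substr($t[1], 1, -1);
                return $t[1][0] === "'"
                    ? str_replace(array("\\'", "\\\\"), array("'", "\\"), $body)
                    : stripcslashes($body);
            case T_LNUMBER:
            case T_DNUMBER:
                return $t[1];
        }
    }
    $shown = is_array($t) ? token_name($t[0]) : $t;
    throw new InvalidArgumentException("Only string or number literals allowed, got $shown in: $spec");
}

// Even with no code evaluated, only construct classes the caller expects.
function create_from_simple_spec($spec, array $allowedClasses) {
    list($class, $args) = parse_simple_class_spec($spec);
    if (!in_array($class, $allowedClasses, true)) {
        throw new InvalidArgumentException("Class $class is not allowed for spec: $spec");
    }
    $reflection = new ReflectionClass($class);
    return $reflection->newInstanceArgs($args);
}
```

`parse_simple_class_spec("Versioned('Stage','Live')")` yields `array('Versioned', array('Stage', 'Live'))`, and `"Varchar(50)"` yields `array('Varchar', array('50'))` with the number still a string. A spec like `"Foo(bar())"` or `"Foo::bar"` throws rather than being interpreted.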
in SS_Object at line 341
static SS_Object
strong_create()
Similar to {@link Object::create()}, except that classes are only overloaded if you set the $strong parameter to TRUE when using {@link Object::useCustomClass()}
in SS_Object at line 361
static
useCustomClass(string $oldClass, string $newClass, bool $strong = false)
This class allows you to overload classes with other classes when they are constructed using the factory method {@link Object::create()}
in SS_Object at line 375
static string
getCustomClass(string $class)
If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name
in SS_Object at line 396
static any
static_lookup($class, $name, null $default = null)
Get the value of a static property of a class, even if that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.
in SS_Object at line 436
static
get_static($class, $name, $uncached = false)
deprecated
in SS_Object at line 444
static
set_static($class, $name, $value)
deprecated
in SS_Object at line 452
static
uninherited_static($class, $name, $uncached = false)
deprecated
in SS_Object at line 460
static
combined_static($class, $name, $ceiling = false)
deprecated
in SS_Object at line 470
static
addStaticVars($class, $properties, $replace = false)
deprecated
in SS_Object at line 478
static
add_static_var($class, $name, $value, $replace = false)
deprecated
in SS_Object at line 494
static
has_extension(string $classOrExtension, string $requiredExtension = null, boolean $strict = false)
Return TRUE if a class has a specified extension.
This supports backwards-compatible format (static Object::has_extension($requiredExtension)) and new format ($object->has_extension($class, $requiredExtension))
in SS_Object at line 536
static
add_extension(string $classOrExtension, string $extension = null)
Add an extension to a specific class.
The preferred method for adding extensions is through YAML config, since it avoids autoloading the class, and is easier to override in more specific configurations.
As an alternative, extensions can be added to a specific class directly in the {@link Object::$extensions} array. See {@link SiteTree::$extensions} for examples. Keep in mind that the extension will only be applied to new instances, not existing ones (including all instances created through {@link singleton()}).
in SS_Object at line 594
static
remove_extension(string $extension)
Remove an extension from a class.
Keep in mind that this won't revert any datamodel additions of the extension at runtime, unless its used before the schema building kicks in (in your _config.php). Doesn't remove the extension from any {@link Object} instances which are already created, but will have an effect on new extensions. Clears any previously created singletons through {@link singleton()} to avoid side-effects from stale extension information.
in SS_Object at line 633
static array
get_extensions(string $class, bool $includeArgumentString = false)
in SS_Object at line 655
static
get_extra_config_sources($class = null)
in RequestHandler at line 118
__construct()
in SS_Object at line 725
mixed
__call(string $method, array $arguments)
Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located
You can add extra methods to a class using {@link Extensions}, {@link Object::createMethod()} or {@link Object::addWrapperMethod()}
in SS_Object at line 792
bool
hasMethod(string $method)
Return TRUE if a method exists on this object
This should be used rather than PHP's inbuilt method_exists() as it takes into account methods added via extensions
in SS_Object at line 802
array
allMethodNames(bool $custom = false)
Return the names of all the methods available on this object
in SS_Object at line 963
stat($name, $uncached = false)
in SS_Object at line 970
set_stat($name, $value)
in SS_Object at line 977
uninherited($name)
in SS_Object at line 991
bool
exists()
Return true if this object "exists" i.e. has a sensible value
This method should be overridden in subclasses to provide more context about the class's state. For example, a {@link DataObject} class could return false when it is deleted from the database
in SS_Object at line 998
string
parentClass()
in SS_Object at line 1008
bool
is_a(string $class)
Check if this class is an instance of a specific class, or has that class as one of its parents
in SS_Object at line 1015
string
__toString()
in SS_Object at line 1030
mixed
invokeWithExtensions(string $method, mixed $argument = null)
Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array
in SS_Object at line 1058
array
extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)
Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed
Currently returns an array, with an index resulting every time the function is called. Only adds returns if they're not NULL, to avoid bogus results from methods just defined on the parent extension. This is important for permission-checks through extend, as they use min() to determine if any of the returns is FALSE. As min() doesn't do type checking, an included NULL return would fail the permission checks.
The extension methods are defined during {@link __construct()} in {@link defineMethods()}.
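The note above about NULL returns is easy to get wrong in practice. As an added example (not framework code), this shows a veto-style permission check built on `extend()`: an extension returns `null` when it has no opinion and `false` only to veto, and the calling method treats `min($results) === false` as a veto. It assumes the SilverStripe 3.x `DataObject`, `DataExtension`, `Member` and `Permission` APIs; the class names `Report` and `EmbargoExtension` and the `EmbargoUntil` field are invented for the example.

```php
<?php
// Added example, not SilverStripe's own code. Assumes SilverStripe 3.x.
// Class names and the EmbargoUntil field are invented for the example.

class Report extends DataObject {
    private static $db = array('Title' => 'Varchar');
    private static $has_one = array('Owner' => 'Member');

    public function canView($member = null) {
        if (!$member) $member = Member::currentUser();

        // Only non-null opinions end up in $results. If NULL were included,
        // a loose "min($results) == false" test would wrongly deny access
        // whenever any extension stayed neutral; keep the comparison strict.
        $results = $this->extend('canView', $member);
        if ($results && min($results) === false) {
            return false;                    // at least one extension vetoed
        }

        // No veto: fall through to the object's own rule.
        return Permission::checkMember($member, 'ADMIN')
            || ($member && (int) $member->ID === (int) $this->OwnerID);
    }
}

class EmbargoExtension extends DataExtension {
    private static $db = array('EmbargoUntil' => 'SS_Datetime');

    public function canView($member) {
        $until = $this->owner->EmbargoUntil;
        if ($until && strtotime($until) > time() && !Permission::checkMember($member, 'ADMIN')) {
            return false;   // veto: still embargoed and the viewer is not an admin
        }
        return null;        // no opinion; extend() leaves this out of its array
    }
}

// YAML config is the preferred way to attach an extension (see add_extension()
// above); the runtime call is equivalent for classes not yet instantiated.
Report::add_extension('EmbargoExtension');
```

The failure mode this guards against: if `EmbargoExtension::canView()` returned `true` as its "no opinion" value, `min()` would still be `true` when a second extension vetoed only if that veto came back as `false`, but a reviewer reading `true` would assume the extension had actively granted access. Returning `null` keeps "no opinion" and "allow" distinct.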
in SS_Object at line 1097
Extension
getExtensionInstance(string $extension)
Get an extension instance attached to this object by name.
in SS_Object at line 1115
bool
hasExtension(string $extension)
Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.
Caution: Don't use singleton(
in SS_Object at line 1126
array
getExtensionInstances()
Get all extension instances for this specific object instance.
See {@link get_extensions()} to get all applied extension classes for this class (not the instance).
in SS_Object at line 1142
mixed
cacheToFile(string $method, int $lifetime = 3600, string $ID = false, array $arguments = array())
Cache the results of an instance method in this object to a file, or if it is already cached return the cached results
in SS_Object at line 1171
clearCache($method, $ID = false, $arguments = array())
Clears the cache for the given cacheToFile call
in ViewableData at line 72
static string
castingObjectCreator(string $fieldSchema)
Converts a field spec into an object creator. For example: "Int" becomes "new Int($fieldName);" and "Varchar(50)" becomes "new Varchar($fieldName, 50);".
in ViewableData at line 83
static array
castingObjectCreatorPair(string $fieldSchema)
Convert a field schema (e.g. "Varchar(50)") into a casting object creator array that contains both a className and castingHelper constructor code. See {@link castingObjectCreator} for more information about the constructor.
in ViewableData at line 95
bool
__isset(string $property)
Check if a field exists on this object or its failover.
in ViewableData at line 117
mixed
__get(string $property)
Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using {@link ViewableData::getField()}, then fall back on a failover object.
in ViewableData at line 138
__set(string $property, mixed $value)
Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the {@link ViewableData::setField()} method.
in ViewableData at line 151
setFailover(ViewableData $failover)
Set a failover object to attempt to get data from if it is not present on this object.
in ViewableData at line 166
ViewableData|null
getFailover()
Get the current failover object if set
in ViewableData at line 176
bool
hasField(string $field)
Check if a field exists on this object. This should be overloaded in child classes.
in ViewableData at line 186
mixed
getField(string $field)
Get the value of a field on this object. This should be overloaded in child classes.
in ViewableData at line 196
setField(string $field, mixed $value)
Set a field on this object. This should be overloaded in child classes.
in ViewableData at line 206
defineMethods()
Add methods from the {@link ViewableData::$failover} object, as well as wrapping any methods prefixed with an underscore into a {@link ViewableData::cachedCall()}.
in ViewableData at line 236
unknown
deprecatedCachedCall($method, $args = null, $identifier = null)
Method to facilitate deprecation of underscore-prefixed methods automatically being cached.
in ViewableData at line 255
ViewableData_Customised
customise(array|ViewableData $data)
Merge some arbitrary data in with this object. This method returns a {@link ViewableData_Customised} instance with references to both this and the new custom data.
Note that any fields you specify will take precedence over the fields on this object.
in ViewableData at line 272
ViewableData
getCustomisedObj()
in ViewableData at line 279
setCustomisedObj(ViewableData $object)
in ViewableData at line 296
array
castingHelperPair(string $field)
Get the class a field on this object would be casted to, as well as the casting helper for casting a field to an object (see {@link ViewableData::castingHelper()} for information on casting helpers).
The returned array contains two keys: - className: the class the field would be casted to (e.g. "Varchar") - castingHelper: the casting helper for casting the field (e.g. "return new Varchar($fieldName)")
in ViewableData at line 308
string
castingHelper(string $field)
Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object.
in ViewableData at line 331
string
castingClass(string $field)
Get the class name a field on this object will be casted to
in ViewableData at line 346
string
escapeTypeForField(string $field)
Return the string-format type for the given field.
in ViewableData at line 357
buildCastingCache(reference $cache)
Save the casting cache for this object (including data from any failovers) into a variable
in ViewableData at line 394
HTMLText
renderWith(string|array|SSViewer $template, array $customFields = null)
Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter: - a template name (e.g. Page) - an array of possible template names - the first valid one will be used - an SSViewer instance
in ViewableData at line 456
obj(string $fieldName, array $arguments = null, bool $forceReturnedObject = true, bool $cache = false, string $cacheName = null)
Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.
in ViewableData at line 503
cachedCall(string $field, array $arguments = null, string $identifier = null)
A simple wrapper around {@link ViewableData::obj()} that automatically caches the result so it can be used again without re-running the method.
in ViewableData at line 516
bool
hasValue(string $field, array $arguments = null, bool $cache = true)
Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.
in ViewableData at line 538
XML_val($field, $arguments = null, $cache = false)
Get the string value of a field on this object that has been suitably escaped to be inserted directly into a template.
in ViewableData at line 546
RAW_val($field, $arguments = null, $cache = true)
Return the value of the field without any escaping being applied.
in ViewableData at line 553
SQL_val($field, $arguments = null, $cache = true)
Return the value of a field in an SQL-safe format.
in ViewableData at line 560
JS_val($field, $arguments = null, $cache = true)
Return the value of a field in a JavaScript-safe format.
in ViewableData at line 567
ATT_val($field, $arguments = null, $cache = true)
Return the value of a field suitably escaped to be inserted into an XML node attribute.
in ViewableData at line 579
array
getXMLValues($fields)
Get an array of XML-escaped values by field name
in ViewableData at line 599
ArrayIterator
getIterator()
Return a single-item iterator so you can iterate over the fields of a single record.
This is useful so you can use a single record inside a <% control %> block in a template - and then use to access individual fields on this object.
in ViewableData at line 611
ViewableData
Me()
When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.
in ViewableData at line 627
string
ThemeDir(string $subtheme = false)
Return the directory of the current active theme (relative to the site root).
This method is useful for things such as accessing theme images from your template without hardcoding the theme
page - e.g. .
This method should only be used when a theme is currently active. However, it will fall back to the current project directory.
in ViewableData at line 648
string
CSSClasses(string $stopAtClass = 'ViewableData')
Get part of the current classes ancestry to be used as a CSS class.
This method returns an escaped string of CSS classes representing the current classes ancestry until it hits a stop point - e.g. "Page DataObject ViewableData".
in ViewableData at line 671
ViewableData_Debugger
Debug()
Return debug information about this object that can be rendered into a template
in RequestHandler at line 133
setDataModel($model)
Set the DataModel for this request.
in Controller at line 123
SS_HTTPResponse|RequestHandler|string|array
handleRequest(SS_HTTPRequest $request, DataModel $model)
Executes this controller, and return an {@link SS_HTTPResponse} object with the result.
This method first does a few set-up activities: - Push this controller onto the controller stack - see {@link Controller::curr()} for information about this. - Call {@link init()} - Defer to {@link RequestHandler->handleRequest()} to determine which action should be executed
Note: $requestParams['executeForm'] support was removed, make the following change in your URLs: "/?executeForm=FooBar" -> "/FooBar" Also make sure "FooBar" is in the $allowed_actions of your controller class.
Note: You should rarely need to overload run() - this kind of change is only really appropriate for things like nested controllers - {@link ModelAsController} and {@link RootURLController} are two examples here. If you want to make more orthodox functionality, it's better to overload {@link init()} or {@link index()}.
Important: If you are going to overload handleRequest, make sure that you start the method with $this->pushCurrent() and end the method with $this->popCurrent(). Failure to do this will create weird session errors.
in RequestHandler at line 316
array|null
allowedActions(String $limitToClass = null)
Get an array of allowed actions defined on this controller, any parent classes or extensions.
Caution: Since 3.1, allowed_actions definitions only apply to methods on the controller they're defined on, so it is recommended to use the $class argument when invoking this method.
in Controller at line 315
bool
hasAction(string $action)
Checks if this request handler has a specific action, even if the current user cannot access it.
Includes class ancestry and extensions in the checks.
in RequestHandler at line 413
checkAccessAction($action)
Check that the given action is allowed to be called from a URL.
It will interrogate {@link self::$allowed_actions} to determine this.
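As an added example (not the framework's own code), a controller that whitelists its URL-reachable actions with `$allowed_actions`, so `checkAccessAction()` rejects everything not listed, and that falls back to `Security::permissionFailure()` with a custom message set when an object-level check fails. It assumes SilverStripe 3.1+; the controller, the `Report` class, the action names and the `VIEW_REPORTS` permission code are invented for the example.

```php
<?php
// Added example, not SilverStripe's own code. Assumes SilverStripe 3.1+.
// ReportController, Report, the actions and VIEW_REPORTS are invented.

class ReportController extends Controller {

    // Since 3.1, $allowed_actions only covers methods declared on this class,
    // so every action reachable as /reports/<action> must be listed here.
    // Anything not listed (including public helper methods) gets a 403 from
    // checkAccessAction() before the method runs.
    private static $allowed_actions = array(
        'index',                          // public
        'download' => 'VIEW_REPORTS',     // caller must hold this permission code
        'purge'    => '->canPurge',       // caller allowed only if canPurge() is true
    );

    public function index() {
        return $this->renderWith(array('ReportController', 'Page'));
    }

    // Reached as /reports/download/<ID>. The action-level check above says
    // the member may download reports in general; the object-level check
    // below says whether they may see this one.
    public function download(SS_HTTPRequest $request) {
        $report = Report::get()->byID((int) $request->param('ID'));
        if (!$report || !$report->canView()) {
            // Redirects to the login page, or shows the message if the member
            // is already logged in but still not allowed.
            return Security::permissionFailure($this, array(
                'default'         => 'You need a report viewer account to download this report.',
                'alreadyLoggedIn' => 'Your account cannot view this report. Log in as a different user?',
                'logInAgain'      => 'Your session has ended. Please log in again.',
            ));
        }
        return $report->Title;
    }

    public function canPurge() {
        return Permission::check('ADMIN');
    }

    // Unreachable from a URL unless canPurge() returned true for the current
    // member; a direct request to /reports/purge otherwise gets a 403.
    public function purge() {
        Report::get()->removeAll();
        return $this->redirectBack();
    }
}
```

Treating a missing `Report` the same as a forbidden one in `download()` avoids telling an unauthenticated caller which IDs exist.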
in RequestHandler at line 472
httpError(int $errorCode, string $errorMessage = null)
Throws a HTTP error response encased in a {@link SS_HTTPResponse_Exception}, which is later caught in {@link RequestHandler::handleAction()} and returned to the user.
in RequestHandler at line 494
SS_HTTPRequest|NullHTTPRequest
getRequest()
Returns the SS_HTTPRequest object that this controller is using.
Returns a placeholder {@link NullHTTPRequest} object unless {@link handleAction()} or {@link handleRequest()} have been called, which adds a reference to an actual {@link SS_HTTPRequest} object.
in RequestHandler at line 504
setRequest(SS_HTTPRequest $request)
Typically the request is set through {@link handleAction()} or {@link handleRequest()}, but in some cases we want to set it manually.
at line 403
string
Link(string $action = null)
Get a link to a security action
at line 334
init()
Initialisation function that is run before any action on the controller is called.
in Controller at line 205
setURLParams($urlParams)
in Controller at line 212
array
getURLParams()
in Controller at line 220
getResponse()
Returns the SS_HTTPResponse object that this controller is building up.
Can be used to set the status code and headers
in Controller at line 233
Controller
setResponse(SS_HTTPResponse $response)
Sets the SS_HTTPResponse object that this controller is building up.
in Controller at line 244
getFormOwner()
Return the object that is going to own a form that's being processed, and handle its execution.
Note that the result needn't be an actual controller object.
in Controller at line 263
defaultAction($action)
This is the default action handler used if a method doesn't exist.
It will process the controller object with the template returned by {@link getViewer()}
in Controller at line 270
getAction()
Returns the action that is being executed on this controller.
in Controller at line 278
SSViewer
getViewer($action)
Return an SSViewer object to process the data
in Controller at line 325
String
removeAction($fullURL, $action = null)
Removes all the "action" part of the current URL and returns the result.
If no action parameter is present, returns the full URL
in Controller at line 359
bool
hasActionTemplate(string $action)
Returns TRUE if this controller has a template specifically designed to handle the given action.
in Controller at line 380
string
render(array $params = null)
Render the current controller with the templates determined by {@link getViewer()}.
in Controller at line 396
disableBasicAuth()
Call this to disable site-wide basic authentication for a specific controller.
This must be called before Controller::init(). That is, you must call it in your controller's init method before it calls parent::init().
in Controller at line 404
static Controller
curr()
Returns the current controller
in Controller at line 416
static boolean
has_curr()
Tests whether we have a currently active controller or not
in Controller at line 427
boolean
can(perm $perm, member $member = null)
Returns true if the member is allowed to do the given action.
in Controller at line 447
pushCurrent()
Pushes this controller onto the stack of current controllers.
This means that any redirection, session setting, or other things that rely on Controller::curr() will now write to this controller object.
in Controller at line 462
popCurrent()
Pop this controller off the top of the stack.
in Controller at line 476
SS_HTTPResponse
redirect($url, $code = 302)
Redirect to the given URL.
in Controller at line 500
redirectBack()
Redirect back. Uses either the HTTP_REFERER or a manually set request variable called "BackURL".
This variable is needed in scenarios where no HTTP-Referer is sent (e.g. when calling a page via location.href in IE). If neither variable is available, it will redirect to the base URL (see {@link Director::baseURL()}).
in Controller at line 536
string
redirectedTo()
Tests whether a redirection has been requested.
in Controller at line 544
Session
getSession()
Get the Session object representing this Controller's session
in Controller at line 551
setSession(Session $session)
Set the Session object.
in Controller at line 566
static String
join_links()
Joins two or more link segments together, putting a slash between them if necessary.
Use this for building the results of {@link Link()} methods. If any of the links have query strings, they will be combined and appended to the end of the resulting URL.
Caution: All parameters are expected to be URI-encoded already.
at line 1184
static array
get_template_global_variables()
Defines globally accessible template variables.
at line 162
static
get_word_list()
deprecated
deprecated 4.0 Use the "Security.word_list" config setting instead
Get location of word list file
at line 196
static
set_word_list(string $wordListFile)
deprecated
deprecated 4.0 Use the "Security.word_list" config setting instead
Set location of word list file
at line 207
static
set_default_message_set(string|array $messageSet)
deprecated
deprecated 4.0 Use the "Security.default_message_set" config setting instead
Set the default message set used in permissions failures.
at line 238
static SS_HTTPResponse
permissionFailure(Controller $controller = null, string|array $messageSet = null)
Register that we've had a permission failure trying to view the given page
This will redirect to a login page. If you don't provide a messageSet, a default will be used.
at line 346
index()
at line 371
Form
LoginForm()
Get the login form to process according to the submitted data
at line 385
array
GetLoginForms()
Get the login forms for all available authentication methods
at line 415
ping()
This action is available as a keep alive, so user sessions don't timeout. A common use is in the admin.
at line 429
logout(bool $redirect = true)
Log the currently logged in user out
at line 499
array
getTemplatesFor(string $action)
Determine the list of templates to use for rendering the given action
at line 546
string|SS_HTTPResponse
login()
Show the "login" page
For multiple authenticators, Security_MultiAuthenticatorLogin is used. See getTemplatesFor and getIncludeTemplate for how to override the template logic.
at line 591
basicauthlogin()
at line 601
string
lostpassword()
Show the "lost password" page
at line 628
Form
LostPasswordForm()
Factory method for the lost password form
at line 653
string
passwordsent(SS_HTTPRequest $request)
Show the "password sent" page, after a user has requested to reset their password.
at line 689
static
getPasswordResetLink($member, $autologinToken)
Create a link to the password reset form.
GET parameters used: m (member ID), t (plaintext token).
at line 708
string
changepassword()
Show the "change password" page.
This page can either be called directly by logged-in users (in which case they need to provide their old password), or through a link emailed through {@link lostpassword()}. In this case no old password is required, authentication is ensured through the Member.AutoLoginHash property.
at line 786
Form
ChangePasswordForm()
Factory method for the change password form
at line 796
string|array
getIncludeTemplate($name)
Gets the template for an include used for security.
For use in any subclass.
at line 813
static Member
findAnAdministrator()
Return an existing member with administrator privileges, or create one if necessary.
Will create a default 'Administrators' group if no group is found with an ADMIN permission. Will create a new 'Admin' member with administrative permissions if no existing Member with these permissions is found.
Important: Any newly created administrator accounts will NOT have valid login credentials (Email/Password properties), which means they can't be used for login purposes outside of any default credentials set through {@link Security::setDefaultAdmin()}.
at line 866
static
clear_default_admin()
Flush the default admin credentials
at line 883
static
setDefaultAdmin(string $username, string $password)
Set a default admin in dev-mode
This sets a static default admin that does not exist as a database record. This workaround allows pages to be tested in dev-mode with a unified login. Submitted login credentials are first checked against this static information in {@link Security::authenticate()}.
at line 901
static bool
check_default_admin(string $username, string $password)
Checks whether the passed credentials match the default admin.
Compares against the cleartext password set through Security::setDefaultAdmin().
at line 912
static
has_default_admin()
Check that the default admin account has been set.
at line 921
static string
default_admin_username()
Get default admin username
at line 930
static string
default_admin_password()
Get default admin password
at line 944
static
setStrictPathChecking(boolean $strictPathChecking)
deprecated
deprecated 4.0 Use the "Security.strict_path_checking" config setting instead
Set strict path checking
This prevents sharing of the session across several sites in the domain.
at line 956
static boolean
getStrictPathChecking()
deprecated
deprecated 4.0 Use the "Security.strict_path_checking" config setting instead
Get strict path checking
at line 970
static bool
set_password_encryption_algorithm(string $algorithm)
deprecated
deprecated 4.0 Use the "Security.password_encryption_algorithm" config setting instead
Set the password encryption algorithm
at line 980
static String
get_password_encryption_algorithm()
deprecated
deprecated 4.0 Use the "Security.password_encryption_algorithm" config setting instead
at line 1012
static mixed
encrypt_password(string $password, string $salt = null, string $algorithm = null, Member $member = null)
Encrypt a password according to the current password encryption settings.
If the settings specify that passwords should not be encrypted, the result is simply the cleartext password with an empty salt, except when a custom algorithm ($algorithm parameter) was passed.
at line 1035
static bool
database_is_ready()
Checks the database is in a state to perform security checks.
See {@link DatabaseAdmin->init()} for more information.
at line 1077
static
set_login_recording(boolean $bool)
deprecated
deprecated 4.0 Use the "Security.login_recording" config setting instead
Enable or disable recording of login attempts through the {@link LoginRecord} object.
at line 1086
static boolean
login_recording()
deprecated
deprecated 4.0 Use the "Security.login_recording" config setting instead
at line 1103
static
set_default_login_dest($dest)
deprecated
deprecated 4.0 Use the "Security.default_login_dest" config setting instead
at line 1113
static
default_login_dest()
deprecated
deprecated 4.0 Use the "Security.default_login_dest" config setting instead
Get the default login dest.
at line 1125
static
set_ignore_disallowed_actions($flag)
Set to true to ignore access to disallowed actions, rather than returning a permission failure. Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions().
at line 1129
static
ignore_disallowed_actions()
at line 1139
static
set_login_url($loginUrl)
deprecated
deprecated 4.0 Use the "Security.login_url" config setting instead.
Set a custom log-in URL if you have built your own log-in page.
at line 1152
static string
login_url()
Get the URL of the log-in page.
To update the login URL use the "Security.login_url" config setting.
at line 1164
static string
logout_url()
Get the URL of the logout page.
To update the logout URL use the "Security.logout_url" config setting.
at line 1175
static string
lost_password_url()
Get the URL of the lost password page.
To update the lost password URL use the "Security.lost_password_url" config setting.