class SecurityToken extends SS_Object implements TemplateGlobalProvider

Cross Site Request Forgery (CSRF) protection for the {@link Form} class and other GET links.

Can be used globally (through {@link SecurityToken::inst()}) or on a form-by-form basis {@link Form->getSecurityToken()}.

Usage in forms

This protective measure is automatically turned on for all new {@link Form} instances, and can be globally disabled through {@link disable()}.

Usage in custom controller actions

    class MyController extends Controller {
        function mygetaction($request) {
            if(!SecurityToken::inst()->checkRequest($request)) return $this->httpError(400);

            // valid action logic ...
        }
    }
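A fuller version of the controller pattern above, as an added example that is not part of the SilverStripe docs: the link that triggers the GET action is generated with addToUrl() so it carries the token, and the action validates it with checkRequest() before doing any work. ItemController, delete and deleteLink are hypothetical names.

```php
<?php
// Added example (not from the SilverStripe docs): a controller whose GET
// "delete" link is protected by the global SecurityToken. addToUrl() appends
// the token as a query parameter (named after the token, "SecurityID" by
// default), and the action rejects any request whose token does not match
// the value stored in the current session.
// "ItemController", "delete" and "deleteLink" are hypothetical names.
class ItemController extends Controller {

    private static $allowed_actions = array('delete');

    private static $url_handlers = array(
        'delete/$ID' => 'delete',
    );

    // Build the link used in templates/emails, e.g.
    // /items/delete/42?SecurityID=<token>
    // Without the token a plain <a href> to this action would be forgeable
    // from any third-party page the user visits while logged in.
    public function deleteLink($id) {
        $url = Controller::join_links($this->Link(), 'delete', (int) $id);
        return SecurityToken::inst()->addToUrl($url);
    }

    // GET action: refuse the request unless the token in the URL matches
    // the one in the session. If tokens have been globally disabled via
    // SecurityToken::disable(), inst() returns a NullSecurityToken and the
    // check passes, so the action code does not need a special case.
    public function delete(SS_HTTPRequest $request) {
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Invalid security token');
        }
        $id = (int) $request->param('ID');
        // ... real deletion logic for $id goes here ...
        return $this->redirectBack();
    }
}
```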

Properties

string $class from SS_Object

Methods

static Config_ForClass|null
config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

from SS_Object
static SS_Object
create()

An implementation of the factory method, allows you to create an instance of a class

from SS_Object
static SS_Object
singleton()

Creates a class instance by the "singleton" design pattern.

from SS_Object
static 
create_from_string($classSpec, $firstArg = null)

Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().

from SS_Object
static 
parse_class_spec($classSpec)

Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().

from SS_Object
static SS_Object
strong_create()

Similar to {@link Object::create()}, except that classes are only overloaded if you set the $strong parameter to TRUE when using {@link Object::useCustomClass()}

from SS_Object
static 
useCustomClass(string $oldClass, string $newClass, bool $strong = false)

This class allows you to overload classes with other classes when they are constructed using the factory method {@link Object::create()}

from SS_Object
static string
getCustomClass(string $class)

If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name

from SS_Object
static any
static_lookup($class, $name, null $default = null)

Get the value of a static property of a class, even if that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.

from SS_Object
static 
get_static($class, $name, $uncached = false) deprecated

No description

from SS_Object
static 
set_static($class, $name, $value) deprecated

No description

from SS_Object
static 
uninherited_static($class, $name, $uncached = false) deprecated

No description

from SS_Object
static 
combined_static($class, $name, $ceiling = false) deprecated

No description

from SS_Object
static 
addStaticVars($class, $properties, $replace = false) deprecated

No description

from SS_Object
static 
add_static_var($class, $name, $value, $replace = false) deprecated

No description

from SS_Object
static 
has_extension(string $classOrExtension, string $requiredExtension = null, boolean $strict = false)

Return TRUE if a class has a specified extension.

from SS_Object
static 
add_extension(string $classOrExtension, string $extension = null)

Add an extension to a specific class.

from SS_Object
static 
remove_extension(string $extension)

Remove an extension from a class.

from SS_Object
static array
get_extensions(string $class, bool $includeArgumentString = false)

No description

from SS_Object
static 
get_extra_config_sources($class = null)

No description

from SS_Object
__construct($name = null)

No description

mixed
__call(string $method, array $arguments)

Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located

from SS_Object
bool
hasMethod(string $method)

Return TRUE if a method exists on this object

from SS_Object
array
allMethodNames(bool $custom = false)

Return the names of all the methods available on this object

from SS_Object
stat($name, $uncached = false)

No description

from SS_Object
set_stat($name, $value)

No description

from SS_Object
uninherited($name)

No description

from SS_Object
bool
exists()

Return true if this object "exists" i.e. has a sensible value

from SS_Object
string
parentClass()

No description

from SS_Object
bool
is_a(string $class)

Check if this class is an instance of a specific class, or has that class as one of its parents

from SS_Object
string
__toString()

No description

from SS_Object
mixed
invokeWithExtensions(string $method, mixed $argument = null)

Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array

from SS_Object
array
extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed

from SS_Object
getExtensionInstance(string $extension)

Get an extension instance attached to this object by name.

from SS_Object
bool
hasExtension(string $extension)

Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.

from SS_Object
array
getExtensionInstances()

Get all extension instances for this specific object instance.

from SS_Object
mixed
cacheToFile(string $method, int $lifetime = 3600, string $ID = false, array $arguments = array())

Cache the results of an instance method in this object to a file, or if it is already cached return the cached results

from SS_Object
clearCache($method, $ID = false, $arguments = array())

Clears the cache for the given cacheToFile call

from SS_Object
static SecurityToken
inst()

Gets a global token (or creates one if it doesn't exist already).

static 
disable()

Globally disable the token (override with the {@link NullSecurityToken} implementation). Note: Does not apply for

static 
enable()

Globally enable tokens that have been previously disabled through {@link disable}.

static boolean
is_enabled()

No description

static String
get_default_name()

No description

static int
getSecurityID()

Returns the value of the global SecurityToken in the current session

String
setName($name)

No description

String
getName()

No description

String
getValue()

No description

setValue(String $val)

No description

reset()

Reset the token to a new value.

Boolean
check(String $compare)

Checks for an existing CSRF token in the current user's session.

Boolean
checkRequest(SS_HTTPRequest $request)

See {@link check()}.

HiddenField|false
updateFieldSet(FieldList $fieldset)

Note: Doesn't call {@link FormField->setForm()} on the returned {@link HiddenField}, you'll need to take care of this yourself.

String
addToUrl(String $url)

No description

boolean
isEnabled()

You can't disable an existing instance, it will need to be overwritten like this:

    $old = SecurityToken::inst(); // isEnabled() returns true
    SecurityToken::disable();
    $new = SecurityToken::inst(); // isEnabled() returns false

static array
get_template_global_variables()

Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template

Details

in SS_Object at line 60
static Config_ForClass|null config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

Return Value

Config_ForClass|null

in SS_Object at line 132
static SS_Object create()

An implementation of the factory method, allows you to create an instance of a class

This method first checks for strong class overloads (singletons & DB interaction), then custom class overloads. If an overload is found, an instance of this is returned rather than the original class. To overload a class, use {@link Object::useCustomClass()}

This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent:

    $list = DataList::create('SiteTree');
    $list = SiteTree::get();

Return Value

SS_Object

in SS_Object at line 155
static SS_Object singleton()

Creates a class instance by the "singleton" design pattern.

It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).

Return Value

SS_Object The singleton instance

in SS_Object at line 190
static create_from_string($classSpec, $firstArg = null)

Create an object from a string representation. It treats it as a PHP constructor without the 'new' keyword. It also manages to construct the object without the use of eval().

Construction itself is done with Object::create(), so that Object::useCustomClass() calls are respected.

Object::create_from_string("Versioned('Stage','Live')") will return the result of Versioned::create('Stage', 'Live');

It is designed for simple, clonable objects. The first time this method is called for a given string it is cached, and clones of that object are returned.

If you pass the $firstArg argument, this will be prepended to the constructor arguments. It's impossible to pass null as the firstArg argument.

Object::create_from_string("Varchar(50)", "MyField") will return the result of Varchar::create('MyField', '50');

Arguments are always strings, although this is a quirk of the current implementation rather than something that can be relied upon.

Parameters

$classSpec
$firstArg

in SS_Object at line 215
static parse_class_spec($classSpec)

Parses a class-spec, such as "Versioned('Stage','Live')", as passed to create_from_string().

Returns a 2-element array, with classname and arguments

Parameters

$classSpec

in SS_Object at line 341
static SS_Object strong_create()

Similar to {@link Object::create()}, except that classes are only overloaded if you set the $strong parameter to TRUE when using {@link Object::useCustomClass()}

Return Value

SS_Object

in SS_Object at line 361
static useCustomClass(string $oldClass, string $newClass, bool $strong = false)

This class allows you to overload classes with other classes when they are constructed using the factory method {@link Object::create()}

Parameters

string $oldClass the class to replace
string $newClass the class to replace it with
bool $strong allows you to enforce a certain class replacement under all circumstances. This is used in singletons and DB interaction classes

in SS_Object at line 375
static string getCustomClass(string $class)

If a class has been overloaded, get the class name it has been overloaded with - otherwise return the class name

Parameters

string $class the class to check

Return Value

string the class that would be created if you called {@link Object::create()} with the class

in SS_Object at line 396
static any static_lookup($class, $name, null $default = null)

Get the value of a static property of a class, even if that property is declared protected (but not private), without any inheritance, merging or parent lookup if it doesn't exist on the given class.

Parameters

$class
  • The class to get the static from
$name
  • The property to get from the class
null $default
  • The value to return if property doesn't exist on class

Return Value

any
  • The value of the static property $name on class $class, or $default if that property is not defined

in SS_Object at line 436
static get_static($class, $name, $uncached = false) deprecated

deprecated

Parameters

$class
$name
$uncached

in SS_Object at line 444
static set_static($class, $name, $value) deprecated

deprecated

Parameters

$class
$name
$value

in SS_Object at line 452
static uninherited_static($class, $name, $uncached = false) deprecated

deprecated

Parameters

$class
$name
$uncached

in SS_Object at line 460
static combined_static($class, $name, $ceiling = false) deprecated

deprecated

Parameters

$class
$name
$ceiling

in SS_Object at line 470
static addStaticVars($class, $properties, $replace = false) deprecated

deprecated

Parameters

$class
$properties
$replace

in SS_Object at line 478
static add_static_var($class, $name, $value, $replace = false) deprecated

deprecated

Parameters

$class
$name
$value
$replace

in SS_Object at line 494
static has_extension(string $classOrExtension, string $requiredExtension = null, boolean $strict = false)

Return TRUE if a class has a specified extension.

This supports backwards-compatible format (static Object::has_extension($requiredExtension)) and new format ($object->has_extension($class, $requiredExtension))

Parameters

string $classOrExtension if 1 argument supplied, the class name of the extension to check for; if 2 supplied, the class name to test
string $requiredExtension used only if 2 arguments supplied
boolean $strict if the extension has to match the required extension and not be a subclass

in SS_Object at line 536
static add_extension(string $classOrExtension, string $extension = null)

Add an extension to a specific class.

The preferred method for adding extensions is through YAML config, since it avoids autoloading the class, and is easier to override in more specific configurations.

As an alternative, extensions can be added to a specific class directly in the {@link Object::$extensions} array. See {@link SiteTree::$extensions} for examples. Keep in mind that the extension will only be applied to new instances, not existing ones (including all instances created through {@link singleton()}).

Parameters

string $classOrExtension Class that should be extended - has to be a subclass of {@link Object}
string $extension Subclass of {@link Extension} with optional parameters as a string, e.g. "Versioned" or "Translatable('Param')"

See also

http://doc.silverstripe.org/framework/en/trunk/reference/dataextension

in SS_Object at line 594
static remove_extension(string $extension)

Remove an extension from a class.

Keep in mind that this won't revert any datamodel additions of the extension at runtime, unless it's used before the schema building kicks in (in your _config.php). Doesn't remove the extension from any {@link Object} instances which are already created, but will have an effect on new extensions. Clears any previously created singletons through {@link singleton()} to avoid side-effects from stale extension information.

Parameters

string $extension Classname of an {@link Extension} subclass, without parameters

in SS_Object at line 633
static array get_extensions(string $class, bool $includeArgumentString = false)

Parameters

string $class
bool $includeArgumentString Include the argument string in the return array, FALSE would return array("Versioned"), TRUE returns array("Versioned('Stage','Live')").

Return Value

array Numeric array of either {@link DataExtension} classnames, or eval'ed classname strings with constructor arguments.

in SS_Object at line 655
static get_extra_config_sources($class = null)

Parameters

$class

at line 56
__construct($name = null)

Parameters

$name

in SS_Object at line 725
mixed __call(string $method, array $arguments)

Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located

You can add extra methods to a class using {@link Extensions}, {@link Object::createMethod()} or {@link Object::addWrapperMethod()}

Parameters

string $method
array $arguments

Return Value

mixed

in SS_Object at line 792
bool hasMethod(string $method)

Return TRUE if a method exists on this object

This should be used rather than PHP's inbuilt method_exists() as it takes into account methods added via extensions

Parameters

string $method

Return Value

bool

in SS_Object at line 802
array allMethodNames(bool $custom = false)

Return the names of all the methods available on this object

Parameters

bool $custom include methods added dynamically at runtime

Return Value

array

in SS_Object at line 963
stat($name, $uncached = false)

Parameters

$name
$uncached

See also

SS_Object::get_static()

in SS_Object at line 970
set_stat($name, $value)

Parameters

$name
$value

See also

SS_Object::set_static()

in SS_Object at line 977
uninherited($name)

Parameters

$name

See also

SS_Object::uninherited_static()

in SS_Object at line 991
bool exists()

Return true if this object "exists" i.e. has a sensible value

This method should be overridden in subclasses to provide more context about the class's state. For example, a {@link DataObject} class could return false when it is deleted from the database

Return Value

bool

in SS_Object at line 998
string parentClass()

Return Value

string this class's parent class

in SS_Object at line 1008
bool is_a(string $class)

Check if this class is an instance of a specific class, or has that class as one of its parents

Parameters

string $class

Return Value

bool

in SS_Object at line 1015
string __toString()

Return Value

string the class name

in SS_Object at line 1030
mixed invokeWithExtensions(string $method, mixed $argument = null)

Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array

Parameters

string $method the method name to call
mixed $argument a single argument to pass

Return Value

mixed

in SS_Object at line 1058
array extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed

Currently returns an array, with an index resulting every time the function is called. Only adds returns if they're not NULL, to avoid bogus results from methods just defined on the parent extension. This is important for permission-checks through extend, as they use min() to determine if any of the returns is FALSE. As min() doesn't do type checking, an included NULL return would fail the permission checks.

The extension methods are defined during {@link __construct()} in {@link defineMethods()}.

Parameters

string $method the name of the method to call on each extension
mixed $a1
mixed $a2
mixed $a3
mixed $a4
mixed $a5
mixed $a6
mixed $a7

Return Value

array

in SS_Object at line 1097
Extension getExtensionInstance(string $extension)

Get an extension instance attached to this object by name.

Parameters

string $extension

Return Value

Extension

in SS_Object at line 1115
bool hasExtension(string $extension)

Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.

Caution: Don't use singleton()->hasExtension() as it will give you inconsistent results based on when the singleton was first accessed.

Parameters

string $extension Classname of an {@link Extension} subclass without parameters

Return Value

bool

in SS_Object at line 1126
array getExtensionInstances()

Get all extension instances for this specific object instance.

See {@link get_extensions()} to get all applied extension classes for this class (not the instance).

Return Value

array Map of {@link DataExtension} instances, keyed by classname.

in SS_Object at line 1142
mixed cacheToFile(string $method, int $lifetime = 3600, string $ID = false, array $arguments = array())

Cache the results of an instance method in this object to a file, or if it is already cached return the cached results

Parameters

string $method the method name to cache
int $lifetime the cache lifetime in seconds
string $ID custom cache ID to use
array $arguments an optional array of arguments

Return Value

mixed the cached data

in SS_Object at line 1171
clearCache($method, $ID = false, $arguments = array())

Clears the cache for the given cacheToFile call

Parameters

$method
$ID
$arguments

at line 66
static SecurityToken inst()

Gets a global token (or creates one if it doesn't exist already).

Return Value

SecurityToken

at line 76
static disable()

Globally disable the token (override with the {@link NullSecurityToken} implementation). Note: Does not apply for

at line 84
static enable()

Globally enable tokens that have been previously disabled through {@link disable}.

at line 92
static boolean is_enabled()

Return Value

boolean

at line 99
static String get_default_name()

Return Value

String

at line 107
static int getSecurityID()

Returns the value of the global SecurityToken in the current session

Return Value

int

at line 115
String setName($name)

Parameters

$name

Return Value

String

at line 124
String getName()

Return Value

String

at line 131
String getValue()

Return Value

String

at line 146
setValue(String $val)

Parameters

String $val

at line 153
reset()

Reset the token to a new value.

at line 169
Boolean check(String $compare)

Checks for an existing CSRF token in the current user's session.

This check is automatically performed in {@link Form->httpSubmission()} if a form has security tokens enabled. This direct check is mainly used for URL actions on {@link FormField} that are not routed through {@link Form->httpSubmission()}.

Typically you'll want to check {@link Form->securityTokenEnabled()} before calling this method.

Parameters

String $compare

Return Value

Boolean

at line 179
Boolean checkRequest(SS_HTTPRequest $request)

See {@link check()}.

Parameters

SS_HTTPRequest $request

Return Value

Boolean

at line 191
HiddenField|false updateFieldSet(FieldList $fieldset)

Note: Doesn't call {@link FormField->setForm()} on the returned {@link HiddenField}, you'll need to take care of this yourself.

Parameters

FieldList $fieldset

Return Value

HiddenField|false

at line 205
String addToUrl(String $url)

Parameters

String $url

Return Value

String

at line 219
boolean isEnabled()

You can't disable an existing instance, it will need to be overwritten like this:

    $old = SecurityToken::inst(); // isEnabled() returns true
    SecurityToken::disable();
    $new = SecurityToken::inst(); // isEnabled() returns false

Return Value

boolean

at line 233
static array get_template_global_variables()

Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template

If the method to call is not included for a particular template variable, a method named the same as the template variable will be called

If the casting class is not specified for a particular template variable, ViewableData::$default_cast is used

The first letter of the template variable is case-insensitive. However the method name is always case sensitive.

Return Value

array Returns an array of items. Each key => value pair is one of three forms:
  • template name (no key)
  • template name => method name
  • template name => array(), where the array can contain these key => value pairs:
      • "method" => method name
      • "casting" => casting class to use (i.e., Varchar, HTMLText, etc)