SecurityToken
class SecurityToken implements TemplateGlobalProvider
Cross Site Request Forgery (CSRF) protection for the {@link Form} class and other GET links.
Can be used globally (through {@link SecurityToken::inst()}) or on a form-by-form basis {@link Form->getSecurityToken()}.
Usage in forms
This protective measure is automatically turned on for all new {@link Form} instances, and can be globally disabled through {@link disable()}.
Usage in custom controller actions
use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Security\SecurityToken;
class MyController extends Controller {
    public function mygetaction(HTTPRequest $request) {
        // Reject the request unless it carries the session's current SecurityID
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400);
        }
        // valid action logic ...
    }
}
Traits
Methods
Get a configuration accessor for this class. Shorthand for Config::inst()->get($this->class, .....).
Gets the uninherited value for the given config option
An implementation of the factory method, allows you to create an instance of a class
Creates a class instance by the "singleton" design pattern.
Gets a global token (or creates one if it doesn't exist already).
Globally disable the token (override with the {@link NullSecurityToken} implementation). Note: Does not apply for
Globally enable tokens that have been previously disabled through {@link disable}.
Returns the value of the global SecurityToken in the current session
Reset the token to a new value.
Checks for an existing CSRF token in the current user's session.
Note: Doesn't call {@link FormField->setForm()} on the returned {@link HiddenField}, you'll need to take care of this yourself.
You can't disable an existing instance, it will need to be overwritten like this:
$old = SecurityToken::inst(); // isEnabled() returns true
SecurityToken::disable();
$new = SecurityToken::inst(); // isEnabled() returns false
Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template
Details
in Configurable at line 20
static Config_ForClass
config()
Get a configuration accessor for this class. Shorthand for Config::inst()->get($this->class, .....).
in Configurable at line 32
mixed
stat(string $name)
Deprecated since 5.0: use ->config()->get() instead
Get inherited config value
in Configurable at line 44
mixed
uninherited(string $name)
Gets the uninherited value for the given config option
in Configurable at line 57
$this
set_stat(string $name, mixed $value)
Deprecated since 5.0: use ->config()->set() instead
Update the config value for a given property
in Injectable at line 26
static Injectable
create(array $args)
An implementation of the factory method, allows you to create an instance of a class
This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create('SiteTree'); $list = SiteTree::get();
in Injectable at line 43
static Injectable
singleton(string $class = null)
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
at line 68
__construct(string $name = null)
at line 78
static SecurityToken
inst()
Gets a global token (or creates one if it doesn't exist already).
at line 91
static
disable()
Globally disable the token (override with the {@link NullSecurityToken} implementation). Note: Does not apply for
at line 100
static
enable()
Globally enable tokens that have been previously disabled through {@link disable}.
at line 109
static boolean
is_enabled()
at line 117
static string
get_default_name()
at line 126
static int
getSecurityID()
Returns the value of the global SecurityToken in the current session
at line 135
setName(string $name)
at line 145
string
getName()
at line 153
string
getValue()
at line 171
$this
setValue(string $val)
at line 197
reset()
Reset the token to a new value.
at line 214
boolean
check(string $compare)
Checks for an existing CSRF token in the current user's session.
This check is automatically performed in {@link Form->httpSubmission()} if a form has security tokens enabled. This direct check is mainly used for URL actions on {@link FormField} that are not routed through {@link Form->httpSubmission()}.
Typically you'll want to check {@link Form->securityTokenEnabled()} before calling this method.
at line 225
bool
checkRequest(HTTPRequest $request)
See {@link check()}.
at line 257
HiddenField|false
updateFieldSet(FieldList $fieldset)
Note: Doesn't call {@link FormField->setForm()} on the returned {@link HiddenField}, you'll need to take care of this yourself.
at line 272
string
addToUrl(string $url)
at line 287
boolean
isEnabled()
You can't disable an existing instance, it will need to be overwritten like this:
$old = SecurityToken::inst(); // isEnabled() returns true
SecurityToken::disable();
$new = SecurityToken::inst(); // isEnabled() returns false
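The following is an added example, not code from the SilverStripe project or from this page. It puts check()/checkRequest(), addToUrl() and isEnabled() together in one controller: the token is appended when a state-changing GET link is rendered and verified when the action runs. Controller, HTTPRequest and SecurityToken are the real SilverStripe 4 classes; the namespace App\Control, the class MyController, the action deleteitem and the DeleteLink() helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the SilverStripe project or this page. It
// shows the token round-trip for a state-changing GET action: addToUrl()
// when the link is rendered, checkRequest() when the action runs, and the
// isEnabled() check the docs recommend before a direct check(). The class,
// namespace, action name and route are assumed for illustration; Controller,
// HTTPRequest and SecurityToken are the real SilverStripe 4 classes.

namespace App\Control;

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Security\SecurityToken;

class MyController extends Controller
{
    private static $allowed_actions = ['deleteitem'];

    /**
     * Builds the link for the action. addToUrl() appends the session's
     * current token as the SecurityID query parameter, so a link copied
     * from another session (or forged by a third-party page) will not match.
     */
    public function DeleteLink(int $id): string
    {
        $url = $this->Link('deleteitem/' . $id);
        return SecurityToken::inst()->addToUrl($url);
    }

    /**
     * The protected action. checkRequest() compares the SecurityID carried
     * by the request with the value stored in the user's session and fails
     * closed: a missing, stale or wrong token gets a 400 before any work.
     */
    public function deleteitem(HTTPRequest $request)
    {
        $token = SecurityToken::inst();
        // isEnabled() is false once SecurityToken::disable() has replaced the
        // global token with NullSecurityToken; then there is nothing to check.
        if ($token->isEnabled() && !$token->checkRequest($request)) {
            return $this->httpError(400, 'Missing or invalid security token');
        }

        $id = (int) $request->param('ID'); // the ID segment of deleteitem/$ID
        // ... delete the record identified by $id here ...

        return $this->redirectBack();
    }
}
```

In a template, <a href="$DeleteLink($ID)"> renders the tokenised link. Because checkRequest() is a direct check outside Form->httpSubmission(), the isEnabled() guard is what keeps the action working when tokens have been globally disabled (for example in tests) without silently skipping the check while they are enabled.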
at line 303
static array
get_template_global_variables()
Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template
If the method to call is not included for a particular template variable, a method named the same as the template variable will be called
If the casting class is not specified for a particular template variable, ViewableData::$default_cast is used
The first letter of the template variable is case-insensitive. However the method name is always case sensitive.
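The following is an added example, not code from the SilverStripe project or from this page. It is a hypothetical TemplateGlobalProvider (the namespace App\View, the class CsrfTemplateGlobals and its method names are assumptions) whose get_template_global_variables() return value uses each of the mapping shapes described above: a variable mapped to a method, a variable with an explicit casting class, and a bare name where the variable name doubles as the method name. The casting class name HTMLFragment is also an assumption.

```php
<?php
// Added example, not code from the SilverStripe project or this page: a
// hypothetical TemplateGlobalProvider (class and method names are assumed)
// returning the mapping shapes described for get_template_global_variables().

namespace App\View;

use SilverStripe\Security\SecurityToken;
use SilverStripe\View\TemplateGlobalProvider;

class CsrfTemplateGlobals implements TemplateGlobalProvider
{
    public static function get_template_global_variables()
    {
        return [
            // Template variable => static method on this class; the value is
            // cast with ViewableData::$default_cast because no casting is given.
            'CsrfToken' => 'getCsrfToken',
            // Full form: method to call plus the casting class for its result,
            // so the markup is not escaped when the template renders $CsrfField.
            'CsrfField' => ['method' => 'getCsrfField', 'casting' => 'HTMLFragment'],
            // No method given: the template variable name doubles as the
            // method name, so $CsrfFieldName calls self::CsrfFieldName().
            'CsrfFieldName',
        ];
    }

    public static function getCsrfToken()
    {
        // SecurityToken::inst() is the global token for the current session
        return SecurityToken::inst()->getValue();
    }

    public static function getCsrfField()
    {
        // Hidden input carrying the token, for hand-written (non-Form) markup
        $token = SecurityToken::inst();
        return sprintf(
            '<input type="hidden" name="%s" value="%s" />',
            htmlspecialchars($token->getName(), ENT_QUOTES),
            htmlspecialchars($token->getValue(), ENT_QUOTES)
        );
    }

    public static function CsrfFieldName()
    {
        return SecurityToken::inst()->getName();
    }
}
```

In a template, $CsrfToken, $CsrfField and $CsrfFieldName resolve to these methods, and $csrfToken works as well because only the first letter of the variable is case-insensitive; the method names themselves must match exactly.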