 * All rights reserved
 *
 * This script is part of the TYPO3 project. The TYPO3 project is
 * free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * The GNU General Public License can be found at
 * http://www.gnu.org/copyleft/gpl.html.
 *
 * This script is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * This copyright notice MUST APPEAR in all copies of the script!
 ***************************************************************/

/**
 * Class t3lib_formprotection_BackendFormProtection.
 *
 * This class provides protection against cross-site request forgery (XSRF/CSRF)
 * for forms in the BE.
 *
 * How to use:
 *
 * For each form in the BE (or link that changes some data), create a token and
 * insert it as a hidden form element. The name of the form element does not
 * matter; you only need it to get the form token for verifying it.
 *
 * <pre>
 * $formToken = t3lib_formprotection_Factory::get(
 *     t3lib_formprotection_Factory::TYPE_BACK_END
 * )->generateToken(
 *     'BE user setup', 'edit'
 * );
 * $this->content .= '<input type="hidden" name="formToken" value="' .
 *     $formToken . '" />';
 * </pre>
 *
 * The three parameters $formName, $action and $formInstanceName can be
 * arbitrary strings, but they should make the form token as specific as
 * possible. For different forms (e.g. BE user setup and editing a tt_content
 * record) or different records (with different UIDs) from the same table,
 * those values should be different.
 *
 * For editing a tt_content record, the call could look like this:
 *
 * <pre>
 * $formToken = t3lib_formprotection_Factory::get(
 *     t3lib_formprotection_Factory::TYPE_BACK_END
 * )->generateToken(
 *     'tt_content', 'edit', $uid
 * );
 * </pre>
 *
 * At the end of the form, you need to persist the tokens. This makes sure that
 * generated tokens get saved, and also that removed tokens stay removed:
 *
 * <pre>
 * t3lib_formprotection_Factory::get(
 *     t3lib_formprotection_Factory::TYPE_BACK_END
 * )->persistTokens();
 * </pre>
 *
 * In BE lists, it might be necessary to generate hundreds of tokens. So the
 * tokens do not get automatically persisted after creation for performance
 * reasons.
 *
 * When processing the data that has been submitted by the form, you can check
 * that the form token is valid like this:
 *
 * <pre>
 * if ($dataHasBeenSubmitted && t3lib_formprotection_Factory::get(
 *         t3lib_formprotection_Factory::TYPE_BACK_END
 *     )->validateToken(
 *         (string) t3lib_div::_POST('formToken'),
 *         'BE user setup', 'edit'
 *     )
 * ) {
 *     // processes the data
 * } else {
 *     // no need to do anything here as the BE form protection will create a
 *     // flash message for an invalid token
 * }
 * </pre>
 *
 * Note that validateToken invalidates the token with the token ID. So calling
 * validate with the same parameters two times in a row will always return FALSE
 * for the second call.
 *
 * It is important that the tokens get validated before the tokens are
 * persisted. This makes sure that the tokens that get invalidated by
 * validateToken cannot be used again.
 *
 * $Id$
 *
 * @package TYPO3
 * @subpackage t3lib
 *
 * @author Oliver Klee
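The whole lifecycle for one tt_content edit form, as an added example that is not part of the TYPO3 source: a hypothetical BE module controller (the class, its methods and the `data[header]` field are assumptions) that validates the submitted token first, then generates a fresh one for the re-rendered form, and persists only once at the end, in the order the docblock requires.

```php
<?php
// Added example (not TYPO3 code): hypothetical BE module controller using
// t3lib_formprotection_BackendFormProtection as documented above.
class tx_example_ContentEditModule {
    /** @var string accumulated HTML output of the module */
    protected $content = '';
    /** @var t3lib_formprotection_BackendFormProtection */
    protected $formProtection;

    public function __construct() {
        $this->formProtection = t3lib_formprotection_Factory::get(
            t3lib_formprotection_Factory::TYPE_BACK_END
        );
    }

    public function main() {
        $uid = intval(t3lib_div::_GP('uid'));
        // 1. Validate BEFORE persisting: validateToken drops the used token,
        //    and persistTokens() must write that removal so a replayed POST
        //    with the same token is rejected.
        if (t3lib_div::_POST('submit') !== NULL) {
            $isValid = $this->formProtection->validateToken(
                (string) t3lib_div::_POST('formToken'),
                'tt_content', 'edit', (string) $uid
            );
            if ($isValid) {
                $this->saveRecord($uid, (array) t3lib_div::_POST('data'));
            }
            // Invalid token: the BE form protection already queued a flash message.
        }
        // 2. Render the form again with a new single-use token.
        $this->renderForm($uid);
        // 3. Persist once, after every generateToken()/validateToken() call.
        $this->formProtection->persistTokens();
    }

    protected function renderForm($uid) {
        // Token bound to table, action and record uid, so a token issued for
        // one record is not accepted for another.
        $formToken = $this->formProtection->generateToken('tt_content', 'edit', (string) $uid);
        $this->content .= '<form method="post">'
            . '<input type="hidden" name="formToken" value="' . htmlspecialchars($formToken) . '" />'
            . '<input type="text" name="data[header]" />'
            . '<input type="submit" name="submit" value="Save" />'
            . '</form>';
    }

    protected function saveRecord($uid, array $data) {
        // Illustrative write; a real module would go through TCEmain.
        $GLOBALS['TYPO3_DB']->exec_UPDATEquery('tt_content', 'uid=' . intval($uid),
            array('header' => isset($data['header']) ? $data['header'] : ''));
    }
}
```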