class CMSSecurity extends Security

Provides security interface functionality within the CMS

Traits

Allows an object to have extensions applied to it.
A class that can be instantiated or replaced via DI
Provides extensions to this object to integrate it with standard config API methods.
Allows an object to declare a set of custom methods

Config options

reauth_enabled boolean Enable in-cms reauthentication

Methods

mixed
__call(string $method, array $arguments)

Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located

bool
hasMethod(string $method)

Return TRUE if a method exists on this object

array
allMethodNames(bool $custom = false)

Return the names of all the methods available on this object

static bool
add_extension(string $classOrExtension, string $extension = null)

Add an extension to a specific class.

static 
remove_extension(string $extension)

Remove an extension from a class.

static array
get_extensions(string $class = null, bool $includeArgumentString = false)

No description

static array|null
get_extra_config_sources(string $class = null)

Get extra config sources for this class

static bool
has_extension(string $classOrExtension, string $requiredExtension = null, boolean $strict = false)

Return TRUE if a class has a specified extension.

array
invokeWithExtensions(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array

array
extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed

Extension|null
getExtensionInstance(string $extension)

Get an extension instance attached to this object by name.

bool
hasExtension(string $extension)

Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.

getExtensionInstances()

Get all extension instances for this specific object instance.

static Injectable
create(array $args)

An implementation of the factory method, allows you to create an instance of a class

static Injectable
singleton(string $class = null)

Creates a class instance by the "singleton" design pattern.

static Config_ForClass
config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

mixed
stat(string $name) deprecated

Get inherited config value

mixed
uninherited(string $name)

Gets the uninherited value for the given config option

$this
set_stat(string $name, mixed $value) deprecated

Update the config value for a given property

__construct()

No description

bool
__isset(string $property)

Check if a field exists on this object or its failover.

mixed
__get(string $property)

Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using {@link ViewableData::getField()}, then fall back on a failover object.

__set(string $property, mixed $value)

Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the {@link ViewableData::setField()} method.

setFailover(ViewableData $failover)

Set a failover object to attempt to get data from if it is not present on this object.

getFailover()

Get the current failover object if set

bool
hasField(string $field)

Check if a field exists on this object. This should be overloaded in child classes.

mixed
getField(string $field)

Get the value of a field on this object. This should be overloaded in child classes.

$this
setField(string $field, mixed $value)

Set a field on this object. This should be overloaded in child classes.

defineMethods()

Add methods from the {@link ViewableData::$failover} object, as well as wrapping any methods prefixed with an underscore into a {@link ViewableData::cachedCall()}.

customise(array|ViewableData $data)

Merge some arbitrary data in with this object. This method returns a {@link ViewableData_Customised} instance with references to both this and the new custom data.

bool
exists()

Return true if this object "exists" i.e. has a sensible value

string
__toString()

No description

getCustomisedObj()

No description

setCustomisedObj(ViewableData $object)

No description

string
castingHelper(string $field)

Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object. This helper will be a subclass of DBField.

string
castingClass(string $field)

Get the class name a field on this object will be casted to.

string
escapeTypeForField(string $field)

Return the string-format type for the given field.

renderWith(string|array|SSViewer $template, array $customFields = null)

Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter:
- a template name (e.g. Page)
- an array of possible template names - the first valid one will be used
- an SSViewer instance

Object|DBField
obj(string $fieldName, array $arguments = [], bool $cache = false, string $cacheName = null)

Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.

Object|DBField
cachedCall(string $field, array $arguments = [], string $identifier = null)

A simple wrapper around {@link ViewableData::obj()} that automatically caches the result so it can be used again without re-running the method.

bool
hasValue(string $field, array $arguments = [], bool $cache = true)

Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.

string
XML_val(string $field, array $arguments = [], bool $cache = false)

Get the string value of a field on this object that has been suitably escaped to be inserted directly into a template.

array
getXMLValues(array $fields)

Get an array of XML-escaped values by field name

getIterator()

Return a single-item iterator so you can iterate over the fields of a single record.

array
getViewerTemplates(string $suffix = '')

Find appropriate templates for SSViewer to use to render this object

Me()

When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.

string
ThemeDir() deprecated

Return the directory of the current active theme (relative to the site root).

string
CSSClasses(string $stopAtClass = self::class)

Get part of the current class's ancestry to be used as a CSS class.

Debug()

Return debug information about this object that can be rendered into a template

handleRequest(HTTPRequest $request)

Executes this controller, and return an {@link HTTPResponse} object with the result.

array|null
allowedActions(string $limitToClass = null)

Get an array of allowed actions defined on this controller, any parent classes or extensions.

bool
hasAction(string $action)

No description

bool
checkAccessAction(string $action)

Check that the given action is allowed to be called from a URL.

httpError(int $errorCode, string $errorMessage = null)

Throws a HTTP error response encased in a {@link HTTPResponse_Exception}, which is later caught in {@link RequestHandler::handleAction()} and returned to the user.

getRequest()

Returns the HTTPRequest object that this controller is using.

from Security
$this
setRequest(HTTPRequest $request)

Typically the request is set through {@link handleAction()} or {@link handleRequest()}, but in some cases we want to set it manually.

string
Link(string $action = null)

Get a link to a security action

redirect(string $url, int $code = 302)

Redirect to the given URL.

string
getBackURL()

Safely get the value of the BackURL param, if provided via querystring / posted var

string
getReferer()

Get referer

redirectBack()

Redirect back. Uses either the HTTP-Referer or a manually set request-variable called "BackURL".

doInit()

A stand in function to protect the init function from failing to be called as well as providing before and after hooks for the init function itself

$this
setURLParams(array $urlParams)

No description

array
getURLParams()

Returns the parameters extracted from the URL by the {@link Director}.

getResponse()

Returns the HTTPResponse object that this controller is building up. Can be used to set the status code and headers.

$this
setResponse(HTTPResponse $response)

Sets the HTTPResponse object that this controller is building up.

defaultAction(string $action)

This is the default action handler used if a method doesn't exist. It will process the controller object with the template returned by {@link getViewer()}.

string
getAction()

Returns the action that is being executed on this controller.

getViewer(string $action)

Return the viewer identified as being the default handler for this Controller/Action combination.

string
removeAction(string $fullURL, null|string $action = null)

Removes all the "action" part of the current URL and returns the result. If no action parameter is present, returns the full URL.

bool
hasActionTemplate(string $action)

Returns TRUE if this controller has a template that is specifically designed to handle a specific action.

string
render(array $params = null)

Render the current controller with the templates determined by {@link getViewer()}.

disableBasicAuth() deprecated

Call this to disable site-wide basic authentication for a specific controller. This must be called before Controller::init(). That is, you must call it in your controller's init method before it calls parent::init().

static Controller
curr()

Returns the current controller.

static bool
has_curr()

Tests whether we have a currently active controller or not. True if there is at least 1 controller in the stack.

bool
can(string $perm, null|member $member = null)

Returns true if the member is allowed to do the given action. Defaults to the currently logged in user.

pushCurrent()

Pushes this controller onto the stack of current controllers. This means that any redirection, session setting, or other things that rely on Controller::curr() will now write to this controller object.

popCurrent()

Pop this controller off the top of the stack.

null|string
redirectedTo()

Tests whether a redirection has been requested. If redirect() has been called, it will return the URL redirected to. Otherwise, it will return null.

static string
join_links($arg = null)

Joins two or more link segments together, putting a slash between them if necessary. Use this for building the results of {@link Link()} methods. If either of the links have query strings, then they will be combined and put at the end of the resulting url.

static array
get_template_global_variables()

Defines global accessible templates variables.

from Security
getAuthenticators()

No description

from Security
setAuthenticators(array $authenticators)

No description

from Security
index()

No description

from Security
getApplicableAuthenticators(int $service = Authenticator::CMS_LOGIN)

Get all registered authenticators

bool
hasAuthenticator(string $authenticator)

Check if a given authenticator is registered

from Security
static HTTPResponse
permissionFailure(Controller $controller = null, string|array $messageSet = null)

Register that we've had a permission failure trying to view the given page

from Security
static 
setCurrentUser(null|Member $currentUser = null)

No description

from Security
static null|Member
getCurrentUser()

No description

from Security
array
getLoginForms() deprecated

Get the login forms for all available authentication methods

from Security
ping()

This action is available as a keep alive, so user sessions don't time out. A common use is in the admin.

from Security
setSessionMessage(string $message, string $messageType = ValidationResult::TYPE_WARNING, string $messageCast = ValidationResult::CAST_TEXT)

Set the next message to display for the security login page. Defaults to warning

from Security
static 
clearSessionMessage()

Clear login message

from Security
HTTPResponse|string
login(null|HTTPRequest $request = null, int $service = Authenticator::CMS_LOGIN)

Show the "login" page

HTTPResponse|string
logout(null|HTTPRequest $request = null, int $service = Authenticator::LOGOUT)

Log the currently logged in user out

from Security
basicauthlogin()

No description

from Security
string
lostpassword()

Show the "lost password" page

from Security
string|HTTPRequest
changepassword()

Show the "change password" page.

from Security
static string
getPasswordResetLink(Member $member, string $autologinToken)

Create a link to the password reset form.

from Security
array
getTemplatesFor(string $action)

Determine the list of templates to use for rendering the given action.

from Security
static Member
findAnAdministrator() deprecated

Return an existing member with administrator privileges, or create one if necessary.

from Security
static 
clear_default_admin() deprecated

Flush the default admin credentials

from Security
static bool
setDefaultAdmin(string $username, string $password) deprecated

Set a default admin in dev-mode

from Security
static bool
check_default_admin(string $username, string $password) deprecated

Checks if the passed credentials are matching the default-admin.

from Security
static 
has_default_admin() deprecated

Check that the default admin account has been set.

from Security
static string
default_admin_username() deprecated

Get default admin username

from Security
static string
default_admin_password() deprecated

Get default admin password

from Security
static mixed
encrypt_password(string $password, string $salt = null, string $algorithm = null, Member $member = null)

Encrypt a password according to the current password encryption settings.

from Security
static bool
database_is_ready()

Checks the database is in a state to perform security checks.

from Security
static 
clear_database_is_ready()

Resets the database_is_ready cache

from Security
static 
force_database_is_ready(bool $isReady)

Force the database_is_ready call to return a certain value - used for testing

from Security
static 
set_ignore_disallowed_actions(bool $flag)

Set to true to ignore access to disallowed actions, rather than returning permission failure. Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions()

from Security
static 
ignore_disallowed_actions()

No description

from Security
static string
login_url()

Get the URL of the log-in page.

from Security
static string
logout_url()

Get the URL of the logout page.

from Security
static string
lost_password_url()

Get the URL of the lost password page.

from Security
getTargetMember()

Get known logged out member

getResponseController($title)

No description

bool
getIsloggedIn()

Check if there is a logged in member

bool
enabled()

Determine if CMSSecurity is enabled

success()

Given a successful login, tell the parent frame to close the dialog

Details

in CustomMethods at line 47
mixed __call(string $method, array $arguments)

Attempts to locate and call a method dynamically added to a class at runtime if a default cannot be located

You can add extra methods to a class using {@link Extensions}, {@link Object::createMethod()} or {@link Object::addWrapperMethod()}

Parameters

string $method
array $arguments

Return Value

mixed

Exceptions

BadMethodCallException

in CustomMethods at line 146
bool hasMethod(string $method)

Return TRUE if a method exists on this object

This should be used rather than PHP's built-in method_exists() as it takes into account methods added via extensions

Parameters

string $method

Return Value

bool

in CustomMethods at line 176
array allMethodNames(bool $custom = false)

Return the names of all the methods available on this object

Parameters

bool $custom include methods added dynamically at runtime

Return Value

array

in Extensible at line 172
static bool add_extension(string $classOrExtension, string $extension = null)

Add an extension to a specific class.

The preferred method for adding extensions is through YAML config, since it avoids autoloading the class, and is easier to override in more specific configurations.

As an alternative, extensions can be added to a specific class directly in the {@link Object::$extensions} array. See {@link SiteTree::$extensions} for examples. Keep in mind that the extension will only be applied to new instances, not existing ones (including all instances created through {@link singleton()}).

Parameters

string $classOrExtension Class that should be extended - has to be a subclass of {@link Object}
string $extension Subclass of {@link Extension} with optional parameters as a string, e.g. "Versioned" or "Translatable('Param')"

Return Value

bool Flag if the extension was added

See also

http://doc.silverstripe.org/framework/en/trunk/reference/dataextension

in Extensible at line 236
static remove_extension(string $extension)

Remove an extension from a class.

Note: This will not remove extensions from parent classes, and must be called directly on the class assigned the extension.

Keep in mind that this won't revert any datamodel additions of the extension at runtime, unless it's used before the schema building kicks in (in your _config.php). Doesn't remove the extension from any {@link Object} instances which are already created, but will have an effect on new extensions. Clears any previously created singletons through {@link singleton()} to avoid side-effects from stale extension information.

Parameters

string $extension class name of an {@link Extension} subclass, without parameters

in Extensible at line 278
static array get_extensions(string $class = null, bool $includeArgumentString = false)

Parameters

string $class If omitted, will get extensions for the current class
bool $includeArgumentString Include the argument string in the return array, FALSE would return array("Versioned"), TRUE returns array("Versioned('Stage','Live')").

Return Value

array Numeric array of either {@link DataExtension} class names, or eval'ed class name strings with constructor arguments.

in Extensible at line 312
static array|null get_extra_config_sources(string $class = null)

Get extra config sources for this class

Parameters

string $class Name of class. If left null will return for the current class

Return Value

array|null

in Extensible at line 373
static bool has_extension(string $classOrExtension, string $requiredExtension = null, boolean $strict = false)

Return TRUE if a class has a specified extension.

This supports backwards-compatible format (static Object::has_extension($requiredExtension)) and new format ($object->has_extension($class, $requiredExtension))

Parameters

string $classOrExtension Class to check extension for, or the extension name to check if the second argument is null.
string $requiredExtension If the first argument is the parent class, this is the extension to check. If left null, the first parameter will be treated as the extension.
boolean $strict if the extension has to match the required extension and not be a subclass

Return Value

bool Flag if the extension exists

in Extensible at line 415
array invokeWithExtensions(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Calls a method if available on both this object and all applied {@link Extensions}, and then attempts to merge all results into an array

Parameters

string $method the method name to call
mixed $a1
mixed $a2
mixed $a3
mixed $a4
mixed $a5
mixed $a6
mixed $a7

Return Value

array List of results with nulls filtered out

in Extensible at line 450
array extend(string $method, mixed $a1 = null, mixed $a2 = null, mixed $a3 = null, mixed $a4 = null, mixed $a5 = null, mixed $a6 = null, mixed $a7 = null)

Run the given function on all of this object's extensions. Note that this method originally returned void, so if you wanted to return results, you're hosed

Currently returns an array, with an index resulting every time the function is called. Only adds returns if they're not NULL, to avoid bogus results from methods just defined on the parent extension. This is important for permission-checks through extend, as they use min() to determine if any of the returns is FALSE. As min() doesn't do type checking, an included NULL return would fail the permission checks.

The extension methods are defined during {@link __construct()} in {@link defineMethods()}.

Parameters

string $method the name of the method to call on each extension
mixed $a1
mixed $a2
mixed $a3
mixed $a4
mixed $a5
mixed $a6
mixed $a7

Return Value

array
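
The NULL-filtering note above, shown as an added example in plain PHP (written for this page, not SilverStripe framework code). The two classes, `collectResults()` and `decide()` are hypothetical stand-ins for extensions, for the way extend() gathers results, and for a caller that applies min() to them.

```php
<?php
// Added illustration with hypothetical names; it does not load SilverStripe.

/** Stand-in extension: grants editors, has no opinion (NULL) on anyone else. */
class AllowEditors
{
    public function canEdit(string $role): ?bool
    {
        return $role === 'editor' ? true : null;
    }
}

/** Stand-in extension: denies suspended users, no opinion (NULL) otherwise. */
class DenySuspended
{
    public function canEdit(string $role): ?bool
    {
        return $role === 'suspended' ? false : null;
    }
}

/**
 * Gather hook results from every extension that defines $method.
 * With $filterNulls = true this follows the documented behaviour of extend():
 * a return value is only added to the array when it is not NULL.
 */
function collectResults(array $extensions, string $method, string $role, bool $filterNulls): array
{
    $results = [];
    foreach ($extensions as $extension) {
        if (!method_exists($extension, $method)) {
            continue;
        }
        $value = $extension->$method($role);
        if ($filterNulls && $value === null) {
            continue; // "no opinion" must not reach min()
        }
        $results[] = $value;
    }
    return $results;
}

/**
 * Caller-side decision: min() over the results, so any FALSE denies.
 * min() on an empty array is an error, so an empty set uses the default.
 */
function decide(array $results, bool $default): bool
{
    if ($results === []) {
        return $default;
    }
    return (bool) min($results);
}

$extensions = [new AllowEditors(), new DenySuspended()];

// Constructed sample roles; the default when nobody has an opinion is "allow".
foreach (['editor', 'suspended', 'guest'] as $role) {
    $filtered   = decide(collectResults($extensions, 'canEdit', $role, true), true);
    $unfiltered = decide(collectResults($extensions, 'canEdit', $role, false), true);
    printf(
        "%-10s filtered=%-6s unfiltered=%s\n",
        $role,
        $filtered ? 'allow' : 'deny',
        $unfiltered ? 'allow' : 'deny'
    );
}
```

Because min() compares loosely, a NULL sorts below TRUE, so without the filter the editor's explicit grant and the guest's default are both turned into a denial by an extension that simply had nothing to say.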

in Extensible at line 497
Extension|null getExtensionInstance(string $extension)

Get an extension instance attached to this object by name.

Parameters

string $extension

Return Value

Extension|null

in Extensible at line 526
bool hasExtension(string $extension)

Returns TRUE if this object instance has a specific extension applied in {@link $extension_instances}. Extension instances are initialized at constructor time, meaning if you use {@link add_extension()} afterwards, the added extension will just be added to new instances of the extended class. Use the static method {@link has_extension()} to check if a class (not an instance) has a specific extension.

Caution: Don't use singleton()->hasExtension() as it will give you inconsistent results based on when the singleton was first accessed.

Parameters

string $extension Classname of an {@link Extension} subclass without parameters

Return Value

bool

in Extensible at line 540
Extension[] getExtensionInstances()

Get all extension instances for this specific object instance.

See {@link get_extensions()} to get all applied extension classes for this class (not the instance).

This method also provides lazy-population of the extension_instances property.

Return Value

Extension[] Map of {@link DataExtension} instances, keyed by classname.

in Injectable at line 26
static Injectable create(array $args)

An implementation of the factory method, allows you to create an instance of a class

This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.

This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create('SiteTree'); $list = SiteTree::get();

Parameters

array $args

Return Value

Injectable

in Injectable at line 43
static Injectable singleton(string $class = null)

Creates a class instance by the "singleton" design pattern.

It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).

Parameters

string $class Optional classname to create, if the called class should not be used

Return Value

Injectable The singleton instance

in Configurable at line 20
static Config_ForClass config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

Return Value

Config_ForClass

in Configurable at line 32
mixed stat(string $name) deprecated

deprecated 5.0 Use ->config()->get() instead

Get inherited config value

Parameters

string $name

Return Value

mixed

in Configurable at line 44
mixed uninherited(string $name)

Gets the uninherited value for the given config option

Parameters

string $name

Return Value

mixed

in Configurable at line 57
$this set_stat(string $name, mixed $value) deprecated

deprecated 5.0 Use ->config()->set() instead

Update the config value for a given property

Parameters

string $name
mixed $value

Return Value

$this

in RequestHandler at line 121
__construct()

in ViewableData at line 106
bool __isset(string $property)

Check if a field exists on this object or its failover.

Note that, unlike the core isset() implementation, this will return true if the property is defined and set to null.

Parameters

string $property

Return Value

bool

in ViewableData at line 129
mixed __get(string $property)

Get the value of a property/field on this object. This will check if a method called get{$property} exists, then check if a field is available using {@link ViewableData::getField()}, then fall back on a failover object.

Parameters

string $property

Return Value

mixed

in ViewableData at line 152
__set(string $property, mixed $value)

Set a property/field on this object. This will check for the existence of a method called set{$property}, then use the {@link ViewableData::setField()} method.

Parameters

string $property
mixed $value

in ViewableData at line 167
setFailover(ViewableData $failover)

Set a failover object to attempt to get data from if it is not present on this object.

Parameters

ViewableData $failover

in ViewableData at line 183
ViewableData|null getFailover()

Get the current failover object if set

Return Value

ViewableData|null

in ViewableData at line 194
bool hasField(string $field)

Check if a field exists on this object. This should be overloaded in child classes.

Parameters

string $field

Return Value

bool

in ViewableData at line 205
mixed getField(string $field)

Get the value of a field on this object. This should be overloaded in child classes.

Parameters

string $field

Return Value

mixed

in ViewableData at line 217
$this setField(string $field, mixed $value)

Set a field on this object. This should be overloaded in child classes.

Parameters

string $field
mixed $value

Return Value

$this

in ViewableData at line 232
defineMethods()

Add methods from the {@link ViewableData::$failover} object, as well as wrapping any methods prefixed with an underscore into a {@link ViewableData::cachedCall()}.

Exceptions

LogicException

in ViewableData at line 258
ViewableData_Customised customise(array|ViewableData $data)

Merge some arbitrary data in with this object. This method returns a {@link ViewableData_Customised} instance with references to both this and the new custom data.

Note that any fields you specify will take precedence over the fields on this object.

Parameters

array|ViewableData $data

Return Value

ViewableData_Customised

in ViewableData at line 281
bool exists()

Return true if this object "exists" i.e. has a sensible value

This method should be overridden in subclasses to provide more context about the class's state. For example, a {@link DataObject} class could return false when it is deleted from the database

Return Value

bool

in ViewableData at line 289
string __toString()

Return Value

string the class name

in ViewableData at line 297
ViewableData getCustomisedObj()

Return Value

ViewableData

in ViewableData at line 305
setCustomisedObj(ViewableData $object)

Parameters

ViewableData $object

in ViewableData at line 320
string castingHelper(string $field)

Return the "casting helper" (a piece of PHP code that when evaluated creates a casted value object) for a field on this object. This helper will be a subclass of DBField.

Parameters

string $field

Return Value

string Casting helper As a constructor pattern, and may include arguments.

Exceptions

Exception

in ViewableData at line 352
string castingClass(string $field)

Get the class name a field on this object will be casted to.

Parameters

string $field

Return Value

string

in ViewableData at line 365
string escapeTypeForField(string $field)

Return the string-format type for the given field.

Parameters

string $field

Return Value

string 'xml'|'raw'

in ViewableData at line 389
DBHTMLText renderWith(string|array|SSViewer $template, array $customFields = null)

Render this object into the template, and get the result as a string. You can pass one of the following as the $template parameter:
- a template name (e.g. Page)
- an array of possible template names - the first valid one will be used
- an SSViewer instance

Parameters

string|array|SSViewer $template the template to render into
array $customFields fields to customise() the object with before rendering

Return Value

DBHTMLText

in ViewableData at line 471
Object|DBField obj(string $fieldName, array $arguments = [], bool $cache = false, string $cacheName = null)

Get the value of a field on this object, automatically inserting the value into any available casting objects that have been specified.

Parameters

string $fieldName
array $arguments
bool $cache Cache this object
string $cacheName a custom cache name

Return Value

Object|DBField

in ViewableData at line 516
Object|DBField cachedCall(string $field, array $arguments = [], string $identifier = null)

A simple wrapper around {@link ViewableData::obj()} that automatically caches the result so it can be used again without re-running the method.

Parameters

string $field
array $arguments
string $identifier an optional custom cache identifier

Return Value

Object|DBField

in ViewableData at line 530
bool hasValue(string $field, array $arguments = [], bool $cache = true)

Checks if a given method/field has a valid value. If the result is an object, this will return the result of the exists method, otherwise will check if the result is not just an empty paragraph tag.

Parameters

string $field
array $arguments
bool $cache

Return Value

bool

in ViewableData at line 545
string XML_val(string $field, array $arguments = [], bool $cache = false)

Get the string value of a field on this object that has been suitably escaped to be inserted directly into a template.

Parameters

string $field
array $arguments
bool $cache

Return Value

string

in ViewableData at line 558
array getXMLValues(array $fields)

Get an array of XML-escaped values by field name

Parameters

array $fields an array of field names

Return Value

array

in ViewableData at line 579
ArrayIterator getIterator()

Return a single-item iterator so you can iterate over the fields of a single record.

This is useful so you can use a single record inside a <% control %> block in a template - and then use to access individual fields on this object.

Return Value

ArrayIterator

in ViewableData at line 592
array getViewerTemplates(string $suffix = '')

Find appropriate templates for SSViewer to use to render this object

Parameters

string $suffix

Return Value

array

in ViewableData at line 603
ViewableData Me()

When rendering some objects it is necessary to iterate over the object being rendered, to do this, you need access to itself.

Return Value

ViewableData

in ViewableData at line 620
string ThemeDir() deprecated

deprecated 4.0.0:5.0.0 Use $resourcePath or $resourceURL template helpers instead

Return the directory of the current active theme (relative to the site root).

This method is useful for things such as accessing theme images from your template without hardcoding the theme page - e.g. .

This method should only be used when a theme is currently active. However, it will fall over to the current project directory.

Return Value

string URL to the current theme

in ViewableData at line 647
string CSSClasses(string $stopAtClass = self::class)

Get part of the current class's ancestry to be used as a CSS class.

This method returns an escaped string of CSS classes representing the current class's ancestry until it hits a stop point - e.g. "Page DataObject ViewableData".

Parameters

string $stopAtClass the class to stop at (default: ViewableData)

Return Value

string

in ViewableData at line 676
ViewableData_Debugger Debug()

Return debug information about this object that can be rendered into a template

Return Value

ViewableData_Debugger

in Controller at line 199
HTTPResponse|RequestHandler|string|array handleRequest(HTTPRequest $request)

Executes this controller, and returns an {@link HTTPResponse} object with the result.

This method defers to {@link RequestHandler->handleRequest()} to determine which action should be executed

Note: You should rarely need to overload handleRequest() - this kind of change is only really appropriate for things like nested controllers - {@link ModelAsController} and {@link RootURLController} are two examples here. If you want to make more orthodox functionality, it's better to overload {@link init()} or {@link index()}.

Important: If you are going to overload handleRequest, make sure that you start the method with $this->beforeHandleRequest() and end the method with $this->afterHandleRequest()

Parameters

HTTPRequest $request The object that is responsible for distributing URL parsing

Return Value

HTTPResponse|RequestHandler|string|array

in RequestHandler at line 345
array|null allowedActions(string $limitToClass = null)

Get an array of allowed actions defined on this controller, any parent classes or extensions.

Caution: Since 3.1, allowed_actions definitions only apply to methods on the controller they're defined on, so it is recommended to use the $limitToClass argument when invoking this method.

Parameters

string $limitToClass

Return Value

array|null

in Controller at line 427
bool hasAction(string $action)

Parameters

string $action

Return Value

bool

in RequestHandler at line 456
bool checkAccessAction(string $action)

Check that the given action is allowed to be called from a URL.

It will interrogate {@link self::$allowed_actions} to determine this.

Parameters

string $action

Return Value

bool

Exceptions

Exception

in RequestHandler at line 516
httpError(int $errorCode, string $errorMessage = null)

Throws an HTTP error response encased in a {@link HTTPResponse_Exception}, which is later caught in {@link RequestHandler::handleAction()} and returned to the user.

Parameters

int $errorCode
string $errorMessage Plaintext error message

Exceptions

HTTPResponse_Exception

in Security at line 543
HTTPRequest getRequest()

Returns the HTTPRequest object that this controller is using.

Returns a placeholder {@link NullHTTPRequest} object unless {@link handleAction()} or {@link handleRequest()} have been called, which adds a reference to an actual {@link HTTPRequest} object.

Return Value

HTTPRequest

in Controller at line 145
$this setRequest(HTTPRequest $request)

Typically the request is set through {@link handleAction()} or {@link handleRequest()}, but in some cases we want to set it manually.

Parameters

HTTPRequest $request

Return Value

$this

Get a link to a security action

Parameters

string $action Optional action

Return Value

string

in Controller at line 634
HTTPResponse redirect(string $url, int $code = 302)

Redirect to the given URL.

Parameters

string $url
int $code

Return Value

HTTPResponse

in RequestHandler at line 601
string getBackURL()

Safely get the value of the BackURL param, if provided via querystring / posted var

Return Value

string

in RequestHandler at line 642
string getReferer()

Get referer

Return Value

string

in RequestHandler at line 661
HTTPResponse redirectBack()

Redirect back. Uses either the HTTP-Referer or a manually set request-variable called "BackURL".

This variable is needed in scenarios where HTTP-Referer is not sent (e.g. when calling a page by location.href in IE). If neither of the two variables is available, it will redirect to the base URL (see {@link Director::baseURL()}).

Return Value

HTTPResponse

in Controller at line 120
doInit()

A stand-in function that protects the init function from failing to be called, and provides before and after hooks for the init function itself

This should be called on all controllers before handling requests

in Controller at line 314
$this setURLParams(array $urlParams)

Parameters

array $urlParams

Return Value

$this

in Controller at line 325
array getURLParams()

Returns the parameters extracted from the URL by the {@link Director}.

Return Value

array

in Controller at line 336
HTTPResponse getResponse()

Returns the HTTPResponse object that this controller is building up. Can be used to set the status code and headers.

Return Value

HTTPResponse

in Controller at line 351
$this setResponse(HTTPResponse $response)

Sets the HTTPResponse object that this controller is building up.

Parameters

HTTPResponse $response

Return Value

$this

in Controller at line 369
DBHTMLText defaultAction(string $action)

This is the default action handler used if a method doesn't exist. It will process the controller object with the template returned by {@link getViewer()}.

Parameters

string $action

Return Value

DBHTMLText

in Controller at line 379
string getAction()

Returns the action that is being executed on this controller.

Return Value

string

in Controller at line 391
SSViewer getViewer(string $action)

Return the viewer identified as being the default handler for this Controller/Action combination.

Parameters

string $action

Return Value

SSViewer

in Controller at line 441
string removeAction(string $fullURL, null|string $action = null)

Removes all the "action" part of the current URL and returns the result. If no action parameter is present, returns the full URL.

Parameters

string $fullURL
null|string $action

Return Value

string

in Controller at line 491
bool hasActionTemplate(string $action)

Returns TRUE if this controller has a template that is specifically designed to handle a specific action.

Parameters

string $action

Return Value

bool

in Controller at line 515
string render(array $params = null)

Render the current controller with the templates determined by {@link getViewer()}.

Parameters

array $params

Return Value

string

in Controller at line 537
disableBasicAuth() deprecated

deprecated 4.1.0:5.0.0 Add this controller's url to SilverStripe\Security\BasicAuthMiddleware.URLPatterns injected property instead of setting false

Call this to disable site-wide basic authentication for a specific controller. This must be called before Controller::init(). That is, you must call it in your controller's init method before it calls parent::init().

in Controller at line 551
static Controller curr()

Returns the current controller.

Return Value

Controller

in Controller at line 566
static bool has_curr()

Tests whether we have a currently active controller or not. True if there is at least 1 controller in the stack.

Return Value

bool

in Controller at line 580
bool can(string $perm, null|member $member = null)

Returns true if the member is allowed to do the given action. Defaults to the currently logged in user.

Parameters

string $perm
null|member $member

Return Value

bool

in Controller at line 604
pushCurrent()

Pushes this controller onto the stack of current controllers. This means that any redirection, session setting, or other things that rely on Controller::curr() will now write to this controller object.

Note: Ensure this controller is assigned a request with a valid session before pushing it to the stack.

in Controller at line 614
popCurrent()

Pop this controller off the top of the stack.

in Controller at line 652
null|string redirectedTo()

Tests whether a redirection has been requested. If redirect() has been called, it will return the URL redirected to. Otherwise, it will return null.

Return Value

null|string

Joins two or more link segments together, putting a slash between them if necessary. Use this for building the results of {@link Link()} methods. If either of the links have query strings, then they will be combined and put at the end of the resulting url.

Caution: All parameters are expected to be URI-encoded already.

Parameters

$arg

Return Value

string

in Security at line 1363
static array get_template_global_variables()

Defines globally accessible template variables.

Return Value

array Returns an array of items. Each key => value pair is one of three forms:
- template name (no key)
- template name => method name
- template name => array(), where the array can contain these key => value pairs:
  - "method" => method name
  - "casting" => casting class to use (i.e., Varchar, HTMLFragment, etc)

in Security at line 203
Authenticator[] getAuthenticators()

Return Value

Authenticator[]

in Security at line 211
setAuthenticators(array $authenticators)

Parameters

array $authenticators

in Security at line 233
index()

at line 63
Authenticator[] getApplicableAuthenticators(int $service = Authenticator::CMS_LOGIN)

Get all registered authenticators

Parameters

int $service The type of service that is requested

Return Value

Authenticator[] Return an array of Authenticator objects

in Security at line 287
bool hasAuthenticator(string $authenticator)

Check if a given authenticator is registered

Parameters

string $authenticator The configured identifier of the authenticator

Return Value

bool Returns TRUE if the authenticator is registered, FALSE otherwise.

in Security at line 319
static HTTPResponse permissionFailure(Controller $controller = null, string|array $messageSet = null)

Register that we've had a permission failure trying to view the given page

This will redirect to a login page. If you don't provide a messageSet, a default will be used.

Parameters

Controller $controller The controller that you were on to cause the permission failure.
string|array $messageSet The message to show to the user. This can be a string, or a map of different messages for different contexts. If you pass an array, you can use the following keys:
- default: The default message
- alreadyLoggedIn: The message to show if the user is already logged in and lacks the permission to access the item.

The alreadyLoggedIn value can contain a '%s' placeholder that will be replaced with a link to log in.

Return Value

HTTPResponse
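
How the allowed_actions checks described under checkAccessAction() and the messageSet keys of permissionFailure() fit together in one controller. This is an added example, not SilverStripe's own code; the class name ReportsController, its action names and the message texts are assumptions.

```php
<?php

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Security\Permission;
use SilverStripe\Security\Security;

// Hypothetical controller: class name, action names and messages are assumptions.
class ReportsController extends Controller
{
    // Only actions listed here can be called from a URL. checkAccessAction()
    // evaluates the rule on each entry; a failed rule is refused by the request handler.
    private static $allowed_actions = [
        'summary',                    // no rule here: access is decided in the method body
        'export'  => 'ADMIN',         // current member must hold this permission code
        'archive' => '->canArchive',  // a method on this controller returns true or false
    ];

    // Backs the '->canArchive' rule: administrators only, and only via POST.
    public function canArchive()
    {
        return Permission::check('ADMIN') && $this->getRequest()->isPOST();
    }

    public function summary(HTTPRequest $request)
    {
        if (!Permission::check('ADMIN')) {
            // permissionFailure() redirects to the login page; the map supplies
            // one message for anonymous visitors and one for logged-in members
            // who lack the permission.
            return Security::permissionFailure($this, [
                'default' => 'Please log in as an administrator to view the summary.',
                'alreadyLoggedIn' => 'Your account is not allowed to view the summary.',
            ]);
        }

        return ['Title' => 'Report summary'];
    }

    public function export(HTTPRequest $request)
    {
        // Reached only after the 'ADMIN' rule above has passed.
        return ['Title' => 'Report export'];
    }

    public function archive(HTTPRequest $request)
    {
        // Reached only after canArchive() has returned true.
        return ['Title' => 'Report archived'];
    }

    // Public, but absent from $allowed_actions, so no URL can invoke it.
    public function purgeCache()
    {
        return true;
    }
}
```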

in Security at line 441
static setCurrentUser(null|Member $currentUser = null)

Parameters

null|Member $currentUser

in Security at line 449
static null|Member getCurrentUser()

Return Value

null|Member

in Security at line 463
array getLoginForms() deprecated

deprecated 5.0.0 Now handled by {@link static::delegateToMultipleHandlers}

Get the login forms for all available authentication methods

Return Value

array Returns an array of available login forms (array of Form objects).

in Security at line 496
ping()

This action is available as a keep-alive, so user sessions don't time out. A common use is in the admin.

in Security at line 640
setSessionMessage(string $message, string $messageType = ValidationResult::TYPE_WARNING, string $messageCast = ValidationResult::CAST_TEXT)

Set the next message to display for the security login page. Defaults to warning

Parameters

string $message Message
string $messageType Message type. One of ValidationResult::TYPE_*
string $messageCast Message cast. One of ValidationResult::CAST_*

in Security at line 656
static clearSessionMessage()

Clear login message

at line 47
HTTPResponse|string login(null|HTTPRequest $request = null, int $service = Authenticator::CMS_LOGIN)

Show the "login" page

For multiple authenticators, Security_MultiAuthenticatorLogin is used. See getTemplatesFor and getIncludeTemplate for how to override template logic

Parameters

null|HTTPRequest $request
int $service

Return Value

HTTPResponse|string Returns the "login" page as HTML code.

Exceptions

HTTPResponse_Exception

in Security at line 720
HTTPResponse|string logout(null|HTTPRequest $request = null, int $service = Authenticator::LOGOUT)

Log the currently logged in user out

Logging out without an ID parameter in the URL will log the user out of all applicable Authenticators.

Adding an ID will only log the user out of that Authentication method.

Parameters

null|HTTPRequest $request
int $service

Return Value

HTTPResponse|string

in Security at line 952
basicauthlogin()

in Security at line 963
string lostpassword()

Show the "lost password" page

Return Value

string Returns the "lost password" page as HTML code.

in Security at line 994
string|HTTPRequest changepassword()

Show the "change password" page.

This page can either be called directly by logged-in users (in which case they need to provide their old password), or through a link emailed through {@link lostpassword()}. In the latter case no old password is required; authentication is ensured through the Member.AutoLoginHash property.

Return Value

string|HTTPRequest Returns the "change password" page as HTML code, or a redirect response

See also

ChangePasswordForm

Create a link to the password reset form.

GET parameters used:
- m: member ID
- t: plaintext token

Parameters

Member $member Member object associated with this link.
string $autologinToken The auto login token.

Return Value

string

in Security at line 1036
array getTemplatesFor(string $action)

Determine the list of templates to use for rendering the given action.

Parameters

string $action

Return Value

array Template list

in Security at line 1066
static Member findAnAdministrator() deprecated

deprecated 4.0.0:5.0.0 Please use DefaultAdminService::findOrCreateDefaultAdmin()

Return an existing member with administrator privileges, or create one if necessary.

Will create a default 'Administrators' group if no group is found with an ADMIN permission. Will create a new 'Admin' member with administrative permissions if no existing Member with these permissions is found.

Important: Any newly created administrator accounts will NOT have valid login credentials (Email/Password properties), which means they can't be used for login purposes outside of any default credentials set through {@link Security::setDefaultAdmin()}.

Return Value

Member

in Security at line 1079
static clear_default_admin() deprecated

deprecated 4.0.0:5.0.0 Please use DefaultAdminService::clearDefaultAdmin()

Flush the default admin credentials

in Security at line 1100
static bool setDefaultAdmin(string $username, string $password) deprecated

deprecated 4.0.0:5.0.0 Please use DefaultAdminService::setDefaultAdmin($username, $password)

Set a default admin in dev-mode

This will set a static default admin which does not exist as a database record. With this workaround we can test pages in dev mode with a unified login. Submitted login credentials are first checked against this static information in {@link Security::authenticate()}.

Parameters

string $username The user name
string $password The password (in cleartext)

Return Value

bool True if successfully set

in Security at line 1118
static bool check_default_admin(string $username, string $password) deprecated

deprecated 4.0.0:5.0.0 Use DefaultAdminService::isDefaultAdminCredentials() instead

Checks if the passed credentials match the default admin.

Compares cleartext-password set through Security::setDefaultAdmin().

Parameters

string $username
string $password

Return Value

bool

in Security at line 1131
static has_default_admin() deprecated

deprecated 4.0.0:5.0.0 Use DefaultAdminService::hasDefaultAdmin() instead

Check that the default admin account has been set.

in Security at line 1144
static string default_admin_username() deprecated

deprecated 4.0.0:5.0.0 Use DefaultAdminService::getDefaultAdminUsername()

Get default admin username

Return Value

string

in Security at line 1157
static string default_admin_password() deprecated

deprecated 4.0.0:5.0.0 Use DefaultAdminService::getDefaultAdminPassword()

Get default admin password

Return Value

string

in Security at line 1192
static mixed encrypt_password(string $password, string $salt = null, string $algorithm = null, Member $member = null)

Encrypt a password according to the current password encryption settings.

If the settings are such that passwords shouldn't be encrypted, the result is simply the clear text password with an empty salt, except when a custom algorithm ($algorithm parameter) was passed.

Parameters

string $password The password to encrypt
string $salt Optional: The salt to use. If it is not passed, but needed, the method will automatically create a random salt that will then be returned as return value.
string $algorithm Optional: Use another algorithm to encrypt the password (so that the encryption algorithm can be changed over time).
Member $member Optional

Return Value

mixed Returns an associative array containing the encrypted password and the used salt in the form:

array(
    'password' => string,
    'salt' => string,
    'algorithm' => string,
    'encryptor' => PasswordEncryptor instance
)

If the passed algorithm is invalid, FALSE will be returned.

Exceptions

PasswordEncryptor_NotFoundException

See also

encrypt_passwords()
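
A sketch of storing and verifying a password with encrypt_password(), covering the three outcomes documented above: the result array, the FALSE / exception path for an invalid algorithm, and the clear text result when encryption is disabled. This is an added example, not SilverStripe's own code; the helper names hashForStorage() and verifyPassword() are assumptions, and it must run inside a bootstrapped SilverStripe application.

```php
<?php

use SilverStripe\Security\PasswordEncryptor;
use SilverStripe\Security\PasswordEncryptor_NotFoundException;
use SilverStripe\Security\Security;

// Hypothetical helper: returns only the values that need to be persisted.
function hashForStorage(string $password, ?string $algorithm = null): array
{
    try {
        // No salt is passed, so a random one is generated and returned.
        $result = Security::encrypt_password($password, null, $algorithm);
    } catch (PasswordEncryptor_NotFoundException $e) {
        throw new RuntimeException('Unknown password algorithm', 0, $e);
    }

    // The documented return value for an invalid algorithm is FALSE.
    if ($result === false) {
        throw new RuntimeException('Unknown password algorithm');
    }

    // When the settings disable encryption, the "hash" is the clear text
    // password with an empty salt. Refuse to persist that.
    if (hash_equals((string) $result['password'], $password)) {
        throw new RuntimeException('Password encryption is disabled; refusing to store clear text');
    }

    return [
        'password'  => $result['password'],
        'salt'      => $result['salt'],
        'algorithm' => $result['algorithm'], // stored so the algorithm can change over time
    ];
}

// Hypothetical helper: checks a login attempt against a stored record.
function verifyPassword(array $stored, string $candidate): bool
{
    // Use the algorithm recorded with the hash, not the current default,
    // so older records still verify after the default changes.
    $encryptor = PasswordEncryptor::create_for_algorithm($stored['algorithm']);

    return $encryptor->check($stored['password'], $candidate, $stored['salt']);
}

// Constructed sample values.
$record = hashForStorage('correct horse battery staple');
$accepted = verifyPassword($record, 'correct horse battery staple'); // true
$rejected = verifyPassword($record, 'wrong guess');                  // false
```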

in Security at line 1218
static bool database_is_ready()

Checks the database is in a state to perform security checks.

See {@link DatabaseAdmin->init()} for more information.

Return Value

bool

in Security at line 1270
static clear_database_is_ready()

Resets the database_is_ready cache

in Security at line 1281
static force_database_is_ready(bool $isReady)

Force the database_is_ready call to return a certain value - used for testing

Parameters

bool $isReady

in Security at line 1310
static set_ignore_disallowed_actions(bool $flag)

Set to true to ignore access to disallowed actions, rather than returning permission failure. Note that this is just a flag that other code needs to check with Security::ignore_disallowed_actions()

Parameters

bool $flag True or false

in Security at line 1315
static ignore_disallowed_actions()

in Security at line 1327
static string login_url()

Get the URL of the log-in page.

To update the login url use the "Security.login_url" config setting.

Return Value

string

in Security at line 1340
static string logout_url()

Get the URL of the logout page.

To update the logout url use the "Security.logout_url" config setting.

Return Value

string

in Security at line 1353
static string lost_password_url()

Get the URL of the lost password page.

To update the lost password url use the "Security.lost_password_url" config setting.

Return Value

string

at line 73
Member getTargetMember()

Get known logged out member

Return Value

Member

at line 83
getResponseController($title)

Parameters

$title

at line 108
bool getIsloggedIn()

Check if there is a logged in member

Return Value

bool

at line 161
bool enabled()

Determine if CMSSecurity is enabled

Return Value

bool

at line 176
HTTPResponse|DBField success()

Given a successful login, tell the parent frame to close the dialog

Return Value

HTTPResponse|DBField