EnforcementManager
class EnforcementManager
The EnforcementManager class is responsible for making decisions regarding multi-factor authentication app flow, e.g. "should we redirect to the MFA section", "can the user skip MFA registration" etc.
Traits
Provides extensions to this object to integrate it with standard config API methods.
A class that can be instantiated or replaced via DI
Config options
required_mfa_methods | int | Indicates how many MFA methods the user must authenticate with before they are considered logged in
requires_admin_access | bool | If true, redirects to MFA will only be provided when the current user has access to some part of the CMS or administration area.
enabled | bool | Whether enforcement of MFA is enabled. If this is disabled, users will not be redirected to MFA registration or verification on login flows.
Properties
Methods
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
Gets the uninherited value for the given config option
An implementation of the factory method, allows you to create an instance of a class
Creates a class instance by the "singleton" design pattern.
Whether the authentication process should redirect the provided user to MFA registration or login.
Check if the provided member has registered the required MFA methods. This includes the default backup method if configured, and at least one other method.
Whether MFA is required for eligible users. This takes into account whether a grace period is set and whether we're currently inside the window for it.
Specifically determines whether the MFA Grace Period is currently active.
Decides whether the provided user has access to any LeftAndMain controller, which indicates some level of access to the CMS.
Details
static Config_ForClass
config()
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
mixed
uninherited(string $name)
Gets the uninherited value for the given config option
static Injectable
create(mixed ...$args)
An implementation of the factory method, allows you to create an instance of a class
This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create(SiteTree::class); $list = SiteTree::get();
static Injectable
singleton(string $class = null)
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
bool
canSkipMFA(Member $member)
Whether the provided member can skip the MFA registration process.
This is determined by a combination of:
- Whether MFA is enabled and there are methods available for use
- Whether the user has admin access (MFA is disabled by default for users that don't)
- Whether MFA is required - EnforcementManager::isMFARequired()
- Whether the user has registered MFA methods already
bool
shouldRedirectToMFA(Member $member)
Whether the authentication process should redirect the provided user to MFA registration or login.
This is determined by a combination of:
- Whether MFA is enabled and there are methods available for use
- Whether the user has admin access (MFA is disabled by default for users that don't)
- Whether the user has existing MFA methods registered
- Whether a grace period is in effect (we always redirect eligible users in this case)
- Whether MFA is mandatory (without a grace period or after it has expired)
- Whether the user has previously opted to skip the registration process
bool
hasCompletedRegistration(Member $member)
Check if the provided member has registered the required MFA methods. This includes the default backup method if configured, and at least one other method.
bool
isMFARequired()
Whether MFA is required for eligible users. This takes into account whether a grace period is set and whether we're currently inside the window for it.
Note that in determining this, we ignore whether or not MFA is enabled for the site in general.
bool
isGracePeriodInEffect()
Specifically determines whether the MFA Grace Period is currently active.
protected bool
hasAdminAccess(Member $member)
Decides whether the provided user has access to any LeftAndMain controller, which indicates some level of access to the CMS.
protected bool
isEnabled()
MFA is enabled if:
- The EnforcementManager::enabled configuration is set to true
- There is at least one non-backup method available to register
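The public methods documented above can be combined to audit how the current enforcement settings treat each account. The following is an added example, not code from the module itself; the helper name auditMfaEnforcement() is hypothetical, and the SilverStripe\MFA\Service namespace is an assumption because this page does not state it.

```php
<?php
// Added example, not part of the module's own code.
// Assumption: EnforcementManager lives in SilverStripe\MFA\Service.
use SilverStripe\MFA\Service\EnforcementManager;
use SilverStripe\Security\Member;

/**
 * Hypothetical helper: report how the enforcement settings apply to each
 * member, so accounts that MFA does not cover are visible to an admin.
 */
function auditMfaEnforcement(iterable $members): array
{
    $manager = EnforcementManager::singleton();
    $config = EnforcementManager::config();

    $report = [
        'site' => [
            'enabled' => (bool) $config->get('enabled'),
            'requires_admin_access' => (bool) $config->get('requires_admin_access'),
            'required_mfa_methods' => (int) $config->get('required_mfa_methods'),
            // isMFARequired() ignores the 'enabled' flag, so read both.
            'mfa_required' => $manager->isMFARequired(),
            'grace_period_active' => $manager->isGracePeriodInEffect(),
        ],
        'members' => [],
    ];

    foreach ($members as $member) {
        if ($manager->hasCompletedRegistration($member)) {
            $status = 'registration complete';
        } elseif (!$manager->shouldRedirectToMFA($member)) {
            // Not sent to MFA: enforcement is off, the member has no CMS
            // access while requires_admin_access is true, or the member
            // previously opted to skip registration.
            $status = 'not redirected to MFA';
        } elseif ($manager->canSkipMFA($member)) {
            $status = 'redirected, but may skip registration';
        } else {
            $status = 'must register at next login';
        }
        $report['members'][$member->Email] = $status;
    }

    return $report;
}

// Usage from a bootstrapped SilverStripe process (e.g. a dev task):
// print_r(auditMfaEnforcement(Member::get()));
```

Accounts reported as "not redirected to MFA" or "may skip registration" are the ones to review when deciding whether to set requires_admin_access to false or make MFA mandatory.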