class EnforcementManager

The EnforcementManager class is responsible for making decisions regarding multi-factor authentication app flow, e.g. "should we redirect to the MFA section", "can the user skip MFA registration" etc.

Traits

Provides extensions to this object to integrate it with standard config API methods.

A class that can be instantiated or replaced via DI

Config options

required_mfa_methods int

Indicate how many MFA methods the user must authenticate with before they are considered logged in

requires_admin_access bool

If true, redirects to MFA will only be provided when the current user has access to some part of the CMS or administration area.

enabled bool

Whether enforcement of MFA is enabled. If this is disabled, users will not be redirected to MFA registration or verification on login flows.

Properties

Methods

public static 
config()

Get a configuration accessor for this class. Shorthand for Config::inst()->get($this->class, .....).

public
mixed
uninherited(string $name)

Gets the uninherited value for the given config option

public static 
create(mixed ...$args)

An implementation of the factory method, allows you to create an instance of a class

public static 
singleton(string $class = null)

Creates a class instance by the "singleton" design pattern.

public
bool
canSkipMFA(Member $member)

Whether the provided member can skip the MFA registration process.

public
bool
shouldRedirectToMFA(Member $member)

Whether the authentication process should redirect the provided user to MFA registration or login.

public
bool
hasCompletedRegistration(Member $member)

Check if the provided member has registered the required MFA methods. This includes the default backup method if configured, and at least one other method.

public
bool
isMFARequired()

Whether MFA is required for eligible users. This takes into account whether a grace period is set and whether we're currently inside the window for it.

public
bool
isGracePeriodInEffect()

Specifically determines whether the MFA Grace Period is currently active.

protected
bool
hasAdminAccess(Member $member)

Decides whether the provided user has access to any LeftAndMain controller, which indicates some level of access to the CMS.

protected
bool
isEnabled()

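MFA is enabled if the EnforcementManager::enabled configuration is set to true and there is at least one non-backup method available to register.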

Details

static Config_ForClass config()

Get a configuration accessor for this class. Shorthand for Config::inst()->get($this->class, .....).

Return Value

Config_ForClass

mixed uninherited(string $name)

Gets the uninherited value for the given config option

Parameters

string $name

Return Value

mixed

static Injectable create(mixed ...$args)

An implementation of the factory method, allows you to create an instance of a class

This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.

This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent:

    $list = DataList::create(SiteTree::class);
    $list = SiteTree::get();

Parameters

mixed ...$args

Return Value

Injectable

static Injectable singleton(string $class = null)

Creates a class instance by the "singleton" design pattern.

It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).

Parameters

string $class

Optional classname to create, if the called class should not be used

Return Value

Injectable

The singleton instance

bool canSkipMFA(Member $member)

Whether the provided member can skip the MFA registration process.

This is determined by a combination of:

  • Whether MFA is enabled and there are methods available for use
  • Whether the user has admin access (MFA is disabled by default for users that don't)
  • Whether MFA is required - EnforcementManager::isMFARequired()
  • Whether the user has registered MFA methods already

Parameters

Member $member

Return Value

bool

bool shouldRedirectToMFA(Member $member)

Whether the authentication process should redirect the provided user to MFA registration or login.

This is determined by a combination of:

  • Whether MFA is enabled and there are methods available for use
  • Whether the user has admin access (MFA is disabled by default for users that don't)
  • Whether the user has existing MFA methods registered
  • Whether a grace period is in effect (we always redirect eligible users in this case)
  • Whether MFA is mandatory (without a grace period or after it has expired)
  • Whether the user has previously opted to skip the registration process

Parameters

Member $member

Return Value

bool

bool hasCompletedRegistration(Member $member)

Check if the provided member has registered the required MFA methods. This includes the default backup method if configured, and at least one other method.

Parameters

Member $member

Return Value

bool

bool isMFARequired()

Whether MFA is required for eligible users. This takes into account whether a grace period is set and whether we're currently inside the window for it.

Note that in determining this, we ignore whether or not MFA is enabled for the site in general.

Return Value

bool

bool isGracePeriodInEffect()

Specifically determines whether the MFA Grace Period is currently active.

Return Value

bool

protected bool hasAdminAccess(Member $member)

Decides whether the provided user has access to any LeftAndMain controller, which indicates some level of access to the CMS.

Parameters

Member $member

Return Value

bool

See also

LeftAndMain::init

protected bool isEnabled()

MFA is enabled if:

  • The EnforcementManager::enabled configuration is set to true
  • There is at least one non-backup method available to register

Return Value

bool
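An added example (not part of the module's own code) that uses the public methods documented above to audit enforcement: it lists members who have not completed registration and whom canSkipMFA() would still let through. The function name auditMfaEnforcement, the two namespaces, and the Member fields ID and Email are assumptions not shown on this page.

```php
<?php

use SilverStripe\MFA\Service\EnforcementManager; // assumed namespace
use SilverStripe\Security\Member;                // assumed namespace

/**
 * Report members who are not fully registered for MFA and may still skip it.
 *
 * @param iterable<Member> $members Members to check, e.g. Member::get()
 * @return array<int, array<string, mixed>> One row per finding
 */
function auditMfaEnforcement(iterable $members): array
{
    // The decision methods take the member as an argument, so the shared
    // singleton instance is sufficient here.
    $manager = EnforcementManager::singleton();

    // Site-wide state. isMFARequired() ignores the `enabled` option, so it
    // can be true while no user is actually redirected.
    $required = $manager->isMFARequired();
    $inGrace  = $manager->isGracePeriodInEffect();

    $findings = [];
    foreach ($members as $member) {
        $registered = $manager->hasCompletedRegistration($member);
        $canSkip    = $manager->canSkipMFA($member);

        // With requires_admin_access set to true, members without CMS access
        // are reported too, because MFA is disabled for them by default.
        if (!$registered && $canSkip) {
            $findings[] = [
                'member_id'           => $member->ID,
                'email'               => $member->Email,
                'redirected_to_mfa'   => $manager->shouldRedirectToMFA($member),
                'mfa_required'        => $required,
                'grace_period_active' => $inGrace,
            ];
        }
    }

    return $findings;
}
```

Rows with grace_period_active set to true are accounts that will lose the ability to skip once the grace period ends. Rows with both flags false mean that registration is optional for that member.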