A basic TYPO3 installation

Installation with Composer is covered in the Getting Started Guide (see Installation chapter).

You can also download TYPO3 from our official page

If you are starting out we would suggest using the latest TYPO3 version with long term support.

A basic site package

To get started you need a basic site package.

You can use the official Site Package Builder to generate one for you or follow the site package tutorial.

Getting help with TYPO3

Meet the TYPO3 Community. You can chat with us on Slack, go to meetings in your local user group or meet us at events.

You can discuss TYPO3 related questions in the https://talk.typo3.org/ forum.

If you think you have found a bug in the TYPO3 Core code, have a look at our issue tracker on forge where you can check if the bug has already been reported or not.

Introduction

The TYPO3 component responsible for rendering the HTML and adding assets to a TYPO3 frontend or backend page is called \TYPO3\CMS\Core\Page\PageRenderer .

The PageRenderer collects all assets to be rendered, takes care of options such as concatenation or compression and finally generates the necessary tags.

There are multiple ways to add assets to the PageRenderer in TYPO3. For configuration options via TypoScript (usually used for the main theme files), see the TypoScript Reference. In extensions, both directly using the PageRenderer as well as using the more convenient AssetCollector is possible.

Asset collector

With the \TYPO3\CMS\Core\Page\AssetCollector class, CSS and JavaScript code (inline or external) can be added multiple times, but rendered only once in the output. The class may be used directly in PHP code or the assets can be added via the <f:asset.css> and <f:asset.script> ViewHelpers.

The priority flag (default: false) controls where the asset is inserted:

• JavaScript will be output inside <head> if $priority == true, or at the bottom of the <body> tag if $priority == false.
• CSS will always be output inside <head>, yet grouped by $priority.

The asset collector helps to work with content elements as components, effectively reducing the CSS to be loaded. It takes advantage of HTTP/2, which removes the necessity to concatenate all files in one file.

The asset collector class is implemented as a singleton ( \TYPO3\CMS\Core\SingletonInterface ). It replaces various other existing options in TypoScript and methods in PHP for inserting JavaScript and CSS code.

The asset collector also collects information about images on a page, which can be used in cached and non-cached components.

<?php

declare(strict_types=1);

namespace MyVendor\MyExtension\MyClass;

use TYPO3\CMS\Core\Page\AssetCollector;

final class MyClass
{
    public function __construct(
        private readonly AssetCollector $assetCollector,
    ) {}

    public function doSomething()
    {
        // $this->assetCollector can now be used
        // see examples below
    }
}

$this->assetCollector->addJavaScript(
    'my_ext_foo',
    'EXT:my_extension/Resources/Public/JavaScript/foo.js',
    ['data-foo' => 'bar']
);

$this->assetCollector->addJavaScript(
    'my_ext_foo',
    'EXT:my_extension/Resources/Public/JavaScript/foo.js',
    ['data-foo' => 'bar'],
    ['priority' => true]
);

$this->assetCollector->addJavaScript(
    'my_ext_foo',
    'EXT:my_extension/Resources/Public/JavaScript/foo.js',
    ['type' => 'module']
);

if ($this->assetCollector->hasJavaScript($identifier)) {
    // result: true - JavaScript with identifier $identifier exists
} else {
    // result: false - JavaScript with identifier $identifier does not exist
}

Former methods to add assets

<?php

declare(strict_types=1);

namespace MyVendor\MyExtension\MyClass;

use TYPO3\CMS\Core\Page\PageRenderer;

final class MyClass
{
    public function __construct(
        private readonly PageRenderer $pageRenderer,
    ) {}

    public function doSomething()
    {
        // $this->pageRenderer can now be used
        // see examples below
    }
}

$GLOBALS['TSFE']->additionalHeaderData[$name] = $javaScriptCode;

Why Use Services?

Services provide the flexibility needed for such a complex process of authentication, where many methods may be desirable (single sign-on, IP-based authentication, third-party servers such as LDAP, etc.) depending on the context.

The ease with which such services can be developed is a strong point in favor of TYPO3, especially in corporate environments.

Being able to toy with priority and quality allows for precise fine-tuning of the authentication chain.

Alternative services are available in the TYPO3 Extension Repository. It is thus possible to find solutions for using LDAP as an authentication server, for example.

You can check which authentication services are installed using the System > Reports > Installed Services view:

composer require typo3/cms-reports

The Authentication Process

The authentication process is not managed entirely by services. It is handled essentially by class \TYPO3\CMS\Core\Authentication\BackendUserAuthentication for the backend (BE) and by class \TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication for the frontend (FE), which both inherit from class \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication . The objects for these classes are available via $GLOBALS['BE_USER'] for BackendUserAuthentication and "frontend.user" request attribute for FrontendUserAuthentication These classes are called by the bootstrapping process. They manage the workflow of the authentication process. Services are used strictly to identify and validate users based on whatever form of credentials a given service relies on (by default, a username and a password).

The authentication process kicks in on every page request, be it in the FE or the BE. However if a valid session already exists, that session is kept. Strictly speaking, no authentication is performed in such a case.

Using JWT's HS256 (HMAC signed based on SHA256) allows to determine whether a session cookie is valid before comparing with server-side stored session data. This enhances the overall performance a bit, since sessions cookies would be checked for every request to TYPO3's backend and frontend.

The session cookies can be pre-validated without querying the database, which can filter invalid requests and might improve overall performance a bit.

As a consequence session tokens are not sent "as is", but are wrapped in a corresponding JWT message, which contains the following payload:

• identifier reflects the actual session identifier
• time reflects the time of creating the cookie (RFC 3339 format)

The login data

There is a typical set of data that is transmitted to authentication service in order to enable them to do their work:

uname

This is the user name. This can be whatever makes sense for the available authentication services. For the default service, this will match data from the "username" column of the "be_users" or "fe_users" table for BE or FE authentication respectively.

uident

This is the password, possibly encrypted.

uident_text

This is the clear text value of the password. If the password is originally submitted in clear text, both "uident" and "uident_text" contain the same value.

Inside an authentication service, this data is available in $this->login.

The "auth" services API

The services of type "auth" are further divided into subtypes, which correspond to various steps in the authentication process. Most subtypes exist for both FE and BE and are differentiated accordingly.

To each subtype corresponds a part of the "auth" services public API. They are listed below in the order in which they are called during the authentication process.

processLoginDataBE, processLoginDataFE

This subtype performs preprocessing on the submitted login data.

The method to implement is processLoginData(). It receives as argument the login data and the password transmission strategy (which corresponds to the login security level, where only 'normal' can be used. It returns the boolean value true, when the login data has been successfully processed .

It may also return a numerical value equal to 200 or greater, which indicates that no further login data processing should take place (see The service chain).

In particular, this subtype is implemented by the TYPO3 Core AuthenticationService, which trims the given login data.

getUserFE, getUserBE

This subtype corresponds to the operation of searching in the database if the credentials that were given correspond to an existing user. The method to implement is getUser(). It is expected to return an array containing the user information or false if no user was found.

authUserFE, authUserBE

This subtype performs the actual authentication based on the provided credentials. The method to implement is authUser(). It receives the user information (as returned by getUser()) as an input and is expected to return a numerical value, which is described later.

The service chain

No matter what subtype, authentication services are always called in a chain. This means that all registered "auth" services will be called, in order of decreasing priority and quality.

However, for some subtypes, there are ways to stop the chain.

For "processLoginDataBE" and "processLoginDataFE" subtypes, the processLoginData() method may return a numerical value of 200 or more. In such a case no further services are called and login data is not further processed. This makes it possible for a service to perform a form of final transformation on the login data.

For "authUserFE" and "authUserBE" subtypes, the authUser() method may return different values:

• a negative value or 0 (<=0) indicates that the authentication has definitely failed and that no other "auth" service should be called up.
• a value larger than 0 and smaller than 100 indicates that the authentication was successful, but that further services should also perform their own authentication.
• a value of 100 or more (>= 100) indicates that the user was not authenticated, this service is not responsible for the authentication and that further services should authenticate.
• a value of 200 or more (>=200) indicates that the authentication was successful and that no further tries should be made by other services down the chain.

For "getUserFE" and "getUserBE" subtypes, the logic is reversed. The service chain will stop as soon as one user is found.

Developing an authentication service

Use the Service API to implement your service class. When developing your own "auth" services, the chances are high that you will want to implement only the "getUser*" and "authUser*" subtypes.

There are several public extensions providing such services, so you should be able to find examples to inspire and guide you. Anyway authentication services can be very different from one another, so it wouldn't make much sense to try and provide an example in this manual.

One important thing to know is that the TYPO3 authentication process needs to have users inside database records ("fe_users" or "be_users"). This means that if you interface with a third-party server, you will need to create records on the TYPO3 side. It is up to you to choose whether this process happens on the fly (during authentication) or if you want to create an import process (as a Scheduler task, for example) that will synchronize users between TYPO3 and the remote system.

For the authUser() method, you will want to take care about the return values. If your service should be the final authority for authentication, it should not only have a high priority, but also return values which stop the service chain (i.e. a negative value for failed authentication, 200 or more for a successful one). On the other hand, if your service is an alternative authentication, but should fall back on TYPO3 if unavailable, you will want to return 100 on failure, so that the default service can take over.

Things can get a bit hairy if you have a scenario with mixed sources, for example some users come from a third-party server but others exist only in TYPO3. In such a case, you want to make sure that your service returns definite authentication failures only for those users which depend on the remote system and let the default authentication proceed for "local" TYPO3 users.

Advanced Options

There are some special configuration options which can be used to modify the behaviour of the authentication process. Some impact the inner working of the services themselves, others influence when services are called.

It is possible to force TYPO3 to go through the authentication process for every request no matter any existing session. By setting the following local configuration either for the FE or the BE:

$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['BE_alwaysFetchUser'] = true;
$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['BE_alwaysAuthUser'] = true;

$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['FE_alwaysFetchUser'] = true;
$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['FE_alwaysAuthUser'] = true;

the authentication process will be fully run on each request. Both flags may not be necessary depending on what your service does exactly.

A more fine-grained approach allows for triggering the authentication process only when a valid session does not yet exist. The settings are:

$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['BE_fetchUserIfNoSession'] = true;
$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['FE_fetchUserIfNoSession'] = true;

The authentication process can also be forced to go through all services for the "getUser*" subtype by setting:

$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['BE_fetchAllUsers'] = true;
$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['FE_fetchAllUsers'] = true;

for BE or FE respectively. This will collect all possible users rather than stopping at the first one available.

Workflow

The sequence looks like the following:

1. Retrieve nonce and request token values

   This happens on the previous legitimate visit on a page that offers a corresponding form that shall be protected. The RequestToken and Nonce objects (later created implicitly in this example) are organized in the \TYPO3\CMS\Core\Context\SecurityAspect .

   EXT:my_extension/Classes/Controller/MyController.php

   <?php
   
   use TYPO3\CMS\Core\Security\RequestToken;
   use TYPO3\CMS\Fluid\View\StandaloneView;
   
   final class MyController
   {
       private StandaloneView $view;
   
       public function showFormAction()
       {
           // creating new request token with scope 'my/process' and hand over to view
           $requestToken = RequestToken::create('my/process');
           $this->view->assign('requestToken', $requestToken);
           // ...
       }
   
       public function processAction()
       {
           // for the implementation, see below
       }
   }
   

   Copied!
   EXT:my_extension/Resources/Private/Templates/ShowForm.html

   <!-- Assign request token object for ViewHelper -->
   <f:form action="process" requestToken="{requestToken}">
       ...
   </f:form>

   Copied!

   The HTTP response on calling the shown controller action above will be like this:

   HTTP/1.1 200 OK
   Content-Type: text/html; charset=utf-8
   Set-Cookie: typo3nonce_[hash]=[nonce-as-jwt]; path=/; httponly; samesite=strict
   
   ...
   <form action="/my/process" method="post">
       ...
       <input type="hidden" name="__request_token" value="[request-token-as-jwt]">
       ...
   </form>

   Copied!

2. Invoke action request and provide nonce and request token values

   When submitting the form and invoking the corresponding action, same-site cookies typo3nonce_[hash] and request-token value __RequestToken are sent back to the server. Without using a separate nonce in a scope that is protected by the client, the corresponding request token could be easily extracted from markup and used without having the possibility to verify the procedural integrity.

   The middleware \TYPO3\CMS\Core\Middleware\RequestTokenMiddleware takes care of providing the received nonce and received request token values in \TYPO3\CMS\Core\Context\SecurityAspect . The handling controller action needs to verify that the request token has the expected 'my/process' scope.

   EXT:my_extension/Classes/Controller/MyController.php

   <?php
   
   use TYPO3\CMS\Core\Context\Context;
   use TYPO3\CMS\Core\Context\SecurityAspect;
   use TYPO3\CMS\Core\Utility\GeneralUtility;
   
   final class MyController
   {
       public function showFormAction()
       {
           // for the implementation, see above
       }
   
       public function processAction()
       {
           $context = GeneralUtility::makeInstance(Context::class);
           $securityAspect = SecurityAspect::provideIn($context);
           $requestToken = $securityAspect->getReceivedRequestToken();
   
           if ($requestToken === null) {
               // No request token was provided in the request
               // for example, (overridden) templates need to be adjusted
           } elseif ($requestToken === false) {
               // There was a request token, which could not be verified with the nonce
               // for example, when nonce cookie has been overridden by another HTTP request
           } elseif ($requestToken->scope !== 'my/process') {
               // There was a request token, but for a different scope
               // for example, when a form with different scope was submitted
           } else {
               // The request token was valid and for the expected scope
               $this->doTheMagic();
               // The middleware takes care to remove the cookie in case no other
               // nonce value shall be emitted during the current HTTP request
               if ($requestToken->getSigningSecretIdentifier() !== null) {
                   $securityAspect->getSigningSecretResolver()->revokeIdentifier(
                       $requestToken->getSigningSecretIdentifier(),
                   );
               }
           }
       }
   }
   

   Copied!

Introduction

TYPO3 is capable of authentication via multiple factors, in short "multi-factor authentication" or "MFA". This is sometimes also referred to "2FA" as a 2-factor authentication process, where - in order to log in - the user needs

1. "something to know" (= the password) and
2. "something to own" (= an authenticator device, or an authenticator app on mobile phones or desktop devices).

Read more about the concepts of MFA here: https://en.wikipedia.org/wiki/Multi-factor_authentication

TYPO3 ships with some built-in MFA providers by default. But more importantly, TYPO3 provides an API to allow extension authors to integrate their own MFA providers.

The API is designed in a way to allow providers to be used for TYPO3 backend authentication or frontend authentication with a multi-factor step in-between.

Managing MFA providers is currently possible via the User Settings module in the tab called Account security.

The Account security tab displays the current state:

• whether MFA can be configured
• whether MFA is activated or
• whether some MFA providers are locked

Included MFA providers

TYPO3 Core includes two MFA providers:

Time-based one-time password (TOTP)

TOTP is the most common MFA implementation. A QR code is scanned (or alternatively, a shared secret can be entered) to connect an authenticator app such as Google Authenticator, Microsoft Authenticator, 1Password, Authly, or others to the system and then synchronize a token, which changes every 30 seconds.

On each log-in, after successfully entering the password, the six-digit code shown by the authenticator app must be entered.

Recovery codes

This is a special provider which can only be activated, if at least one other provider is active. It is only meant as a fallback provider, in case the authentication credentials for the "main" provider(s) are lost. It is encouraged to activate this provider, and keep the codes at a safe place.

Setting up MFA for a backend user

Each provider is displayed with its icon, the name and a short description in the MFA configuration module. In case a provider is active, this is indicated by a corresponding label, next to the provider's title. The same goes for a locked provider - an active provider, which can currently not be used since the provider-specific implementation detected some unusual behaviour, for example, too many false authentication attempts. Additionally, the configured default provider indicates this state with a "star" icon, next to the provider's title.

Each inactive provider contains a Setup button which opens the corresponding configuration view. This view can be different depending on the MFA provider.

Each provider contains an Edit/Change button, which allows to adjust the provider's settings. This view allows, for example, to set a provider as the default (primary) provider, to be used on authentication.

Note

The default provider setting will be automatically applied on activation of the first provider, or in case it is the recommended provider for this user.

In case the provider is locked, the Edit/Change button changes its button title to Unlock. This button can be used to unlock the provider. This, depending on the provider to unlock, may require further actions by the user.

The Deactivate button can be used to deactivate the provider. Depending on the provider, this will usually completely remove all provider-specific settings.

The "Authentication view" is displayed as soon as a user with at least one active provider has successfully passed the username and password mask.

As for the other views, it is up to the specific provider, used for the current multi-factor authentication attempt, what content is displayed in which view. If the user has further active providers, the view displays them as "Alternative providers" in the footer to allow the user to switch between all activated providers on every authentication attempt.

All providers need to define a locking functionality. In case of the TOTP and recovery code providers, this, for example, includes an attempts count. These providers are locked in case a wrong OTP was entered three times in a row. The count is automatically reset as soon as a correct OTP is entered or the user unlocks the provider in the backend.

All TYPO3 Core providers also feature the "Last used" and "Last updated" information which can be retrieved in the "Edit/Change" view.

By default, the field in the User Settings module is displayed for every backend user. It is possible to disable it for specific users via user TSconfig:

setup.fields.mfaProviders.disabled = 1

Copied!

Administration of user's MFA providers

If a user is not able to access the backend anymore, for example, because all of their active providers are locked, MFA needs to be disabled by an administrator for this specific user.

Administrators are able to manage the user's MFA providers in the corresponding user record. The new Multi-factor authentication field displays a list of active providers and a button to deactivate MFA for the user, or only a specific MFA provider.

Note

All of these deactivate buttons are executed immediately, after confirming the dialog, and cannot be undone.

The listing of backend users in the System > Backend Users module also displays for each user, whether MFA is enabled or currently locked. This allows an administrator to analyze the MFA usage of their users at a glance.

The System > Configuration admininistration module shows an overview of all currently registered providers in the installation. This is especially helpful to find out the exact provider identifier, needed for some user TSconfig options.

auth.mfa.required = 1

auth.mfa.disableProviders := addToList(totp)

auth.mfa.recommendedProvider = totp

services:
  # Place here the default dependency injection configuration

  MyVendor\MyExtension\Authentication\Mfa\MyProvider:
    tags:
      - name: mfa.provider
        identifier: 'my-provider'
        title: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider.title'
        description: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider.description'
        setupInstructions: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider.setupInstructions'
        icon: 'tx-myextension-provider-icon'

services:
  # Place here the default dependency injection configuration

  TYPO3\CMS\Core\Authentication\Mfa\Provider\TotpProvider: ~

services:
  # Place here the default dependency injection configuration

  MyVendor\MyExtension\Authentication\Mfa\MyFirstProvider:
    tags:
      - name: mfa.provider
        identifier: 'my-provider-1'
        title: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider1.title'
        description: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider1.description'
        setupInstructions: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider1.setupInstructions'
        icon: 'tx-myextension-provider1-icon'

  MyVendor\MyExtension\Authentication\Mfa\MySecondProvider:
    class: TYPO3\CMS\Core\Authentication\Mfa\Provider\TotpProvider
    tags:
      - name: mfa.provider
        identifier: 'my-provider-2'
        title: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider2.title'
        description: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider2.description'
        setupInstructions: 'LLL:EXT:my_extension/Resources/Private/Language/locallang.xlf:myProvider2.setupInstructions'
        icon: 'tx-myextension-provider2-icon'
        # Important so that this provider acts as a fallback
        defaultProviderAllowed: true
        before: 'recovery-codes'
        # Execute after the primary totp
        after: 'totp'

About makeInstance()

\TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance() is a generic way throughout Core and extensions to create objects. It takes care of singleton and XCLASS handling.

A developer can instantiate classes using makeInstance() - if dependency injection cannot be used. There are some situations where new is used over makeInstance(), effectively dropping especially the direct ability to XCLASS:

• Data transfer objects are often created with new. A good example are PSR-14 events: The calling class creates a data transfer object that is hand over to the consumer. These DTOs must never be changed by an extension, since they are a contract both caller and consumer must stick to. They are thus created using new to prevent XCLASSing.
• Structures with a dedicated API that allows own implementations on a configuration level sometimes do not use makeInstance: Many Core constructs come with an API to allow custom classes by dedicated configuration. Those implement a factory pattern to deal with this. An example is the PSR-15 middleware stack.

Autoloading classes

There is one autoloader used, the one of Composer. No matter if you run TYPO3 in Composer mode or not (Classic mode), TYPO3 uses the Composer autoloader to resolve all class file locations.

Loading classes with Composer mode

In Composer mode, the autoloader checks for (classmap and PSR-4) autoloading information inside your extension's composer.json. If you do not provide any information, the autoloader falls back to the classmap autoloading like in non-Composer mode.

$ tree vendor/composer
.
├── ClassLoader.php
├── LICENSE
├── autoload_classmap.php
├── autoload_files.php
├── autoload_namespaces.php
├── autoload_psr4.php
├── autoload_real.php
├── autoload_static.php
├── include_paths.php
└── installed.json

Loading classes without Composer mode

This means, you did not install TYPO3 via a require statement inside your composer.json. It's a regular old-school install where the TYPO3 source and the symlinks (typo3/index.php) are setup manually.

In this case, every time you install an extension, the autoloader scans the whole extension directory for classes. No matter if they follow any convention at all. There is just one rule: put each class into its own file. This also means that there can only be a single class per file.

You can also explicitly configure autoloading in the ext_emconf.php.

The generated typo3conf/autoload_classmap.php is a large array with a mapping of classnames to their location on the disk:

<?php

// autoload_classmap.php @generated by TYPO3

$typo3InstallDir = \TYPO3\CMS\Core\Core\Environment::getPublicPath();

return array(
    'Schnitzler\\Templavoila\\Clipboard\\Clipboard' => $typo3InstallDir . 'typo3conf/ext/templavoila/Classes/Clipboard/Clipboard.php',
    'tx_templavoila_pi1' => $typo3InstallDir . 'typo3conf/ext/templavoila/Compatibility/class.tx_templavoila_pi1.php',
    ...
);

This method is failsafe unless the autoload information cannot be written. In this case, check the Install Tool for warnings and make sure that typo3temp/ is writable.

Best practices

• If you didn't do so before, have a look at the PSR-4 standard. It defines very good rules for naming classes and the files they reside in. Really, read the specs and start using PSR-4 in your projects. It's unlikely that there will be any other more advanced standard in the near future in the PHP world. PSR-4 is the way to go and you should embrace it.
• Even if you do not use Composer mode and the class mapping of the autoloader allows you to use whatever you want, stick to PSR-4. It's not only a very good standard to find classes, but it will also help organizing your code.
• PSR-4 is all about namespaces. No matter if you like namespaces or not, use them. Namespaces exist since PHP 5.3, so you will be able to use them in any modern TYPO3 project due to the minimum PHP requirements of TYPO3 itself.

Further reading

Integrating Composer class loader into TYPO3

In our efforts to make TYPO3 faster and closer oriented to common PHP standard systems, we looked into the integration of the class loader that is used by all Composer-based projects. We consider this functionality a crucial feature for the future of TYPO3 on the base level, but also as a dramatic increase of the overall performance of every request inside TYPO3.

Understanding the TYPO3 class loader

The TYPO3 class loader is instantiated within the TYPO3 Bootstrap at a very early point. It does a lot of logic (checking ext_autoload.php, ClassAliasMap.php), and caches this logic away on a per-class basis by default in typo3temp/Cache/ to store all information for a class. This information contains: The full path to the class, the namespaced class name itself and possible class aliases.

The latter part looks into all extensions and checks the Migrations/ClassAliasMap.php file for any possible “legacy class” that could be used (e.g. t3lib_extmgm). This way, all extensions still using non-namespaced class that are shipped with the TYPO3 core are still made available.

The information is stored in a SimpleFileBackend via the built-in Caching Framework by default. At the early stage of the bootstrap process some classes need to be included manually as the whole TYPO3 core engine has not been loaded yet. This is done for all PHP classes in use, which may result in 500+ files inside typo3temp/Cache which are created one by one on an initial request with no caches set up. This is done by intention on a per-file-basis during runtime as a cache file is only created if a PHP class is requested to be instantiated. On a second hit, the caching framework does not create the cache files, but fetches one by one for each class used in the request via a separate file_get_contents() call.

When debugging TYPO3 on an initial request, there are a lot of file_get_contents() and file_put_contents() calls to store and fetch this information. This is quite a lot of overhead for loading PHP classes. Even without a lot of class aliases (e.g. in CMS7) this overhead of writing / storing the file caches still exists. Some overhead however is already taken care, especially if a class is loaded which is shipped with the core and no class alias is used.

This is all built in a way so a lot of backwards-compatibility can be ensured.

Understanding the Composer class loader

Compared to the TYPO3 class loader, the Composer class loader concept differs in the following major points:

Integration Approach

The Composer class loader is injected inside the Bootstrap process of TYPO3 and registered before the TYPO3 class loader. This means that a lookup on a class name is first checked via the Composer logic, and if none found, the regular TYPO3 class loader takes over.

The support for class aliases is quite important for TYPO3, but is not supported by Composer by default. There is a separate Composer package created by Helmut Hummel (available on GitHub) which serves as a facade to the Composer class loader and creates not just the information for the prefixes but also the available class aliases for a class and loads them as well.

The necessary information about the “which namespaced classes can be found at which place” is created before every release and shipped inside the typo3_src directory. The generated class information is available under typo3/contrib/vendor/composer/. For TYPO3 installations that are set up with composer, the TYPO3 bootstrap checks Packages/Libraries/autoload.php first which can be shipped with any Composer-based project and include many more PHP Composer packages than just TYPO3 extensions. To ensure maximum backwards-compatibility, the option to load from Packages/Library/autoload.php instead of the shipped "required-core-packages-only" needs to be activated via an environment variable called TYPO3_COMPOSER_AUTOLOAD which needs to be set on server-side level.

If the Composer-based logic is not used in some legacy cases (for extensions etc), the usual TYPO3 class loader comes into play and does the same logic as before.

Project setup and extension considerations

If you already use Composer to set up your project, and the composer.json and their extensions ship a valid composer.json, the Composer class loader generates the valid PSR-4 cache file with all prefixes on installation and update. Running "composer update" will automatically re-generate the PSR-4 cache file.

The Composer class loader also supports PSR-0 and static inclusion of files, which can be used as well.

As a base line: Any regular installation will see a proper speed improvement after the update to the Composer class loader.

Users

Each user of the backend must be represented with a single record in the table "be_users". This record contains the username and password, other meta data and some permissions settings.

The above screenshot shows a part of the editing form for the backend user "simple_editor" from the Introduction Package. If you have an Introduction Package available, you can check further properties of that user. It is part of the "Simple editors" group, has a name, an email address and its default language for the backend is English.

It is possible to assign rights directly to a user, but it is much better done using groups. Furthermore groups offer far more options.

Groups

Each user can also be a member of one or more groups (from the "be_groups" table) and each group can include sub-groups. Groups contain the main permission settings you can set for a user. Many users can be a member of the same group and thus share permissions.

When a user is a member of many groups (including sub-groups) then the permission settings are added together so that the more groups a user is a member of, the more access is granted to him.

This screenshot shows just an extract of the group editing form. It contains many more fields!

See Access Control Options for details.

The "admin" user

There is a special kind of backend users called "Admin". When creating a backend user, just check the "Admin!" box in the "General" tab and that user will become an administrator. There's no need to set further access options for such a user: an admin user can access every single feature of the TYPO3 backend, like the "root" user on a UNIX system.

All systems must have at least one "admin" user and most systems should have only "admin" users for the developers - not for any editor. Make sure to not share TYPO3 accounts with multiple users but create dedicated accounts for everyone. Not even "super users" should be allowed "admin" access since that will most likely grant them access to more than they need.

Admin users are differentiated with an orange icon.

Location of users and groups

Since both backend users and backend groups are represented by records in the database, they are edited just as any other record in the system. However backend users and groups are configured to exist only in the root of the page tree where only admin users have access:

Records located in the page tree root are identified by having their "pid" fields set to zero. The "pid" field normally contains the relation to the page where a record belongs. Since no pages can have the id of zero, this is the id of the root. Notice that only "admin" users can edit records in the page root!

If you need non-admin users to create new backend users, have a look at the TYPO3 system extension sys_action for a possible solution.

Notes on security

• When having multiple users with the same email address, no reset functionality is provided.
• No information disclosure is built-in, so if the email address is not in the system, it is not disclosed to the outside.
• Rate limiting is enabled so that three emails can be sent per email address within 30 minutes.
• Tokens are stored in the database but hashed again just like the password.
• When a user has logged in successfully (for example, because they remembered the password), the token is removed from the database, effectively invalidating all existing email links.

Global configuration

The feature is enabled by default and can be deactivated entirely via the system-wide configuration option:

$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordReset'] = false;

Optionally, it is possible to restrict this feature to non-admins only by setting the following system-wide option to false.

$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordResetForAdmins'] = false;

Both options can be configured in the Admin Tools > Settings module or in the Install Tool, but can also be set manually via config/system/settings.php or config/system/additional.php.

Reset password for user

Administrators can reset a user's password. This is useful primarily for security reasons, so that an administrator does not have to send a password over to a user in plain text (for example, by email).

The administrator can use the CLI command:

vendor/bin/typo3 backend:resetpassword https://example.com/typo3/ editor@example.com

typo3/sysext/core/bin/typo3 backend:resetpassword https://example.com/typo3/ editor@example.com

where usage is described like this:

backend:resetpassword <backend_url> <email_address>

Access Lists

Access lists are defined at group-level. Usage of access lists for defining user rights is described in chapter Setting up User Permissions. The various access lists are described here for reference, with additional technical details, where necessary.

Modules

This is a list of submodules a user may be given access to. Access to a main module is implicit, as soon as a user has access to at least one of its submodules.

Not all submodules appear in this list. It is possible to restrict a submodule to admin users only. This is the case, in particular, for all Admin Tools and System modules, as well as the Web > Template module.

Note

This is the only access list that is also available for definition at user-level.

Dashboard widgets

A list of the available dashboard widgets a user may be allowed to use on the dashboard.

Note

This section is only available with activated dashboard system extension.

Tables for listing

A list of all tables a user may be allowed to read in the backend. Again this in not a list of all tables in the database. Some tables are low level and never appear in the backend at all, even for admin users. Other tables are restricted to admin users and thus do not show up in the access list.

Restricting a table to admin users only is done using the TCA property "adminOnly".

Note

All tables that are allowed for modification (see below) are also allowed for read access, so no need to select them in this list as well.

Tables for editing

This is exactly the same list of tables as before, but for granting modification rights.

Page types

TYPO3 CMS defines a number of page types. A user can be restricted to access only some of them.

For a full discussion on page types, please refer to the page types chapter.

Excludefields

When defining column tables in TCA, it is possible to set the "exclude" property to "1". This ensures that the field is hidden to users by default. Access to it must be explicitly granted in this access list.

Explicitly allow/deny field values

When a field offers a list of options to select from, it is possible to tell TYPO3 CMS that access to these options is restricted and should be granted explicitly. Such fields and their values appear here.

The related TCA property is "authMode".

Limit to languages

By default users can edit records regardless of what language they are assigned to. Using this list it is possible to restrict users to working only in selected languages.

When a user is a member of more than one group, the access lists for the groups are "added" together.

Mounts

TYPO3 CMS natively supports two kinds of hierarchical tree structures: the page tree (typically visible in the Web module) and the folder tree (typically visible in the File module). Each tree is generated based on the mount points configured for the current user. So a page tree is drawn from the DB Mounts which are one or more page ids telling the Core from which "start page" to draw the tree(s). Likewise is the folder tree drawn based on filemounts configured for the user.

DB mounts (page mounts) are set by pointing out the page that should be mounted for the user (at user or group-level):

This is what the user will see:

File Mounts are a little more difficult to set up, as they involve several steps. First of all, you need to have at least one File Storage. By default, you will always have one, pointing to the fileadmin directory. It is created by TYPO3 CMS upon installation.

A File Storage is essentially defined by a File Driver and the path to which it points.

Next we can create a File Mount record (on the root page), which refers to a File Storage:

When defining a File Mount, you can point to a specific folder within the chosen File Storage. Finally the mount is assigned to a user or group:

After a successful configuration, the file mount will appear to the user:

DB and File Mounts can be set for both the user and group records. Having more than one DB or File Mount will just result in more than one mount point appearing in the trees. However the backend users records have two flags which determine whether the DB/File Mounts of the groups the user belongs to will be mounted as well! This is the default behaviour. So make sure to unset these flags if users should see only their "private" mount points and not those from their groups:

"Admin" users do not need mount points. As always, they have access to every part of the installation.

Page Permissions

Page permissions are designed to work like file permissions on UNIX systems. Each page record has an owner user and group and permission settings for the owner, the group and "everybody". This is summarized here:

• Every page has an owner, group and everybody-permission
• The owner and group of a page can be empty. Nothing matches with an empty user/group (except "admin" users).

• Every page has permissions for owner, group and everybody in these five categories (next to the label is the corresponding value):

  Show (1)

  See/Copy page and the page content.

  Edit page content (16)

  Change/Add/Delete/Move page content.

  Edit page (2)

  Change/Move the page, eg. change title, startdate, hidden flag.

  Delete page (4)

  Delete the page and page content.

  New pages (8)

  Create new pages under the page.

Note

Here "Page content" means all records related to that page, except other pages.

Page permissions are set and viewed with the module System > Access module:

Editing permissions is described in details in chapter Page Permissions.

A user must be "admin" or the owner of a page in order to edit its permissions.

When a user creates new pages in TYPO3 CMS they will by default get the creating user as owner. The owner group will be set to the first listed user group configured for the users record (if any). These defaults can be changed through page TSconfig.

User TSconfig

User TSconfig is a hierarchical configuration structure entered in plain text TypoScript. It can be used by all kinds of applications inside of TYPO3 CMS to retrieve customized settings for users which relates to a certain module or part. The options available are described in the document TSconfig .

Backend users

Default language

This is the language in which the backend will be localized for the user. The users can change the language themselves in the User Settings module.

Note

Language packs must be downloaded using the Admin Tools > Maintenance > Manage Language Packs module. As long as the language packs are not available, the backend will still display in English.

Fileoperation permissions

This is a complement to the File Mounts and defines exactly which operations the user is allowed to perform on both files and folders.

Access options

A backend user can be disabled (first flag in the "General" tab). A disabled user cannot log into the backend anymore. Furthermore, in the "Access" tab a start and end time can be given, defining a time interval during which the user will be allowed to log into the backend. Authentication before the start time and after the end time will automatically fail.

Lock to domain

This setting constrains the user to use a specific domain for logging into the TYPO3 backend. This is very useful in setups with multiple sites.

Backend Groups

Disable

Setting this flag will immediately disable the group for all members

Lock to domain

This restricts a group to a given domain. If a user logs in from another domain, that group membership will be ignored.

Hide in lists

This flag will prevent the group from appearing in various listings in TYPO3. This includes modules like System > Access.

Inherit settings from groups (Sub Groups)

Assigns sub-groups to this group. Sub-groups are evaluated before the group including them. If a user is a member of a group which includes one or more sub-groups, the user will also be a member of the sub-groups.

Create a new filemount

To create a new filemount go to the module File > Filelist and create the folder for the mount if it didn't exist yet. Then open the context menu on that folder and choose New Filemount, then give the new filemount a name. The entry point is already set.

It is also possible to create a filemount manually in the List module by creating a record of type Filemount. In this case you have to choose the storage and folder manually.

Paths for local driver storage

The file storages based on the "local file system" driver have an option for relative or absolute paths.

"Relative" means that the given path is relative to the fileadmin/ folder (or whatever other folder was configured using $GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir']. Absolute paths are full paths starting at the root of the file system (i.e. / on Unix systems).

Absolute paths outside of the web root must be explicitly declared in the global configuration option $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']. Any absolute path that you want to declare in a file storage needs to have its first part match the value of $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] (or of the web root, which can be retrieved with \TYPO3\CMS\Core\Core\Environment::getPublicPath()).

As an example, let's say you want to define two storages, one pointing to /home/foo/bar and one pointing to /home/foo/baz. You could declare $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] to be equal to /home/foo/.

Home directories

TYPO3 CMS also features the concept of "home directories". These are paths that are automatically mounted if they are present at a path configured in the global configuration. Thus they don't need to have a file mount record representing them - they just need a properly named directory to be present.

The parent directory of user/group home directories is defined by $GLOBALS['TYPO3_CONF_VARS']['BE']['userHomePath'] and $GLOBALS['TYPO3_CONF_VARS']['BE']['groupHomePath'] respectively. Let's say we define the following:

$GLOBALS['TYPO3_CONF_VARS']['BE']['userHomePath'] = '1:user_homes/';

The first part of the definition (before the colon :) is the id of a file storage. The second part is a path relative to that file storage. Assuming file storage with a uid of "1" is the default one pointing to fileadmin/, the following path needs to exist on the server: /path/to/web/root/fileadmin/user_homes/.

Then a directory needs to exist for each user. Again let's assume that we have a user with a uid of "3" and a username of "editor", either of those paths would have to exist:

• /path/to/web/root/fileadmin/user_homes/3/
• /path/to/web/root/fileadmin/user_homes/3_editor/

The second possibility is more explicit, but will break if the username is changed.

The same goes for groups, but only using the uid. Assuming a group called "editors" with a uid of "1", and:

$GLOBALS['TYPO3_CONF_VARS']['BE']['groupHomePath'] = '1:groups/';

we have to create a directory /path/to/web/root/fileadmin/groups/1/.

Having set up all these properties and folders, the user should see the following when moving to the FILE > Filelist module:

where only the first mount was explicitly assigned to that user. A different icon visually distinguishes automatic file mounts.

The concept of home directories can be efficiently combined with the TSconfig defaultUploadFolder option, which automatically directs all files uploaded by the user to the given directory.

Comparing Users or Groups

The Backend users module offers the possibility to compare users. Just add users using the "+ Compare" button and then hit the "Compare user list" button. For example, this is the comparison of the three different editors provided by the Introduction Package:

The same functionality is available for user groups, including a comparison of their inherited permissions.

Impersonating Users ("Switch to")

We can impersonate (switch) to a user by clicking the Switch to user action icon:

You will then be logged in as that user (note how the user name is prefixed with "SU" for "Simulated User"). To "switch back", use the "Exit" button (which replaces the usual "Logout" button).

Module configuration options

Debug the module configuration

All registered modules are stored as objects in a registry. They can be viewed in the backend in the System > Configuration > Backend Modules module.

The ModuleProvider API allows extension authors to work with the registered modules.

Backend modules with sudo mode

You can configure the sudo mode in your backend module like this:

<?php

use TYPO3\CMS\Backend\Security\SudoMode\Access\AccessLifetime;

return [
    'tools_ExtensionmanagerExtensionmanager' => [
        // ...
        'routeOptions' => [
            'sudoMode' => [
                'group' => 'systemMaintainer',
                'lifetime' => AccessLifetime::M,
            ],
        ],
    ],
];

See also Custom backend modules requiring the sudo mode.

Example

Registration of an additional third-level module for the Web > Template module in the Configuration/Backend/Modules.php file of an extension:

'web_ts_customts' => [
    'parent' => 'web_ts',
    'access' => 'user',
    'path' => '/module/web/typoscript/custom-ts',
    'iconIdentifier' => 'module-custom-ts',
    'labels' => [
        'title' => 'LLL:EXT:extkey/Resources/Private/Language/locallang.xlf:mod_title',
    ],
    'routes' => [
        '_default' => [
            'target' => CustomTsController::class . '::handleRequest',
        ],
    ],
    'moduleData' => [
        'someOption' => false,
    ],
],

Register a custom toplevel module

Toplevel modules like Web or File are registered in the Configuration/Backend/Modules.php. All toplevel modules provided by the Core are registered in EXT:core so you can look at typo3/sysext/core/Configuration/Backend/Modules.php for reference.

return [
    'myextension' => [
        'labels' => 'LLL:EXT:my_extension/Resources/Private/Language/locallang_mod_web.xlf',
        'iconIdentifier' => 'modulegroup-myextension',
        'navigationComponent' => '@typo3/backend/page-tree/page-tree-element',
    ]
];

DocHeaderComponent API

It has the following methods:

class DocHeaderComponent

Fully qualified name

\TYPO3\CMS\Backend\Template\Components\DocHeaderComponent

DocHeader component class

setMetaInformation ( array $metaInformation)

Set page information

param $metaInformation

Record array

setMetaInformationForResource ( \TYPO3\CMS\Core\Resource\ResourceInterface $resource)

param $resource

the resource

getMenuRegistry ( )

Get moduleMenuRegistry

Returns

\MenuRegistry

getButtonBar ( )

Get ButtonBar

Returns

\ButtonBar

isEnabled ( )

Determines whether this components is enabled.

Returns

bool

enable ( )

Sets the enabled property to TRUE.

disable ( )

Sets the enabled property to FALSE (disabled).

docHeaderContent ( )

Returns the abstract content of the docHeader as an array

Returns

array

Example: Build a module header with buttons and a menu

The following example is extracted from the example Extbase extension EXT:blog_example. See the complete source code at t3doc/blog-example (GitHub).

We use the DocHeaderComponent to register buttons and a menu to the module header.

use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Backend\Template\ModuleTemplate;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Type\Bitmask\Permission;

class BackendController extends ActionController
{
    private function modifyDocHeaderComponent(ModuleTemplate $view): void
    {
        $context = '';
        $menu = $this->buildMenu($view, $context);

        $buttonBar = $view->getDocHeaderComponent()->getButtonBar();
        $this->addPopulateButton($buttonBar);
        $this->addShortCutButton($buttonBar);
        $this->addReloadButton($buttonBar);

        $view->getDocHeaderComponent()->getMenuRegistry()->addMenu($menu);
        $view->setTitle(
            $this->getLanguageService()->sL('LLL:EXT:blog_example/Resources/Private/Language/Module/locallang_mod.xlf:mlang_tabs_tab'),
            $context,
        );

        $permissionClause = $GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW);
        $pageRecord = BackendUtility::readPageAccess(
            $this->pageUid,
            $permissionClause,
        );
        if ($pageRecord) {
            $view->getDocHeaderComponent()->setMetaInformation($pageRecord);
        }
    }

    protected function initializeModuleTemplate(
        ServerRequestInterface $request,
    ): ModuleTemplate {
        $view = $this->moduleTemplateFactory->create($request);

        $this->modifyDocHeaderComponent($view);
        $view->setFlashMessageQueue($this->getFlashMessageQueue());

        return $view;
    }
}

ModuleInterface API

interface ModuleInterface

Fully qualified name

\TYPO3\CMS\Backend\Module\ModuleInterface

An interface representing a TYPO3 Backend module.

getIdentifier ( )

The internal name of the module, used for referencing in permissions etc

Returns

string

getPath ( )

Return the main route path

Returns

string

getIconIdentifier ( )

The icon identifier for the module

Returns

string

getTitle ( )

The title of the module, used in the menu

Returns

string

getDescription ( )

A longer description, common for the "About" section with a long explanation

Returns

string

getShortDescription ( )

A shorter description, used when hovering over a module in the menu as title attribute

Returns

string

isStandalone ( )

Useful for main modules that are also "clickable" such as the dashboard module

Returns

bool

getComponent ( )

Returns the view component responsible for rendering the module (iFrame or name of the web component)

Returns

string

getNavigationComponent ( )

The web component to be rendering the navigation area

Returns

string

getPosition ( )

The position of the module, such as [top] or [bottom] or [after => anotherModule] or [before => anotherModule]

Returns

array

getAppearance ( )

Returns a modules appearance options, e.g. used for module menu

Returns

array

getAccess ( )

Can be user (editor permissions), admin, or systemMaintainer

Returns

string

getWorkspaceAccess ( )

Can be "*" (= empty) or "live" or "offline"

Returns

string

getParentIdentifier ( )

The identifier of the parent module during registration

Returns

string

getParentModule ( )

Get the reference to the next upper menu item

Returns

?\TYPO3\CMS\Backend\Module\ModuleInterface

hasParentModule ( )

Can be checked if the module is a "main module"

Returns

bool

hasSubModule ( string $identifier)

Checks whether this module has a submodule with the given identifier

param $identifier

the identifier

Returns

bool

hasSubModules ( )

Checks if this module has further submodules

Returns

bool

getSubModule ( string $identifier)

Return a submodule given by its full identifier

param $identifier

the identifier

Returns

?\TYPO3\CMS\Backend\Module\ModuleInterface

getSubModules ( )

Return all direct descendants of this module

Returns

\ModuleInterface[]

getDefaultRouteOptions ( )

Returns module related route options - used for the router

Returns

array

getDefaultModuleData ( )

Get allowed and available module data properties and their default values.

Returns

array

getAliases ( )

Return a list of identifiers that are aliases to this module

Returns

array

ModuleProvider API

class ModuleProvider

Fully qualified name

\TYPO3\CMS\Backend\Module\ModuleProvider

This is the central point to retrieve modules from the ModuleRegistry, while performing the necessary access checks, which ModuleRegistry does not deal with.

isModuleRegistered ( string $identifier)

Simple wrapper for the registry, which just checks if a module is registered. Does NOT perform any access checks.

param $identifier

the identifier

Returns

bool

getModule ( string $identifier, ?\TYPO3\CMS\Core\Authentication\BackendUserAuthentication $user = NULL, bool $respectWorkspaceRestrictions = true)

Returns a Module for the given identifier. In case a user is given, also access checks are performed.

param $identifier

the identifier

param $user

the user, default: NULL

param $respectWorkspaceRestrictions

the respectWorkspaceRestrictions, default: true

Returns

?\TYPO3\CMS\Backend\Module\ModuleInterface

getModules ( ?\TYPO3\CMS\Core\Authentication\BackendUserAuthentication $user = NULL, bool $respectWorkspaceRestrictions = true, bool $grouped = true)

Returns all modules either grouped by main modules or flat.

In case a user is given, also access checks are performed.

param $user

the user, default: NULL

param $respectWorkspaceRestrictions

the respectWorkspaceRestrictions, default: true

param $grouped

the grouped, default: true

Returns

\ModuleInterface[]

getModuleForMenu ( string $identifier, \TYPO3\CMS\Core\Authentication\BackendUserAuthentication $user, bool $respectWorkspaceRestrictions = true)

Return the requested (main) module if exist and allowed, prepared for menu generation or similar structured output (nested). Takes TSConfig into account. Does not respect "appearance[renderInModuleMenu]".

param $identifier

the identifier

param $user

the user

param $respectWorkspaceRestrictions

the respectWorkspaceRestrictions, default: true

Returns

?\TYPO3\CMS\Backend\Module\MenuModule

getModulesForModuleMenu ( \TYPO3\CMS\Core\Authentication\BackendUserAuthentication $user, bool $respectWorkspaceRestrictions = true)

Returns all allowed modules for the current user, prepared for module menu generation or similar structured output (nested).

Takes TSConfig and "appearance[renderInModuleMenu]" into account.

param $user

the user

param $respectWorkspaceRestrictions

the respectWorkspaceRestrictions, default: true

Returns

\MenuModule[]

accessGranted ( string $identifier, \TYPO3\CMS\Core\Authentication\BackendUserAuthentication $user, bool $respectWorkspaceRestrictions = true)

Check access of a module for a given user

param $identifier

the identifier

param $user

the user

param $respectWorkspaceRestrictions

the respectWorkspaceRestrictions, default: true

Returns

bool

Example: Create and use a ModuleTemplate in an Extbase Controller

The following example is extracted from the example Extbase extension EXT:blog_example. See the complete source code at t3doc/blog-example (GitHub).

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use T3docs\BlogExample\Domain\Model\Post;
use TYPO3\CMS\Backend\Template\ModuleTemplate;

class BackendController extends ActionController
{
    protected function initializeModuleTemplate(
        ServerRequestInterface $request,
    ): ModuleTemplate {
        $view = $this->moduleTemplateFactory->create($request);

        $this->modifyDocHeaderComponent($view);
        $view->setFlashMessageQueue($this->getFlashMessageQueue());

        return $view;
    }

    public function showPostAction(Post $post): ResponseInterface
    {
        $view = $this->initializeModuleTemplate($this->request);
        $view->assign('post', $post);
        return $view->renderResponse('ShowPost');
    }
}

ModuleTemplateFactory API

class ModuleTemplateFactory

Fully qualified name

\TYPO3\CMS\Backend\Template\ModuleTemplateFactory

A factory class creating backend related ModuleTemplate view objects.

create ( \Psr\Http\Message\ServerRequestInterface $request)

param $request

the request

Returns

\TYPO3\CMS\Backend\Template\ModuleTemplate

Example: Initialize module template

In many backend modules all actions should have the same module header. So it is useful to initialize the backend module template in a function commonly used by all actions:

<?php

declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Backend\Template\ModuleTemplate;
use TYPO3\CMS\Backend\Template\ModuleTemplateFactory;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

final class BackendModuleController extends ActionController
{
    public function __construct(
        private readonly ModuleTemplateFactory $moduleTemplateFactory,
        // ..
    ) {}

    protected function initializeModuleTemplate(ServerRequestInterface $request): ModuleTemplate
    {
        $moduleTemplate = $this->moduleTemplateFactory->create($request);

        // Add common buttons and menues

        return $moduleTemplate;
    }

    public function someAction(): ResponseInterface
    {
        $moduleTemplate = $this->initializeModuleTemplate($this->request);

        $moduleTemplate->assignMultiple([
            'variable1' => 'value 1',
            'variable2' => 'value 2',
        ]);
        return $moduleTemplate->renderResponse('Backend/Some');
    }

}

Authentication in for sudo mode in extensions using the auth service

Albeit default local authentication mechanisms are working well, there are side effects for 3rd party extensions that make use of these auth service chains as well - such as multi-factor authentication or single sign-on handling.

As an alternative, it is possible to confirm actions using the Install Tool password, instead of confirming with user's password (which might be handled with separate remote services).

Services that extend authentication with custom additional factors (2FA/MFA) are advised to intercept only valid login requests instead of all authUser invocations.

<?php

namespace MyVendor\MyExtension\Authentication;

use TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;

class MyAuthenticationService extends AbstractAuthenticationService
{
    public function authUser(array $user)
    {
        // only handle actual login requests
        if (($this->login['status'] ?? '') !== 'login') {
            // skip this service, hand over to next in chain
            return 100;
        }
        // ...
        // usual processing for valid login requests
        // ...
        return 0;
    }
}

Custom backend modules requiring the sudo mode

In general, the configuration for a particular route or module looks like this:

+ 'sudoMode' => [
+     'group' => 'individual-group-name',
+     'lifetime' => AccessLifetime::veryShort,
+ ],

• group (optional): if given, grants access to other objects of the same group without having to verify sudo mode again for a the given lifetime. Example: Admin Tool modules Maintainance and Settings are configured with the same systemMaintainer group - having access to one (after sudo mode verification) grants access to the other automatically.
• lifetime: enum value of \TYPO3\CMS\Backend\Security\SudoMode\Access\AccessLifetime , defining the lifetime of a sudo mode verification, afterwards users have to go through the process again - cases are veryShort (5 minutes), short (10 minutes), medium (15 minutes), long (30 minutes), veryLong (60 minutes)

For backend routes declared via Configuration/Backend/Routes.php, the relevant configuration would look like this:

<?php

use MyVendor\MyExtension\Handlers\MyHandler;
use TYPO3\CMS\Backend\Security\SudoMode\Access\AccessLifetime;

return [
    'my-route' => [
        'path' => '/my/route',
        'target' => MyHandler::class . '::process',
        'sudoMode' => [
            'group' => 'mySudoModeGroup',
            'lifetime' => AccessLifetime::S,
        ],
    ],
];

For backend modules declared via Configuration/Backend/Modules.php, the relevant configuration would look like this:

<?php

use TYPO3\CMS\Backend\Security\SudoMode\Access\AccessLifetime;

return [
    'tools_ExtensionmanagerExtensionmanager' => [
        // ...
        'routeOptions' => [
            'sudoMode' => [
                'group' => 'systemMaintainer',
                'lifetime' => AccessLifetime::M,
            ],
        ],
    ],
];

Configuration