Backend module access gates
New in version 14.2
Existing backend module registrations using the built-in access values continue to work without modification:
useradminsystemMaintainer
The TYPO3 backend module system supports configurable access control through module access gates. Gates determine whether a backend user may access a specific backend module.
TYPO3 provides built-in gates for common access strategies and allows extension authors to register custom gates for project-specific requirements.
Table of contents
Built-in access gates
TYPO3 ships the following built-in access gates:
\TYPO3\(CMS\ Backend\ Module\ Access Gate\ User Gate 'access' => 'user')\TYPO3\(CMS\ Backend\ Module\ Access Gate\ Admin Gate 'access' => 'admin')\TYPO3\(CMS\ Backend\ Module\ Access Gate\ System Maintainer Gate 'access' => 'system)Maintainer'
These gates preserve the traditional backend module access behavior.
UserGate
The
User grants access to:
- Backend administrators
-
Backend users or groups with explicit module permissions configured in:
be_users. user Mods be_groups. group Mods
This corresponds to the module access value:
'access' => 'user',AdminGate
The
Admin grants access only to backend administrator users.
This corresponds to:
'access' => 'admin',SystemMaintainerGate
The
System grants access only to system maintainers.
This corresponds to:
'access' => 'systemMaintainer',Register a custom access gate
Extension authors can implement custom access strategies by creating a class
that implements
\TYPO3\.
Custom gates are registered using the
# PHP attribute.
The gate must return a
\TYPO3\ value.
Possible results are:
ModuleAccess Result:: Granted ModuleAccess Result:: Denied ModuleAccess Result:: Abstain
Example: Custom editor gate
<?php
declare(strict_types=1);
namespace T3docs\Examples\Module\AccessGate;
use TYPO3\CMS\Backend\Module\ModuleAccessGateInterface;
use TYPO3\CMS\Backend\Module\ModuleAccessResult;
use TYPO3\CMS\Backend\Module\ModuleInterface;
use TYPO3\CMS\Core\Attribute\AsModuleAccessGate;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
#[AsModuleAccessGate(identifier: 'exampleUser')]
class ExampleGate implements ModuleAccessGateInterface
{
public function decide(
ModuleInterface $module,
BackendUserAuthentication $user,
): ModuleAccessResult {
if ($module->getAccess() !== 'exampleUser') {
return ModuleAccessResult::Abstain;
}
$userTsConfig = $user->getTSConfig();
$exampleUserGroupId = (int)($userTsConfig['options.']['example.']['userGroup'] ?? 0);
$permission = $user->isAdmin() || in_array($exampleUserGroupId, $user->userGroupsUID);
return $permission
? ModuleAccessResult::Granted
: ModuleAccessResult::Denied;
}
}The example above defines a custom access type called
example.
The gate only handles modules whose access option is set to
example. For all other modules, it returns
Module.
The gate accesses information about the currently authenticated backend user
through the
Backend
object passed to the
decide method.
This allows custom gates to implement project-specific permission logic based on user groups, user TSconfig settings, workspace access, user preferences, or other backend user properties.
After registering the gate, use its identifier in the module configuration.
return [
'my_module' => [
'access' => 'exampleUser',
'labels' => 'examples.module.content_examples_clipboard',
// ...
],
];Gate evaluation order
Multiple gates can be registered simultaneously.
The before and after options of the
# attribute define the evaluation order.
use TYPO3\CMS\Backend\Module\ModuleAccessGateInterface;
use TYPO3\CMS\Core\Attribute\AsModuleAccessGate;
#[AsModuleAccessGate(
identifier: 'exampleUser',
after: ['user'],
)]
final readonly class ExampleGate implements ModuleAccessGateInterface
{
// ...
}