TYPO3 Extbase: CSRF-FormProtection does not work for non-admin user in interface

I implemented CSRF protection for my TYPO3 user extension (according to the documentation), and it works great for non-authenticated users as well as for built-in administrators in the interface. The strange thing I noticed is that an error occurs if a non-admin backend user tries to use the form in an external plugin:

PHP Catchable Fatal Error: Argument 1 passed to TYPO3\CMS\Core\FormProtection\FormProtectionFactory::getMessageClosure() must be an instance of TYPO3\CMS\Lang\LanguageService, null given

I tested using TYPO3 V. 7.6.10 and 7.6.14. The error occurs in both versions.

I took a look at the source code in FormProtectionFactory, and it seems $GLOBALS['Lang'] is initialized for admin users in FE, but empty for regular backend users. In BE, both user groups can access other CSRF protected forms.

According to the official LanguageService link, LanguageService is usually only available in BE:

This class is usually created as a global variable $GLOBALS['LANG']. It is available only in the backend and under certain circumstances in the interface.

Does anyone know what these specific circumstances are? Of course, you can exit BE and visit the forms as having failed the user’s verification, but this is obviously very annoying. I think this is the expected behavior, but I do not understand why the problem occurs only for non-admins. Maybe someone has an idea how to make the form available to third-party backend users in FE too?

Any help is appreciated.

Thanks!

For completeness, here is my call to the CSRF token generator, but I think the “problem” lies in TYPO3 itself (or is the expected behavior):

$this->view->assign("csrfToken", FormProtectionFactory::get()->generateToken($this->extensionName,
        $this->controllerContext->getRequest()->getControllerActionName(), $additionalObject));
1 answer

TYPO3 , CSRF , , CSRF .

. https://forge.typo3.org/issues/77403


Source: https://habr.com/ru/post/1665597/

