
silverstripe/security-extensions
================================

A temporary polyfill repository for security improvements that will be ported into core


Silverstripe Security Extensions
================================


**NOTE**: This module is no longer commercially supported in Silverstripe CMS 5 and does not provide a CMS 5-compatible version. As of Silverstripe CMS 5 its functionality is part of core.

[![CI](https://github.com/silverstripe/silverstripe-security-extensions/actions/workflows/ci.yml/badge.svg)](https://github.com/silverstripe/silverstripe-security-extensions/actions/workflows/ci.yml)

Overview
--------


This module is a polyfill for some security related features that will become part of the core SilverStripe product, but are required for older Silverstripe 3.7 and 4.x support in the meantime.

This module will *not* be made compatible with CMS 5 - instead, its functionality has been folded back into the core modules.

Installation
------------


```
$ composer require silverstripe/security-extensions 1.x-dev
```

Features
--------


### Sudo mode


Sudo mode represents a heightened level of permission in that you are more certain that the current user is actually the person whose account is logged in. This is performed by re-validating that the account's password is correct, and will then last for a certain amount of time (configurable) until it will be checked again.

Sudo mode will automatically be enabled for the configured lifetime when a user logs into the CMS. Note that if the PHP session expires before the sudo mode lifetime does, sudo mode is also cleared (and re-enabled when the user logs in again). If the user leaves their CMS open, or continues to use it, for an extended period of time with automatic refreshing in the background, sudo mode will still deactivate once the maximum lifetime is reached.

#### Configuring the lifetime


The default `SudoModeServiceInterface` implementation is `SudoModeService`, and its lifetime can be configured with YAML. You should read the lifetime value using `SudoModeServiceInterface::getLifetime()`.

```
SilverStripe\SecurityExtensions\Service\SudoModeService:
  lifetime_minutes: 25
```

#### Enabling sudo mode for controllers


You can add the `SilverStripe\SecurityExtensions\Service\SudoModeServiceInterface` as a dependency to a controller that requires sudo mode for one of its actions:

```
<?php

use SilverStripe\Control\Controller;
use SilverStripe\SecurityExtensions\Service\SudoModeServiceInterface;

class MyController extends Controller
{
    /** @var SudoModeServiceInterface */
    private $sudoModeService;

    // Resolved by the Injector and passed to the setter below
    private static $dependencies = ['SudoModeService' => '%$' . SudoModeServiceInterface::class];

    public function setSudoModeService(SudoModeServiceInterface $sudoModeService): self
    {
        $this->sudoModeService = $sudoModeService;
        return $this;
    }
}
```

Performing a sudo mode verification check in a controller action is simply a matter of using the service to validate the request's session:

```
// In MyController above; also import SilverStripe\Control\HTTPRequest
// and SilverStripe\Control\HTTPResponse.
public function myAction(HTTPRequest $request): HTTPResponse
{
    // check() returns false when sudo mode was never activated for this
    // session or its configured lifetime has elapsed
    if (!$this->sudoModeService->check($request->getSession())) {
        return $this->httpError(403, 'Sudo mode is required for this action');
    }
    // ... continue with sensitive operations
    return HTTPResponse::create('ok');
}
```

### Using sudo mode in a React component


This module defines a [React Higher-Order-Component](https://reactjs.org/docs/higher-order-components.html) (HOC) which can be applied to React components in your module or code. It intercepts component rendering and shows a "sudo mode required" notice and log-in screen, which validates the password, activates sudo mode, and on success re-renders the wrapped component.

**Note:** the JavaScript injector [does not currently support injecting transformations/HOCs](https://github.com/silverstripe/react-injector/issues/4), so we have coupled the application of these [injector transformations](https://docs.silverstripe.org/en/4/developer_guides/customising_the_admin_interface/reactjs_redux_and_graphql/#transforming-services-using-middleware) into this module itself for the silverstripe/mfa module. Unfortunately, if you want to apply this to your own code you will need to duplicate the `SudoMode` HOC into your project or module and apply the transformation at that point.

[![Sudo mode HOC example](docs/_images/sudomode.png)](docs/_images/sudomode.png)

Example implementation:

```
// Injector is exposed by silverstripe/admin to bundled JavaScript
import Injector from 'lib/Injector';
import WithSudoMode from '../containers/SudoMode/SudoMode';

// Wrap MyComponent so it renders only once sudo mode is active
Injector.transform('MyComponentWithSudoMode', (updater) => {
  updater.component('MyComponent', WithSudoMode);
});
```

#### Requirements for adding to a component


While the `sudoModeActive` prop is gathered automatically from the Redux configuration store, backend validation must also be implemented so that the frontend UI cannot simply be tampered with to skip re-validation on sensitive operations.

Ensure you protect your endpoints from [cross site request forgery (CSRF)](https://docs.silverstripe.org/en/4/developer_guides/forms/form_security/#cross-site-request-forgery-csrf) at the same time.
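The controller action from the sudo mode section and the backend-validation and CSRF requirements from this section, combined into one action. This is an added example, not the module's own code; the controller, action and `App\Control` namespace are illustrative, and the `SecurityToken`, `HTTPRequest` and `HTTPResponse` calls are the Silverstripe framework's.

```php
<?php
// Added example: a state-changing action guarded by method, CSRF token and sudo mode.
// Names (SensitiveController, deleteApiKey, App\Control) are assumptions.
namespace App\Control;

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Security\SecurityToken;
use SilverStripe\SecurityExtensions\Service\SudoModeServiceInterface;

class SensitiveController extends Controller
{
    private static $allowed_actions = ['deleteApiKey'];

    private static $dependencies = [
        'SudoModeService' => '%$' . SudoModeServiceInterface::class,
    ];

    /** @var SudoModeServiceInterface */
    private $sudoModeService;

    public function setSudoModeService(SudoModeServiceInterface $service): self
    {
        $this->sudoModeService = $service;
        return $this;
    }

    public function deleteApiKey(HTTPRequest $request): HTTPResponse
    {
        // State change: accept only POST so a plain link or image tag cannot trigger it.
        if (!$request->isPOST()) {
            return $this->httpError(405, 'POST required');
        }
        // CSRF: the submission must carry the SecurityID token bound to this session.
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Invalid security token');
        }
        // Sudo mode is re-checked server-side; the sudoModeActive prop in the
        // React store is a UI hint and is never trusted on its own.
        if (!$this->sudoModeService->check($request->getSession())) {
            return $this->httpError(403, 'Sudo mode is required for this action');
        }
        // ... perform the sensitive operation here
        return HTTPResponse::create(json_encode(['ok' => true]), 200)
            ->addHeader('Content-Type', 'application/json');
    }
}
```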

### Require password change on next log in


Administrators with the ability to administer members can see a checkbox in the CMS under the area to set the member's password. Checking this box will set the password expiry to the current date, meaning the next time the member logs in they will be required to choose a new password for their account.

The date is set selectively in order to not batter the database with updates to that member's records each time an unrelated setting is changed and saved. The matrix is as follows (`-` indicates no change):

| Expiry Date | Checked | Unchecked |
|-------------|---------|-----------|
| **Null**    | now     | -         |
| **Future**  | now     | -         |
| **Expired** | -       | null      |

No change is made when setting this field and the password is already expired, for auditing purposes (an administrator could see how long ago a password expired).

Similarly, no change is made when unsetting this field and the expiry date is in the future: it should remain so, since the checkbox is for immediately requiring a new password on the *next* log in.

Given the above two paragraphs, it should not be possible to reach these cases under normal (CMS) usage, as the UI reflects the current state of the `PasswordExpiry` field on load: the checkbox will be checked if the current password is already expired.
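The selective-update rule from the matrix and the two paragraphs above, written out as a pure function so each row can be exercised without a database. This is an added example, not the module's own code; the function name `resolvePasswordExpiry`, the return shape and the sample dates are assumptions.

```php
<?php
// Added example: the PasswordExpiry update rule as a pure function.
// 'change' => false means the member record is left untouched.
declare(strict_types=1);

/**
 * @param ?string $currentExpiry stored PasswordExpiry ('Y-m-d H:i:s') or null
 * @param bool $checked state of the "require password change" checkbox on save
 * @return array{change: bool, value: ?string}
 */
function resolvePasswordExpiry(?string $currentExpiry, bool $checked, \DateTimeImmutable $now): array
{
    // Classify the stored date into the three rows of the matrix.
    $state = 'null';
    if ($currentExpiry !== null) {
        $state = new \DateTimeImmutable($currentExpiry) > $now ? 'future' : 'expired';
    }

    if ($checked) {
        // Null or future: expire right now. Already expired: keep the original
        // timestamp so an administrator can still see how long ago it expired.
        return $state === 'expired'
            ? ['change' => false, 'value' => $currentExpiry]
            : ['change' => true, 'value' => $now->format('Y-m-d H:i:s')];
    }

    // Unchecked: only an already-expired password is cleared. A future expiry
    // is a deliberate setting and stays as it is.
    return $state === 'expired'
        ? ['change' => true, 'value' => null]
        : ['change' => false, 'value' => $currentExpiry];
}

// Constructed sample inputs covering every cell of the matrix.
$now = new \DateTimeImmutable('2024-01-15 10:00:00');
$cases = [
    [null, true], ['2030-01-01 00:00:00', true], ['2020-01-01 00:00:00', true],
    [null, false], ['2030-01-01 00:00:00', false], ['2020-01-01 00:00:00', false],
];
foreach ($cases as [$expiry, $checked]) {
    $r = resolvePasswordExpiry($expiry, $checked, $now);
    printf(
        "%-21s %-9s => %s\n",
        var_export($expiry, true),
        $checked ? 'checked' : 'unchecked',
        $r['change'] ? var_export($r['value'], true) : '- (no change)'
    );
}
```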

Versioning
----------


This library follows [Semver](http://semver.org). According to Semver, you will be able to upgrade to any minor or patch version of this library without any breaking changes to the public API. Semver also requires that we clearly define the public API for this library.

All methods with `public` visibility are part of the public API. All other methods are not part of the public API. Where possible, we'll try to keep `protected` methods backwards-compatible in minor/patch versions, but if you're overriding methods then please test your work before upgrading.

Reporting Issues
----------------


Please [create an issue](https://github.com/creative-commoners/silverstripe-security-extensions/issues) for any bugs you've found, or features you're missing.

License
-------


This module is released under the [BSD 3-Clause License](LICENSE.md).
