
Implementing authorizations

Authorization service

Each object needs its own authorization service, which must extend the AbstractAuthorizationService.

Domain model

Each domain model needs a method that returns its own authorizations:

/**
 * @return array
 */
public function getAuthorization(): array {
    return NoticeAuthorizationService::getAuthorizationForRecord($this->getUid());
}


The createMenu method needs some authorization conditions for providing only allowed entries:

$actions = [];
if (AuthorizationUtility::getBackendTableSelect('tx_crm_domain_model_state')) {
    $actions[] = [
        'action' => 'list',
        'controller' => 'Backend\\Configuration\\State',
        'label' => $this->translate('tx_crm_label.module_menu_configuration_list_states'),
    ];
}

The initializeAction needs an authorization condition as well:

/**
 * @throws Exception
 */
public function initializeAction() {
    if (!AuthorizationUtility::getBackendTableSelect('tx_crm_domain_model_state')) {
        throw new Exception('Authorization required for tx_crm_domain_model_state!');
    }
}

TYPO3 list module

Ensure that the list module of TYPO3 (if that module is available to a non-admin user) cannot display unauthorized records. To do that, insert a conditional authorization service request in crm/Classes/Hook/DatabaseRecordListHook.php, for example:

switch ($table) {
    // ...
    case 'tx_crm_domain_model_notice':
        $parameters['where'][] = NoticeAuthorizationService::getListWhere();
        break;
    // ...
}

CRM list

Selecting rows

@todo must also be checked via the service

Displaying action buttons

The action buttons get their authorizations from the domain model. A simple condition decides whether the button is enabled or disabled:

<crm:variable.set name="authorization" value="{listItem.authorization}" />
<f:if condition="{listItem.authorization.modify}">
    <f:then><!-- enabled button --></f:then>
    <f:else><!-- disabled button --></f:else>
</f:if>

Displaying toggle buttons

Toggle buttons need an additional check on field name.
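
A sketch of such a field-name check, added here as an example and not taken from the extension's own code. The class ExampleNoticeAuthorization, the toggleFields key, the in-memory rights table and the toggleAction function are assumptions made for illustration; only the modify key and the field name tx_crm_admin appear on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an authorization service; NOT the extension's API.
final class ExampleNoticeAuthorization
{
    // Constructed sample data: record uid => rights of the current backend user.
    private const RIGHTS = [
        1 => ['modify' => true,  'toggleFields' => ['hidden']],
        2 => ['modify' => true,  'toggleFields' => []],
        3 => ['modify' => false, 'toggleFields' => ['hidden']],
    ];

    public static function getAuthorizationForRecord(int $uid): array
    {
        // Unknown records get no rights (deny by default).
        return self::RIGHTS[$uid] ?? ['modify' => false, 'toggleFields' => []];
    }

    // A toggle writes to one column, so both the record right and the
    // field name are checked; the field must be on an explicit allowlist.
    public static function canToggle(int $uid, string $field): bool
    {
        $auth = self::getAuthorizationForRecord($uid);
        return $auth['modify'] === true
            && in_array($field, $auth['toggleFields'], true);
    }
}

// Hypothetical controller step: repeat the check on the server before writing,
// because a disabled button in the template is only a display decision.
function toggleAction(int $uid, string $field): string
{
    if (!ExampleNoticeAuthorization::canToggle($uid, $field)) {
        throw new RuntimeException("Authorization required to toggle {$field} on record {$uid}!");
    }
    return "toggled {$field} on record {$uid}";
}

// Constructed requests: allowed, wrong field, no modify right, unknown record.
foreach ([[1, 'hidden'], [1, 'tx_crm_admin'], [3, 'hidden'], [99, 'hidden']] as [$uid, $field]) {
    try {
        echo toggleAction($uid, $field), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'denied: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first request is toggled; the other three are denied because the field is not on the allowlist, the record is not modifiable, or the record is unknown.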

CRM detail view

The CRM detail view checks the visible fields against the exclude fields of the user group. This happens in the file crm/Classes/Tca/PrepareDetailFields.php.

CRM admin

Admin users have tx_crm_admin = 1:

