Inside TYPO3


This document is intended to be a reference for experienced TYPO3 developers. For intermediates it will help you to become experienced! But the document presumes that you are well familiar with TYPO3 and the concepts herein. Further, it presumes technical knowledge of PHP, MySQL, Unix etc.

The result will be this:

So we are connected to the server (username and password accepted) but we have not yet defined a database. Let's go create a blank one!

After having removed the die() function call in the .../install/index.php file we can enter the Install Tool (password was "joh316" by default). Then go to the "Basic Configuration" menu item.

If you login you will see this:

We find that this is not the case with two directories in particular: uploads/ and typo3temp/. There are a number of other missing directories which issue a warning, but that is because those are typically used with the "cms" extension frontend. That is disabled now. Remember? - Core only! So ... and all is fine. So let's sum up what we have now:
(shared between all websites)
NOTE: In case you want to allow the Extension Manager to update global and system extensions you must also allow writing to "ext/" and "sysext/". Install Tool will warn you.
NOTE: Make sure to properly secure access to the Install Tool!
(specific for each website) temp_CACHED_xxxxxx_ext_localconf.php, temp_CACHED_xxxxxx_ext_tables.php:
(specific for each website)
(specific for each website)
Basically we completed these steps to create the files and folders of a bare-bone TYPO3 core installation:
  1. Create symlink to the t3lib/ directory  (shared)
  2. Create symlink to the backend administration directory, typo3/  (shared)
  3. Create directories typo3conf/, uploads/, typo3temp/   (specific)
  4. Create typo3conf/localconf.php file and add a minimum of configuration to get started.   (specific)
There are two (sometimes more) files which we didn't create ourselves: the cached "temp_CACHED_xxxxxx_ext_localconf.php" and "temp_CACHED_xxxxxx_ext_tables.php". These two files are automatically compiled from the currently loaded extensions and written to disk. If you look into the files you can see that they are just scripts automatically collected from the loaded extensions, then concatenated and written to disk. This concept improves parsing a lot since it makes it possible to include one file (the cached file) instead of maybe 50 files from different locations.

Notice how few modules are available! This is the default set of features which exists in what we call the core of TYPO3! If you go to the Extension Manager (EM) and enable "Shy extensions" you can see that only the "lang" and the "install" extensions are there. Even the Install Tool is an extension that can be disabled.
 
    define('TYPO3_MOD_PATH', 'install/');
    $BACK_PATH='../';

    define('TYPO3_MOD_PATH', '../typo3conf/my_backend_script/');
    $BACK_PATH='../../typo3/';

Modules
Modules will typically initiate with basic lines like these:

    unset($MCONF);
    require ('conf.php');

Modules in typo3conf/
The short version is this:
The verbose version is this:
gzip_encode
require ('init.php');
$TBE_TEMPLATE
$LANG
$LOCAL_LANG 
$TCA_DESCR
template
language
<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet href="#internalStyle" type="text/css"?>
<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <meta name="GENERATOR" content="TYPO3 3.6.0-dev, http://typo3.com, &#169; Kasper Sk&#197;rh&#248;j 1998-2003, extensions are copyright of their respective owners." />
    <title>Dummy document</title>
    <link rel="stylesheet" type="text/css" href="stylesheet.css"/>
    <style type="text/css" id="internalStyle">
        /*<![CDATA[*/
            A:hover {color: #254D7B}
            H2 {background-color: #9BA1A8;}
            H3 {background-color: #E7DBA8;}
            BODY {background-color: #F7F3EF;}
        /*]]>*/
    </style>
</head>
<body>

<!-- Wrapping DIV-section for whole page BEGIN -->
<div class="typo3-def">

... [additional content between startPage() and endPage() will be inserted here!] ...

    <script type="text/javascript">
        /*<![CDATA[*/
        if (top.busy && top.busy.loginRefreshed) {
            top.busy.loginRefreshed();
        }
        /*]]>*/
    </script>

<!-- Wrapping DIV-section for whole page END -->
</div>
</body>
</html>
$MLANG
$MCONF
$BACK_PATH
$LOCKED_RECORDS
  1. Positive list of pageTypes (pages.doktype) that can be selected.
  2. Explicitly allow/deny field values
    This list of checkboxes can be used to allow or deny access to specific values of selector boxes in TYPO3 tables. Some selector boxes are configured to have their values access controlled. In each case the mode can be that access is explicitly allowed or explicitly denied. This list shows all values that are under such access control.
  3. Limit to languages
    By default users can edit records regardless of what language they are assigned to. But using this list you can limit the user group members to edit only records localized to a certain language.
    There is also a similar list of languages for each user record.
    Technical note: To enable localization access control for a table you need to define the field containing the languages. This is done with the TCA/"ctrl" directive "languageField". See "TYPO3 Core API" for more details.
  4. Custom module options
    This item can contain custom permission options added by extensions.
General notes on mountpoints
New pages and records. Precedence order of TSconfig:
Safe mode restrictions

    $TYPO3_CONF_VARS['BE']['lockRootPath'] ='/my_absolute_path/';
    $TYPO3_CONF_VARS['BE']['userHomePath'] ='/my_absolute_path/users/';
            'webspace' => array('allow'=>'', 'deny'=>'php3,php'),
Logging in now, this is what the user will see:
Logging in now, this is what the user will see in the Web > List module:
Create the Filemount record:
Create the folder "fileadmin/user_uploads/":
Add the file mount record to the File mounts of the group "New group":
Make sure the flag "Mount from groups:" / "File Mounts" is set:
Logging in now, this is what the user will see in the File > List module:
    $TBE_MODULES = Array (
        'web' => 'list,info,perm,func',
        'file' => 'list',
        'doc' => '',    // This should always be empty!
        'user' => '',
        'tools' => 'em',
        'help' => 'about,cshmanual'
    );

There are two special keys in the $TBE_MODULES array to be aware of:
  1. $TBE_MODULES['doc'] is a main module which cannot have any sub modules.
 
The backend determines if a module is a core/user or extension module by first looking for a path-entry in $TBE_MODULES['_PATHS'] using "[module]_[submodule]" as key (this is also the "name" of the module). If an entry is found, this location is set as the path. Otherwise "t3lib_loadmodules" will look first for the module in the core location ("typo3/mod/") and if not found, then in "../typo3conf/".

When the backend needs to get a list of available modules for a backend user the class "t3lib_loadmodules" is used. This code snippet does the trick:

    // Backend Modules:
    $loadModules = t3lib_div::makeInstance('t3lib_loadModules');
    $loadModules->load($TBE_MODULES);
    foreach($loadModules->modules as $mainMod => $info)    {
        ...
    }

The array $loadModules->modules contains information about the modules that were accessible; their names, types, sub modules (if any) and the filepath to their scripts (relative to PATH_typo3).

For main modules:

    if (TYPO3_MODE=='BE')    {
        t3lib_extMgm::addModule('txtempM1','','',t3lib_extMgm::extPath($_EXTKEY).'mod1/');
    }

For sub modules:

    if (TYPO3_MODE=='BE')    {
        t3lib_extMgm::addModule('web','txtempM2','',t3lib_extMgm::extPath($_EXTKEY).'mod2/');
    }
    // Configures path for a core module:
    define('TYPO3_MOD_PATH', 'mod/web/info/');
    // Configures path for an extension module:
    define('TYPO3_MOD_PATH', '../typo3conf/ext/temp/mod2/');

    // Configures backpath for a core module:
    $BACK_PATH = '../../../';
    // Configures backpath for extension module:

Applies only to Backend Modules.

    $MLANG["default"]["tabs_images"]["tab"] = "moduleicon.gif";
    $MLANG["default"]["ll_ref"] =

Applies only to Backend Modules.

    // For the "Web" main module:
    $MCONF['defaultMod'] = 'list';
    $MCONF['navFrameScript'] = '../../alt_db_navframe.php';
    $MCONF['name'] = 'web';
    $MCONF['access'] = 'user,group';
    // More common for extension backend modules:
    $MCONF["access"] = "user,group";

    <?php
    // DO NOT REMOVE OR CHANGE THESE 3 LINES:
    define('TYPO3_MOD_PATH', '../typo3conf/ext/temp/mod2/');
    $BACK_PATH='../../../../typo3/';
    $MCONF["name"]="web_txtempM2";

    $MCONF["access"]="user,group";
    $MCONF["script"]="index.php";
    $MLANG["default"]["tabs_images"]["tab"] = "moduleicon.gif";
    $MLANG["default"]["ll_ref"]="LLL:EXT:temp/mod2/locallang_mod.php";
    ?>
$MLANG['default']['tabs_images']['tab']
$MLANG['default']['ll_ref']
$MLANG[ language-key ]['labels']['tablabel']
$MLANG[ language-key ]['labels']['tabdescr']
$MLANG[ language-key ]['tabs']['tab']
    $MLANG['default']['tabs_images']['tab'] = 'func.gif';
    $MLANG['default']['ll_ref']='LLL:EXT:lang/locallang_mod_web_func.php';

    <?php
    # TYPO3 CVS ID: $Id: locallang_mod_web_func.php,v 1.5 2004/04/30 16:19:54 typo3 Exp $
    $LOCAL_LANG = Array (
        'default' => Array (
            'title' => 'Advanced functions',
            'clickAPage_content' => 'Please click a page title in the page tree.',
            'mlang_labels_tablabel' => 'Advanced functions',
            'mlang_labels_tabdescr' => 'You\'ll find general export and import functions here. ... sorting of pages.',
            'mlang_tabs_tab' => 'Functions',
        ),
        'dk' => Array (
            'title' => 'Avancerede funktioner',
            'clickAPage_content' => 'Klik på en sidetitel i sidetræet.',
            'mlang_labels_tablabel' => 'Avancerede funktioner',
            'mlang_labels_tabdescr' => 'Her vil du finde generelle eksport og import funktioner. ... sortering af sider.',
            'mlang_tabs_tab' => 'Funktioner',
        ),
    ...
    );
    ?>
Examples (Backend Modules):

    // Main module (from extension)
    $MCONF["name"]="txtempM1";
    // Submodule of "Web" main module:
    $MCONF["name"]="web_txtempM2";
    // File>Filelist module:

Example (Stand-alone scripts):

    // Setting pseudo module name
    // Setting pseudo module name for CSM item
    $MCONF["name"]="xMOD_tx_temp_cm1";
$MCONF['script']
$MCONF['access']
Example:
$MCONF['workspaces']
$MCONF['defaultMod']
$MCONF['navFrameScript']
Example (From "Web" main module):
    define('TYPO3_MOD_PATH', 'install/');
    $BACK_PATH='../';
    ...
    require('../init.php');
    unset($MCONF);
    require('conf.php');
    require($BACK_PATH.'init.php');
    ...

    <?php
    // DO NOT REMOVE OR CHANGE THESE 3 LINES:
    define('TYPO3_MOD_PATH', '../typo3conf/ext/temp/cm1/');
    $BACK_PATH = '../../../../typo3/';
    $MCONF['name'] = 'xMOD_tx_temp_cm1';
    ?>

    <?php
    // DO NOT REMOVE OR CHANGE THESE 3 LINES:
    define('TYPO3_MOD_PATH', '../typo3conf/ext/temp/mod2/');
    $BACK_PATH = '../../../../typo3/';
    $MCONF['name'] = 'web_txtempM2';

    $MCONF['access'] = 'user,group';
    $MCONF['script'] = 'index.php';
    $MLANG['default']['tabs_images']['tab'] = 'moduleicon.gif';
    $MLANG['default']['ll_ref'] = 'LLL:EXT:temp/mod2/locallang_mod.php';
    ?>

    // DEFAULT initialization of a module [BEGIN]
    unset($MCONF);
    require('conf.php');
    require($BACK_PATH.'init.php');
    require($BACK_PATH.'template.php');
    $LANG->includeLLFile('EXT:temp/cm1/locallang.php');

    require_once (PATH_t3lib.'class.t3lib_scbase.php');
    // ....(But no access check here...)
    // DEFAULT initialization of a module [END]
    ...
    class tx_temp_cm1 extends t3lib_SCbase {
    ...
    }

    if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/temp/cm1/index.php'])    {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/temp/cm1/index.php']);
    }

    // Make instance:
    $SOBE = t3lib_div::makeInstance('tx_temp_cm1');
    $SOBE->init();

    $SOBE->main();
    $SOBE->printContent();
    // This checks permissions and exits if the user has no permission for entry.
    if (!$BE_USER->isAdmin()) die('No access for you...');
    if (TYPO3_MODE=='BE')    {
        t3lib_extMgm::insertModuleFunction(
            'web_func',
            'tx_temp_modfunc1',
            t3lib_extMgm::extPath($_EXTKEY).'modfunc1/class.tx_temp_modfunc1.php',
            'LLL:EXT:temp/locallang_db.php:moduleFunction.tx_temp_modfunc1'
        );
    }

    if (TYPO3_MODE=='BE')    {
        t3lib_extMgm::insertModuleFunction(
            'web_func',
            'tx_temp_modfunc2',
            t3lib_extMgm::extPath($_EXTKEY).'modfunc2/class.tx_temp_modfunc2.php',
            'LLL:EXT:temp/locallang_db.php:moduleFunction.tx_temp_modfunc2',
            'wiz'
        );
    }

    require_once(PATH_t3lib."class.t3lib_extobjbase.php");

    class tx_temp_modfunc1 extends t3lib_extobjbase {
        function modMenu()    {
            global $LANG;

            return Array (
                "tx_temp_modfunc1_check" => "",
            );
        }

        function main()    {
            // Initializes the module. Done in this function because we may need to re-initialize if data is submitted!
            global $SOBE,$BE_USER,$LANG,$BACK_PATH,$TCA_DESCR,$TCA,$CLIENT,$TYPO3_CONF_VARS;

            $theOutput.=$this->pObj->doc->spacer(5);
            $theOutput.=$this->pObj->doc->section($LANG->getLL("title"),"Dummy content here...",0,1);

            $menu=array();
            $menu[]=t3lib_BEfunc::getFuncCheck($this->pObj->id,"SET[tx_temp_modfunc1_check]",$this->pObj->MOD_SETTINGS["tx_temp_modfunc1_check"]).$LANG->getLL("checklabel");
            $theOutput.=$this->pObj->doc->spacer(5);
            $theOutput.=$this->pObj->doc->section("Menu",implode(" - ",$menu),0,1);

            return $theOutput;
        }
    }

    if (defined("TYPO3_MODE") && $TYPO3_CONF_VARS[TYPO3_MODE]["XCLASS"]["ext/temp/modfunc1/class.tx_temp_modfunc1.php"])    {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]["XCLASS"]["ext/temp/modfunc1/class.tx_temp_modfunc1.php"]);
    }

    #! /usr/bin/php -q
    <?php

    // *****************************************
    // Standard initialization of a CLI module:
    // *****************************************

    // Defining circumstances for CLI mode:
    define('TYPO3_cliMode', TRUE);

    // Defining PATH_thisScript here: Must be the ABSOLUTE path of this script in the right context:
    // This will work as long as the script is called by its absolute path!
    define("PATH_thisScript", $_ENV['_'] ? $_ENV['_'] : $_SERVER['_']);

    // Include configuration file:
    require(dirname(PATH_thisScript).'/conf.php');

    // Include init file:
    require(dirname(PATH_thisScript).'/'.$BACK_PATH.'init.php');

    # HERE you run your application!

    ?>

    // DO NOT REMOVE OR CHANGE THESE 3 LINES:
    define('TYPO3_MOD_PATH', '../typo3conf/ext/user_fi_io/cronmod/');
    $BACK_PATH = '../../../../typo3/';
    $MCONF['name'] = '_CLI_userfiio';
    1. any other fields you like .... typically at least:
      1. A title field holding the record's title as seen in the backend
      2. A tstamp field holding the last modification time of the record
      3. A sorting order field if records are sorted manually
      4. A "deleted" field which tells TYPO3 that the record is deleted (if set)
    #
    # Table structure for table 'tx_templavoila_datastructure'
    #

    #
    # Table structure for table 'tt_content'
    #
  1. Display
  2. Versionizing records
  3. Publishing version
  4. Editing records
  5. New records
  6. Moving records
  7. Deleting records
Access (For upgrades from pre-4.0 versions this is done by default).
Editing
Option: To allow editing of tables without versioning available.
DB mounts
File mounts
Scheduled publishing
Reviewing
Publishing
Settings
Auto versioning
Swapping
Versioning types
Other notes
Module access
Usage
    1. Notice: "locallang*.php" files are an old alternative, still supported but deprecated. They contain the $LOCAL_LANG array in a PHP script which is simply included. Old "locallang.php" files can be converted to llXML files using the extension "extdeveval".
  1. Set up your own translation server:
  2. Use official translation server:
Notice: locallang.php files are deprecated! Use locallang-XML files instead!
$LANG->includeLLFile('EXT:setup/mod/locallang.php');
t3lib_extMgm::addLLrefForTCAdescr('pages','EXT:lang/locallang_csh_pages.php');
Notice: A field key can be prefixed with "_" which will prevent it from being shown in the translation tools. This is useful for "seeAlso" and "image" since they should not be translated to other languages!

    $key = '_MOD_'.$MCONF['name'];
  1. Examples where "pages" (5 chars) is the unique name:
Syntax:
Example:
    function helpCol($key)    {
        global $BE_USER;
        if ($BE_USER->uc["edit_showFieldHelp"])    {
            $hT = trim(t3lib_BEfunc::helpText($this->descrTable,"emconf_".$key,$this->doc->backPath));
            return '<td>'.
                ($hT?$hT:
                    t3lib_BEfunc::helpTextIcon(
                        $this->descrTable,
                        "emconf_".$key,
                        $this->doc->backPath
                    )).
                '</td>';
        }
    }
index.php: The point of the MD5 hashing of passwords is to not transmit the password in cleartext. That is working as it should: For each login a new random hash is used to "encrypt" the sending of the password. This means that the "userident" string is never the same even though the same password is sent. Your proof-of-concept script only emulates the login-form allowing for making looped login-attempts. Isn't that correct? Pls. comment.
NOT FIXED - It works as intended and higher security must - as far as I can see - be obtained by application of other external methods in addition. See http://typo3.org/doc+M561953c3fc3.0.html

showpic.php/thumbs.php: In these scripts the point of MD5-hashes is simply to make it hard for people to spontaneously change a parameter to the script. This is made difficult because you'll need computing of the MD5-hash. So this is not meant to be totally impossible, but just plain hard, preventing casual users from trying.
FIX: I have included a server-known key in the MD5 hash so it can't be reconstructed.

This script exists only with the testsite. This script is therefore not a part of the TYPO3 source code and the responsibility to remove this script - and further make sure that such scripts do not in general exist! - lies on the developer/implementor of a TYPO3 solution.
NOT FIXED - the testsite-package will still ship with this script since it's not a part of the TYPO3 source code as such. Users of the testsite-package are responsible for removing this script themselves if it disturbs them.

FIXED.

FIXED.

4+5 is FIXED.

NOTE: The dev/ folder contains scripts which are normally disabled by a die() function call since they are used in special cases. The dev/ folder scripts are not considered a real part of the TYPO3 source and can be removed without any consequences if a user wants to.

The file install/index.php can be protected by a die() function call. Developers are always encouraged to keep the script disabled during the long periods where it is not used. However failure to do so may impose a security hole. In particular if the default Install Tool Password is not changed. The security problem regards only careless use and warnings are plentiful inside the Install Tool! However if any security holes in the PHP-scripts exist that is a more interesting matter. I don't see any. Paranoid users can safely remove this directory if they don't need the install tool or alternatively insert a .htaccess file if they like.
NOT FIXED - responsibility is on the user.

Depends on implementation. The "fileadmin/" directory is at the user's disposal and not a part of TYPO3's source code. True enough, the testsite-package includes both logfiles and scripts there.
NOT FIXED - responsibility is on the user.

localconf.php file is by default placed here. That is correct. The directory must also be write-enabled according to TYPO3's requirements for a correct installation. Paranoid users can always make a reduced localconf.php file which includes another "outside-of-webroot" file if they like:

    <?php include("/outside_of_webroot/real_localconf.php"); ?>

As for the sql-file found there it's not a requirement of the source code and in this analysis it stems from the testsite-package.
NOT FIXED - responsibility is on the user.
It's officially recommended to just remove this directory then.

OK

Always do. Also see this URL for further security actions you can take: http://typo3.org/doc+M561953c3fc3.0.html

FIXED.

Both directories are not part of the TYPO3 source code but relate to the specific implementation. Responsibility therefore lies on the developer's implementation of a site with TYPO3. See above comments for advice on these issues.
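The showpic.php/thumbs.php fix described in the reply above (a server-known key mixed into the parameter hash), sketched as an added example. This is not TYPO3's code: the function names, the "md5" parameter name and the key are hypothetical, and HMAC-SHA256 stands in for the keyed MD5 the reply mentions.

```php
<?php
// Added illustration, not TYPO3 source. All names and the key are hypothetical.

// "Before": a plain MD5 over the parameters. Nothing in the input is secret,
// so anyone who works out the recipe can recompute it after editing a value.
function plain_param_hash(array $params): string
{
    ksort($params);                          // canonical parameter order
    return md5(http_build_query($params));
}

// "After": the hash also covers a key that never leaves the server.
// HMAC-SHA256 is swapped in here for the keyed MD5 named in the text.
function keyed_param_hash(array $params, string $serverKey): string
{
    ksort($params);
    return hash_hmac('sha256', http_build_query($params), $serverKey);
}

// Server-side check run before the script acts on any parameter.
function verify_params(array $query, string $serverKey): bool
{
    if (!isset($query['md5']) || !is_string($query['md5'])) {
        return false;                        // missing or malformed hash
    }
    $sent = $query['md5'];
    unset($query['md5']);                    // the hash does not cover itself
    // hash_equals() compares in constant time.
    return hash_equals(keyed_param_hash($query, $serverKey), $sent);
}

// Constructed sample values (not taken from the page).
$serverKey = 'constructed-sample-key-not-a-real-secret';
$params    = ['file' => 'uploads/pics/photo.jpg', 'width' => '400'];

// Case 1: link exactly as the server generated it.
$signed = $params + ['md5' => keyed_param_hash($params, $serverKey)];
var_dump(verify_params($signed, $serverKey));

// Case 2: a parameter was changed and the old hash was left in place.
$edited = ['width' => '4000'] + $signed;
var_dump(verify_params($edited, $serverKey));

// Case 3: a parameter was changed and the unkeyed hash was recomputed
// client-side, which is what the unkeyed scheme could not detect.
$recomputed = ['file' => 'uploads/pics/photo.jpg', 'width' => '4000'];
$recomputed['md5'] = plain_param_hash($recomputed);
var_dump(verify_params($recomputed, $serverKey));
```

Only the first case verifies; the other two are rejected because the hash cannot be rebuilt without the server-side key.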
NO LZW: LZW:
<= 4.2.9: 5-5.1.x: 5.2.x: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
