For now, restrictfe can only be activated and deactivated with:
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['enable'] = true;
The exclusion config for IPs and HTTP headers is written in ExtensionManager. We need to remove the ExtensionManager config and move all configuration to a more granular array, which allows building more sophisticated conditions for exclusion (if the mode is deny all) and inclusion (if the mode is deny selectively).
There will be two modes in which restrictfe can operate: "allow" and "deny".
"allow" mode
"allow" is needed on a production instance that is already live, where some part of the website must still be hidden from regular frontend users but at the same time must be accessible in the frontend to logged-in BE users who edit content in that hidden part.
The best example is a multilanguage website. Let's assume there is a production site with only one language, English. The website owner decides to add a new language, Chinese. The translation will be done directly on live and will be a long process of a few weeks. During that process the client must check content on the frontend, but at the same time the translated website must be inaccessible to regular users. The solution is to use restrictfe and put it into allow mode with an exclusion for sysLanguageUid=1 (the uid of the new language).
In that case, even if a frontend user switches to the new language by forcing the L parameter in the URL, that user will see the "Login to see the content of this page" warning.
Configuration for the above multilanguage example would be:
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['mode'] = 'allow';
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['rules'] = [
    'sys_language_uid' => 1,
];
The second example is adding a new website with a new domain to an already existing production instance. The situation is the same as above: we do not want regular users to accidentally find the new domain and see an unfinished website. So we can deny access to this domain for regular users but let logged-in BE users, who will edit the content, see it.
Configuration for the above multi-website example would be:
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['mode'] = 'allow';
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['rules'] = [
    // Dots are escaped so that they match only a literal "." in the host name.
    'domainPregmatch' => '/^sub\.example\.com$/',
];
"deny" mode
"deny" is good for all staging instances where we want to deny all access except for some IPs, HTTP headers, etc.
Configuration array for "deny" mode:
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['mode'] = 'deny';
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['restrictfe']['rules'] = [
    'ip' => '12.12.2.2,123.12.2.*',
    'domain' => 'example.com',
    'AND' => [
        'domain' => 'example2.com',
        'ip' => '126.12.2.2'
    ],
    'sys_language_uid' => 1,
    'header' => 'HTTP_TX_RESTRICTFE=foo',
];
which would mean deny for all except:
- IP=12.12.2.2 OR IP mask 123.12.2.*
- OR domain=example.com
- OR (domain=example2.com AND IP=126.12.2.2)
- OR sys_language_uid=1
- OR HTTP header HTTP_TX_RESTRICTFE exists with a value equal to "foo"
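
One way the proposed rules array could be evaluated, as an added example that is not restrictfe's own code (PHP 8): sibling rules are OR-ed, rules under 'AND' are AND-ed, and the result is combined with the mode. The function names, the $ctx keys, the IPv4-only wildcard handling and the BE-user bypass in "deny" mode are assumptions made for the illustration.

```php
<?php
// Added illustration, not restrictfe code; function names and $ctx keys are hypothetical.

// IPv4 only: match $ip against a comma-separated list where '*' stands for one octet.
function ipMatches(string $list, string $ip): bool
{
    foreach (array_map('trim', explode(',', $list)) as $mask) {
        $regex = '/^' . str_replace('\*', '\d{1,3}', preg_quote($mask, '/')) . '$/';
        if (preg_match($regex, $ip) === 1) {
            return true;
        }
    }
    return false;
}

// Sibling rules are OR-ed; rules under an 'AND' key are AND-ed ($all = true).
function rulesMatch(array $rules, array $ctx, bool $all = false): bool
{
    foreach ($rules as $key => $value) {
        switch ((string)$key) {
            case 'AND': $hit = rulesMatch((array)$value, $ctx, true); break;
            case 'ip': $hit = ipMatches((string)$value, $ctx['ip']); break;
            case 'domain': $hit = strcasecmp((string)$value, $ctx['host']) === 0; break;
            case 'domainPregmatch': $hit = preg_match($value, $ctx['host']) === 1; break;
            case 'sys_language_uid': $hit = (int)$value === (int)$ctx['sys_language_uid']; break;
            case 'header':
                [$name, $expected] = array_pad(explode('=', (string)$value, 2), 2, '');
                $hit = isset($ctx['server'][$name])
                    && hash_equals($expected, (string)$ctx['server'][$name]);
                break;
            default: $hit = false; // an unknown rule type never matches
        }
        if ($hit !== $all) {
            return $hit; // OR: first hit decides; AND: first miss decides
        }
    }
    return $all && $rules !== []; // OR without a hit is false; an empty AND matches nothing
}

// Assumption: a logged-in BE user always passes; an unknown mode blocks (fail closed).
function isBlocked(string $mode, array $rules, array $ctx, bool $beUser): bool
{
    $match = rulesMatch($rules, $ctx);
    return !$beUser && match ($mode) { 'deny' => !$match, 'allow' => $match, default => true };
}

// Constructed request: matches only the 123.12.2.* mask from the "deny" rules above.
$rules = ['ip' => '12.12.2.2,123.12.2.*', 'AND' => ['domain' => 'example2.com', 'ip' => '126.12.2.2']];
$ctx = ['ip' => '123.12.2.77', 'host' => 'example2.com', 'sys_language_uid' => 0, 'server' => []];
var_dump(isBlocked('deny', $rules, $ctx, false), isBlocked('deny', $rules, ['ip' => '10.0.0.5'] + $ctx, false));
```

The 'header' value is sent by the client, so in "deny" mode it works as a shared secret and should be long and random rather than a guessable word. The 'ip' rule is only as reliable as the address it is compared with: use the connection address, or a forwarded address only when it comes from a proxy you control.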