A TYPO3 extension that removes permanent admin access and lets users elevate to admin only when needed.
Admin users log in without admin privileges. Not only does this satisfy cyber security accreditations*, it allows your admin users to use the website as Editors which means they can quickly see any permissions or UI Bugs, issues and errors
- Meets Cyber Essentials and ISO 27001 requirements*
- See who is an admin and since when
- Resets privileges after 10 minutes of inactivity
- Clears admin privileges after logging out
- Allows admins to sill log in when backend is locked for editors
composer require liquidlight/typo3-elevate-to-admin- Edit backend users and enable "Can elevate to admin" where appropriate (existing admins will have this enabled when they login )
- Selected users can use the dropdown in the corner to elevate to admin
The user can exit admin mode by using the same dropdown.
- Login as regular user - Admin users log in without admin privileges
- Work normally - Browse, edit content, and perform regular tasks
- Elevate when needed - Click the dropdown to become admin for specific tasks
- Auto-logout - Admin privileges automatically expire after 10 minutes of inactivity
The extension dispatches PSR-14 events that allow you to customize the behaviour:
This event is dispatched before the admin elevation processing begins. You can use it to skip the elevation process entirely based on custom conditions.
<?php
namespace MyVendor\MyExtension\EventListener;
use LiquidLight\ElevateToAdmin\Event\BeforeAdminElevationProcessEvent;
use LiquidLight\ElevateToAdmin\Traits\AdminElevationTrait;
use TYPO3\CMS\Core\Core\Environment;
final class DevModeAdminListener
{
use AdminElevationTrait;
public function __invoke(BeforeAdminElevationProcessEvent $event): void
{
if (Environment::getContext()->isDevelopment()) {
$user = $event->getBackendUser();
// Make user admin if they can elevate and aren't already admin
if ($this->canUserElevate($user) && !$user->isAdmin()) {
$this->setAdminElevation((int)$user->user['uid']);
}
// Skip normal processing since we've handled it
$event->skipProcessing();
}
}
}Register the event listener in Configuration/Services.yaml:
services:
MyVendor\MyExtension\EventListener\DevModeAdminListener:
tags:
- name: event.listener
identifier: 'dev-mode-admin'
event: LiquidLight\ElevateToAdmin\Event\BeforeAdminElevationProcessEventThis extension includes comprehensive unit and functional tests with database integration.
Unit tests can be run with
composer i
composer test-unit
Unit tests can be run with
composer i
composer test-functional
Please check to ensure elevation/re-authentication is acceptable for your require security practices and accreditations. After our research, we have found:
The official requirement states "use separate accounts to perform administrative activities only" - but this is ambiguous. It could mean:
- Separate user accounts (strict interpretation)
- Separate administrative sessions/activities (flexible interpretation allowing elevation)
Problem: Some certification bodies explicitly state that "account separation" is mandatory and that privilege elevation methods don't meet requirements, while others may accept properly implemented elevation.
Recommendation: Check with your specific certification body, as interpretations vary.
More flexible approach. The updated standard "does not explicitly require a different user ID for privileged access" and "emphasises the need to re-authenticate prior to receiving privileged access rights."
Elevation with re-authentication is acceptable if it includes:
- Proper re-authentication before privilege escalation
- Session separation and logging
- Clear audit trails
- Cyber Essentials: Unclear - depends on your certification body's interpretation
- ISO 27001:2022: Elevation with proper controls is acceptable
- NCSC Cyber Essentials Requirements: Official Documentation v3.2
- ISO 27001:2022 Control 8.2: Implementation Guidance
- Cyber Essentials Overview: NCSC Website
Always verify requirements with your certification body before implementation