Chapters

29 Chapters | 1:34:37 |

01

Introduction

1:00
02

ManyToOne Doctrine Relationships

4:40
03

Sharing Data between Fixture Classes

1:49
04

Restricting Edit Access to Owners

1:53
05

Using a shortcut Base Controller Class

2:30
06

Using PHPDoc for Auto-Completion

1:26
07

OneToMany: The Inverse Side of a Relationship

5:37
08

Doctrine Extensions: Sluggable and Timestampable

4:30
09

Using the slug in the Event URL

2:04
10

Adding createdAt and updatedAt Timestampable Fields

1:41
11

Creating a Custom orderBy Query

2:11
12

ManyToMany Relationship

2:37
13

Using the ManyToMany so Users can Attend an Event

4:53
14

More with ManyToMany: Avoiding Duplicates

2:51
15

JSON up in your Response

2:50
16

Come on, Set the Content-Type Header!

3:19
17

Adding the AJAX Touch: JavaScript

2:16
18

Customizing Error Pages and How Errors are Handled

6:01
19

Render another Controller in Twig

4:28
20

Creating a Pretty CSV Download

4:19
21

Your Very First Service

4:42
22

Symfony Overlord: The Service Container

4:58
23

Configuration Loading and Type-Hinting

2:01
24

Dependency Inject All the Things

3:14
25

Twig Extensions and Dependency Injection Tags

4:33
26

Doctrine is in your Lifecycle (with Callbacks)

2:08
27

Doctrine Event Listeners

5:59
28

Doctrine Listeners on Update

2:48
29

Keep Going!

1:19

This tutorial has a new version, check it out!

> Symfony 2 > Starting in Symfony2: Course 3 (2.4+)

Buy Access to Course

04.

Restricting Edit Access to Owners

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

Restricting Edit Access to Owners¶

Now that every Event has an owner, let’s prevent that meddling Darth from editing any events that he didn’t create.

This should be pretty easy. If the current logged in User object doesn’t match the Event’s owner, we’ll just deny access. And remember, you can deny access anywhere in your app just by throwing the special AccessDeniedException.

Since we’ll need the same security logic in editAction, updateAction and deleteAction, let’s create a private function called enforceOwnerSecurity that holds it:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

use Symfony\Component\Security\Core\Exception\AccessDeniedException;
// ...

private function enforceOwnerSecurity(Event $event)
{
    $user = $this->getUser();

    if ($user != $event->getOwner()) {
        // if you're using 2.5 or higher
        // throw $this->createAccessDeniedException('You are not the owner!!!');
        throw new AccessDeniedException('You are not the owner!!!');
    }
}

It’s now pretty simple to prevent Darth from doing things with events he didn’t create. Just call this function from editAction, updateAction and deleteAction:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

public function editAction($id)
{
    // ...

    if (!$entity) {
        throw $this->createNotFoundException('Unable to find Event entity.');
    }

    $this->enforceOwnerSecurity($entity);
    // ...
}

// repeate for updateAction and deleteAction

Ok, log in as Darth and try to edit an event. Denied!

In the production environment, the user will see a 403 page that you can customize. And in a few minutes, we’ll show you how.

Tip

There is an even cleaner, but more advanced, approach to restricting access to specific objects called “voters”. You can learn more about these from our Question and Answer Day. An even more advanced approach is available called ACLs.

Now that Darth can only edit an event if he created it, add an if statement around the edit link that hides it for all other users:

{# src/Yoda/EventBundle/Resources/views/Event/show.html.twig #}
{# ... #}

{% if app.user == entity.owner %}
    <a class="button" href="{{ path('event_edit', {'id': entity.id}) }}">edit</a>
{% endif %}

Remember that this works because app.user gives us the User object for whoever is logged in.

3 Comments

Sort By

Junaid Farooq 6 years ago

Hi,

What if i hide the buttons from the front-end by checking whether the currently logged in user is the owner of the event and not enforce the security in the controller. Will that be a bad option?

| Reply |

Victor SFCASTS Junaid Farooq 6 years ago

Hey Junaid,

Yeah, probably a bad option, because if you do it in frontend only - you leave the opportunity to hack the system, someone can inject an HTML/JS code with a tool like Chrome Dev Tools. The ideal is do it in both frontend and backend: hiding it in frontend will give a better UX, in turn, doing it in backend will give you more security.

Cheers!

1 | Reply |

Junaid Farooq Victor 6 years ago

Thanks Victor,

Got it.

| Reply |

Symfony 2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "~2.4", // v2.4.2
        "doctrine/orm": "~2.2,>=2.2.3", // v2.4.2
        "doctrine/doctrine-bundle": "~1.2", // v1.2.0
        "twig/extensions": "~1.0", // v1.0.1
        "symfony/assetic-bundle": "~2.3", // v2.3.0
        "symfony/swiftmailer-bundle": "~2.3", // v2.3.5
        "symfony/monolog-bundle": "~2.4", // v2.5.0
        "sensio/distribution-bundle": "~2.3", // v2.3.4
        "sensio/framework-extra-bundle": "~3.0", // v3.0.0
        "sensio/generator-bundle": "~2.3", // v2.3.4
        "incenteev/composer-parameter-handler": "~2.0", // v2.1.0
        "doctrine/doctrine-fixtures-bundle": "~2.2.0", // v2.2.0
        "ircmaxell/password-compat": "~1.0.3", // 1.0.3
        "phpunit/phpunit": "~4.1", // 4.1.0
        "stof/doctrine-extensions-bundle": "~1.1.0" // v1.1.0
    }
}