DarkChipolata

Reputation: 965

Secure the removal of an entity with Symfony 2

I'm new to Symfony, and in order to apply what I learned with this framework, I wanted to build a complete app. I have a Message entity, and I would like to secure the removal of this entity. Only the user who created the message and the moderators can remove it. How do I secure the removal? I mean, in my code I've already written something like if($message->$user == $this->user || $this->user->isGranted('ROLE_MODO')), but how do I prevent a CSRF attack?

Upvotes: 2

Views: 107

Answers (1)

Andrew Atkinson

Reputation: 4251

Have a delete form that requires the user to submit the form.

Have a standalone controller that deals with this form's submit, and check in there if it is the correct user, etc.

Then even if someone guesses the URL of the route / controller, the controller will still check if it is the correct user, plus the delete form will not have been submitted correctly with its CSRF token.

Upvotes: 1
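The pattern the answer describes (a CSRF-protected delete form plus a standalone controller action that re-checks the user), written out as an added Symfony 2 example. This is not code from the question or the answer; it assumes a Message entity with getId() and getAuthor() accessors, a bundle named AcmeMessageBundle, route names message_delete and message_index, and the ROLE_MODO role from the question.

```php
<?php
// Added example: CSRF-protected deletion of a Message entity in Symfony 2.
// Assumed: AcmeMessageBundle, Message::getId()/getAuthor(), routes
// 'message_delete' and 'message_index', and the role ROLE_MODO.

namespace Acme\MessageBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Acme\MessageBundle\Entity\Message;

class MessageController extends Controller
{
    /**
     * Builds the delete form. createFormBuilder() adds a hidden _token field
     * because CSRF protection is enabled by default, so a request forged from
     * another site cannot produce a valid submission.
     */
    private function createDeleteForm(Message $message)
    {
        return $this->createFormBuilder()
            ->setAction($this->generateUrl('message_delete', array('id' => $message->getId())))
            ->setMethod('DELETE')
            ->add('submit', 'submit', array('label' => 'Delete'))
            ->getForm();
    }

    /** True only for the message's author or a moderator. */
    private function canDelete(Message $message)
    {
        $user = $this->getUser();
        if (null === $user) {
            return false;
        }
        // security.context is the Symfony 2.x authorization service
        // (replaced by security.authorization_checker from 2.6 on).
        if ($this->get('security.context')->isGranted('ROLE_MODO')) {
            return true;
        }
        // Compare ids rather than object identity: the session user and the
        // author loaded with the message may be different PHP objects.
        $author = $message->getAuthor();

        return null !== $author && $author->getId() === $user->getId();
    }

    /** Shows the message; the delete form is only rendered for allowed users. */
    public function showAction($id)
    {
        $message = $this->getDoctrine()->getRepository('AcmeMessageBundle:Message')->find($id);
        if (!$message) {
            throw $this->createNotFoundException('No message found for id ' . $id);
        }

        return $this->render('AcmeMessageBundle:Message:show.html.twig', array(
            'message'     => $message,
            'delete_form' => $this->canDelete($message) ? $this->createDeleteForm($message)->createView() : null,
        ));
    }

    /**
     * Standalone delete endpoint. Guessing this URL is not enough: the request
     * must come from an allowed user AND carry a valid CSRF token.
     */
    public function deleteAction(Request $request, $id)
    {
        $em = $this->getDoctrine()->getManager();
        $message = $em->getRepository('AcmeMessageBundle:Message')->find($id);
        if (!$message) {
            throw $this->createNotFoundException('No message found for id ' . $id);
        }

        // Authorization check is done server-side regardless of whether the
        // template hid the button.
        if (!$this->canDelete($message)) {
            throw new AccessDeniedException('You may not delete this message.');
        }

        // handleRequest() validates the hidden _token field; a missing or
        // wrong token makes the form invalid and nothing is removed.
        $form = $this->createDeleteForm($message);
        $form->handleRequest($request);
        if (!$form->isValid()) {
            throw new AccessDeniedException('Invalid CSRF token.');
        }

        $em->remove($message);
        $em->flush();

        return $this->redirect($this->generateUrl('message_index'));
    }
}
```

Restrict the message_delete route to the DELETE method in routing (for example methods: [DELETE] in routing.yml) so a plain GET to the URL never reaches the removal code; the form's setMethod('DELETE') relies on Symfony's _method override, which is enabled by default in Symfony 2.2 and later.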
