
For each article a list of comments is displayed. I want users to be able to edit their own comments (and only THEIR own comments). I wanted to know if it was OK to use method 2 or if there was a breach of security?

METHOD 1

So far I use the security.context inside my form to check if the current comment author is the current_user. If yes, then I can add in my form a textarea with the comment.text so that the user can edit their comment. (But my form must therefore be defined as a service so that I can inject security.context.)

IN MY FORM (defined as a service so that I can inject security.context)

 // The injected security context gives access to the current token/user.
 $current_user = $this->securityContext->getToken()->getUser();
 // I add the textarea to allow editing of the comment only if the user is the author of the comment.
 if ($current_user == $comment->getAuthor())
 {
      $form->add('comment.text', 'textarea');
 }

METHOD 2

I tried something different and it seems to be working fine (moreover I do not have to define my form as a service because I don't use security.context inside my form.)

I create an EditAutorisation attribute for my entity Comment. And from the controller, I check if the current_user is the author of the comment. If yes, I set EditAutorisation to true.

 // Comparison must be '==', not '=' (a single '=' would assign the author to the user).
 if ($this->getUser() == $comment->getAuthor()) {
     $comment->setEditAutorisation(true);
 }

Then in my form I simply retrieve the value of EditAutorisation:

 if ($comment->getEditAutorisation())
 {
      $form->add('comment.text', 'textarea');
 }

PS: in both cases I use an EventListener on PRE_SET_DATA in the form to access the object $comment.

I prefer method 2, not so much because I do not have to define it as a service, but because I can do my test in the controller and use the test result easily in the FORM in PHP (using the EventListener to get $comment->getEditAutorisation()) and in TWIG (using {{ comment.EditAutorisation }}).

Alexis_D
  • Method #2 is a good way to go as well. Also I would like to add a note here - keep in mind that declaring a form as a service in order to obtain the `security.context` is not necessary. You can pass the service as a dependency from your controller when using `$this->createForm()`. – Artamiel Jul 08 '15 at 15:40
  • OK thanks Artamiel. I prefer method 2, not so much because I do not have to define it as a service, but because I can do my test in the controller and use the test result easily in the FORM in PHP (using an event to get $comment->getEditAutorisation()) and in TWIG (using {{ comment.EditAutorisation }}). – Alexis_D Jul 08 '15 at 15:45
  • You can still use Method #1 without having to define a service. You can just call `new MyFormType($this->get('security.context'))`, for example. – sjagr Jul 08 '15 at 15:49
  • Normally whatever suits your needs better could be the right way to do things. But, keeping a controller as thin as possible is best here. Moving your extra logic somewhere else is preferable, if possible. Take a look at @sjagr comment, that is what I meant in my first comment as possible option. – Artamiel Jul 08 '15 at 15:51
  • Any of the above works and is okay. Whatever is "best" is a matter of opinion, which has no place on SO. – sjagr Jul 08 '15 at 15:53
  • OK great. I was not looking for the "best" solution, but just feared that method 2 was lacking security. But if you say it is OK then it is fine. – Alexis_D Jul 08 '15 at 15:55

1 Answer

I don't like method 2 because you need to repeat the security check each time you use the form. Potentially duplicate code. And what happens if you forget?

But your method one needs some work as well.

Take a look at security voters: https://symfony.com/doc/current/cookbook/security/voters_data_permission.html

Instead of:

$current_user = $this->securityContext->getToken()->getUser();
if ($current_user == $comment->getAuthor()) {
  $form->add('comment.text', 'textarea');
}

You would have:

if ($authChecker->isGranted('edit', $comment)) {
  $form->add('comment.text', 'textarea');
}

By implementing a voter you can, for example, easily allow admin users to edit the comments of any post. Or maybe have moderators for specific categories of posts.

Voters are your friends. Check them out.

Cerad
  • OK thanks Cerad, does the form need to be a service to use voters in a form? – Alexis_D Jul 08 '15 at 19:37
  • Yep. Which is a good thing. It means you can design your form and then forget about it. Once you get comfortable with services then I suspect you will create all your forms as services. Just makes little sense to have to remember how to construct your form when the form system can do it for you. – Cerad Jul 08 '15 at 19:43
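The voter-based design the answer recommends, as an added example (this is not code from the question, the answer, or Symfony itself): one CommentVoter owns the rule "an author may edit their own comment", the form type asks the authorization checker inside a PRE_SET_DATA listener so the textarea only appears when access is granted, and the check no longer has to be repeated in every controller that uses the form. It assumes Symfony 2.8 or later (the Voter base class and the security.authorization_checker service), an AppBundle namespace, and Comment/User entities exposing getAuthor() and getId(); all of those names are assumptions.

```php
<?php
// Added example (not from the question, the answer, or Symfony).
// Assumes Symfony >= 2.8, an AppBundle namespace, and Comment/User
// entities with getAuthor()/getId() (all assumed names).

namespace AppBundle\Security;

use AppBundle\Entity\Comment;
use AppBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class CommentVoter extends Voter
{
    const EDIT = 'edit';

    protected function supports($attribute, $subject)
    {
        // Vote only on our attribute and our entity; abstain on everything
        // else so role-based and other voters are unaffected.
        return $attribute === self::EDIT && $subject instanceof Comment;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // anonymous or unexpected principal: deny
        }
        /** @var Comment $comment */
        $comment = $subject;
        // Compare identities rather than objects: '==' on two entity
        // instances is fragile (proxies, detached objects).
        return null !== $comment->getAuthor()
            && $comment->getAuthor()->getId() === $user->getId();
        // Extending this to "admins may edit any comment" is a one-line
        // change here, with no edits to forms or controllers.
    }
}

namespace AppBundle\Form;

use AppBundle\Entity\Comment;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

class CommentType extends AbstractType
{
    private $authChecker;

    // Injected by the container, so the form is registered as a service:
    //   app.form.comment:
    //     class: AppBundle\Form\CommentType
    //     arguments: ['@security.authorization_checker']
    //     tags: [{ name: form.type }]
    // and the voter is registered with:  tags: [{ name: security.voter }]
    public function __construct(AuthorizationCheckerInterface $authChecker)
    {
        $this->authChecker = $authChecker;
    }

    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $authChecker = $this->authChecker;
        $builder->addEventListener(FormEvents::PRE_SET_DATA, function (FormEvent $event) use ($authChecker) {
            $comment = $event->getData();
            if (!$comment instanceof Comment) {
                return; // empty/new form: nothing to authorise yet
            }
            // The rule lives in the voter; the form only asks the question.
            if ($authChecker->isGranted(\AppBundle\Security\CommentVoter::EDIT, $comment)) {
                $event->getForm()->add('text', 'textarea');
            }
        });
    }

    public function getName()
    {
        return 'app_comment';
    }
}
```

Two practical points follow from this layout. First, the controller should still call `$this->denyAccessUnlessGranted('edit', $comment)` before handling the request, so the decision does not depend on the form alone; because the rule is in the voter, that line and the form listener cannot disagree. Second, the Form component rejects submitted fields that were not added to the form (the `allow_extra_fields` option defaults to false), so a request carrying a `text` field for a user to whom the textarea was never shown fails validation instead of being silently bound to the entity.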