Secure method using annotations

Question

I have a page with a form and want to know if it is possible to access it using GET, but only allow logged in users to POST to it.

I know this can be done in security.yml, but am not sure how to do it with annotations.

 /**
     * @param Request $request
     * @return Response
     * @Security("has_role('ROLE_USER')")
     * @Method(methods={"POST"})
     */
    public function calculatorAction(Request $request)
    {

        $form=$this->createForm(new CallRequestType(),$callReq=new CallRequest());


        $form->handleRequest($request);

        if($form->isValid()){
            //blabla
        }


        return $this->render('MyBundle:Pages:calculator.html.twig', array('form' => $form));
    }

This will secure the whole function, but I want to access it, just not POST to it without being logged in. An alternative would be to check if there is a logged in user in the $form->isValid() bracket. But I'm still wondering if it can be done with annotations.

A little point out of the question: The `@Method` annotation is only considered when an action is annotated with `@Route`. — scoolnico, Jan 20 '16 at 14:00
I was thinking the same, but didn't want to. Thought there is an alternative. Guess I'll go with that, then. — George Irimiciuc, Jan 20 '16 at 15:29

score 2 · Accepted Answer · answered Jan 20 '16 at 16:31

You could do something like this.

You can allow both method types anonymously, and check just inside the controller to see if the user is authenticated and is POSTing.

(You don't state which version of symfony you're using, so you might have to substitute the authorization_checker (2.8) for the older security.context service)

/**
 * @param Request $request
 * @return Response
 *
 * @Route("/someroute", name="something")
 * @Method(methods={"POST", "GET"})
 */
public function calculatorAction(Request $request)
{

    if ( !$this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY') && $request->getMethod() == 'POST') {
        throw new AccessDeniedHttpException();
    }


    $form=$this->createForm(new CallRequestType(),$callReq=new CallRequest());


    $form->handleRequest($request);

    // you also need to check submitted or youll fire the validation on every run through.
    if($form->isSubmitted() && $form->isValid()){
        //blabla
    }


    return $this->render('MyBundle:Pages:calculator.html.twig', array('form' => $form));
}

authorization_checker is available before 2.8, too, but yes, I'm using 2.8. This is what I ended up doing. I was looking for a way to check outside the controller. — George Irimiciuc, Jan 20 '16 at 18:32

Secure method using annotations

1 Answers1