
Hello,

I'm starting with Symfony, and I'm trying to let users see other users' profiles.

My profile template is the same for everyone; the information displayed depends on the username passed as a parameter in the URL. I simply compare, in Twig, whether the username in session and the one in the parameters match.

For example, in my profile view:

    {# app.user is null for anonymous visitors #}
    {% if app.user.username == userAccount.username %}
        My profile
    {% else %}
        {{ userAccount.username }} profile
    {% endif %}

My index method for the route account:

    public function index($username, UserRepository $repo, Request $request)
    {
        $user = $repo->findUserByUsername($username);
        if (!$user) {
            throw $this->createNotFoundException();
        }
        // Template name assumed; the rest of the method was not shown in the question.
        return $this->render('account/index.html.twig', ['userAccount' => $user]);
    }

I retrieve the user from the database by username. The problem is that I really get everything back, and I would like to know whether it is secure. Can someone intercept the query in any way and see all the information retrieved?

I then created a password change page; the route still takes the username as a parameter. This time, however, in my controller I specified that the user must be redirected if the username in session is not identical to the one passed as a parameter.

    public function changePassword($username, Request $request, UserPasswordEncoderInterface $passwordEncoder, ObjectManager $manager, \Swift_Mailer $mailer)
    {
        // The authenticated user comes from the session, not from the URL.
        $user = $this->getUser();

        if ($username == null) {
            $username = $user->getUsername();
        }

        // Reject the request when the username in the URL is not the logged-in user's.
        if ($user->getUsername() !== $username) {
            throw $this->createNotFoundException();
        }
    }

Is this a safe way to verify that the user is the right one?

I do not know if my way of doing things is good, so I would be grateful if someone could enlighten me so that I can continue or adapt my work.

Thank you !

1 Answer

Twig is executed server-side, so if your code is correctly written I don't see any security issues there. The query can't be intercepted that way.

But if you are worried (devs can make mistakes too) I would advise separating the templates and sharing the same elements.

For the changePassword part, do you really need to pass the username in the request? You already have an authenticated user in the session.

Zak
  • Thanks for your answer. The URL of the password change page is something like /account/{username}/change_password, and I don't want a user to be able to edit the URL with another word (like /account/hello/change_password). It's just visual I think, but I want to redirect the user if the username in the URL is wrong ^^. This is why I need to pass the username in the request, but I'm not sure if it's the best way ^^ –  Feb 20 '19 at 18:50
  • If you can change the password only for your account (which is normal), the username in the url is a superfluous information for the current user. Your route can simply be `/account/change_password`. Your choice. – Zak Feb 20 '19 at 19:39
  • Yes you're right but I thought the url was prettier with the username before all actions ^^ –  Feb 21 '19 at 12:00
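To make the point in these comments concrete, here is an added example (not code from the question or from Zak's answer) of a `changePassword` action that keeps the `/account/{username}/change_password` URL shape but never uses the URL segment to choose which account gets modified: the write always targets the authenticated user, and a mismatching segment only triggers a redirect. The entity class, form type, template path and the use of Doctrine's `ObjectManager` are assumptions.

```php
<?php
// Added example, not code from the question or answer. Symfony 4-era controller that keeps
// the /account/{username}/change_password URL but treats the URL segment as cosmetic:
// the password write always targets the authenticated user. Names marked "assumed" are mine.
namespace App\Controller;

use App\Entity\User;                 // assumed entity
use App\Form\ChangePasswordType;     // assumed form with currentPassword/newPassword fields
use Doctrine\Common\Persistence\ObjectManager;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Form\FormError;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
class AccountController extends AbstractController
{
    /** @Route("/account/{username}/change_password", name="account_change_password") */
    public function changePassword(string $username, Request $request,
        UserPasswordEncoderInterface $encoder, ObjectManager $manager): Response
    {
        // Unauthenticated requests are rejected here instead of reaching a null getUser().
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
        /** @var User $user */
        $user = $this->getUser();
        // Never load the target account from the URL for a write. If the segment does not
        // match the session user, redirect to that user's own canonical URL.
        if ($username !== $user->getUsername()) {
            return $this->redirectToRoute('account_change_password', ['username' => $user->getUsername()]);
        }

        $form = $this->createForm(ChangePasswordType::class);
        $form->handleRequest($request);
        if ($form->isSubmitted() && $form->isValid()) {
            $data = $form->getData();
            // Re-verify the current password so a stolen session alone cannot rotate it.
            if (!$encoder->isPasswordValid($user, $data['currentPassword'])) {
                $form->addError(new FormError('Current password is incorrect.'));
            } else {
                $user->setPassword($encoder->encodePassword($user, $data['newPassword']));
                $manager->flush();
                $this->addFlash('success', 'Password updated.');
                return $this->redirectToRoute('account', ['username' => $user->getUsername()]);
            }
        }

        return $this->render('account/change_password.html.twig', ['form' => $form->createView()]); // assumed template
    }
}
```

If you drop the username from the route entirely, as Zak suggests, the redirect block simply goes away and the rest stays the same.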