
Using Symfony 5, is there any way to prevent a user from editing (using the browser inspector) a hidden input field?

My use case is:

My website can display to a user A a list of recommended users. For each recommended user displayed, user A can click on that recommended user to send them a message.

To do that, I am generating a specific form for each recommended user; the form contains a hidden input field with the recommended user's ID as its value, and a submit button to send the message.

I would like to ensure that user A does not change the hidden input field in order to contact a user who is not recommended. To do that, I am checking on the server side, when the form is sent, that the user ID in the submitted form is the ID of a recommended user. It is working, but I would like to avoid this double check on my side.

Nevertheless, as I am already using the default CSRF protection, do you know if Symfony could do that natively? I mean, ensure that this hidden input field has not been changed by the user, by configuring a parameter for this HiddenType field?

Because, as I am already using CSRF protection, Symfony guarantees security (against CSRF attacks) when I use $myForm->isValid(). I guess Symfony is storing the CSRF token somewhere... So we could imagine Symfony storing somewhere the HiddenType fields that we flagged as "not-changeable". And $myForm->isValid() could check CSRF token validity as usual plus the HiddenType fields flagged as "not-changeable".

What do you think about it? Does this feature already exist? Is it a good idea? A potential new feature?

Kevin D
  • Assuming you are using the Symfony form component, then you can make a field 'read only'. Nothing can stop the user from posting changed data, but read-only data will be ignored. And CSRF is something completely different. – Cerad Feb 11 '21 at 19:38
  • Yes, you're right, I am using Symfony forms. Yes, I know CSRF is different, but the concept of storing the initial value on the server side and ensuring this value didn't change when the form is submitted could be interesting as a new feature, don't you think? – Kevin D Feb 11 '21 at 19:57
  • There is no alternative to always validating user input on the server side. – umulmrum Feb 11 '21 at 19:58
  • Open your minds, boys. ;-) If there is a solution to check CSRF token validity, we could imagine a solution to cover that need. There is no alternative today, but it could be different tomorrow. :-) Thanks for your feedback! – Kevin D Feb 11 '21 at 20:11
  • You can get an array of all changes from `$entityManager->getUnitOfWork()->getEntityChangeSet($entityThatIsSubmitted)`, from either a subscriber or a listener. I have used it many times to validate, clear (roll back) or add something after every change that happens in your system, from anywhere and for multiple entities. – Kolovos Konstantinos Feb 12 '21 at 09:52

1 Answer

Checking on the backend is a must; it would be a bad idea to rely on security or a control on the client side.

yashari
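The closest thing Symfony offers to the "not-changeable" hidden field the question asks for is to move the existing server-side allow-list check into the form itself, as a validation constraint on the HiddenType field. Then a single $form->isValid() call covers both the CSRF token and the recipient check, and there is no second manual check after it. The following is an added example for this thread, not code from the question, the answer or the Symfony project; the names ContactRecommendedUserType, RecommendationController, RecommendationService::forUser(), MessageSender::send(), App\Entity\User, the route name and the template name are assumptions.

```php
<?php
// Added example for this thread; not code from the question, the answer or
// the Symfony project. Hypothetical names: ContactRecommendedUserType,
// RecommendationController, RecommendationService::forUser(),
// MessageSender::send(), App\Entity\User, the 'recommendations' route and the
// 'recommendations/index.html.twig' template. Symfony 5 form component APIs.

use App\Entity\User;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\HiddenType;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Validator\Constraints\Choice;
use Symfony\Component\Validator\Constraints\NotBlank;

// src/Form/ContactRecommendedUserType.php
final class ContactRecommendedUserType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // A HiddenType field submits a string and the Choice validator compares
        // strictly, so the allow-list is cast to strings. A recipientId that was
        // edited in the browser to a value outside the list fails validation and
        // isValid() returns false, exactly like a bad CSRF token would.
        $allowedIds = array_map('strval', $options['allowed_ids']);

        $builder
            ->add('recipientId', HiddenType::class, [
                'constraints' => [
                    new NotBlank(),
                    new Choice([
                        'choices' => $allowedIds,
                        'message' => 'This user is not one of your recommendations.',
                    ]),
                ],
            ])
            ->add('send', SubmitType::class);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        // The controller passes the IDs of the users it actually recommended.
        $resolver->setRequired('allowed_ids');
        $resolver->setAllowedTypes('allowed_ids', 'int[]');
        // CSRF protection is on by default and stays on: it answers a different
        // question (did this browser get the form from us?) than the allow-list
        // (is this recipient one we offered?).
        $resolver->setDefault('csrf_protection', true);
    }
}

// src/Controller/RecommendationController.php
final class RecommendationController extends AbstractController
{
    public function contact(
        Request $request,
        FormFactoryInterface $factory,
        RecommendationService $recommendations, // hypothetical service
        MessageSender $sender                   // hypothetical service
    ): Response {
        $me = $this->getUser();
        // The same list that is rendered to user A, recomputed on every request
        // so the allow-list never depends on anything the client sent.
        $recommended = $recommendations->forUser($me);
        $allowedIds = array_map(fn (User $u): int => $u->getId(), $recommended);

        $views = [];
        foreach ($recommended as $user) {
            // One uniquely named form per recommended user, pre-filled with that
            // user's ID. Only the form whose name appears in the POST body is
            // submitted; every form validates against the same allow-list.
            $form = $factory->createNamed(
                'contact_user_' . $user->getId(),
                ContactRecommendedUserType::class,
                ['recipientId' => $user->getId()],
                ['allowed_ids' => $allowedIds]
            );
            $form->handleRequest($request);

            if ($form->isSubmitted() && $form->isValid()) {
                // CSRF token and Choice constraint both passed: no extra check.
                $sender->send($me, (int) $form->get('recipientId')->getData());

                return $this->redirectToRoute('recommendations');
            }
            $views[$user->getId()] = $form->createView();
        }

        return $this->render('recommendations/index.html.twig', [
            'recommended' => $recommended,
            'forms' => $views,
        ]);
    }
}
```

Two things worth noticing. First, this does not stop the user from editing the hidden value in the inspector; nothing can. It only guarantees that an edited value is rejected on the server, which is what the answer and the comments above are saying, just expressed as a form constraint instead of an if statement after isValid(). Second, the cast to strings matters: if the allow-list stays as integers, Choice's strict comparison rejects every submission, including untampered ones, and the form silently looks broken rather than insecure.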