PHP Symfony - give credentials only to the owner of the object

0 Answers | php

I'm trying to wrap my head around Symfony's user credentials. I need advice on best practices.

apps/frontend/modules/mymodule/config/security.yml

edit:
  is_secure: true
  credentials: owner

all:
  is_secure: false

When and where do I set $this->getUser()->addCredential('owner')? In a filter of the filter chain?

If I set it there, when do I remove the credentials again? I could just remove them in the same filter if the user is not the owner of that object, but then once the user has edited one object, he will have the owner credential until he tries to edit something he doesn't own. Is there a drawback to that?

Or is there a way to set the required credentials from the object's id? Like

edit:
  is_secure: true
  credentials: %%request_id%%

And then add the credentials for all of the user's object ids on login?

Any ideas are much appreciated.


Update 1:

Would something like this work? I can't test right now whether the code actually runs. Would this be best practice?

apps/frontend/config/filters.yml

# ...

security:
  class: addOwnerCredentials

# ...

apps/frontend/lib/addOwnerCredentials.class.php

class addOwnerCredentials extends sfBasicSecurityFilter
{

  public function execute($filterChain)
  {
    $context = $this->getContext();
    $request = $context->getRequest();
    $user    = $context->getUser();

    // Ids of the objects owned by the current user (application-specific lookup)
    $user_ids = array_map('intval', $user->getAllOwnership());
    $id       = (int) $request->getParameter('id');

    // Grant the owner credential only if the requested id is really owned
    // (strict comparison, so loose in_array() matching on request input cannot
    // be abused); otherwise revoke a stale grant left over from an earlier request
    if (in_array($id, $user_ids, true)) {
      $user->addCredential('owner');
    }
    elseif ($user->hasCredential('owner')) {
      $user->removeCredential('owner');
    }

    try {
      // Continue down the normal filterChain
      parent::execute($filterChain);
    }
    catch (Exception $e) {
      // redirect(), forward() and forward404() leave the chain by throwing,
      // so the cleanup below would be skipped; revoke before re-throwing
      $this->removeOwnerCredential($user);
      throw $e;
    }

    // On the way back, before rendering, remove owner credential again
    // The code after the call to parent::execute() executes after the
    // action execution and before the rendering.
    $this->removeOwnerCredential($user);
  }

  protected function removeOwnerCredential($user)
  {
    if ($user->hasCredential('owner')) {
      $user->removeCredential('owner');
    }
  }

}

Update 2: Added to the code snippet, to remove the owner credentials right after they were needed, so the user doesn't have an unnecessary credential in their session.

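The two practical weaknesses of the "grant a temporary `owner` credential in a filter" design, shown in runnable form. This is an added example written for this page, not code from the post above or from symfony; it models the session credential bag, the request id and the ownership lookup with small stand-ins (`SessionCredentials`, `requestIdIsOwned`, `runWithOwnerCredential`, `runWithOwnerCredentialNaive` and the demo data are all this example's own names and assumptions) so that it runs without the framework. It demonstrates (1) that the request-supplied id must be compared strictly, because `in_array()`'s loose comparison treats `"7abc"` as equal to `7` on older PHP, and (2) that cleanup placed after the filter-chain call never runs when the action ends the request by throwing, which is how symfony 1.x implements `redirect()` and `forward()` (`sfStopException`), so the grant lingers in the session unless the revocation sits in a `finally` block (or a catch-and-rethrow).

```php
<?php
// Added example, not from the original post or from symfony. The classes and
// functions below are stand-ins for sfUser credentials and the request id.

/** Minimal stand-in for the credential part of an sfUser session. */
final class SessionCredentials
{
    private $credentials = [];

    public function add(string $credential): void
    {
        $this->credentials[$credential] = true;
    }

    public function remove(string $credential): void
    {
        unset($this->credentials[$credential]);
    }

    public function has(string $credential): bool
    {
        return isset($this->credentials[$credential]);
    }
}

/**
 * Strict ownership test for a request-supplied id. A missing, empty or
 * non-numeric id is never owned; nothing is left to loose comparison.
 */
function requestIdIsOwned($rawId, array $ownedIds): bool
{
    if (!is_string($rawId) && !is_int($rawId)) {
        return false;
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string) $rawId)) {
        return false;
    }
    return in_array((int) $rawId, array_map('intval', $ownedIds), true);
}

/** The pattern from the post, with cleanup only on the normal return path. */
function runWithOwnerCredentialNaive(SessionCredentials $user, $rawId, array $ownedIds, callable $action)
{
    if (requestIdIsOwned($rawId, $ownedIds)) {
        $user->add('owner');
    }
    $result = $action($user);
    $user->remove('owner');   // skipped if $action throws (redirect/forward)
    return $result;
}

/** Same pattern, but the grant is scoped to this request whatever the action does. */
function runWithOwnerCredential(SessionCredentials $user, $rawId, array $ownedIds, callable $action)
{
    $user->remove('owner');   // never trust a stale grant from an earlier request
    if (requestIdIsOwned($rawId, $ownedIds)) {
        $user->add('owner');
    }
    try {
        return $action($user);
    } finally {
        $user->remove('owner');   // runs on return, on exceptions and on redirect-style exits
    }
}

/** Tiny self-check so the script fails loudly instead of printing. */
function expect($actual, $expected, string $what): void
{
    if ($actual !== $expected) {
        throw new LogicException("$what: unexpected result");
    }
}

// Constructed demo data: the user owns objects 7 and 12.
$owned = [7, 12];
$user  = new SessionCredentials();

$editAction = function (SessionCredentials $u): string {
    return $u->has('owner') ? 'edit allowed' : 'edit denied';
};
// Stand-in for an action that redirects after saving: symfony's redirect() throws.
$redirectingAction = function (SessionCredentials $u) {
    throw new RuntimeException('redirect after save');
};

expect(runWithOwnerCredential($user, '7', $owned, $editAction), 'edit allowed', 'owned id');
expect(runWithOwnerCredential($user, '8', $owned, $editAction), 'edit denied', 'foreign id');
expect(runWithOwnerCredential($user, '7abc', $owned, $editAction), 'edit denied', 'non-numeric id');
expect(runWithOwnerCredential($user, null, $owned, $editAction), 'edit denied', 'missing id');

// Naive cleanup: the grant survives the request when the action throws.
try {
    runWithOwnerCredentialNaive($user, '12', $owned, $redirectingAction);
} catch (RuntimeException $e) {
}
expect($user->has('owner'), true, 'naive version leaks the grant past the request');
$user->remove('owner');

// finally-based cleanup: the grant is gone even though the action threw.
try {
    runWithOwnerCredential($user, '12', $owned, $redirectingAction);
} catch (RuntimeException $e) {
}
expect($user->has('owner'), false, 'scoped version revokes the grant');

echo "all checks passed\n";
```

Run with `php owner_credential_demo.php` (any file name; PHP 7 or later for the `finally` and return-type syntax). Note that `requestIdIsOwned()` on its own is the simpler design: calling it from the action (or from the filter, which can then forward to the application's secure action instead of granting anything) decides authorization per request without ever writing a credential into the session, so there is nothing to revoke and nothing that can go stale.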