
Symfony: Add authorization constraints on entities

Open malkusch opened this issue 10 years ago • 6 comments

Currently users can view, edit and delete entities of other users:

  1. Login as User-1
  2. Create pad and remember id of that pad from URI.
  3. Login as User-2
  4. With the pad id from step 2 you can view and edit the pad.

Deleting the pad doesn't work, but unfortunately deleting the note of another user does.

The authenticated user should be checked against the owner of entities.

malkusch avatar Dec 09 '15 23:12 malkusch

Why would you want to do that, @malkusch? Are you proposing to create an admin role that can manage users?

aminemat avatar Dec 11 '15 15:12 aminemat

Sorry, I was not clear enough. I updated the description above to be more clear about the issue.

malkusch avatar Dec 11 '15 15:12 malkusch

Oh I see, thanks for reporting this, I will make the necessary changes.

aminemat avatar Dec 11 '15 15:12 aminemat

The easy solution is to find an entity based on two params: entity id + user id. So nothing is found if an entity is requested by someone who is not the owner. Example: https://github.com/komarserjio/notejam/blob/master/cakephp/notejam/src/Controller/NotesController.php#L135

komarserjio avatar Dec 11 '15 21:12 komarserjio

@komarserjio Now that you mention it, is NotesController::create() protected against a post request with a pad id from another user's pad?

malkusch avatar Dec 12 '15 00:12 malkusch

Good point. No, there is no protection from another user's pad. This case should be added as a unit test and implemented across all apps.

komarserjio avatar Dec 12 '15 21:12 komarserjio
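One way to apply the owner-scoped lookup komarserjio describes, and to close the create() case raised above, as an added example that is not Notejam's own code: the `Note`/`Pad` entities with a `user` association, the repositories, the setters and the route names are assumptions; `findOneBy`, `getUser()`, `createNotFoundException()` and the `EntityManagerInterface` calls are standard Doctrine/Symfony APIs.

```php
<?php
// Added example, not Notejam's code. Assumes Doctrine entities Note and Pad
// that each carry a `user` association to the owning User.
namespace App\Controller;

use App\Entity\Note;
use App\Repository\NoteRepository;
use App\Repository\PadRepository;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class NotesController extends AbstractController
{
    // Vulnerable pattern from the report: `$notes->find($id)` looks a note up
    // by id alone, so any logged-in user can view or delete another user's note.
    // Hardened: constrain the lookup to the authenticated owner, as
    // komarserjio suggests. A note owned by someone else is simply "not found".
    #[Route('/notes/{id}/delete', name: 'note_delete', methods: ['POST'])]
    public function delete(int $id, NoteRepository $notes, EntityManagerInterface $em): Response
    {
        $note = $notes->findOneBy(['id' => $id, 'user' => $this->getUser()]);
        if ($note === null) {
            throw $this->createNotFoundException();
        }
        $em->remove($note);
        $em->flush();
        return $this->redirectToRoute('notes_list'); // route name assumed
    }

    // create(): the pad id arrives in the POST body, so it must be resolved
    // with the same owner constraint before the new note is attached to it.
    #[Route('/notes/create', name: 'note_create', methods: ['POST'])]
    public function create(Request $request, PadRepository $pads, EntityManagerInterface $em): Response
    {
        $padId = $request->request->getInt('pad');
        $pad = $pads->findOneBy(['id' => $padId, 'user' => $this->getUser()]);
        if ($pad === null) {
            // Reject instead of silently attaching the note to a foreign pad.
            throw $this->createNotFoundException('Pad not found');
        }
        $note = (new Note())->setPad($pad)->setUser($this->getUser()); // fluent setters assumed
        $em->persist($note);
        $em->flush();
        return $this->redirectToRoute('notes_list');
    }
}
```

The same two-key lookup belongs in every action that takes an entity id (view, edit, delete, and any form field that references a pad), which is the cross-app unit test komarserjio asks for.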