I am currently working on a project based on Symfony 1.4. I am using the sfDoctrineGuardPlugin to authenticate my two kinds of users: users and admins. For each module and each action in a module, I am using credentials to prevent unauthorized action execution.

But I am facing a problem: if a user wants to edit a project, for example, the URL will look like frontend.php/project/edit/id/1. Here, we suppose that project #1 belongs to him. Now, let's suppose that project #2 does not belong to him. If he types the URL frontend.php/project/edit/id/2, he will have access to the edit form, and will be able to edit a project that does not belong to him.

How can I prevent that behaviour?

I would like to avoid verifying the ownership of each editable model before displaying the edit form... But can I do it differently?

Do you have any good practices or advice to prevent this behaviour?

Thanks a lot!

1 Answer

Since you will have to check the project to know if the current user is allowed to edit it, I don't think you will have any other way than verifying before the edit, in the action part. Why don't you want to do it this way?

This check can be done inside the preExecute function:

public function preExecute()
{
  $request = $this->getRequest();
  if ($request->hasParameter('id'))
  {
    // Load the project named in the URL; 404 if no such record exists
    $project = Doctrine_Core::getTable('Project')->find($request->getParameter('id'));
    $this->forward404Unless($project, 'Project #'.$request->getParameter('id').' not found');

    $user_id = $this->getUser()->getGuardUser()->getId();

    // 404 when the project belongs to another user (cast both sides so a
    // strict comparison is not defeated by int vs. string ids)
    $this->forward404If(
      (int) $project->getUserId() !== (int) $user_id,
      'User #'.$user_id.' is not allowed to edit project #'.$project->getId()
    );
  }
}
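A variant of the same ownership check, added here as an example and not part of the original answer: the owner constraint goes into the Doctrine query itself, so a project belonging to another user is never loaded, and the same guard covers both the form display and the POST that saves it. The ownedActions class, getOwnedOr404 method, ProjectForm class and the user_id column are assumptions.

```php
<?php
// Symfony 1.4 + sfDoctrineGuardPlugin. ownedActions and getOwnedOr404 are
// assumed names; Project is assumed to have a user_id column.
class ownedActions extends sfActions
{
  // Fetch a record of $model whose user_id is the current guard user's id,
  // or 404 if none exists. Missing and foreign records both give a 404, so the
  // response does not reveal whether the other user's record exists.
  protected function getOwnedOr404($model, $id)
  {
    $this->forward404Unless($this->getUser()->isAuthenticated());
    $userId = $this->getUser()->getGuardUser()->getId();

    $record = Doctrine_Core::getTable($model)
      ->createQuery('r')
      ->where('r.id = ?', (int) $id)
      ->andWhere('r.user_id = ?', (int) $userId)
      ->fetchOne();

    $this->forward404Unless($record, sprintf('No %s #%d owned by user #%d', $model, $id, $userId));

    return $record;
  }
}

class projectActions extends ownedActions
{
  public function executeEdit(sfWebRequest $request)
  {
    $project = $this->getOwnedOr404('Project', $request->getParameter('id'));
    $this->form = new ProjectForm($project);
  }

  public function executeUpdate(sfWebRequest $request)
  {
    // The same check guards the submitted update, not only the edit form.
    $project = $this->getOwnedOr404('Project', $request->getParameter('id'));
    $this->form = new ProjectForm($project);
    $this->form->bind($request->getParameter($this->form->getName()));
    if ($this->form->isValid())
    {
      $this->form->save();
      $this->redirect('project/edit?id='.$project->getId());
    }
    $this->setTemplate('edit');
  }
}
```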