I'm trying to wrap my head around symfony's user authentication. Any advice on best practices would be welcome.

apps/frontend/modules/mymodule/config/security.yml

    edit:
      is_secure:   true
      credentials: owner

    all:
      is_secure:   false
When and where should I call $this->getUser()->addCredential('owner')? In a filter? In a chain of filters?

If I set it there, when should I remove the credential again? Once the user has edited an object he owns, he'll have the owner credential, and he'll keep it even if he then tries to edit something he doesn't own. Is there a flaw in this?
Or is there a way to tie the required credential to the object id? Something like

    edit:
      is_secure:   true
      credentials: %request_id%

and then add the credentials for all of his ids to the user at login?

Any insights would be greatly appreciated.
Update 1:

Would something like this work? If the code actually works (I can't test it right now), would it be best practice?
apps/frontend/config/filters.yml

    # ...
    security:
      class: addOwnerCredentials
    # ...

apps/frontend/lib/addOwnerCredentials.class.php

    class addOwnerCredentials extends sfBasicSecurityFilter
    {
      public function execute($filterChain)
      {
        $context  = $this->getContext();
        $request  = $context->getRequest();
        $user     = $context->getUser();
        // getAllOwnerships() is a custom method on my user class that returns the ids of the objects this user owns
        $user_ids = $user->getAllOwnerships();

        // add the owner credential if the user owns the requested object, remove it if he doesn't
        if (in_array($request->getParameter('id'), $user_ids))
        {
          $user->addCredential('owner');
        }
        else if ($user->hasCredential('owner'))
        {
          $user->removeCredential('owner');
        }

        // continue the normal filter chain (the parent does the security.yml check)
        parent::execute($filterChain);

        // on the way back, remove the owner credential again: code after $filterChain->execute()
        // runs after the action has been executed and rendered
        if ($user->hasCredential('owner'))
        {
          $user->removeCredential('owner');
        }
      }
    }

Update 2:

Added code to the snippet that removes the owner credential immediately after it's needed, so the user doesn't carry an unnecessary credential around in his session.
I've placed my custom filter, which adds arbitrary credentials to the user, before the security filter rather than extending it. That seems to be the only difference between our approaches :)

So I'd say yes, this (I mean UPD1) is best practice.
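An added example, not code from the question or the answer above: a variant of the Update 1 filter that keeps the `owner` grant strictly request-scoped. In symfony 1.x, `sfBasicSecurityUser` persists credentials in the session, and `redirect()` or `forward()` in an action ends the request by throwing `sfStopException`, which unwinds through the filter chain before the cleanup placed after `parent::execute()` is reached. An edit action that redirects after saving therefore leaves `owner` in the session until the filter next runs, and anything that checks `hasCredential('owner')` in between (a template, an action in a module that is not secured) sees a stale grant. The `finally` block below removes the credential on every exit path (PHP 5.5 or later). It also compares ids strictly, because `in_array()` with loose comparison can match values of different types. It assumes the question's own `getAllOwnerships()` method on the user class, returning the ids of the objects the user owns.

```php
<?php
// Added example (not the question's or the answer's code): request-scoped
// 'owner' credential for a symfony 1.x security filter.
//
// Assumptions: PHP >= 5.5 (try/finally), and the question's custom
// myUser::getAllOwnerships() returning the ids of the objects the user owns.
class addOwnerCredentials extends sfBasicSecurityFilter
{
  public function execute($filterChain)
  {
    $context = $this->getContext();
    $user    = $context->getUser();
    $request = $context->getRequest();

    // Drop any 'owner' left over from an earlier request (e.g. one that ended
    // in a redirect) before the security check below runs.
    if ($user->hasCredential('owner'))
    {
      $user->removeCredential('owner');
    }

    $granted = false;
    if ($user->isAuthenticated())
    {
      // Request parameters arrive as strings while ownership ids are usually
      // integers; normalise both sides and use strict in_array() so that
      // loose comparison can never match an unrelated value.
      $ownedIds = array_map('strval', (array) $user->getAllOwnerships());
      $id       = $request->getParameter('id');

      if (null !== $id && in_array((string) $id, $ownedIds, true))
      {
        $user->addCredential('owner');
        $granted = true;
      }
    }

    try
    {
      // sfBasicSecurityFilter::execute() enforces is_secure/credentials from
      // security.yml and then runs the rest of the chain (action + rendering).
      // A redirect or forward inside the action throws sfStopException here.
      parent::execute($filterChain);
    }
    finally
    {
      // Runs on normal return and on sfStopException alike, so the grant never
      // survives into the next request.
      if ($granted)
      {
        $user->removeCredential('owner');
      }
    }
  }
}
```

Register it exactly as in Update 1 (`security: class: addOwnerCredentials` in filters.yml). The alternative the answer describes, a separate filter placed before the unmodified security filter, needs the same `finally` treatment for the same reason.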