Symfony2 - handle HTTP/Entity user access restrictions


We have a little discussion in my team how to handle http restriction in our app.

In our app a user can create products. So we have routes like /products and /product/1/show to list and show the products of a user. A user cannot see the products of another user. The app uses a REST endpoint to fetch the data. The API call looks like this: /api/product/1/ to fetch a single product.

We have more routes/API endpoint for other kinds of entities.

The question is how to protect a route/API request against other users?

We have two solutions:

  1. use the firewall and voters. The voter gets the current URL /product/1/show and checks if the given product is owned by the currently logged-in user.

  2. use a voter without the firewall: http://symfony.com/doc/current/cookbook/security/voters_data_permission.html

  3. use the role system: http://jmsyst.com/bundles/JMSSecurityExtraBundle/master/annotations

I prefer solution 1. because all the information we need (who is the owner of the product) still exists. We only need to fetch the entity and do a check. In solution 2. we have to spread the voter logic over several controllers.

Are there recommendations or experiences on this problem?

1 answer

Frank B

If I have to choose between those three it would be 1. But I suggest a different route. I assume that the digit 1 in /product/1/show stands for the user number? If that is the case I suggest that you make new routes without the numbers, e.g. /my-products/show. The controller must then use the id of the currently logged-in user.
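An ownership voter of the kind solution 2 refers to (the linked Symfony 2.x cookbook style), added here as an example; it is not code from the question or the answer. It assumes a Product entity with getOwner() and a User entity with getId(); the namespaces are placeholders.

```php
<?php
// Added example: ownership voter. Assumes Product::getOwner() and User::getId()
// exist; Acme\ProductBundle is a placeholder namespace.
namespace Acme\ProductBundle\Security\Authorization\Voter;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class ProductVoter implements VoterInterface
{
    const VIEW = 'view';
    const EDIT = 'edit';

    public function supportsAttribute($attribute)
    {
        return in_array($attribute, array(self::VIEW, self::EDIT), true);
    }

    public function supportsClass($class)
    {
        $supported = 'Acme\ProductBundle\Entity\Product';
        return $supported === $class || is_subclass_of($class, $supported);
    }

    public function vote(TokenInterface $token, $product, array $attributes)
    {
        // Abstain on objects this voter knows nothing about, so others decide.
        if (!is_object($product) || !$this->supportsClass(get_class($product))) {
            return VoterInterface::ACCESS_ABSTAIN;
        }
        $user = $token->getUser();
        // An anonymous token carries a string, not a user object: always deny.
        if (!$user instanceof UserInterface) {
            return VoterInterface::ACCESS_DENIED;
        }
        foreach ($attributes as $attribute) {
            if (!$this->supportsAttribute($attribute)) {
                continue;
            }
            // Compare ids rather than objects: the owner may be a Doctrine proxy.
            $owner = $product->getOwner();
            if (null !== $owner && $owner->getId() === $user->getId()) {
                return VoterInterface::ACCESS_GRANTED;
            }
            return VoterInterface::ACCESS_DENIED;
        }
        return VoterInterface::ACCESS_ABSTAIN;
    }
}
```

Register the class as a service tagged security.voter, then both the HTML controller and the API controller call isGranted('view', $product) on the loaded entity and throw AccessDeniedException on false, so the ownership rule lives in one place instead of in each controller.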