I think the filtering code in preExecute (model layer) is not ok. In my opinion you need to make changes in a couple of places:
1. Filters

Make sure the filter always includes the user_id in the list of conditions. See the getFilters() function in the autogenerated backend code. This solves the listing part.

2. Form (new/edit/save)

Update the form; there are two things to be done:

2.a. overriding the form->save() method to do an additional check for user_id, and/or
2.b. using a post validator that checks if an object belongs to the user doing the changes.

I think the post validator method is nicer because the form is no longer processed in case the validation fails.

3. Delete action

You need to override the delete action to make sure the deletion cannot be done by an unauthorized user.

gabriel

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en
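The three places the reply above names (filter, form, delete action), worked through as one added example in symfony 1.x admin-generator code. This is not code from the original thread; it assumes a backend module named "post" whose Doctrine model "Post" has a user_id column, that the generated base classes are BasePostForm and autoPostActions, and that the current user's id is stored in the session attribute 'user_id' (a real setup would typically take it from sfGuard's getGuardUser() instead).

```php
<?php
// Added example, not from the original post. Assumptions: module "post", model "Post"
// with a user_id column, and the current user's id in the session attribute 'user_id'.

// lib/form/doctrine/PostForm.php
class PostForm extends BasePostForm
{
  public function configure()
  {
    // The owner is never chosen by the client: remove the field from the form.
    unset($this['user_id']);

    // 2.b: a post validator runs after the field validators. If it throws,
    // the form is invalid and save() is never reached.
    $this->validatorSchema->setPostValidator(
      new sfValidatorCallback(array('callback' => array($this, 'checkOwner')))
    );
  }

  public function checkOwner($validator, $values)
  {
    $currentUserId = sfContext::getInstance()->getUser()->getAttribute('user_id');

    // Editing an existing object: it must belong to the current user.
    if (!$this->isNew() && $this->getObject()->getUserId() != $currentUserId)
    {
      throw new sfValidatorError($validator, 'You are not allowed to modify this object.');
    }

    return $values;
  }

  // 2.a: stamp the owner server-side on creation, so a new record can only ever
  // belong to the user who submitted it.
  protected function doUpdateObject($values)
  {
    parent::doUpdateObject($values);
    if ($this->isNew())
    {
      $this->getObject()->setUserId(sfContext::getInstance()->getUser()->getAttribute('user_id'));
    }
  }
}

// apps/backend/modules/post/actions/actions.class.php
class postActions extends autoPostActions
{
  // 1: force user_id into the filter conditions, so the list (and the pager
  // built from it) only contains the current user's rows regardless of what
  // the client submitted in the filter form.
  protected function getFilters()
  {
    $filters = parent::getFilters();
    $filters['user_id'] = $this->getUser()->getAttribute('user_id');
    return $filters;
  }

  // 3: refuse to delete another user's object. A 404 is used rather than a
  // 403 so the response does not reveal whether the id exists.
  public function executeDelete(sfWebRequest $request)
  {
    $object = $this->getRoute()->getObject();
    $this->forward404Unless($object->getUserId() == $this->getUser()->getAttribute('user_id'));
    return parent::executeDelete($request);
  }
}
```

The getFilters() override only works if the generated filter form still has a user_id field (it does by default; if generator.yml removes it, the value is silently dropped and the list is no longer restricted). The edit check also belongs in the form rather than only in the list: the filter protects index, the post validator protects edit/update, and the delete override protects delete, and each of those routes can be requested directly by id.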