Thanks for your help, I'll try that ;)

On 27 Dec, 14:49, Gabriel Petchesi <pghora...@gmail.com> wrote:
> I think the filtering code in preExecute (model layer) is not OK.
>
> In my opinion you need to make changes in a couple of places:
>
> 1. Filters
> Make sure the filter always includes the user_id in the list of conditions.
> See the getFilters() function in the autogenerated backend code.
> This solves the listing part.
>
> 2. Form (new/edit/save)
> Update the form, there are two things to be done:
>  2.a. overriding the form->save() method to do an additional check for
> user_id and/or
>  2.b. using post validator that checks if an object belongs to the user
> doing the changes
> I think the post validator method is nicer because the form is no longer
> processed in case the validation fails.
>
> 3. Delete action
> You need to override the delete action to make sure the deletion cannot be
> done by an unauthorized user.
>
>     gabriel

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to
symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en
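The three steps Gabriel lists, carried through in code as an added example (not code from the thread or from the symfony project). It assumes symfony 1.4 with the sfDoctrinePlugin admin generator, a backend module named "article" whose Article model has a user_id column, and sfDoctrineGuardPlugin for the logged-in user (getGuardUser()). The form option name owner_id, the helper names currentUserId() and isOwnedByCurrentUser(), and the class names are mine. For step 1 it overrides buildQuery() rather than getFilters(): a condition appended to the query cannot be dropped by editing the filter values the user submits, which is the property the listing needs.

```php
<?php
// Added example: owner-scoped admin-generator module. Assumes symfony 1.4,
// sfDoctrinePlugin, an Article model with a user_id column, and
// sfDoctrineGuardPlugin. Class/option names below are illustrative.

// --- apps/backend/modules/article/lib/articleGeneratorConfiguration.class.php
class articleGeneratorConfiguration extends BaseArticleGeneratorConfiguration
{
  // Hand the current user's id to every form the generator builds, so the
  // form never has to trust a user_id coming from the request.
  public function getFormOptions()
  {
    return array('owner_id' => sfContext::getInstance()->getUser()->getGuardUser()->getId());
  }
}

// --- lib/form/doctrine/ArticleForm.class.php
class ArticleForm extends BaseArticleForm
{
  public function configure()
  {
    // Step 2: the client must not be able to choose the owner at all.
    unset($this['user_id']);

    // Post validator: runs after the field validators and rejects the whole
    // submission when the record belongs to someone else, so save() is never
    // reached for a foreign record.
    $this->validatorSchema->setPostValidator(
      new sfValidatorCallback(array('callback' => array($this, 'checkOwner')))
    );
  }

  public function checkOwner($validator, $values)
  {
    if (!$this->isNew() && $this->getObject()->getUserId() != $this->getOption('owner_id'))
    {
      throw new sfValidatorError($validator, 'You are not allowed to modify this record.');
    }

    return $values;
  }

  // New records are stamped with the owner server-side, after the submitted
  // values (which cannot contain user_id, see configure()) are applied.
  protected function doUpdateObject($values)
  {
    parent::doUpdateObject($values);

    if ($this->isNew())
    {
      $this->getObject()->setUserId($this->getOption('owner_id'));
    }
  }
}

// --- apps/backend/modules/article/actions/actions.class.php
class articleActions extends autoArticleActions
{
  // Step 1: every list/pager query carries the owner condition regardless of
  // what the filter form submitted.
  protected function buildQuery()
  {
    $query = parent::buildQuery();
    $query->andWhere($query->getRootAlias().'.user_id = ?', $this->currentUserId());

    return $query;
  }

  // The edit page loads the object from the id in the URL, so guard it too;
  // otherwise another user's record is displayed even though saving fails.
  public function executeEdit(sfWebRequest $request)
  {
    $this->forward404Unless($this->isOwnedByCurrentUser($this->getRoute()->getObject()));

    parent::executeEdit($request);
  }

  // Step 3: check ownership before the generated delete() call runs.
  public function executeDelete(sfWebRequest $request)
  {
    $this->forward404Unless($this->isOwnedByCurrentUser($this->getRoute()->getObject()));

    parent::executeDelete($request);
  }

  protected function currentUserId()
  {
    return $this->getUser()->getGuardUser()->getId();
  }

  protected function isOwnedByCurrentUser(Article $article)
  {
    return $article->getUserId() == $this->currentUserId();
  }
}
```

Two caveats a reviewer would raise against this: the generated batch actions (executeBatchDelete and any custom batch action) read a list of ids straight from the request and do not go through the single-object route, so they need the same user_id condition on their query; and responding with a 404 rather than a 403 is deliberate here, since it does not reveal to a probing user which ids exist.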