Symfony Security - 循环删除按钮

I am wondering about the security of my application. I'm simply using twig loop to display all of my records in database. And everything is all right when I make separate site to display the details and there are buttons to e.g. delete this thing. It usually happens DELETE method and somebody can display only own details. But I want to have button to delete specific record in basic view where every records displayed e.g. next to title of item.

I cant do this by CreateFormBuilder because I cannot send the current id of the item from the form (or I just don't know how to do it). But is it secure? Everyone can change the id parameter of button and delete other record.
I can use AJAX and simply button in twig but this is the same case. Everyone can change e.g. data-id parameter in button and delete other record.

What I should to do in this situation? How you usually solve this problem?

Summarising I want to make a secure button to delete item next to each displayed record.

Have a nice day!

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongyan1625 2018-07-15 22:26
关注
It really boils down to what kind of app you want to build:

more traditional app - with full page refresh/navigation cycle

AJAX based - with all sorts of async calls to your server

In any case you choose, it is your responsibility to check whether the current user is authorized to make any change (deletion included) to an object. This comes as especially important in case of id being integer, which is predictable.

So, first, make sure your routes are protected from anonymous users, and second, make sure that you put in place permission strategy which allows/denies user's specific action.

Most of the permission-related stuff can be achived via Voters, but if you are really in need of heavy-lifting you can turn to ACL.

Hope this helps...
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

Symfony Security - 循环删除按钮 ajax php symfony
2018-07-15 20:20

回答 2 已采纳 It really boils down to what kind of app you want to build: more traditional app - with full pa
Symfony 2 - 非捆绑库集成和位置 php symfony
2017-05-28 21:26

回答 1 已采纳 as mentioned by b.enoit.be create a service from the class. MyBundle/Service/MyServiceClass.php
Symfony 3.4 - 没有为帐户配置编码器 mysql php symfony
2019-04-03 06:41

回答 2 已采纳 Try this: security: encoders: Site\PagesBundle\Entity\User: bcrypt Because your Ent
security-acl：Symfony安全ACL组件
2021-02-05 23:47

安全组件-ACL（访问控制列表）安全性为复杂的授权系统提供了基础结构，这使得可以轻松地将实际授权逻辑与持有用户凭据的... $ cd path/to/Symfony/Component/Security/Acl/ $ composer.phar install --dev $ phpunit
Symfony 4 - 显示模板问题css css php symfony
2019-03-13 16:15

回答 1 已采纳 It could be a name conflict. Try to change the name of your css file like : banana.css and make t
Symfony 3.4 - 返回数组JsonResponse json php symfony
2018-07-31 07:29

回答 1 已采纳 Implement jsonSerialize on entity classes that are going to be serialized and sent in json format
Symfony 4 - KNP菜单 - 未调用MenuBuilder php symfony
2018-04-17 03:48

回答 1 已采纳 Thank you all for your time. This gist was helpful: https://gist.github.com/lsv/4d8044d21819f28f0
symfony-tp-security-username
2021-03-12 15:26

symfony-tp-security-username
Symfony 4 - 上传文件的端点 php symfony
2018-11-02 16:48

回答 1 已采纳 Why not just simply add the URL into a field of the JSON response object, where you can access the
Symfony4 - 如何“setParameter” php symfony
2018-05-22 09:45

回答 1 已采纳 You can set a parameter inside the container before it is compiled. It's designed to store configu
Symfony 4 - 设置Braintree Payments集成 php symfony
2019-01-04 08:25

回答 1 已采纳 Best practice is to keep Controllers as thin as possible. Controller method should: accept the r
Symfony4-REST-API
2021-02-06 00:27

Symfony4-REST-API
Symfony2 - 上传文件（编辑表格） php symfony
2015-10-14 09:44

回答 2 已采纳 Well, I found (finally!) the solution for this problem. The UpdateAction from Controller has to c
symfony4-oauth2-服务器联盟
2021-02-06 03:35

symfony4-oauth2-服务器联盟
symfony4-vue：具有Vue，Vuex，Vue-router和Webpack的Symfony 4框架
2021-02-06 01:39

symfony4-vue 带有Vue，Vuex，Vue路由器和Webpack的Symfony 4骨架（还有更多！）包含什么-Symfony 4.1.0骨架-Docker组成的开发环境-Redis缓存-Twig，Annotations，Webserver和Maker捆绑包-Encore Webpack配置了Vue...
docker-Symfony4.1-PHP7.2
2021-04-30 05:42

DOCKER symfony-4.1 php-7.2安装打开外壳并键入以下命令。创建容器docker build . -t php72:symfony4环境利用启动容器docker run -p 80:80 -v $(pwd)/web:/docker/web -ti php72:symfony4 bin/bash环境初始化项目cd...
symfony2-ci-example
2021-01-30 07:43

Symfony2持续集成示例内容这是一个用于持续集成的Symfony2项目的简单示例配置。该存储库包括：有效的Ant build.xml文件（ build.xml ）。它执行： PHP语法检查。 PHPUnit测试。使用三叶草测试覆盖率分析。生成...
symfony3.4-auth-mange-artical
2021-02-13 22:05

基于Symfony 3.4的演示项目安装1.克隆或下载存储库https://github.com/edlef/symfony-demo.git2.运行作曲家composer install3.运行安装脚本以创建数据库并加载固定装置sh bin/install.sh4.运行服务器并转到或设置VH ...
symfony-clean-tags-composer-plugin
2021-02-06 03:28

Symfony Clean Tags Composer插件动机最近发现，Composer在具有很多历史标记的程序包上消耗大量CPU +内存。参见这意味着composer + packagist基础结构存在可伸缩性问题：随着时间的流逝，每个软件包的标签列表会...
没有解决我的问题, 去提问

悬赏问题

¥30 这是哪个作者做的宝宝起名网站
¥60 版本过低apk如何修改可以兼容新的安卓系统
¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
¥50 有数据，怎么建立模型求影响全要素生产率的因素
¥50 有数据，怎么用matlab求全要素生产率
¥15 TI的insta-spin例程
¥15 完成下列问题完成下列问题
¥15 C#算法问题, 不知道怎么处理这个数据的转换
¥15 YoloV5 第三方库的版本对照问题
¥15 请完成下列相关问题！

Symfony Security - 循环删除按钮

2条回答 默认 最新

悬赏问题

2条回答默认最新