vendredi 10 avril 2015

Form and Security in Symfony

Let's say I want a form so users can change/update their own comments. (comment that they leave for an article for exemple).


Let's say I get all comments linked to an article (comments of any users)... and I incorpore then into a form.


Controller



$comments = $em->getrepository('comment')->getAllComments_from_an_article($article); // retrun all comments related to an article whatever the author/users of the comments.
$comments = array('comments' => $comments);
$form = $this->createForm(new CommentsType(), $comments);


CommentsType



builder->add('comments','collection', array('type'=> new commentType() ));


CommentType



builder->add('comment_text','textarea');


Now I display only comment that belong to the current user:



{% for comment in form.comments %}
{% if app.user = comment.user %} {{ form.widget(comment.comment_text) }}
{% endfor %}


My question is, will it be secure like this or there is a risk that the current user might be able to edit comment of other users?


Aucun commentaire:

Enregistrer un commentaire