Let's say I want a form so users can change/update their own comments. (comment that they leave for an article for exemple).
Let's say I get all comments linked to an article (comments of any users)... and I incorpore then into a form.
Controller
$comments = $em->getrepository('comment')->getAllComments_from_an_article($article); // retrun all comments related to an article whatever the author/users of the comments.
$comments = array('comments' => $comments);
$form = $this->createForm(new CommentsType(), $comments);
CommentsType
builder->add('comments','collection', array('type'=> new commentType() ));
CommentType
builder->add('comment_text','textarea');
Now I display only comment that belong to the current user:
{% for comment in form.comments %}
{% if app.user = comment.user %} {{ form.widget(comment.comment_text) }}
{% endfor %}
My question is, will it be secure like this or there is a risk that the current user might be able to edit comment of other users?
Aucun commentaire:
Enregistrer un commentaire