Buy
This tutorial has a new version, check it out!

Restricting Edit Access to Owners

Restricting Edit Access to Owners

Now that every Event has an owner, let’s prevent that meddling Darth from editing any events that he didn’t create.

This should be pretty easy. If the current logged in User object doesn’t match the Event’s owner, we’ll just deny access. And remember, you can deny access anywhere in your app just by throwing the special AccessDeniedException.

Since we’ll need the same security logic in editAction, updateAction and deleteAction, let’s create a private function called enforceOwnerSecurity that holds it:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

use Symfony\Component\Security\Core\Exception\AccessDeniedException;
// ...

private function enforceOwnerSecurity(Event $event)
{
    $user = $this->getUser();

    if ($user != $event->getOwner()) {
        // if you're using 2.5 or higher
        // throw $this->createAccessDeniedException('You are not the owner!!!');
        throw new AccessDeniedException('You are not the owner!!!');
    }
}

It’s now pretty simple to prevent Darth from doing things with events he didn’t create. Just call this function from editAction, updateAction and deleteAction:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

public function editAction($id)
{
    // ...

    if (!$entity) {
        throw $this->createNotFoundException('Unable to find Event entity.');
    }

    $this->enforceOwnerSecurity($entity);
    // ...
}

// repeate for updateAction and deleteAction

Ok, log in as Darth and try to edit an event. Denied!

In the production environment, the user will see a 403 page that you can customize. And in a few minutes, we’ll show you how.

Tip

There is an even cleaner, but more advanced, approach to restricting access to specific objects called “voters”. You can learn more about these from our Question and Answer Day. An even more advanced approach is available called ACLs.

Now that Darth can only edit an event if he created it, add an if statement around the edit link that hides it for all other users:

{# src/Yoda/EventBundle/Resources/views/Event/show.html.twig #}
{# ... #}

{% if app.user == entity.owner %}
    <a class="button" href="{{ path('event_edit', {'id': entity.id}) }}">edit</a>
{% endif %}

Remember that this works because app.user gives us the User object for whoever is logged in.

Leave a comment!

  • 2018-02-19 Junaid Farooq

    Thanks Victor,

    Got it.

  • 2018-02-16 Victor Bocharsky

    Hey Junaid,

    Yeah, probably a bad option, because if you do it in frontend only - you leave the opportunity to hack the system, someone can inject an HTML/JS code with a tool like Chrome Dev Tools. The ideal is do it in both frontend and backend: hiding it in frontend will give a better UX, in turn, doing it in backend will give you more security.

    Cheers!

  • 2018-02-16 Junaid Farooq

    Hi,

    What if i hide the buttons from the front-end by checking whether the currently logged in user is the owner of the event and not enforce the security in the controller. Will that be a bad option?