Question

my security.yml:

all:
  is_secure: true

new:
  credentials: [add_ticker_source]
edit:
  credentials: [edit_ticker_source]
delete: 
  credentials: [delete_ticker_source]
batchDelete:  # I don't know whether this is correct. Should it be batch_delete?
  credentials: [delete_ticker_source]
batch_delete: 
  credentials: [delete_ticker_source]

index: 
  is_secure: false

in my generator.yml, I added

  list:
    batch_actions:
      _delete: {credentials: delete_ticker_source}

Then I commented out the last two lines and opened the list view in my browser. So in my list view in the browser, I can see "delete" in the drop-down of batch actions. Now I uncommented them and didn't refresh the browser. I selected some elements from the list view, selected "delete" in the batch drop-down and hit go. These items get deleted instantly. Does that mean batch delete is not secure? Or could anyone delete by sniffing around?

I even tried clearing the cache after uncommenting, but the elements are still deleted.

P.S.: and no, the user I'm logged in with does not have the delete_ticker_source credential (as shown by the web debug bar).


Solution

I tried your settings and I too wonder about this unexpected behaviour. So I surfed inside the code and finally I found that, to secure the batchDelete action, we have to put the setting inside the generator.yml in this way, under config > actions:

config:
  actions:
    batchDelete:
      credentials: [user_permission]

Obviously user_permission is delete_ticker_source for you.
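As an added example (not part of the question or the answer above): in the symfony 1.x admin generator the batch drop-down posts to the module's batch action, which dispatches on the batch_action parameter to executeBatchDelete(), so a security.yml entry keyed batchDelete or batch_delete never matches the action name that is actually executed. Besides the generator.yml setting, the credential can also be enforced directly in the module's own actions class; the module name ticker_source, the generated base class name and the require paths are assumptions.

```php
<?php
// Added example, not from the question or answer: a belt-and-braces check in
// the module's own actions class. The module name "ticker_source", the base
// class name and the require paths are assumptions; adjust to your module.
require_once dirname(__FILE__).'/../lib/ticker_sourceGeneratorConfiguration.class.php';
require_once dirname(__FILE__).'/../lib/ticker_sourceGeneratorHelper.class.php';

class ticker_sourceActions extends autoTicker_sourceActions
{
  // The batch form posts to executeBatch(), which dispatches on the
  // batch_action parameter to executeBatchDelete(). Enforcing the credential
  // here means the check holds even if generator.yml is misconfigured or
  // the request is crafted without ever loading the list view.
  public function executeBatchDelete(sfWebRequest $request)
  {
    $this->forward403Unless(
      $this->getUser()->hasCredential('delete_ticker_source'),
      'You are not allowed to batch delete ticker sources.'
    );

    // Only a user holding the credential reaches the generated deletion.
    return parent::executeBatchDelete($request);
  }
}
```

With this in place, a user lacking delete_ticker_source gets the application's 403 page instead of a deletion, whatever the drop-down showed when the page was rendered.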

Licensed under: CC-BY-SA with attribution