Home/ Questions/Q 3218738
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T15:33:46+00:00

I am trying to wrap my head around symfony’s user authentication. Need advice on

  • 0

I am trying to wrap my head around symfony’s user authentication. Need advice on best practices.

apps/frontend/modules/mymodule/config/security.yml

edit:
  is_secure: true
  credentials: owner

all:
  is_secure: false

When and where do I set $this->getUser()->addCredential('owner')?
In a filter of the filter chain?

If I set it there, when do I remove the credentials again?
I could just remove in the same filter, if the user is not the owner of that object, but then once the user edited one object, he will have the owner credentials, until he tries to edit something he doesn’t own. Is there a drawback to that?

Or is there a way to set the needed credentials to the id of the object? Like

edit:
  is_secure: true
  credentials: %%request_id%%

And then add user credentials on login for all their ids?

Any insight would be much appreciated.

Update 1:

Would something like this work? Can’t test right now if the code actually works. Would this be best practice?

apps/frontend/config/filters.yml

// ...

security:
  class: addOwnerCredentials

// ...

apps/frontend/lib/addOwnerCredentials.class.php

class addOwnerCredentials extends sfBasicSecurityFilter
{

  function execute($filterChain)
  {
    $context = $this->getContext();
    $request = $context->getRequest();
    $user = $context->getUser();

    $user_ids = $user->getAllOwnership();

    // Add owner credential for current user or remove if he has it but shouldn't
    if (in_array($request->getParameter('id'), $user_ids)) {
      $user->addCredential('owner');
    }
    elseif ($user->hasCredential('owner')) {
      $user->removeCredential('owner');
    }

    // Continue down normal filterChain
    parent::execute($filterChain);

    // On the way back, before rendering, remove owner credential again
    // The code after the call to $filterChain->execute() executes after the
    // action execution and before the rendering.
    if ($user->hasCredential('owner')) {
      $user->removeCredential('owner');
    }
  }

}

Update 2:
Added to code snippet, to remove the owner credentials, right after they were needed, so the user doesn’t have a unnecessary credential in their session.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ve put my custom filter which adds arbitrary credentials to user before security filter, not replaced them. This looks like only difference between our approaches 🙂

    So, I’d say yes, it (I mean UPD1) is best practice.

    • 0