Feature #46111
Provide security skeleton
Status: | New | Start date: | 2013-03-07
---|---|---|---
Priority: | Could have | Due date: |
Assigned To: | - | % Done: | 0%
Category: | - | |
Target version: | - | |
Description
I need to allow the author to delete a comment, hence I'd like to provide a deleteAction and an appropriate Policy.yaml snippet which is present by default and can be activated by users.
The question is: should the Policy secure the Repository or the action? Currently my Policy.yaml for it looks like this:

```yaml
resources:
  methods:
    TYPO3_Comments_RepositoryDeleteComment: 'method(TYPO3\Comments\Domain\Repository\CommentRepository->remove(object.author === current.securityContext.party))'
```

but maybe deleteAction should be secured rather than the Repository->remove() method. What do you think?
History
#1 Updated by Bastian Waidelich over 2 years ago
Adrian Föder wrote:
but maybe deleteAction should be secured rather than the Repository->remove() method. What do you think?
Yes, usually Policies cover Controller/action pairs.
Your implementation would be "safer" but it would for example prevent you from calling CommentRepository::remove() from a CLI command.
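The controller/action variant described in this reply, written out as an added Policy.yaml fragment (it is not code from the issue or the package); the controller class `TYPO3\Comments\Controller\CommentController`, its `$comment` action argument, the resource name and the role `Author` (assumed to be declared the way the Flow version in use requires) are assumptions:

```yaml
# Added example: secure the controller action, not the repository method.
# Assumed names: CommentController, its deleteAction($comment) argument,
# the resource TYPO3_Comments_DeleteOwnComment and the role "Author".
resources:
  methods:
    # The runtime constraint only matches calls where the comment's author
    # is the currently authenticated party. Calls for someone else's comment
    # match no resource, so no GRANT applies and access is denied.
    # CommentRepository->remove() itself stays unguarded and can still be
    # called from a CLI command or other internal code.
    TYPO3_Comments_DeleteOwnComment: 'method(TYPO3\Comments\Controller\CommentController->deleteAction(comment.author === current.securityContext.party))'

acls:
  Author:
    methods:
      TYPO3_Comments_DeleteOwnComment: GRANT
```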
#2 Updated by Adrian Föder over 2 years ago
OK, great, thx for your feedback.
How would you implement the actual controller; a direct controller or also via (the) widget?