[Live][RFC] LiveProp::$role
#424
Comments
How would this work with exposed properties? Like, if "title" is exposed, I guess the security check would still be applied only to the top-level post, right? I also think we should list a few specific use cases for this to make sure it feels right. Also: what if whether I can do this depends on the value of another property? Like, the new value is valid only if some other non-writable LiveProp Boolean is true? In general, it does seem reasonable to have a way to restrict what values a prop is changed to. Most of the time it doesn't matter: if you change to a bad value, then on an action, you can fail validation. But in some cases, a bad value could be used to expose info (like changing it to see info about a Post you don't own).
Could an alternative be to work with methods that manage the permissions? That allows a more fine-grained decision on whether there are enough rights. Example:

```php
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class PostComponent
{
    #[LiveProp(writable: true, authorization_method: 'authorizePost')]
    public Post $post;
    // ...

    public function authorizePost(Post $post): void
    {
        $authorizationChecker = $this->get('security.authorization_checker');
        // check for edit access on the incoming Post
        if (false === $authorizationChecker->isGranted('EDIT', $post)) {
            throw new AccessDeniedException();
        }
    }
}
```

like here: https://github.com/symfony/acl-bundle/blob/main/src/Resources/doc/index.rst#checking-access
Yes, that was my thinking.
One possibility I guess would be to have an option that passes the entire component as the subject.
This could be an option, yes, but I believe the same thing could be effectively achieved with a post-hydrate hook.
Thank you for this issue.
Wondering if it would be desired to add LiveProp::$role: when hydrating the property, we'd use AuthorizationChecker::isGranted($liveProp->role, $post) and throw an AccessDeniedException if false.
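As an added illustration of the check the RFC describes (not code from symfony/ux or from anyone in this thread), here is a minimal hydration step that reads a hypothetical LiveProp attribute carrying a role option and runs isGranted against the incoming value before assigning it. LiveProp, Post, EditPostComponent and hydrateProps are stand-ins invented for this sketch, which assumes the incoming value has already been denormalized; AuthorizationCheckerInterface and AccessDeniedException are Symfony's real classes.

```php
<?php
// Added sketch (not symfony/ux code): the proposed LiveProp::$role check at hydration.
// LiveProp, Post and EditPostComponent are hypothetical stand-ins for this illustration.
declare(strict_types=1);

use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

#[\Attribute(\Attribute::TARGET_PROPERTY)]
final class LiveProp
{
    public function __construct(
        public bool $writable = false,
        public ?string $role = null, // e.g. 'EDIT'; checked as isGranted($role, $newValue)
    ) {
    }
}

final class Post {}

final class EditPostComponent
{
    #[LiveProp(writable: true, role: 'EDIT')]
    public Post $post;
}

// Writes client-supplied values into writable LiveProps, refusing the request
// when the current user lacks $role on the *new* value.
function hydrateProps(object $component, array $incoming, AuthorizationCheckerInterface $checker): void
{
    foreach ((new \ReflectionObject($component))->getProperties() as $property) {
        $name = $property->getName();
        $attributes = $property->getAttributes(LiveProp::class);
        if ([] === $attributes || !array_key_exists($name, $incoming)) {
            continue; // not a LiveProp, or the client did not send it
        }
        $liveProp = $attributes[0]->newInstance();
        if (!$liveProp->writable) {
            throw new \LogicException(sprintf('LiveProp "%s" is not writable.', $name));
        }
        $value = $incoming[$name];
        // The RFC's check: isGranted($liveProp->role, $value), deny on false.
        if (null !== $liveProp->role && !$checker->isGranted($liveProp->role, $value)) {
            throw new AccessDeniedException(sprintf('Cannot write LiveProp "%s".', $name));
        }
        $property->setValue($component, $value);
    }
}
```

Because the check runs on the new value before it is written, a client cannot swap in a Post it is not granted the role on; the exposed-property and cross-property cases raised above are not covered by this sketch.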