symfony - Symfony2 and FOSRestBundle - Only Allow Users to Edit Data That They Own


Symfony version 2.2 (yeah, I know). FOSRestBundle: 1.5.3

Current scenario

I have a REST API driving an Angular page. Let's say each user has a token associated with their user record. Consider the following URLs.

  • GET /api/user/{token}/messages
  • POST /api/user/{token}/messages
  • GET /api/messages/{messageid}
  • GET /api/user/{token}/votes
  • POST /api/user/{token}/votes

So a user can get and post messages. A user can make votes and see them.

(I have 30 different routes / URLs in place.)

Question

How can I verify that the user is allowed to get/post the data for the token they're providing?

I realize I could copy/paste code that checks the given user against the user in the URL, or write a service with a checkUser() function called on each endpoint.

My hope, though, is that there is a way of doing this that doesn't require me to check the user at each endpoint's entry point.

Don't send authentication in the endpoint. An endpoint typically should be idempotent, and should individually identify a particular resource.

Send authentication tokens in HTTP headers.

With that said, as a strategy, bake in security using @wonde's idea. I have implemented a custom base controller class in the past, but the filter and event handling built into Symfony provides a sexier solution.
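As an added illustration of the header-token plus event-listener approach (this is not code from the question or the answer above), here is a Symfony 2.2 kernel.controller listener. It assumes the routes are reworked to carry the owner's id instead of the token (e.g. /api/user/{userId}/messages), that the token arrives in an X-Auth-Token header, and that a repository exposes a findOneByApiToken() method; all three names are assumptions.

```php
<?php
// Added example, not from the original post. Resolves the caller from the
// X-Auth-Token header (assumed header name) and rejects any request whose
// {userId} route parameter names someone else, so controllers need no
// per-endpoint ownership check.

namespace Acme\ApiBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\HttpException;

class OwnershipListener
{
    private $users;

    // $userRepository is assumed to provide findOneByApiToken($token)
    public function __construct($userRepository)
    {
        $this->users = $userRepository;
    }

    // Wire it up in services.yml with:
    //   tags: [{ name: kernel.event_listener, event: kernel.controller, method: onKernelController }]
    public function onKernelController(FilterControllerEvent $event)
    {
        $request = $event->getRequest();

        // Only guard the API; leave the rest of the application alone.
        if (strpos($request->getPathInfo(), '/api/') !== 0) {
            return;
        }

        $token = $request->headers->get('X-Auth-Token');
        if ($token === null || $token === '') {
            throw new HttpException(401, 'Missing X-Auth-Token header');
        }

        $user = $this->users->findOneByApiToken($token);
        if ($user === null) {
            throw new HttpException(401, 'Unknown token');
        }

        // Routes shaped like /api/user/{userId}/... must name the caller.
        $routeUserId = $request->attributes->get('userId');
        if ($routeUserId !== null && (string) $routeUserId !== (string) $user->getId()) {
            throw new AccessDeniedHttpException('You may only access your own data');
        }

        // Hand the resolved user to the controller instead of re-checking there.
        $request->attributes->set('api_user', $user);
    }
}
```

Resource routes without a {userId} (such as /api/messages/{messageid}) still need the loaded entity compared against api_user, since the URL alone does not reveal its owner.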
