Symfony2 and FOSRestBundle - Only Allow Users to Edit Data That They Own
Symfony version 2.2 (yeah, I know). FOSRestBundle: 1.5.3

Current scenario
I have a REST API driving an Angular page. Let's say each user has a token associated with their user record. Consider the following URLs:
- GET /api/user/{token}/messages
- POST /api/user/{token}/messages
- GET /api/messages/{messageid}
- GET /api/user/{token}/votes
- POST /api/user/{token}/votes

So a user can get and post messages, and a user can make votes and see them.
(I have about 30 different routes/URLs in place.)
Question
How can I verify that the user is allowed to get/post data for the token they're providing?
I realize I could copy/paste code that checks the given user against the user in the URL, or write a service with a checkUser() function and call it on each endpoint.
My hope, though, is that there is a way of doing this that doesn't require me to check the user at each endpoint's entry point.
Don't send authentication in the endpoint. Endpoints typically should be idempotent, and should individually identify a particular resource.
Send authentication tokens in HTTP headers.
With that said, your strategy of baking in security using @wonde's idea is fine. I have implemented a custom base controller class in the past, but the filter and event handling built into Symfony provides a sexier solution.
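One way to do the ownership check once, in the event handling the answer mentions, rather than in every action. This is an added example, not code from the question or the answer: a Symfony 2.x kernel.controller listener that compares the {token} route parameter against the already authenticated user. It assumes a User entity with a getToken() method (the question describes a token stored on the user record) and the Symfony 2.2 SecurityContextInterface API; the bundle namespace and service id are placeholders.

```php
<?php
// Added example, not from the question or answer. Runs before every controller action:
// any route carrying a {token} placeholder is rejected unless that token belongs to the
// user who authenticated (e.g. via an HTTP header, as the answer recommends).
// Assumption: the User entity exposes getToken(); namespace and service id are placeholders.
namespace Acme\ApiBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Util\StringUtils;

class OwnerTokenListener
{
    private $securityContext;

    public function __construct(SecurityContextInterface $securityContext)
    {
        $this->securityContext = $securityContext;
    }

    public function onKernelController(FilterControllerEvent $event)
    {
        $request = $event->getRequest();
        // Routes without a {token} placeholder (e.g. /api/messages/{messageid}) are not checked here.
        if (!$request->attributes->has('token')) {
            return;
        }
        $authToken = $this->securityContext->getToken();
        $user = $authToken ? $authToken->getUser() : null;
        if (!$user instanceof UserInterface) {
            throw new AccessDeniedHttpException('Authentication required.');
        }
        // Constant-time comparison so a mismatch does not leak token bytes through timing.
        $urlToken = (string) $request->attributes->get('token');
        if (!StringUtils::equals((string) $user->getToken(), $urlToken)) {
            throw new AccessDeniedHttpException('Token does not belong to the authenticated user.');
        }
    }
}

/* Register the listener (services.yml of the bundle), so it fires for all ~30 routes:
services:
    acme_api.owner_token_listener:
        class: Acme\ApiBundle\EventListener\OwnerTokenListener
        arguments: ["@security.context"]
        tags:
            - { name: kernel.event_listener, event: kernel.controller, method: onKernelController }
*/
```

A 403 from this listener means the caller authenticated as one user but asked for another user's token, which is worth logging as a possible enumeration attempt.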