sorry to bother again, but the pastebin expired... now it's all here:
http://pastebin.com/quQfBXTy
and here:
<?php
/*
 * filters.yml
 *
 * rendering: ~
 * remember_me:
 *   class: sfGuardRememberMeFilter
 * clear_owner:
 *   class: ownerFilter
 * security: ~
 * # insert your own filters here
 * cache: ~
 * execution: ~
 */

/*
 * security.yml
 *
 * edit:
 *   is_secure: true
 *   credentials: [[ admin, owner ]] # admin OR owner
 */

/**
 * Description of ownerFilter class
 *
 * @author marco
 */
class ownerFilter extends sfFilter {
    public function execute($filterChain) {
        $user = $this->getContext()->getUser();
        $request = $this->getContext()->getRequest();
        $model = tools::getModelNameFromModule($request->getParameter('module'));
        var_dump($request->getParameter('id'));
        var_dump($model);
        if ($model != null)
        {
            if (
                $obj = Doctrine::getTable($model)->find($request->getParameter('id'))
                AND $obj
                AND $user->getGuardUser() == $obj->getAuthor()
            ) {
                $user->addCredential('owner');
            }
            else {
                $user->removeCredential('owner');
            }
        }
        // Execute next filter
        $filterChain->execute();
        // remove the owner credential
        $user->removeCredential('owner');
    }
}
?>
On Mar 4, 12:54 am, mbernasocchi <[email protected]> wrote:
> hi all,
> I've set up a filter to give and take away a dynamic owner credential
> (so that only the author of the object can edit it). my problem is
> that as soon as I activate the filter and try to perform an action
> that needs the owner credential, symfony reports " _csrf_token [CSRF
> attack detected.] "
>
> the relevant code can be found here: http://pastebin.com/7tUuTuMKh
>
> thanks in advance
>
> MArco