there is the credential conditions under the object_actions , you can
do something similar to this in your generator.yml to hide the actions
list:
title: something
object_actions:
_edit: # no credentials needed
_delete: { credentials: [[ credential_name ]] } # that privilege
is needed to show the link to the action.
you still have to secure the modules though
On 25 Ago, 15:14, Tomasz Ignatiuk <tomek.ignat...@gmail.com> wrote:
> Hi
>
> I have credentials for module as well as for actions. Unfortunatelly
> this doesn't work as it should:
>
> all:
> is_secure: on
> credentials: [[all, product]]
>
> edit:
> is_secure: on
> credentials: product_edit
>
> delete:
> is_secure: on
> credentials: product_delete
>
> - So module is secured well (GOOD)
> - Both list td actions are being shown (NOT GOOD, they shouldn't).
> - if I click Edit, access error is being shown (GOOD)
> - if I click Delete and confirm, object is deleted (NOT GOOD)
>
> In admin generator plugin in templates I found this function used:
> addCredentialCondition
> But it doesn't work. Also in cache in action links credentials are not
> passed as a link parameter.
>
> Any guess why it doesn't work? I can override this manually by
> changing admin generator plugin template, but I would like to know if
> this is an error.
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to
symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en
