Symfony: Add authorization constraints on entities

[malkusch]

Currently users can view, edit and delete entities of other users:

1. Login as User-1
2. Create pad and remember id of that pad from URI.
3. Login as User-2
4. With the pad id from 2. you can view and edit the pad.

Deleting the pad doesn't work, but unfortunately deleting the note of another user does.

The authenticated user should be checked against the owner of entities.

[aminemat]

Why would you want to do that @malkusch ?
are you proposing to create an admin role that can manage users ?

[malkusch]

Sorry, I was not clear enough. I updated the description above to be more clear about the issue.

[aminemat]

Oh I see, thanks for reporting this, I will make the necessary changes.

[komarserjio]

The easy solution is to find an entity based on two params: entity id + user id. So nothing is found if an entity is requested by not an owner.
Example: https://github.com/komarserjio/notejam/blob/master/cakephp/notejam/src/Controller/NotesController.php#L135

[malkusch]

@komarserjio Now that you mention it, is NotesController::create() protected against a post request with a pad id from another user's pad?

[komarserjio]

Good point. No, there is no protection from another user's pad.
This case should be added as a unit test and implemented across all apps.