I use Symfony 3.
I have an entity (Book) that I can create and edit, so I have created two actions and forms to do this. But I want to save the history of these changes.
I have imagined a solution: two entities, Book and SubBook, that inherit from BaseBook. SubBook is the history of all edits of Book and is linked by a field "parent".
public function editAction(Request $request, ...)
{
    $book = ...
    $form = $this->createForm(BookType::class, $book);
    $form->handleRequest($request);
    if ($form->isSubmitted() && $form->isValid()) {
        $subbook = new SubBook($book);
        $em = $this->getDoctrine()->getManager();
        $em->persist($subbook);
        $em->flush();
        // ...
    }
    // ...
}
AppBundle/Entity/Book
class Book extends BaseBook {
    // ...
}
AppBundle/Entity/SubBook
class SubBook extends BaseBook {
    // ...
    public function __construct($book)
    {
        parent::__construct();
        // ...
        $this->parent = $book;
    }
}
AppBundle/Model/BaseBook
abstract class BaseBook
{
    // ...
}
But my problem is that when I submit the edit form, my Book ($book) is automatically persisted when I execute $em->flush();, so it is updated even if I don't execute $em->persist($book);.
So, do you have any idea how to do this, or how to solve this error?
Thanks!
You should use $em->detach($book);. You can find more information in the documentation.
So, I finally did this. My Book is the entity with the last update, and I save in a SubBook entity all values that have changed.
My SubBook entity is thus almost like Book, but all values (not changed) can be null. So I abandoned the model.
public function editAction(Request $request, $id)
{
    $book = ...
    $form = ...
    if ($form->isSubmitted() && $form->isValid()) {
        $em = $this->getDoctrine()->getManager();
        $uow = $em->getUnitOfWork();
        $uow->computeChangeSets();
        $changeset = $uow->getEntityChangeSet($book);
        $subbook = new SubBook($book, $changeset);
        $em->persist($subbook);
        $em->persist($book);
        $em->flush();
        // ...
    }
    // ...
}
AppBundle/Entity/SubBook
public function __construct($book, $changeset)
{
    // ...
    $this->parent = $book;
    foreach ($changeset as $key => $values) {
        $this->$key = $values[0]; // $values[0] => old value, $values[1] => new value
    }
}
This question already has answers here: Symfony2 Form Entity Update (3 answers). Closed 2 years ago.
I'm making a REST API with Symfony 4.4. The API largely revolves around putting data into a database, using Doctrine. I have figured out how to add rows to the database, but now I'm stuck on changing data. I know how I can take a row from the database and that, in theory, I can change fields by calling the setter of a property, but right now, I seem to be getting an array instead of the desired entity and, seemingly more difficult, I want to be able to dynamically change the properties of the existing row, so that I don't have to include every field of the object of the row I'm changing and call every setter.
Here is my code:
// PersonController.php
/**
 * @IsGranted("ROLE_USER")
 * @Rest\Post("/addperson")
 * @param Request $request
 * @return Response
 */
public function addOrUpdatePerson(Request $request)
{
    $data = json_decode($request->getContent(), true);
    $em = $this->getDoctrine()->getManager();
    $person = new Person();
    $form = $this->createForm(PersonType::class, $person);
    $form->submit($data);
    if (!$form->isSubmitted() || !$form->isValid())
    {
        return $this->handleView($this->view($form->getErrors()));
    }
    if (isset($data['id']))
    {
        // This person exists, change the row
        // What to do?
    }
    // This person is new, insert a new row
    $em->persist($person);
    $em->flush();
    return $this->handleView($this->view(['status' => 'ok'], Response::HTTP_CREATED));
}
// PersonType.php
public function buildForm(FormBuilderInterface $builder, array $options)
{
    $builder
        ->add('id', IntegerType::class, ['mapped' => false])
        ->add('inits')
        ->add('firstname')
        ->add('lastname')
        ->add('email')
        ->add('dateofbirth', DateTimeType::class, [
            'widget' => 'single_text',
            // this is actually the default format for single_text
            'format' => 'yyyy-MM-dd',
        ])
        // Some other stuff
        ->add('save', SubmitType::class);
}
public function configureOptions(OptionsResolver $resolver)
{
    $resolver->setDefaults(array(
        'data_class' => Person::class,
        'csrf_protection' => false
    ));
}
I doubt the Person entity is relevant here, but if it is, please let me know and I'll include it ASAP!
As a response to the suggestion of the other question from Symfony 2: it doesn't seem to fix my problem (entirely). As a result of this question, I have changed my function to this (which doesn't work, but doesn't throw any errors):
public function addOrUpdatePerson(Request $request)
{
    $data = json_decode($request->getContent(), true);
    $em = $this->getDoctrine()->getManager();
    if (isset($data['id'])) {
        // This person exists
        $existing = $em->getRepository(Person::class)->find(['id' => $data['id']]);
        $this->getDoctrine()->getManager()->flush();
        $form = $this->createForm(PersonType::class, $existing);
        $form->handleRequest($request);
        // this doesn't seem to do anything
        // $em->persist($existing);
        $em->flush();
        return $this->handleView($this->view($existing));
    }
}
I think I'm still missing some info, like what to do at // perform some action, such as save the object to the database. I also notice a lot has changed since Symfony 2, and as a result it is not obvious to me what I should do.
After '$person = new Person()' just add:
if (isset($data['id']) && 0 < $data['id']) {
    $person = $em->getRepository(Person::class)->find($data['id']);
}
if (!$person) {
    throw new \Exception('Person not found');
}
1.) You don't have to use json_decode directly. You can use the following code instead:
// Person controller
/**
 * @Route("/person", name="api.person.add", methods={"POST"})
 * @Security("is_granted('ROLE_USER')")
 */
public function addPerson(Request $request)
{
    $person = new Person();
    $form = $this->createForm(PersonType::class, $person);
    $form->submit($request->request->all());
    if (!$form->isSubmitted() || !$form->isValid()) {
        throw new \Exception((string) $form->getErrors(true));
    }
    $em = $this->getDoctrine()->getManager();
    $em->persist($person);
    $em->flush();
    ...
}
2.) When you're updating an entity you need to load it first and skip the $em->persist($entity); part. In this case, we provide the ID of the entity via the path variable (there are various ways to provide it but this one is quite common). NOTE: I've set the $id parameter as mixed because it can be an integer or a string if you're using UUID-type IDs.
// Person controller
/**
 * @Route("/person/{id}", name="api.person.patch", methods={"PATCH"})
 * @Security("is_granted('ROLE_USER')")
 */
public function patchPerson(Request $request, mixed $id)
{
    // Load person
    $personRepository = $this->getDoctrine()->getRepository(Person::class);
    $person = $personRepository->find($id);
    if (!$person) { throw new \Exception('Entity not found'); }
    $form = $this->createForm(PersonType::class, $person);
    $form->submit($request->request->all());
    if (!$form->isSubmitted() || !$form->isValid()) {
        throw new \Exception((string) $form->getErrors(true));
    }
    $em = $this->getDoctrine()->getManager();
    $em->flush();
    ...
}
3.) In general usage, we don't set the ID property via posted data (unless it is required). We rather use a generated value instead. When you insert a new entity you can use its ID to address it for modifications. Sample:
<?php
namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;
use Ramsey\Uuid\Uuid;
use Symfony\Component\Serializer\Annotation\Groups;

/**
 * @ORM\Entity
 */
class Person
{
    /**
     * @var Uuid
     *
     * @ORM\Id
     * @ORM\Column(type="uuid", unique=true)
     * @ORM\GeneratedValue(strategy="CUSTOM")
     * @ORM\CustomIdGenerator(class="Ramsey\Uuid\Doctrine\UuidGenerator")
     * @Groups({"public"})
     */
    protected $id;

    // Other entity properties ...

    public function getId(): ?string
    {
        return $this->id;
    }

    public function setId(string $id): self
    {
        $this->id = $id;
        return $this;
    }

    // Setters and getters for other entity properties ...
}
4.) Entity class in FormType (PersonType.php) is very relevant. After form submission and validation you access properties of the entity itself within the controller - not the decoded payload data from the request directly. Symfony's form system will make sure that the input data is valid and matches the requirements and constraints set in the entity model or form type specification.
// Person controller
/**
 * @Route("/person", name="api.person.add", methods={"POST"})
 * @Security("is_granted('ROLE_USER')")
 */
public function addPerson(Request $request)
{
    $person = new Person();
    $form = $this->createForm(PersonType::class, $person);
    $form->submit($request->request->all());
    if (!$form->isSubmitted() || !$form->isValid()) {
        throw new \Exception((string) $form->getErrors(true));
    }
    $em = $this->getDoctrine()->getManager();
    $em->persist($person);
    $em->flush();
    $id = $person->getId();
    $firstName = $person->getFirstname();
    $lastName = $person->getLastname();
    // etc
    ...
}
5.) If you want to use the same method/endpoint for adding and updating an entity you can do something like @lasouze mentioned.
// Person controller
/**
 * @Route("/person", name="api.person.add_or_update", methods={"POST", "PATCH"})
 * @Security("is_granted('ROLE_USER')")
 */
public function patchPerson(Request $request)
{
    $id = $request->request->get('id', null);
    if (!$id) {
        $person = new Person();
    } else {
        // Load person
        $personRepository = $this->getDoctrine()->getRepository(Person::class);
        $person = $personRepository->find($id);
        if (!$person) { throw new \Exception('Entity not found'); }
    }
    $form = $this->createForm(PersonType::class, $person);
    $form->submit($request->request->all());
    if (!$form->isSubmitted() || !$form->isValid()) {
        throw new \Exception((string) $form->getErrors(true));
    }
    $em = $this->getDoctrine()->getManager();
    $em->flush();
    ...
}
PS: $form->submit($request->request->all()); will not work for file uploads because $request->request->all() does not contain the parameters provided by $_FILES. In my case I ended up merging data like $form->submit(array_merge($request->request->all(), $request->files->all())); but this is probably not the best solution. I'll update my answer if I figure out anything better.
I have this EventSubscriber:
<?php
use Doctrine\Common\EventSubscriber;
use Doctrine\ORM\Event\LifecycleEventArgs;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

class ChangeLogListener implements EventSubscriber
{
    private $tokenStorage;

    public function __construct(TokenStorageInterface $tokenStorage)
    {
        $this->tokenStorage = $tokenStorage;
    }

    public function getSubscribedEvents()
    {
        // event names must match the handler methods below
        // ('preRemove' is the Doctrine event; 'onDelete' is not one)
        return array(
            'postPersist',
            'postUpdate',
            'preRemove',
        );
    }

    public function postPersist(LifecycleEventArgs $args)
    {
        // skip ChangeLog rows themselves, otherwise every log write logs itself
        if (!$args->getEntity() instanceof ChangeLog) {
            $this->createLog($args, 'creation');
        }
    }

    public function postUpdate(LifecycleEventArgs $args)
    {
        $this->createLog($args, 'update');
    }

    public function preRemove(LifecycleEventArgs $args)
    {
        $this->createLog($args, 'remove');
    }

    public function createLog(LifecycleEventArgs $args, $action)
    {
        # Entity manager
        $em = $args->getEntityManager();
        $uow = $em->getUnitOfWork();
        $entity = $args->getEntity();
        # Get user
        $user = $this->tokenStorage->getToken()->getUser();
        # Get changes
        $changes = $uow->getEntityChangeSet($entity);
        # Short human-readable description of what happened
        $log = sprintf('%s of %s #%s', $action, get_class($entity), $entity->getId());
        $cl = new ChangeLog();
        $cl->setDate(new \DateTime());
        $cl->setUser($user);
        $cl->setEntityName(get_class($entity));
        $cl->setEntityId($entity->getId());
        $cl->setAction($action);
        $cl->setDescription($log);
        $cl->setChangeset($changes);
        $em->persist($cl);
        $em->flush();
    }
}
And when I want to POST an item, some data must be recorded to the db. After all actions I receive this in change_set in my db:
a:3:{s:5:"value";a:2:{i:0;N;i:1;s:3:"120";}s:4:"item";a:2:{i:0;N;i:1;O:21:"AppBundle\Entity\Item":6:{s:25:"AppBundle\Entity\Itemid";i:127;s:27:"AppBundle\Entity\Itemname";s:7:"newitem";s:13:"*categories";O:33:"Doctrine\ORM\PersistentCollection":2:{s:13:"*collection";O:43:"Doctrine\Common\Collections\ArrayCollection":1:{s:53:"Doctrine\Common\Collections\ArrayCollectionelements";a:2:{i:0;O:25:"AppBundle\Entity\Category":7:{s:29:"AppBundle\Entity\Categoryid";i:2;s:31:"AppBundle\Entity\Categoryname";s:10:"child to 1";s:33:"AppBundle\Entity\Categoryparent";O:40:"Proxies__CG__\AppBundle\Entity\Category":8:{s:17:"isInitialized";b:0;s:29:"AppBundle\Entity\Categoryid";i:1;s:31:"AppBundle\Entity\Categoryname";N;s:33:"AppBundle\Entity\Categoryparent";N;s:35:"AppBundle\Entity\Categorychildren";N;s:8:"*items";N;s:36:"AppBundle\Entity\CategorycreatedAt";N;s:36:"AppBundle\Entity\CategoryupdatedAt";N;}s:35:"AppBundle\Entity\Categorychildren";O:33:"Doctrine\ORM\PersistentCollection":2:{s:13:"*collection";O:43:"Doctrine\Common\Collections\ArrayCollection":1:{s:53:"Doctrine\Common\Collections\ArrayCollectionelements";a:0:{}}s:14:"*initialized";b:0;}s:8:"*items";O:33:"Doctrine\ORM\PersistentCollection":2:{s:13:"*collection";O:43:"Doctrine\Common\Collections\ArrayCollection":1:{s:53:"Doctrine\Common\Collections\ArrayCollectionelements";a:0:{}}s:14:"*initialized";b:0;}s:36:"AppBundle\Entity\CategorycreatedAt";N;s:36:"AppBundle\Entity\CategoryupdatedAt";N;}i:1;O:25:"AppBundle\Entity\Category":7:{s:29:"AppBundle\Entity\Categoryid";i:4;s:31:"AppBundle\Entity\Categoryname";s:8:"child1.1";s:33:"AppBundle\Entity\Categoryparent";r:13;s:35:"AppBundle\Entity\Categorychildren";O:33:"Doctrine\ORM\PersistentCollection":2:{s:13:"*collection";O:43:"Doctrine\Common\Collections\ArrayCollection":1:{s:53:"Doctrine\Common\Collections\ArrayCollectionelements";a:0:{}}s:14:"*initialized";b:0;}s:8:"*items";O:33:"Doctrine\ORM\PersistentCollection":2:{s:13:"*collection";O:43:"Doctrine\Common\Collections\ArrayCollection":1:{s:53:"Doctrine\Common\Collections\ArrayCollectionelements";a:0:{}}s:14:"*initialized";b:0;}s:36:"AppBundle\Entity\CategorycreatedAt";N;s:36:"AppBundle\Entity\CategoryupdatedAt";N;}}}s:14:"*initialized";b:1;}s:13:"*attributes";N;s:32:"AppBundle\Entity\ItemcreatedAt";O:8:"DateTime":3:{s:4:"date";s:26:"2018-03-19 10:22:47.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:32:"AppBundle\Entity\ItemupdatedAt";N;}}s:9:"attribute";a:2:{i:0;N;i:1;O:26:"AppBundle\Entity\Attribute":3:{s:30:"AppBundle\Entity\Attributeid";i:96;s:33:"AppBundle\Entity\Attributealias";s:5:"price";s:32:"AppBundle\Entity\Attributename";s:5:"price";}}}
But I think this data is not readable. I think I need to parse the received data before writing it into the db, but I don't understand how to parse this into a readable format, something like this:
name: Old Value: 12 => New Value: 121, updatedAt: Old Value:
2018-03-20 05:51:44 => New Value: 2018-03-20 08:36:12 and other
Any idea how to parse this?
You are directly inserting all work done on entities with the whole object; that's why you are saving all the meta-data into the db. Better to use a Doctrine customized extension to handle this (doctrine-extensions; see the Loggable behavioral extension for Doctrine2), or if you want to create a self-customized ChangeLogListener then use methods to compute or get the exact change-set using Doctrine methods. For the methods see here.
You can change your EventListener code to something like this:
$em = $this->getDoctrine()->getManager();
$entity = $em->find('My\Entity', 1);
$entity->setTitle('Changed Title!');
$uow = $em->getUnitOfWork();
$uow->computeChangeSets(); // do not compute changes if inside a listener
$changeset = $uow->getEntityChangeSet($entity);
or check Is there a built-in way to get all of the changed/updated fields in a Doctrine 2 entity
If you are trying inside an EventListener then try inside particular events like:
use Doctrine\ORM\Event\PreUpdateEventArgs;

// preUpdate receives PreUpdateEventArgs, which (unlike LifecycleEventArgs)
// exposes the computed changeset
public function preUpdate(PreUpdateEventArgs $eventArgs)
{
    $changeArray = $eventArgs->getEntityChangeSet();
    // do stuff with the change array
}
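As an added example (not from the question or the answers above), this renders a Doctrine changeset array, field => [old, new], as the "Old Value => New Value" lines the question asks for, recording class and id for related entities instead of serializing whole object graphs. It assumes related entities expose getId(); the SampleItem class and the changeset below are constructed stand-ins for the question's data.

```php
<?php
// Added example: format a Doctrine changeset ([field => [old, new]]) for an
// audit log. Assumes related entities expose getId().

function formatChangeValue($value): string
{
    if (null === $value) {
        return 'null';
    }
    if ($value instanceof \DateTimeInterface) {
        return $value->format('Y-m-d H:i:s');
    }
    if (is_object($value)) {
        // Storing the full entity (proxies, collections, timestamps) bloats the
        // log and copies unrelated data into it; class + id is enough to
        // resolve the row later and is what a reviewer needs to see.
        $id = method_exists($value, 'getId') ? $value->getId() : spl_object_id($value);
        return sprintf('%s#%s', get_class($value), $id);
    }
    if (is_array($value)) {
        return json_encode($value);
    }
    if (is_bool($value)) {
        return $value ? 'true' : 'false';
    }
    return (string) $value;
}

/**
 * @param array $changeset as returned by UnitOfWork::getEntityChangeSet()
 * @return string[] field => "Old Value: x => New Value: y"
 */
function describeChangeset(array $changeset): array
{
    $lines = array();
    foreach ($changeset as $field => $pair) {
        list($old, $new) = $pair;
        $lines[$field] = sprintf(
            'Old Value: %s => New Value: %s',
            formatChangeValue($old),
            formatChangeValue($new)
        );
    }
    return $lines;
}

// Constructed stand-in for AppBundle\Entity\Item from the question.
class SampleItem
{
    private $id;

    public function __construct($id)
    {
        $this->id = $id;
    }

    public function getId()
    {
        return $this->id;
    }
}

// Constructed changeset shaped like the one the listener receives:
// 'value' and 'item' were set on creation, 'updatedAt' changed on update.
$changeset = array(
    'value'     => array(null, '120'),
    'item'      => array(null, new SampleItem(127)),
    'updatedAt' => array(new \DateTime('2018-03-20 05:51:44'), new \DateTime('2018-03-20 08:36:12')),
);

foreach (describeChangeset($changeset) as $field => $text) {
    echo $field, ': ', $text, PHP_EOL;
}
```

Storing the array returned by describeChangeset() (JSON-encoded) in the changeset column instead of the raw $changes array replaces the dump in the question with the requested lines.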
I have a simple registration form which has 3 fields. Email, name and password. So far so good. I'm able to create new users. The problem comes when I want to edit user information.
I want to update the password field in the database only if the HTML password field is not empty.
public function editAction(User $user, Request $request)
{
    $form = $this->createForm(new UserForm(), $user);
    $form->handleRequest($request);
    if ($form->isSubmitted() && $form->isValid()) {
        $em = $this->getDoctrine()->getManager();
        $em->persist($user);
        $em->flush();
        $this->redirectToRoute('bd_user_list');
    }
    return $this->render('BDUserBundle:User:add.html.twig', [
        'form' => $form->createView()
    ]);
}
If I leave the password field blank I get this error (which is normal):
An exception occurred while executing 'UPDATE users SET password = ? WHERE id = ?' with params [null, 5]:
SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'password' cannot be null
I've read about validation groups but I'm not sure they can help.
// the solution
UserForm.php
[...]
$builder->addEventSubscriber(new UserFormListener());
[...]
UserFormListener.php
<?php
namespace SDUserBundle\Form\EventListener;

use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class UserFormListener implements EventSubscriberInterface
{
    private $password;

    public static function getSubscribedEvents()
    {
        return array(
            FormEvents::PRE_SET_DATA => 'preSetData',
            FormEvents::POST_SUBMIT => 'postSubmit'
        );
    }

    public function preSetData(FormEvent $event)
    {
        // remember the stored (hashed) password before the form touches the entity
        $this->password = $event->getData()->getPassword();
    }

    public function postSubmit(FormEvent $event)
    {
        $data = $event->getData();
        // an empty password field means "keep the current one"
        if ($data->getPassword() == false) {
            $data->setPassword($this->password);
        }
    }
}
Fast solution
Modify your code as follows
public function editAction(User $user, Request $request)
{
    $old_pwd = $user->getPassword(); // or whatever the method is called
    $form = $this->createForm(new UserForm(), $user);
    $form->handleRequest($request);
    if ($form->isSubmitted() && $form->isValid()) {
        $em = $this->getDoctrine()->getManager();
        if (null == $user->getPassword()) {
            $user->setPassword($old_pwd);
        }
        $em->persist($user);
        $em->flush();
        $this->redirectToRoute('bd_user_list');
    }
    return $this->render('BDUserBundle:User:add.html.twig', [
        'form' => $form->createView()
    ]);
}
More elegant solution
This is a first solution, but it involves some logic inside the controller; maybe you need that code elsewhere, so you could migrate it into form events like FormEvents::PRE_SET_DATA.
So you need to modify your UserForm as follows
use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;
[...]
class UserForm extends AbstractType
{
    private $old_pwd;
    [...]
    $builder
        [...]
        ->addEventListener(FormEvents::PRE_SET_DATA, function(FormEvent $event) {
            $data = $event->getData();
            $this->old_pwd = $data->getPassword();
        })
        ->addEventListener(FormEvents::POST_SUBMIT, function(FormEvent $event) {
            $data = $event->getData();
            if (false == $data->getPassword()) {
                $data->setPassword($this->old_pwd);
                // hand the restored object back to the form event
                $event->setData($data);
            }
        })
}
I really don't know if the second approach is a working one as I can't test it at the moment, but FormEvents should help you accomplish what you need.
Another approach, not so good?
Maybe you could modify User setter directly
class User
{
    [...]
    public function setPassword($pwd)
    {
        // an empty value leaves the stored password alone
        if ($pwd) {
            $this->pwd = $pwd; // logic here to store a safe pwd
        }
    }
}
Why this third solution is the worst of all I let you find out yourself ;)
Side note
Just to let you know that isValid() takes care of the submitted check for you from Symfony 2.3 on, so you don't need the isSubmitted() check explicitly.
I have three entities: User, Store and Category.
User has a bidirectional relation with Store and store has a bidirectional relation with Category also.
Each user can create many stores and he can create many categories for each one.
I have managed to secure the store using Voters and user can access only to his stores.
This is the route of the store
dashboard_store_view:
    path: /{id}/view
    defaults: { _controller: ProjectStoreBundle:StoreDashboard:view }
The url is like this
http://localhost/project/web/app_dev.php/dashboard/store/1/view
This is the controller StoreDashboardController.php
<?php
//..................
public function viewAction(Store $store)
{
    // keep in mind, this will call all registered security voters
    if (false === $this->get('security.context')->isGranted('view', $store)) {
        throw new AccessDeniedException('Unauthorised access!');
    }
    $em = $this->getDoctrine()->getManager();
    $store = $em->getRepository('ProjectStoreBundle:Store')->findOneById($store);
    return $this->render('ProjectDashboardBundle:Store:view.html.twig',
        array(
            'store' => $store
        ));
}
And this is the StoreVoter
<?php
namespace Project\StoreBundle\Security\Authorization\Voter;

use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class StoreVoter implements VoterInterface
{
    const VIEW = 'view';
    const EDIT = 'edit';
    const DELETE = 'delete';

    public function supportsAttribute($attribute)
    {
        return in_array($attribute, array(
            self::VIEW,
            self::EDIT,
            self::DELETE,
        ));
    }

    public function supportsClass($class)
    {
        $supportedClass = 'Project\StoreBundle\Entity\Store';
        return $supportedClass === $class || is_subclass_of($class, $supportedClass);
    }

    /**
     * @param \Project\StoreBundle\Entity\Store $store
     */
    public function vote(TokenInterface $token, $store, array $attributes)
    {
        // check if class of this object is supported by this voter
        if (!$this->supportsClass(get_class($store))) {
            return VoterInterface::ACCESS_ABSTAIN;
        }
        // check if the voter is used correctly, only allow one attribute
        // this isn't a requirement, it's just one easy way for you to
        // design your voter
        if (1 !== count($attributes)) {
            throw new InvalidArgumentException(
                'Only one attribute is allowed for VIEW or EDIT'
            );
        }
        // set the attribute to check against
        $attribute = $attributes[0];
        // get current logged in user
        $user = $token->getUser();
        // check if the given attribute is covered by this voter
        if (!$this->supportsAttribute($attribute)) {
            return VoterInterface::ACCESS_ABSTAIN;
        }
        // make sure there is a user object (i.e. that the user is logged in)
        if (!$user instanceof UserInterface) {
            return VoterInterface::ACCESS_DENIED;
        }
        switch ($attribute) {
            case 'view':
                // we assume that our data object has a method getUser() to
                // get the current owner user entity for this data object
                if ($user->getId() === $store->getUser()->getId()) {
                    return VoterInterface::ACCESS_GRANTED;
                }
                break;
            case 'edit':
                // we assume that our data object has a method getUser() to
                // get the current owner user entity for this data object
                if ($user->getId() === $store->getUser()->getId()) {
                    return VoterInterface::ACCESS_GRANTED;
                }
                break;
            case 'delete':
                // we assume that our data object has a method getUser() to
                // get the current owner user entity for this data object
                if ($user->getId() === $store->getUser()->getId()) {
                    return VoterInterface::ACCESS_GRANTED;
                }
                break;
        }
        // the user is not the owner: deny explicitly instead of returning null
        return VoterInterface::ACCESS_DENIED;
    }
}
I tried to do the same thing with categories but I failed to secure each category to its own store, and so every user can edit any category.
This is the route
dashboard_category_edit:
    pattern: /{store_id}/edit/{id}
    defaults: { _controller: ProjectStoreBundle:CategoryDashboard:edit }
The url is like this
http://localhost/project/web/app_dev.php/dashboard/categories/store/1/edit/3
CategoryDashboardController.php
public function editAction(Category $category, Store $store)
{
    // keep in mind, this will call all registered security voters
    if (false === $this->get('security.context')->isGranted('edit', $store)) {
        throw new AccessDeniedException('Unauthorised access!');
    }
    $form = $this->createForm(new CategoryEditType(), $category);
    $request = $this->getRequest();
    if ($request->getMethod() == 'POST')
    {
        $form->bind($request);
        if ($form->isValid())
        {
            $em = $this->getDoctrine()->getManager();
            $em->persist($category);
            $em->flush();
            $this->get('session')->getFlashBag()->add('info', 'Category bien modifié');
            return $this->redirect( $this->generateUrl('dashboard_category_index', array('store_id' => $store->getId())));
        }
    }
    return $this->render('ProjectDashboardBundle:Category:edit.html.twig',
        array(
            'form' => $form->createView() ,
            'store' => $store
        ));
}
and this is the CategoryVoter
<?php
namespace Project\StoreBundle\Security\Authorization\Voter;

use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class CategoryVoter implements VoterInterface
{
    const VIEW = 'view';
    const EDIT = 'edit';
    const DELETE = 'delete';

    public function supportsAttribute($attribute)
    {
        return in_array($attribute, array(
            self::VIEW,
            self::EDIT,
            self::DELETE,
        ));
    }

    public function supportsClass($class)
    {
        $supportedClass = 'Project\StoreBundle\Entity\Category';
        return $supportedClass === $class || is_subclass_of($class, $supportedClass);
    }

    /**
     * @param \Project\StoreBundle\Entity\Category $category
     */
    public function vote(TokenInterface $token, $category, array $attributes)
    {
        // check if class of this object is supported by this voter
        if (!$this->supportsClass(get_class($category))) {
            return VoterInterface::ACCESS_ABSTAIN;
        }
        // check if the voter is used correctly, only allow one attribute
        // this isn't a requirement, it's just one easy way for you to
        // design your voter
        if (1 !== count($attributes)) {
            throw new InvalidArgumentException(
                'Only one attribute is allowed for VIEW or EDIT'
            );
        }
        // set the attribute to check against
        $attribute = $attributes[0];
        // get current logged in user
        $user = $token->getUser();
        // check if the given attribute is covered by this voter
        if (!$this->supportsAttribute($attribute)) {
            return VoterInterface::ACCESS_ABSTAIN;
        }
        // make sure there is a user object (i.e. that the user is logged in)
        if (!$user instanceof UserInterface) {
            return VoterInterface::ACCESS_DENIED;
        }
        switch ($attribute) {
            case 'view':
                // we assume that our data object has a method getUser() to
                // get the current owner user entity for this data object
                if ($user->getId() === $category->getStore()->getUser()->getId()) {
                    return VoterInterface::ACCESS_GRANTED;
                }
                break;
            case 'edit':
                // we assume that our data object has a method getUser() to
                // get the current owner user entity for this data object
                if ($user->getId() === $category->getStore()->getUser()->getId()) {
                    return VoterInterface::ACCESS_GRANTED;
                }
                break;
            case 'delete':
                // we assume that our data object has a method getUser() to
                // get the current owner user entity for this data object
                if ($user->getId() === $category->getStore()->getUser()->getId()) {
                    return VoterInterface::ACCESS_GRANTED;
                }
                break;
        }
        // the user does not own the category's store: deny explicitly instead of returning null
        return VoterInterface::ACCESS_DENIED;
    }
}
The problem is that categories are not related to the user but to the store, so how can I secure them?
I found this solution: verify if $category->getStore() <> $store and then throw AccessDeniedException, without using Voters, and it works fine now.
if ($category->getStore() <> $store) {
    throw new AccessDeniedException('Unauthorised access!');
}
So the controller will be like this
/**
 * @ParamConverter("store", options={"mapping": {"store_id":"id"}})
 */
public function editAction(Category $category, Store $store)
{
    if ($category->getStore() <> $store) {
        throw new AccessDeniedException('Unauthorised access!');
    }
    $form = $this->createForm(new CategoryEditType(), $category);
    $request = $this->getRequest();
    if ($request->getMethod() == 'POST')
    {
        $form->bind($request);
        if ($form->isValid())
        {
            $em = $this->getDoctrine()->getManager();
            $em->persist($category);
            $em->flush();
            $this->get('session')->getFlashBag()->add('info', 'Category bien modifié');
            return $this->redirect( $this->generateUrl('dashboard_category_index', array('store_id' => $store->getId())));
        }
    }
    return $this->render('ProjectDashboardBundle:Category:edit.html.twig',
        array(
            'form' => $form->createView() ,
            'store' => $store
        ));
}
Is it a good solution ?
If each Category has only one Store there is no point in using store_id in the route when you want to edit a Category. Just use category_id and get $store from $category by calling $store = $category->getStore();. Change editAction:
/**
 * @ParamConverter("category", options={"mapping": {"category_id":"id"}})
 */
public function editAction(Category $category)
{
    // keep in mind, this will call all registered security voters
    if (false === $this->get('security.context')->isGranted('edit', $category)) {
        throw new AccessDeniedException('Unauthorised access!');
    }
    $store = $category->getStore();
    (...)
I found this solution: get the store of the category (id_store in table category), then do two verifications:
whether id_store in table category doesn't match the Store's owner, and whether id_store in table category doesn't match the current store.
/**
 * @ParamConverter("store", options={"mapping": {"store_id":"id"}})
 */
public function editAction(Category $category, Store $store)
{
    // get id_store in table category
    $idStore = $category->getStore();
    // if id_store in table category doesn't match user
    if (false === $this->get('security.context')->isGranted('edit', $idStore)) {
        throw new AccessDeniedException('Unauthorised access!');
    }
    // if id_store in table category doesn't match current store
    if ($idStore !== $store) {
        throw new AccessDeniedException('Unauthorised access!');
    }
    $form = $this->createForm(new CategoryEditType(), $category);
    $request = $this->getRequest();
    if ($request->getMethod() == 'POST')
    {
        $form->bind($request);
        if ($form->isValid())
        {
            $em = $this->getDoctrine()->getManager();
            $em->persist($category);
            $em->flush();
            $this->get('session')->getFlashBag()->add('info', 'Category bien modifié');
            return $this->redirect( $this->generateUrl('dashboard_category_index', array('store_id' => $store->getId())));
        }
    }
    return $this->render('ProjectDashboardBundle:Category:edit.html.twig',
        array(
            'form' => $form->createView() ,
            'store' => $store
        ));
}
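As an added example (not the question's or the answers' code), here is the same category authorization written against Symfony's Voter base class (available since Symfony 2.8), so the ownership rule lives in one place and the controller asks about the category itself rather than a store id taken from the URL. It assumes Category::getStore(), Store::getUser() and User::getId() as used on this page.

```php
<?php
// Added example: a CategoryVoter on Symfony's Voter base class. Ownership of a
// Category is derived from its Store, so "may I edit this category?" is the only
// question the controller has to ask. Assumes Category::getStore(),
// Store::getUser() and User::getId() as on this page.

namespace Project\StoreBundle\Security\Authorization\Voter;

use Project\StoreBundle\Entity\Category;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

class CategoryVoter extends Voter
{
    const VIEW = 'view';
    const EDIT = 'edit';
    const DELETE = 'delete';

    protected function supports($attribute, $subject)
    {
        // Abstain on anything that is not a Category with one of our attributes,
        // so StoreVoter and other voters keep deciding their own subjects.
        return $subject instanceof Category
            && in_array($attribute, array(self::VIEW, self::EDIT, self::DELETE), true);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // not logged in: deny
        }

        /** @var Category $subject */
        $store = $subject->getStore();
        if (null === $store || null === $store->getUser()) {
            return false; // orphaned category: deny rather than guess an owner
        }

        // view, edit and delete all reduce to "the caller owns the parent store".
        // Compare ids, not object identity, so a proxy or detached instance of
        // the same user still matches.
        return $store->getUser()->getId() === $user->getId();
    }
}
```

In the controller, `$this->denyAccessUnlessGranted(CategoryVoter::EDIT, $category);` with the category loaded by its own id covers both checks from the question; if the route keeps {store_id}, additionally reject the request when `$category->getStore() !== $store`, so a mismatched store id in the URL cannot widen access.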
I have this code in two methods (create and update). Each time I need to update or create a new user I need to encode the user password with the salt.
$factory = $this->get('security.encoder_factory');
$encoder = $factory->getEncoder($entity);
$password = $encoder->encodePassword($entity->getPassword(), $entity->getSalt());
$entity->setPassword($password);
To avoid code duplication what should I do?
Create a new method in the controller, getEncodedPassword($entity), returning $encodedPassword
Add this logic to the Form using DI, injecting the $encoder as a required field
Add this logic to the model, and pass the $encoder in the constructor of the entity object.
Thank you!
If your create and edit are fairly simple and pretty much the same, you can combine it to one function which actually generates and validates the form.
Some code:
class ProductController extends Controller
{
    /**
     * @Route("/create", name="_product_create")
     */
    public function createAction()
    {
        $product = new Product();
        return $this->productForm($product, $this->getRequest(), 'create');
    }

    /**
     * @Route("/edit/{product_id}", name="_product_edit_id")
     */
    public function editIdAction($product_id)
    {
        $entity_manager = $this->getDoctrine()->getEntityManager();
        $product_repository = $entity_manager->getRepository('VendorBundle:Product');
        $product = $product_repository->findOneBy(
            array('id' => $product_id)
        );
        if (!$product) {
            throw $this->createNotFoundException('Product not found');
        }
        return $this->productForm($product, $this->getRequest(), 'editId');
    }

    protected function productForm(Product $product, Request $request, $twig_name)
    {
        $form = $this->createForm(new ProductType(), $product);
        if ($request->getMethod() == 'POST') {
            $form->bindRequest($request);
            if ($form->isValid()) {
                // Do whatever we want before persisting/flushing
                $entity_manager = $this->getDoctrine()->getEntityManager();
                $entity_manager->persist($product);
                $entity_manager->flush();
                // Land on the edit page of the saved product (pick your own target route)
                $redirect_url = $this->generateUrl('_product_edit_id', array('product_id' => $product->getId()));
                return $this->redirect($redirect_url);
            }
        }
        $twig_params = array(
            'form' => $form->createView(),
        );
        return $this->render(
            'VendorBundle:Product:' . $twig_name . '.html.twig', $twig_params
        );
    }
}
This will render create.html.twig or editId.html.twig depending on the route.
If $product->getId() === null we are creating a new entity, else we are editing.
I think that the correct option is the model/entity approach.
So, I leave my solution here:
public function hashPassword($container)
{
    $factory = $container->get('security.encoder_factory');
    $encoder = $factory->getEncoder($this);
    $password = $encoder->encodePassword($this->getPassword(), $this->getSalt());
    return $password;
}
In the controller:
//hash user password
$userEntity->setPassword($userEntity->hashPassword($this->container));
Right now I have improved (I at least think...) the answer to this question.
I have created a class that will receive the $encoderFactory from the DI:
# services.yml
parameters:
    password_encoder.class: Beubi\SignatureBundle\Handler\PasswordEncoder

services:
    password_encoder:
        class: '%password_encoder.class%'
        arguments: ['@security.encoder_factory']
So, I create a class that will be used in Service container:
<?php
namespace Beubi\SignatureBundle\Handler;

use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;

class PasswordEncoder
{
    protected $encoderFactory;

    public function __construct(EncoderFactoryInterface $encoderFactory)
    {
        $this->encoderFactory = $encoderFactory;
    }

    public function encodePassword($entity)
    {
        // pick the encoder configured for this user class, then hash with the user's salt
        $encoder = $this->encoderFactory->getEncoder($entity);
        return $encoder->encodePassword($entity->getPassword(), $entity->getSalt());
    }
}
And then in my controller:
$password = $this->get('password_encoder')->encodePassword($entity);
$entity->setPassword($password);
This way, my User object doesn't have any knowledge of $encoderFactory or how to encode a password.
I'm expecting more comments on this question...
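As an added example (not code from any question or answer on this page), the following serves two threads at once: the "update the password only if the field is not empty" problem, handled with an unmapped plainPassword form field so an empty submission never touches the stored hash, and the "avoid duplicating the encode logic" question, handled with one small service shared by create and edit. It assumes Symfony 4.4 with Doctrine, an App\Entity\User implementing UserInterface with getId() and setPassword(), service autowiring, and a 'user_list' route; the three namespace blocks would be separate files in a real project.

```php
<?php
// Added example (not from this page): unmapped plainPassword field + one
// password service shared by create and edit. Assumes Symfony 4.4, an
// App\Entity\User implementing UserInterface with getId()/setPassword(),
// autowiring and a 'user_list' route; blocks would be separate files.
namespace App\Form {
    use App\Entity\User;
    use Symfony\Component\Form\AbstractType;
    use Symfony\Component\Form\Extension\Core\Type\PasswordType;
    use Symfony\Component\Form\FormBuilderInterface;
    use Symfony\Component\OptionsResolver\OptionsResolver;
    use Symfony\Component\Validator\Constraints\NotBlank;
    class UserType extends AbstractType
    {
        public function buildForm(FormBuilderInterface $builder, array $options)
        {
            // 'required' only emits an HTML attribute; NotBlank enforces it server-side
            $constraints = $options['require_password'] ? [new NotBlank()] : [];
            $builder
                ->add('email')
                ->add('name')
                ->add('plainPassword', PasswordType::class, [
                    'mapped' => false, // never bound to User::$password
                    'required' => $options['require_password'],
                    'constraints' => $constraints,
                ]);
        }

        public function configureOptions(OptionsResolver $resolver)
        {
            $resolver->setDefaults([
                'data_class' => User::class,
                'require_password' => false, // true on create, false on edit
            ]);
        }
    }
}
namespace App\Security {
    use App\Entity\User;
    use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
    class PasswordUpdater
    {
        private $encoder;
        public function __construct(UserPasswordEncoderInterface $encoder)
        {
            $this->encoder = $encoder;
        }
        /** Hashes $plain onto $user; null or '' leaves the stored hash untouched. */
        public function apply(User $user, ?string $plain): bool
        {
            if (null === $plain || '' === $plain) {
                return false;
            }
            $user->setPassword($this->encoder->encodePassword($user, $plain));
            return true;
        }
    }
}
namespace App\Controller {
    use App\Entity\User;
    use App\Form\UserType;
    use App\Security\PasswordUpdater;
    use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\Response;
    class UserController extends AbstractController
    {
        public function createAction(Request $request, PasswordUpdater $updater): Response
        {
            return $this->save($request, new User(), $updater);
        }

        // $user is loaded from the {id} route parameter by the Doctrine ParamConverter
        public function editAction(Request $request, User $user, PasswordUpdater $updater): Response
        {
            return $this->save($request, $user, $updater);
        }

        private function save(Request $request, User $user, PasswordUpdater $updater): Response
        {
            $form = $this->createForm(UserType::class, $user, [
                'require_password' => null === $user->getId(),
            ]);
            $form->handleRequest($request);
            if ($form->isSubmitted() && $form->isValid()) {
                // Empty on edit is a no-op, so "Column 'password' cannot be null" cannot recur
                $updater->apply($user, $form->get('plainPassword')->getData());
                $em = $this->getDoctrine()->getManager();
                $em->persist($user);
                $em->flush();
                return $this->redirectToRoute('user_list');
            }
            return $this->render('user/edit.html.twig', ['form' => $form->createView()]);
        }
    }
}
```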