sfEnhancedSecPlugin - 0.0.3

Security Enhancements plugin.


sfEnhancedSec plugin

The sfEnhancedSecPlugin is a symfony plugin that provides additional security features on top of symfony's standard security feature.

It gives three additional security methods:

  • Allow access based on links that were rendered in the previous request.
  • Callback into your action class for users lacking a specific credential, where you decide whether the user passed or failed the test.
  • Auto mode, where you give the current model and base model. This can be used for row-level security.

Installation

  • Install the plugin

    $ symfony plugin:install sfEnhancedSecPlugin

  • Enable the filter in filters.yml; insert it after the security filter

    sfEnhancedSecFilter:
      class: sfEnhancedSecFilter

  • Enable one or more security methods in your app.yml (optional)

    • For the link checker: render_checker
    • For the automatic checks: auto_sec

      all:
        render_checker:  true
        auto_sec:        true

Secure your application

To secure a symfony application with this plugin:

  • Example of settings for sfEnhancedSecPlugin in security.yml

    secure_check:
      model_class:  MyForm
      edit:
        function1: 
          name: checkUserCredentials
          credentails: [[root, administrator]]
          param: id
        content_verification:
          credentails: [root]
          active: true
        auto_check:
          credentails: [root]
          active: true
          assosiation:
            1:
              credentails: [administrator]
              module: Moderators
              user_param: mod_group_id
              compare_field: id
            2:
              credentails: [subscriber]
              module: Owners
              user_param: owner_id
              compare_field: id             
  • Basic callback checks example:

    secure_check:
      edit:
        function1: 
          name: checkUserCredentials
          credentails: [[root, administrator]]
          param: id
        function2: 
          name: checkUserOwnership
          credentails: [root]
          param: id
    • This example calls the module's action class whenever the edit action is requested. Each function is called by its name if the user lacks the credentials listed under its credentails: setting. If the function returns true the check has passed; if it returns false the check has failed and the user is forwarded to the default security module / action.
  • Basic link checks example:

    secure_check:
      edit:
        content_verification:
           credentails: [root]
           active: true
    • This example tests, for the edit action of the module, whether the user was previously given the URI to edit this row; if the user holds the credential listed under credentails: the check is skipped.
    • Note that even though the check is only performed in the edit action, the links of all modules and all actions are rendered and passed through the filter.
    • This method is mostly useful for admin-generated content, where it is very simple to filter the results; with that filtering in place a user cannot execute an action whose link was not rendered.
    • Currently only links and forms are checked.
  • Auto security checks example:

    secure_check:
      model_class:  MyForm
      edit:
        auto_check:
          credentails: [root]
          active: true
          assosiation:
            1:
              credentails: [administrator]
              module: Moderators
              user_param: mod_group_id
              compare_field: id
            2:
              credentails: [subscriber]
              module: Owners
              user_param: owner_id
              compare_field: id
    • This example runs the check for every edit action of the module if the user lacks the credentials listed under credentails:. The current user only needs to pass one check: in this case, if the user holds both the administrator and subscriber credentials and passes the first check, the second is not run. The credentails: under assosiation: are the credentials the user must hold to enter that specific test.

    • Sub section:

      1:
        credentails: [administrator]
        module: Moderators
        user_param: mod_group_id
        compare_field: id

      • This section defines a database relationship: in this case the MyForm model table holds a foreign key that eventually leads to the Moderators table. There may be many tables along the way, as long as each holds a foreign key to the next. The filter finds the relationship and attempts to query the database with the correct joins, counting the records that match the current request parameters in the MyForm table and, at the other end, hold in the compare_field column the value of the user attribute named by user_param: mod_group_id.

      • Keep in mind that for this to work correctly, when a user logs in you must store the attributes (such as "mod_group_id") of the current user on the session if the user is in the Moderators table.
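As an added example (not code shipped with sfEnhancedSecPlugin), here is an action class implementing the two callbacks named in the callback example above, written to fail closed and to mirror the row-level comparison the auto_check association performs. The page does not document the callback signature, so it is assumed that the filter invokes the named method on the module's action class with the value of the request parameter named by param:; the MyForm Propel model, its owner_id and mod_group_id columns, and the session attributes mod_group_id / owner_id set at login are also assumptions.

```php
<?php
// Added example for sfEnhancedSecPlugin's callback mode (not plugin code).
// ASSUMED: the filter calls the method named under `name:` on this action class
// and passes the request parameter named under `param:` (here `id`).
// ASSUMED: MyForm is a Propel model with owner_id and mod_group_id columns, and
// the signin action stored mod_group_id / owner_id on the session (see the note
// about login attributes above).
class myformActions extends sfActions
{
    // function1: reached only when the user lacks [root, administrator].
    // Returning false forwards the user to the default security module/action.
    public function checkUserCredentials($id)
    {
        // Validate the parameter before touching the database: fail closed.
        if (!ctype_digit((string) $id) || (int) $id <= 0) {
            return false;
        }
        $user = $this->getUser();
        $groupId = $user->getAttribute('mod_group_id');
        if (null === $groupId) {
            return false;            // no moderator group stored at login
        }
        $row = MyFormPeer::retrieveByPk((int) $id);
        if (null === $row) {
            return false;            // unknown row: deny rather than guess
        }
        // Same comparison the auto_check association expresses declaratively:
        // the row's foreign key must equal the user's mod_group_id attribute.
        return (int) $row->getModGroupId() === (int) $groupId;
    }

    // function2: reached only when the user lacks [root]. Row-level ownership
    // check equivalent to association 2 (user_param: owner_id, compare_field: id).
    public function checkUserOwnership($id)
    {
        if (!ctype_digit((string) $id) || (int) $id <= 0) {
            return false;
        }
        $ownerId = $this->getUser()->getAttribute('owner_id');
        $row     = MyFormPeer::retrieveByPk((int) $id);
        if (null === $ownerId || null === $row) {
            return false;
        }
        // Strict integer comparison so "1abc" or an empty string cannot match.
        return (int) $row->getOwnerId() === (int) $ownerId;
    }
}
```

Both callbacks return false for a missing, malformed or unrelated id, so a user who merely tampers with the id parameter is forwarded to the security module instead of reaching the edit action.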

TODO

  • add support for Propel 1.2