Symfony2 - use of Delete form in CRUD operation
The automatic CRUD operation generated by Symfony, and also the Symfony demo application, has the following code structure for the delete action:

    /**
     * Deletes a testing entity.
     *
     * @Route("/{id}", name="testing_delete")
     * @Method("DELETE")
     */
    public function deleteAction(Request $request, testing $testing)
    {
        $form = $this->createDeleteForm($testing);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            $em = $this->getDoctrine()->getManager();
            $em->remove($testing);
            $em->flush();
        }

        return $this->redirectToRoute('testing_index');
    }

    /**
     * Creates a form to delete a testing entity.
     *
     * @param testing $testing The testing entity
     *
     * @return \Symfony\Component\Form\Form The form
     */
    private function createDeleteForm(testing $testing)
    {
        return $this->createFormBuilder()
            ->setAction($this->generateUrl('testing_delete', array('id' => $testing->getId())))
            ->setMethod('DELETE')
            ->getForm()
        ;
    }

My question is: why do we need a form to delete? Can't we just have a link in the Twig template with an id parameter set accordingly? Can't we just do the following? Why do we need to check if the entity isValid() inside a form before deleting it?

    /**
     * test delete
     * @Route("/{id}", name="testing_delete")
     * @Method("DELETE")
     */
    public function deleteAction(testing $testing) {
        $em = $this->getDoctrine()->getManager();
        $em->remove($testing);
        $em->flush();
        return $this->redirectToRoute('testing_showall');
    }
Graptolite answered 5/1, 2016 at 6:26 Comment(0)

If you used a link for delete with an id, it's possible for a robot to delete your data by looping.

In the Symfony action, the "DELETE" method is checked, as well as whether your CSRF token verifies, with the method isValid ("$form->isValid()").

That's the security reason it creates a form and validates it.

Sheathing answered 5/1, 2016 at 6:46 Comment(3)
Ah yea, excellent. Is there any documentation online that talks about this? – Graptolite

I don't know about the documents, I have given the answer as per my knowledge. If I find a document I will share it with you.. thanks – Sheathing

This link talks about CSRF protection, from Symfony's docs: symfony.com/doc/current/components/form.html#csrf-protection – Carotenoid

Not using a simple link to delete data relates to the concept of safe methods in HTTP (if you had just a simple link, you would have to send a GET request to the URL):

Some of the methods (for example, HEAD, GET, OPTIONS and TRACE) are, by convention, defined as safe, which means they are intended only for information retrieval and should not change the state of the server. In other words, they should not have side effects [...]

Luck answered 5/1, 2016 at 8:11 Comment(0)

I think it's important to write a word about CSRF.

By using a Symfony form, it creates a CSRF token that ensures the user who deletes the entity is the same user who wanted it. If there was no form and only a link /{id}, it would be possible, by using a bad link in a mail or an XSS attack, to make someone else send the request to delete an entity.

If Bob uses an XSS breach or something else to make Alice (the admin) send a request for deleting an entity, the request is sent by Alice, even if it's an attack from Bob. So, Bob doesn't have the rights for this request but he used the session of Alice, who has the rights. The entity is deleted.

To protect against CSRF attacks, using a CSRF token is really important. Symfony's Form includes it automatically, and checks it in isValid().

Fashion answered 9/1, 2019 at 8:56 Comment(0)
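A worked version of what the Sheathing and Fashion answers describe, as an added example that is not code from the question or the answers: the same delete endpoint protected with an explicit CSRF token check instead of a Form object, which makes visible what `$form->isValid()` enforces. Assumed: Symfony 2.6+/3.x, the route and entity names from the question (the entity class written as `Testing`), and the HTTP method override enabled in the front controller, which the Standard Edition's app.php does by default.

```php
<?php
// Added example (not the question's or the answers' code). Shows the delete
// endpoint guarded by a CSRF token bound to the entity id.

namespace AppBundle\Controller;

use AppBundle\Entity\Testing;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

/*
 * Twig side (e.g. testing/show.html.twig). A plain <a href> would be a GET
 * with no token, which any page or e-mail can trigger. This POST form sends
 * the DELETE override and a token tied to this entity id:
 *
 *   <form method="post" action="{{ path('testing_delete', {'id': testing.id}) }}">
 *       <input type="hidden" name="_method" value="DELETE">
 *       <input type="hidden" name="_token" value="{{ csrf_token('delete' ~ testing.id) }}">
 *       <button type="submit">Delete</button>
 *   </form>
 */
class TestingController extends Controller
{
    /**
     * @Route("/{id}", name="testing_delete")
     * @Method("DELETE")
     */
    public function deleteAction(Request $request, Testing $testing)
    {
        // The token id includes the entity id, so a token minted for one
        // record cannot be replayed to delete a different one.
        $tokenId   = 'delete' . $testing->getId();
        $submitted = $request->request->get('_token');

        if (!$this->isCsrfTokenValid($tokenId, $submitted)) {
            // Missing or forged token (e.g. a request forced from another
            // site in the victim's session): refuse before touching the DB.
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        $em = $this->getDoctrine()->getManager();
        $em->remove($testing);
        $em->flush();

        return $this->redirectToRoute('testing_index');
    }
}
```

The `@Method("DELETE")` annotation alone only blocks GET links; it is the `_token` check that ties the request to the session that rendered the form.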
