On the Jolicode.com blog, there's a tutorial they've posted showing how to "mix security and forms" in a Symfony application to show only certain form fields based on a user's roles.
In some applications, it could be required to disable some form fields depending on user's roles. In this article, we will see how to implement this feature thanks to a simple example: a blog engine.
For their example, they use a Symfony 4 application with the MakerBundle and create a basic blog with "article" entities and an "admin" entity for the user list. From there, the post includes the code needed to update the buildForm method in the ArticleType class to check the current user and be sure they have the "admin" role. To make this work, they also build out a SecurityExtension form extension class that performs the actual check. This is then hooked into the pre-submit event on the form to prevent other issues where an attacker might delete the "allowed" element and submit the data anyway. The post wraps up with an example of performing a similar check but hiding the field instead of just disabling it in the form.