[LiveComponent] Document IDOR / write-surface sharp edges on LiveProp#3545
Open
Amoifr wants to merge 3 commits into
…ypes When a #[LiveProp(url: true)] property is typed as a Doctrine entity (or any object loaded via HydrationExtensionInterface), the identifier read from the query string is trusted as-is by the hydrator. Anyone visiting "?article=999" loads that entity into the component, with no authorization check happening at the framework level. This is by design — the same mechanism is exposed for writable: true and matches Symfony's ParamConverter behaviour — but the sharp edge is easy to miss when reading the attribute alone. Document it on the docblock so the expectation is explicit at the call site.
A writable: true LiveProp typed as a Doctrine entity lets the frontend swap the identifier in the "updated" payload, which the hydrator turns into a fresh entity lookup with no authorization check. Same intent as the previous commit on $url: documenting an existing sharp edge so it's visible at the attribute declaration site.
…ct props The "plain object" branch of hydrateObjectValue() takes the property names to write straight from the client-supplied array. PropertyAccessor still honours visibility (a setter or public property is required), so the surface is bounded — but anyone using writable: true on a DTO with public setters is unwittingly exposing them. Add an inline note so the constraint is visible next to the code that enforces it, instead of being something a reviewer has to derive from PropertyAccessor's semantics.
Doc-only resubmission of #3541 (closed alongside #3540) — rebased onto `3.x` and the Q/A header is now in place, as @Kocal asked on related PRs. No behaviour change.
`#[LiveProp]` has a few intentional, by-design sharp edges that aren't surfaced at the attribute declaration site:
These are documented tradeoffs of the component model, not bugs — the change just makes them visible at the call site so a developer doesn't have to derive them from the hydrator internals.
cc @kbond @smnandre — wording open for discussion; happy to move some of this into the reference docs instead if you'd rather keep the docblocks terse.
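The sharp edges the commits and the description above talk about, written out as a component beside one way to close them. This is an added example, not code from this PR and not symfony/ux's own code. `App\Entity\Article`, the `ArticleDraft` DTO, the component names and the voter attribute `ARTICLE_VIEW` are made up for the example; `#[LiveProp(url: ...)]`, `writable: true` and the `hydrateObjectValue()` behaviour come from the PR text, while the list form of `writable`, the `#[PostMount]` hook and the `#[PostHydrate]` hook are symfony/ux features as I know them and should be checked against the installed version.

```php
<?php
// Added example (not part of the PR or of symfony/ux): the LiveProp sharp edges
// described in the PR, next to a hardened variant. Article, ArticleDraft and
// the 'ARTICLE_VIEW' voter attribute are assumptions made for this example.

namespace App\Twig\Components;

use App\Entity\Article;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\Attribute\PostHydrate;
use Symfony\UX\LiveComponent\DefaultActionTrait;
use Symfony\UX\TwigComponent\Attribute\PostMount;

/** Plain DTO (assumed); only title and body are meant to be client-editable. */
final class ArticleDraft
{
    public string $title = '';
    public string $body = '';
    private bool $published = false;

    // A public setter that must not be reachable from the browser.
    public function setPublished(bool $published): void { $this->published = $published; }
    public function isPublished(): bool { return $this->published; }
}

// The sharp edges as the PR describes them: "?article=999" hydrates entity 999
// with no authorization check, a writable entity prop lets the client swap the
// identifier in the "updated" payload, and `writable: true` on the DTO lets the
// client reach setPublished() because PropertyAccessor honours public setters.
#[AsLiveComponent('article_editor_unsafe')]
final class ArticleEditorUnsafe
{
    use DefaultActionTrait;

    #[LiveProp(url: true)]
    public ?Article $article = null;

    #[LiveProp(writable: true)]
    public ?Article $related = null;

    #[LiveProp(writable: true)]
    public ?ArticleDraft $draft = null;
}

// Hardened variant: the framework still loads whatever identifier arrives, so
// the component authorizes the loaded entities itself, and writable paths are
// listed explicitly instead of opening the whole object.
#[AsLiveComponent('article_editor')]
final class ArticleEditor
{
    use DefaultActionTrait;

    #[LiveProp(url: true)]
    public ?Article $article = null;

    #[LiveProp(writable: true)]
    public ?Article $related = null;

    // Only draft.title and draft.body may be written from the client;
    // setPublished() is no longer reachable through the "updated" payload.
    #[LiveProp(writable: ['title', 'body'])]
    public ?ArticleDraft $draft = null;

    public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker)
    {
    }

    // Treat every hydrated entity like a request parameter and authorize it
    // after the framework has loaded it. PostMount covers the initial render
    // (url-bound props read from the query string); PostHydrate covers each
    // re-render (writable props arriving from the client). This pairing is my
    // understanding of the symfony/ux lifecycle, not something the PR states.
    #[PostMount]
    #[PostHydrate]
    public function denyUnauthorizedEntities(): void
    {
        foreach ([$this->article, $this->related] as $entity) {
            if (null !== $entity && !$this->authorizationChecker->isGranted('ARTICLE_VIEW', $entity)) {
                throw new AccessDeniedException('Not allowed to access this article.');
            }
        }
    }
}
```

The guard throws rather than silently nulling the property so that a swapped identifier surfaces as a 403 in the access logs instead of an empty render; if the surrounding application prefers a redirect, the same check belongs in the same two hooks.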