Method attribute


1 Presentation

Temma offers several attributes to filter access to controllers/actions according to HTTP method (GET, POST, etc.). The Method attribute is quite comprehensive and versatile, but Temma also provides attributes that are simpler and quicker to use.


2 Method

This attribute is used to define the HTTP methods that are allowed or forbidden when accessing a controller or action.

This is useful as one layer of protection against CSRF: a state-changing action that only accepts POST cannot be triggered by a plain link or an <img> tag. Note that an attacker's page can still auto-submit a cross-site POST form, so the method restriction should be combined with another defense (an anti-CSRF token, or the Referer attribute). It is also the natural way to define precisely which methods an API endpoint accepts.


2.1 Parameters

  • $allowed: (string|array) Allowed HTTP method, or list of allowed methods.
  • $forbidden: (string|array) Forbidden HTTP method, or list of forbidden methods.
  • $redirect: (string) URL to redirect the user to if the method is not authorized.
  • $redirectVar: (string) Name of the template variable that contains the URL to redirect the user to.

2.2 Priority

To define the URL to which the user will be redirected, the attribute applies the following order of priority:

  1. If the $redirect parameter is defined, it is used.
  2. If the $redirectVar parameter is defined, and it contains the name of an existing, non-empty template variable, its content is used.
  3. If the etc/temma.php file contains an x-security extended configuration, and this contains a methodRedirect key, its content is used.
  4. If the etc/temma.php file contains an x-security extended configuration, and this contains a redirect key, its content is used.

If no redirection URL is found, a 403 error is returned.
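The following controller, added here as an illustration and not taken from the Temma documentation or source, shows which of the four rules above applies to each action. The Items controller, its actions and the URLs are made up; the backUrl template variable is assumed to have been set earlier in the request (by a pre-plugin, for instance), before the attribute is evaluated.

```php
<?php
use \Temma\Attributes\Method as TµMethod;

// Hypothetical controller: names and URLs are assumptions for this example.
class Items extends \Temma\Web\Controller {
    // Rule 1: an explicit $redirect wins over everything else.
    // A GET on this URL (a link or <img> planted by an attacker)
    // is bounced to /items/list instead of deleting anything.
    #[TµMethod('POST', redirect: '/items/list')]
    public function delete(int $id) {
        // ... delete the item ...
        // POST-only does not stop a cross-site form submission:
        // pair it with an anti-CSRF token or the Referer attribute.
    }

    // Rule 2: no $redirect, so the 'backUrl' template variable is used.
    // Assumption: backUrl was set earlier in the request and is non-empty;
    // if it is missing or empty, the configuration keys are tried next.
    #[TµMethod(['POST', 'PUT'], redirectVar: 'backUrl')]
    public function update(int $id) {
        // ... update the item ...
    }

    // Rules 3 and 4: neither parameter is given, so x-security/methodRedirect
    // and then x-security/redirect from etc/temma.php decide; with neither
    // key configured the response is a 403.
    #[TµMethod('GET')]
    public function show(int $id) {
        // ... display the item ...
    }
}
```

To check the behaviour, send a GET to the delete action: it should answer with a redirect to /items/list. A POST to the show action, with no x-security keys configured, should answer 403.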


2.3 Configuration

To ensure that all Method attributes redirect to the same URL, simply define it in the etc/temma.php file:

[
    'x-security' => [
        'methodRedirect' => '/badAccess'
    ]
]

To ensure that the redirection URL is the same for the Auth, Method, Referer and Redirect attributes, simply define the redirect key in the x-security extended configuration in the etc/temma.php file:

[
    'x-security' => [
        'redirect' => '/login'
    ]
]

2.4 Examples

use \Temma\Attributes\Method as TµMethod;

/* all controller actions can only be accessed via POST. */
#[TµMethod('POST')]
class Actions extends \Temma\Web\Controller {
    // ...
}

use \Temma\Attributes\Method as TµMethod;

class Actions extends \Temma\Web\Controller {
    // this action is only available in GET
    #[TµMethod('GET')]
    public function getList() {
        // ...
    }

    // this action can be accessed via POST or PUT
    #[TµMethod(['POST', 'PUT'])]
    public function removeItem(int $id) {
        // ...
    }

    // this action can be accessed with any method
    // except PATCH
    #[TµMethod(forbidden: 'PATCH')]
    public function defineItem(int $id, mixed $value) {
        // ...
    }

    // this action can be accessed with any
    // method except HEAD and DELETE
    #[TµMethod(forbidden: ['HEAD', 'DELETE'])]
    public function fetchData() {
        // ...
    }
}

3 Head, Get, Post, Put, Patch, Delete

These attributes are shortcuts that simplify the use of the Method attribute. They specify the HTTP method that must be used to access a controller or action.


3.1 Specific parameters

These attributes have no parameters.


3.2 Redirection priority

When a controller or action is accessed using an incorrect method (for example, a GET request is made on an action that is configured with the \Temma\Attributes\Methods\Post attribute), a redirection URL can be defined. The attributes apply the following order of priority:

  1. If the etc/temma.php file contains an x-security extended configuration, and this contains a methodRedirect key, its contents are used.
  2. If the etc/temma.php file contains an x-security extended configuration, and this contains a redirect key, its contents are used.

If no redirect URL is found, a 403 error is returned.
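As an added example (not part of the Temma documentation or source), here is a small resource-style API controller built from the shortcut attributes. It assumes that neither methodRedirect nor redirect is set in the x-security section of etc/temma.php, so a client using the wrong method receives the 403 described above rather than a redirect to an HTML page, which is what an API client can actually handle. The controller, action names and routes are made up; the one action that must accept two methods falls back to the generic Method attribute, since each shortcut names a single method.

```php
<?php
use \Temma\Attributes\Methods\Get as TµGet;
use \Temma\Attributes\Methods\Post as TµPost;
use \Temma\Attributes\Methods\Put as TµPut;
use \Temma\Attributes\Methods\Delete as TµDelete;
use \Temma\Attributes\Method as TµMethod;

// Hypothetical API controller; routes in comments are assumptions.
// etc/temma.php is assumed to contain no 'x-security' redirect keys,
// so a wrong method yields a 403 instead of a redirect.
class Api extends \Temma\Web\Controller {
    // GET /api/list : read-only listing
    #[TµGet]
    public function list() {
        // ... return the collection ...
    }

    // GET or HEAD /api/show/<id> : the shortcut covers one method only,
    // so the generic attribute is used to also answer HEAD probes.
    #[TµMethod(['GET', 'HEAD'])]
    public function show(int $id) {
        // ... return one item ...
    }

    // POST /api/create : creation is a state change, never reachable by GET
    #[TµPost]
    public function create() {
        // ... create an item from the request body ...
    }

    // PUT /api/update/<id> : full replacement
    #[TµPut]
    public function update(int $id) {
        // ... replace the item ...
    }

    // DELETE /api/remove/<id> : a GET on this URL answers 403
    #[TµDelete]
    public function remove(int $id) {
        // ... delete the item ...
    }
}
```

If the same application also serves HTML pages that rely on the redirect key for the Auth attribute, keep methodRedirect unset and let only redirect apply to the web controllers; for this API controller the absence of both keys is the intended behaviour.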


3.3 Specific configuration

To ensure that all Method attributes and their shortcuts redirect to the same URL, simply define it in the etc/temma.php file:

[
    'x-security' => [
        'methodRedirect' => '/badAccess'
    ]
]

To ensure that the redirection URL is the same for the Auth, Method, Referer and Redirect attributes, simply define the redirect key in the x-security extended configuration in the etc/temma.php file:

[
    'x-security' => [
        'redirect' => '/login'
    ]
]

3.4 Attribute examples

use \Temma\Attributes\Methods\Head as TµHead;
use \Temma\Attributes\Methods\Get as TµGet;
use \Temma\Attributes\Methods\Post as TµPost;
use \Temma\Attributes\Methods\Put as TµPut;
use \Temma\Attributes\Methods\Patch as TµPatch;
use \Temma\Attributes\Methods\Delete as TµDelete;

class Actions extends \Temma\Web\Controller {
    // this action is only available via HEAD
    #[TµHead]
    public function action1() { }

    // this action is only available via GET
    #[TµGet]
    public function action2() { }

    // this action is only available via POST
    #[TµPost]
    public function action3() { }

    // this action is only available via PUT
    #[TµPut]
    public function action4() { }

    // this action is only available via PATCH
    #[TµPatch]
    public function action5() { }

    // this action is only available via DELETE
    #[TµDelete]
    public function action6() { }
}