Method attribute

Presentation

Temma offers several attributes to filter access to controllers/actions according to HTTP method (GET, POST, etc.). The Method attribute is quite comprehensive and versatile, but Temma also provides attributes that are simpler and quicker to use.

Method

This attribute is used to define the HTTP methods that are allowed or forbidden when accessing a controller or action.

This can be very useful for protecting an action against CSRF flaws (by forcing a request to be made as a POST and not as a GET), or for precisely defining the authorized methods for an API.

Parameters

  • $allowed: (string|array) Allowed HTTP method, or list of allowed methods.
  • $forbidden: (string|array) Forbidden HTTP method, or list of forbidden methods.
  • $redirect: (string) URL to redirect the user to if the method is not authorized.
  • $redirectVar: (string) Name of template variable containing URL to redirect user to.

Priority

To define the URL to which the user will be redirected, the attribute applies the following order of priority:

  1. If the $redirect parameter is defined, it is used.
  2. If the $redirectVar parameter is defined, and it contains the name of an existing, non-empty template variable, its content is used.
  3. If the temma.json file contains an x-security extended configuration, and this contains a methodRedirect key, its content is used.
  4. If the temma.json file contains an x-security extended configuration, and this contains a redirect key, its content is used.

If no redirection URL is found, a 403 error is returned.

Configuration

To ensure that all Method attributes redirect to the same URL, simply define it in the temma.json file:

{
    "x-security": {
        "methodRedirect": "/badAccess"
    }
}

To ensure that the redirection URL is the same for the Auth, Method, Referer and Redirect attributes, simply define the redirect key in the x-security extended configuration in the temma.json file:

{
    "x-security": {
        "redirect": "/login"
    }
}

Examples

use \Temma\Attributes\Method as TµMethod;

/* all controller actions can only be accessed via POST. */
#[TµMethod('POST')]
class Actions extends \Temma\Web\Controller {
    // ...
}

use \Temma\Attributes\Method as TµMethod;

class Actions extends \Temma\Web\Controller {
    // this action is only available in GET
    #[TµMethod('GET')]
    public function getList() {
        // ...
    }

    // this action can be accessed via POST or PUT
    #[TµMethod(['POST', 'PUT'])]
    public function removeItem(int $id) {
        // ...
    }

    // this action can be accessed with any method
    // except PATCH
    #[TµMethod(forbidden: 'PATCH')]
    public function defineItem(int $id, mixed $value) {
        // ...
    }

    // this action can be accessed with any
    // method except HEAD and DELETE
    #[TµMethod(forbidden: ['HEAD', 'DELETE'])]
    public function fetchData() {
        // ...
    }
}
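The following controller is an added example, not code from the Temma documentation or the Temma project. It walks through the redirection priority described in the Priority section above, using the $redirect and $redirectVar parameters that the page's own examples do not show. Assumed, and not stated on this page: the named parameters are written `redirect:` and `redirectVar:`, template variables are set from a controller with `$this['name'] = value`, and `__wakeup()` is called before the action so that a template variable set there is visible to the attribute.

```php
<?php
// Added example (not from the Temma documentation). Assumptions: the named
// parameters `redirect:` / `redirectVar:` correspond to the $redirect /
// $redirectVar parameters listed on this page, template variables are set
// with $this['name'] = value, and __wakeup() runs before the action.

use \Temma\Attributes\Method as TµMethod;

class Account extends \Temma\Web\Controller {
    // Pre-action hook (assumption: called by Temma before the action runs).
    public function __wakeup() {
        // Non-empty template variable, read by redirectVar below (rule 2).
        $this['accessDeniedUrl'] = '/account/denied';
        // Deliberately empty: an empty variable does not satisfy rule 2,
        // so the attribute falls through to the temma.json keys.
        $this['missingUrl'] = '';
    }

    // State-changing action restricted to POST so it cannot be triggered by a
    // plain GET link or image tag (pair this with a CSRF token; the method
    // restriction only removes the simplest cross-site trigger).
    // Rule 1: the explicit $redirect URL wins over every other source.
    #[TµMethod('POST', redirect: '/account/denied?reason=method')]
    public function changeEmail(string $email) {
        // ... update the e-mail address of the authenticated user ...
    }

    // Rule 2: no $redirect, so the non-empty template variable named by
    // $redirectVar is used ('/account/denied' here).
    #[TµMethod(['POST', 'DELETE'], redirectVar: 'accessDeniedUrl')]
    public function deleteAccount() {
        // ...
    }

    // Rule 2 fails (the variable is empty), so rules 3 and 4 apply in order:
    // x-security.methodRedirect, then x-security.redirect in temma.json.
    // With neither key configured, the request ends with a 403.
    #[TµMethod('POST', redirectVar: 'missingUrl')]
    public function rotateApiKey() {
        // ...
    }

    // Read-only endpoint: only GET and HEAD are accepted; any other method
    // gets the configured redirect or, failing that, a 403.
    #[TµMethod(['GET', 'HEAD'])]
    public function show() {
        // ...
    }
}
```

Each action deliberately stops at a different rule of the priority list, so a request made with the wrong method to changeEmail, deleteAccount and rotateApiKey shows rules 1, 2 and 3/4 respectively; checking the three responses is a quick way to confirm that the temma.json keys are being picked up as expected.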

Head, Get, Post, Put, Patch, Delete

These attributes are shortcuts that simplify the use of the Method attribute. They specify the HTTP method that must be used to access a controller or action.

Parameters

These attributes have no parameters.

Redirection priority

When a controller or action is accessed using an incorrect method (for example, a GET request is made on an action that is configured with the \Temma\Attributes\Methods\Post attribute), a redirection URL can be defined. The attributes apply the following order of priority:

  1. If the temma.json file contains an x-security extended configuration, and this contains a methodRedirect key, its contents are used.
  2. If the temma.json file contains an x-security extended configuration, and this contains a redirect key, its contents are used.

If no redirect URL is found, a 403 error is returned.

Configuration

To ensure that all Method attributes redirect to the same URL, simply define it in the temma.json file:

{
    "x-security": {
        "methodRedirect": "/badAccess"
    }
}

To ensure that the redirection URL is the same for the Auth, Method, Referer and Redirect attributes, simply define the redirect key in the x-security extended configuration in the temma.json file:

{
    "x-security": {
        "redirect": "/login"
    }
}

Examples

use \Temma\Attributes\Methods\Head as TµHead;
use \Temma\Attributes\Methods\Get as TµGet;
use \Temma\Attributes\Methods\Post as TµPost;
use \Temma\Attributes\Methods\Put as TµPut;
use \Temma\Attributes\Methods\Patch as TµPatch;
use \Temma\Attributes\Methods\Delete as TµDelete;

class Actions extends \Temma\Web\Controller {
    // this action is only available via HEAD
    #[TµHead]
    public function action1() { }

    // this action is only available via GET
    #[TµGet]
    public function action2() { }

    // this action is only available via POST
    #[TµPost]
    public function action3() { }

    // this action is only available via PUT
    #[TµPut]
    public function action4() { }

    // this action is only available via PATCH
    #[TµPatch]
    public function action5() { }

    // this action is only available via DELETE
    #[TµDelete]
    public function action6() { }
}