whats the point of using the @Method annotation

Question

Route Method¶ There is a shortcut @Method annotation to specify the HTTP method allowed for the route. To use it, import the Method annotation namespace:

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;

/**
 * @Route("/blog")
 */
class PostController extends Controller
{
    /**
     * @Route("/edit/{id}")
     * @Method({"GET", "POST"})
     */
    public function editAction($id)
    {
    }
}

I've seen a lot of developers limiting the Method to either only GET or POST, but since the controller allows both by default, why do developers choose to restrict it to only one method? is this some kind of security measure? and if yes what kind of attacks would that protect you from?

Answer 1

First, there are several method available following the spec, not only GET and POST

I don't think this is a security reason, it's more a matter of respecting standards (e.g REST methods).
I personally use different methods for several behaviours. For me, there's the action of SEEING the edition, and APPLYING the edition.
That's two different behaviours for a single URL. Even if the response at the end will tends not to change, the behaviour at controller level is different.

I think this is a matter of personnal preference, I like rather see

/**
 * @Route("/edit")
 * @Method({"GET"})
 * @Template
 */
public function editAction()
{
    $obj = new Foo;
    $obj->setBaz($this->container->getParameter('default_baz'));

    $type = new FooType;

    $form = $this->createForm($type, $obj, array(
        'action' => $this->generateUrl('acme_foo_bar_doedit'),
        'method' => 'PUT'
    ));

    return array(
        'form' => $form->createView()
    );
}

It's pretty clear what it does. It just instanciates the form you need, no user input are processed.
Now, you can add your action to process the edition by adding a second method

/**
 * @Route("/edit")
 * @Method({"PUT"})
 * @Template("AcmeFooBundle:Bar:edit.html.twig")
 */
public function doEditAction(Request $request)
{
    $obj = new Foo;
    $type = new FooType;

    $form = $this->createForm($type, $obj, array(
        'action' => $this->generateUrl('acme_foo_bar_doedit'),
        'method' => 'PUT'
    ));

    $form->handleRequest($request);

    if ($form->isValid()) {
        // Play with $obj
    }

    return array(
        'form' => $form->createView()
    );
}

Easy too, and can easily be used elsewhere in your application (rather than in the default edition page)

Answer 2

I personally ALWAYS define a request method (POST, GET, PUT etc etc). I think that (especially with RESTful API's) this is transparent. It can protect you against some attacks, because you are limiting the methods that can be used. It also makes sense, because if you login you POST data and don't GET it and if you request an article, you DO want to GET it :) See what I mean? Only the 'it makes it more transparent' has catched me already. I'm hooked to always defining the methods, whether it's only for clarity or anything else.

edit: Haven't seen the other answer yet (must've been added while I pressed the submit button :) )

Answer 3

There are a lots of reasons to choose between POST, GET, PUT and DELETE methods (or Http verbs). first of all there are some limitations in using GET method for example you can not include large amount of data in URL query string or MULTI-PART forms for uploading files. And there are many security considerations about using POST and GET methods and I don't even know where to start from. You can Google that. And finally in RESTful web services convention CRUD (Create/Retrieve/Update/Delete) operations are mapped to Http methods (POST/GET/PUT/DELETE). For example:

path: /student/{id}, method GET returns a student
path: /student, method POST creates a student
path: /student, method PUT updates student info

One of the most important security reasons would be that URLs are usually logged in ISPs, Apache web server and network devices(firewalls, ...) and if you include sensitive data such as session ids, ... your data will be stored in plain text in so many places that you have no idea about. Also i recommend have a look at OWASP top 10.