But you also need to be aware that you’re unwillingly creating a pattern that can be abused when you aren’t paying attention. I got caught by one of these myself for a few weeks now..

Let me explain.. For a couple of weeks, one of my sites was cursed with some strange voodoo. I had a list of some items on a page, and 1 of these items ( always the same one ) kept disappearing on a daily basis, while i was the only one with access to the database. I was puzzled until some mysql logging cleared things up. Some asian IP was executing my website like this: http://mysite.be/item/delete/id/$nr where $nr are the id’s from the list. ( Basic and easy-to-try standard crud thing, available from most frameworks, so if you know Symfony, you could guess that item had a delete, create, edit, show and list action )

Because the item module was forgotten in my security.yml frenzy, everyone could browse to that URL, and delete my items But why did only one item disappear? Well, the other delete requests were denied because of foreign keys, while the deleted one wasn’t coupled to any other field, so it was successfully removed every time.

Anyways, i plugged the hole with a security.yml as follows:

delete:
is_secure: on
credentials: admin

create:
is_secure: on
credentials: admin

edit:
is_secure: on
credentials: admin

One less thing to worry about