home / skills / makfly / superpowers-symfony / form-types-validation

form-types-validation skill

safe

This skill strengthens Symfony form types validation and authorization by applying test-backed boundaries at controllers and API operations.

npx playbooks add skill makfly/superpowers-symfony --skill form-types-validation

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

1.1 KB

---

name: symfony:form-types-validation
allowed-tools:
  - Read
  - Write
  - Edit
  - Bash
  - Glob
  - Grep
description: Strengthen Symfony authorization and validation boundaries with explicit, test-backed enforcement. Use for form types validation tasks.
---

# Form Types Validation (Symfony)

## Use when
- Hardening access-control or validation boundaries.
- Aligning voters/security expressions with domain rules.

## Default workflow
1. Map actor/resource/action decision matrix.
2. Implement voter/constraint logic at the right boundary.
2. Wire checks at controllers and API operations.
2. Test allowed/forbidden/invalid paths comprehensively.

## Guardrails
- Avoid policy logic duplication across layers.
- Do not leak privileged state via error detail.
- Preserve explicit deny behavior for sensitive actions.

## Progressive disclosure
- Use this file for execution posture and risk controls.
- Open references when deep implementation details are needed.

## Output contract
- Security boundary updates.
- Integration points enforcing decisions.
- Negative-path test results.

## References
- `reference.md`
- `docs/complexity-tiers.md`

Overview

This skill strengthens Symfony authorization and validation boundaries by enforcing explicit checks at form type and controller boundaries. It guides mapping actor-resource-action matrices, placing voters and constraints correctly, and producing test-backed negative and positive path coverage. The result is clearer responsibility, fewer duplicated policies, and safer error exposure.

How this skill works

The skill inspects form types, validators, and voter implementations to ensure access control and validation live at the correct boundary. It recommends wiring checks into controllers and API operations, and it generates a test matrix that exercises allowed, forbidden, and invalid paths. Outputs include suggested boundary updates, integration points, and failing negative-path tests to prevent regressions.

When to use it

Hardening access-control around sensitive domain actions
Aligning security voters or expressions with domain validation rules
Ensuring form input validation and authorization occur at intended boundaries
Reducing duplicated policy logic across layers
Auditing error messages to avoid leaking privileged state

Best practices

Map actor-resource-action decisions before implementing checks
Place policy logic in voters or dedicated constraints, not duplicated in controllers and forms
Wire explicit deny behavior for sensitive actions and test it
Keep error responses minimal to avoid leaking privileged state
Cover positive, forbidden, and invalid cases in automated tests

Example use cases

Move a permission check from a controller into a voter used by a form submit to centralize policy
Add a custom constraint to a form type to enforce domain rules already used by a voter
Create a test suite that asserts forbidden users receive 403 and invalid input yields validation errors
Audit a code path that returned detailed errors to ensure sensitive state is not exposed
Document integration points where authorization and validation intersect for future maintainers

FAQ

Where should I put complex business rules?

Place access decisions in voters or policy services and keep validation-specific rules in form constraints. Avoid duplicating the same rule in both places.

How do I test negative paths effectively?

Build a decision matrix of actor/resource/action combinations and write tests for allowed, forbidden, and invalid inputs to ensure behavior stays explicit.