
Security issue in Create Action

There is a missing check for newly created entities.

The example is not a real case, since our system is still under development, but it describes an attack vector.

For example, we have an admin user who is related to a few notice boards, and this user can add advertisements only on his own boards.

This check is provided by the appropriate voter, and obviously the list of available boards is filtered by a query.

But our violator can substitute board_id with the id of somebody else's board and submit his request. By the way, he can no longer operate on the submitted advertisement, because <code>isGranted('EDIT', $object)</code> will return <code>false</code> due to the voter logic. But he can still make a lot of spam submissions because of the missing <code>isGranted('CREATE', $object)</code> and, as a result, the missing voter call.
Dropaq 11 years ago
parent
commit
c208c10ee8
1 file changed with 5 additions and 0 deletions
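As an added illustration of the scenario described in the commit message (this is example code, not part of the commit or of the project; the class names `AdminUser`, `Advertisement`, `BoardVoter` and `CrudController`, the `checkCreate` flag and the sample users are assumptions made for the demonstration, and the framework's voter and form layers are reduced to plain PHP), the following shows the tampered `board_id` being persisted when the CREATE vote is skipped, the EDIT vote correctly refusing the attacker afterwards, and the same request being rejected before persistence once the CREATE vote is in place:

```php
<?php
// Added example, not code from the commit or the project. Names below
// (AdminUser, Advertisement, BoardVoter, CrudController, checkCreate) are
// assumptions chosen for the illustration; a real application would use its
// framework's security voter and form layer instead of this plain-PHP model.
declare(strict_types=1);

final class AdminUser
{
    /** @param int[] $boardIds ids of the notice boards this admin owns */
    public function __construct(public string $name, public array $boardIds) {}
}

final class Advertisement
{
    public ?int $id = null;
    public function __construct(public int $boardId, public string $text) {}
}

/** Mirrors the voter in the commit message: an admin may only act on ads that sit on one of his own boards. */
final class BoardVoter
{
    public function isGranted(string $attribute, Advertisement $ad, AdminUser $user): bool
    {
        return match ($attribute) {
            'CREATE', 'EDIT' => in_array($ad->boardId, $user->boardIds, true),
            default => false,
        };
    }
}

final class AccessDenied extends RuntimeException {}

final class CrudController
{
    /** @var Advertisement[] persisted rows, standing in for the database */
    public array $store = [];

    public function __construct(private BoardVoter $voter, private bool $checkCreate) {}

    /**
     * Bind the submitted data, then persist. board_id comes straight from the
     * request: the UI only offers the user's own boards, but nothing stops a
     * crafted request from naming any board at all.
     */
    public function createAction(array $request, AdminUser $user): Advertisement
    {
        $ad = new Advertisement((int) $request['board_id'], (string) $request['text']);

        // The fix from the commit: vote on the bound object before persisting.
        if ($this->checkCreate && !$this->voter->isGranted('CREATE', $ad, $user)) {
            throw new AccessDenied('not allowed to create on board ' . $ad->boardId);
        }

        $ad->id = count($this->store) + 1;
        $this->store[] = $ad;
        return $ad;
    }

    public function editAction(Advertisement $ad, AdminUser $user, string $text): void
    {
        if (!$this->voter->isGranted('EDIT', $ad, $user)) {
            throw new AccessDenied('not allowed to edit on board ' . $ad->boardId);
        }
        $ad->text = $text;
    }
}

// Constructed sample data: alice owns boards 1 and 2, bob owns board 3.
$alice = new AdminUser('alice', [1, 2]);
$voter = new BoardVoter();

// Alice submits a form whose board_id was tampered to bob's board.
$tampered = ['board_id' => 3, 'text' => 'buy cheap stuff'];

// Without the CREATE vote the spam lands on bob's board...
$vulnerable = new CrudController($voter, checkCreate: false);
$spam = $vulnerable->createAction($tampered, $alice);
printf("unchecked create: persisted ad #%d on board %d\n", $spam->id, $spam->boardId);

// ...and only the later EDIT vote refuses alice, exactly as the message says.
try {
    $vulnerable->editAction($spam, $alice, 'edited');
} catch (AccessDenied $e) {
    echo "edit after the fact: " . $e->getMessage() . "\n";
}

// With the CREATE vote the same request is rejected before anything is persisted.
$fixed = new CrudController($voter, checkCreate: true);
try {
    $fixed->createAction($tampered, $alice);
} catch (AccessDenied $e) {
    echo "checked create: " . $e->getMessage() . "\n";
}
printf("rows persisted by fixed controller: %d\n", count($fixed->store));

// A legitimate submission to alice's own board still succeeds.
$ok = $fixed->createAction(['board_id' => 1, 'text' => 'legit'], $alice);
printf("checked create on own board: persisted ad #%d on board %d\n", $ok->id, $ok->boardId);
```

Run it with `php example.php` (PHP 8.0 or newer, for `match` and named arguments). The point to take from the order of operations is that the vote has to happen after the submitted data is bound into the object, so the voter sees the attacker-supplied `board_id`, and before the object is persisted, so a denied request leaves no row behind.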

+ 5 - 0
Controller/CRUDController.php

@@ -521,6 +521,11 @@ class CRUDController extends Controller
 
             // persist if the form was valid and if in preview mode the preview was approved
             if ($isFormValid && (!$this->isInPreviewMode() || $this->isPreviewApproved())) {
+                
+                if (false === $this->admin->isGranted('CREATE', $object)) {
+                    throw new AccessDeniedException();
+                }
+                
                 $this->admin->create($object);
 
                 if ($this->isXmlHttpRequest()) {
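Review bot: the two added lines wrapping the new guard (`+                ` before and after the `if`) consist of trailing whitespace only; make them empty lines or drop them so the hunk does not introduce whitespace noise into `CRUDController.php`. The placement of the guard itself is right: it sits inside the `$isFormValid` branch, so the form has already bound the submitted data into `$object` and the voter evaluates the attacker-supplied board rather than an empty entity, and it runs before `$this->admin->create($object)`, so a denial persists nothing. One thing to confirm outside this hunk is that `AccessDeniedException` resolves in this file (an import such as `use Symfony\Component\Security\Core\Exception\AccessDeniedException;`, or the class already being used by another action); an unresolved class would turn the intended 403 into a PHP fatal error.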