Chapters

36 Chapters | 1:50:44 |

01

Introduction

0:44
02

Security Fundamentals

3:47
03

Authorization with Access Control

2:08
04

Creating a Login Form (Part 1)

4:46
05

Creating a Login Form (Part 2)

3:57
06

Logging Out and Cleaning Up

5:03
07

Twig Security and IS_AUTHENTICATED_FULLY

2:41
08

Denying Access: AccessDeniedException

4:23
09

Entity Security

4:32
10

Saving Users

3:37
11

Adding Dynamic Roles to each User

4:56
12

Repository Security

4:20
13

Doctrine’s QueryBuilder

2:25
14

The UserProvider: Custom Logic to Load Security Users

3:15
15

User Serialization

2:16
16

Registration Form

3:11
17

Form Rendering

4:38
18

Using More Fields: email and repeated

2:31
19

Handling Form Submissions

4:22
20

Form: Default Data

2:10
21

Cleaning up with a plainPassword Field

1:34
22

Using an External Form Type Class

2:40
23

Registration Validation

3:36
24

Server-Side Validation

4:18
25

Adding a Flash Message

1:35
26

Automatically Authenticating after Registration

0:55
27

Functional Testing

5:04
28

Testing Forms

3:21
29

Controlling Data / Fixtures in a Test

3:23
30

More about Container, the “doctrine” Service and the Entity Manager

1:54
31

After-dinner Mint

3:35
32

Security: Creating Roles and Role Hierarchies

2:50
33

Switching Users / Impersonation

1:09
34

Whitelisting: Securing all Pages, except a few

2:15
35

Accessing the User

1:09
36

Remember Me Functionality

1:44

This tutorial has a new version, check it out!

> Symfony 2 > Starting in Symfony2: Course 2 (2.4+)

Buy Access to Course

10.

Saving Users

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

Saving Users¶

Now that the error is gone, try logging in! Wait, but our user table is empty. So we can see the bad password message, but we can’t actually log in yet.

But we’re pros, so it’s no problem. Let’s copy the LoadEvents fixtures class (LoadEvents.php) into the UserBundle, rename it to LoadUsers, and update the namespaces:

// src/Yoda/UserBundle/DataFixtures/ORM/LoadUsers.php
namespace Yoda\UserBundle\DataFixtures\ORM;

use Doctrine\Common\DataFixtures\FixtureInterface;
use Doctrine\Common\Persistence\ObjectManager;
use Yoda\UserBundle\Entity\User;

class LoadUsers implements FixtureInterface
{
    public function load(ObjectManager $manager)
    {
        // todo
    }
}

Saving users is almost easy: just create the object, give it a username and then persist and flush it.

The tricky part is that darn password field, which needs to be encoded with bcrypt:

// src/Yoda/UserBundle/DataFixtures/ORM/LoadUsers.php
// ...
use Yoda\UserBundle\Entity\User;
// ...

public function load(ObjectManager $manager)
{
    $user = new User();
    $user->setUsername('darth');
    // todo - fill in this encoded password... ya know... somehow...
    $user->setPassword('');
    $manager->persist($user);

    // the queries aren't done until now
    $manager->flush();
}

ContainerAwareInterface for Fixtures¶

But what’s cool is that Symfony gives us an object that can do all that encoding for us. To get it, first make the fixture implement the ContainerAwareInterface:

// src/Yoda/UserBundle/DataFixtures/ORM/LoadUsers.php
// ...

use Symfony\Component\DependencyInjection\ContainerAwareInterface;

class LoadUsers implements FixtureInterface, ContainerAwareInterface
{
    // ...
}

This requires one new method - setContainer. In it, we’ll store the $container variable onto a new $container property:

// src/Yoda/UserBundle/DataFixtures/ORM/LoadUsers.php
// ...

use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

class LoadUsers implements FixtureInterface, ContainerAwareInterface
{
    private $container;

    // ...

    public function setContainer(ContainerInterface $container = null)
    {
        $this->container = $container;
    }
}

Because we implement this interface, Symfony calls this method and passes us the container object before calling load. Remember that the container is the array-like object that holds all the useful objects in the system. We can see a list of those object by running the container:debug console task:

php app/console container:debug

Encoding the Password¶

Let’s create a helper function called encodePassword to you know encode the password! This step may look strange, but stay with me. First, we ask Symfony for a special “encoder” object that knows how to encrypt our passwords. Remember the bcrypt config we put in security.yml? Yep, this object will use that.

After we grab the encoder, we just call encodePassword(), grab a sandwich and let it do all the work:

// src/Yoda/UserBundle/DataFixtures/ORM/LoadUsers.php
// ...

private function encodePassword(User $user, $plainPassword)
{
    $encoder = $this->container->get('security.encoder_factory')
        ->getEncoder($user)
    ;

    return $encoder->encodePassword($plainPassword, $user->getSalt());
}

Behind the scenes, it takes the plain-text password, generates a random salt, then encrypts the whole thing using bcrypt. Ok, so let’s set this onto the password property:

// src/Yoda/UserBundle/DataFixtures/ORM/LoadUsers.php
// ...

public function load(ObjectManager $manager)
{
    $user = new User();
    $user->setUsername('darth');
    $user->setPassword($this->encodePassword($user, 'darthpass'));
    $manager->persist($user);

    // the queries aren't done until now
    $manager->flush();
}

Try it! Reload the fixtures from the command line:

php app/console doctrine:fixtures:load

Let’s use the query console task to look at what the user looks like:

php app/console doctrine:query:sql "SELECT * FROM yoda_user"

array (size=1)
  0 =>
    array (size=3)
      'id' => string '1' (length=1)
      'username' => string 'user' (length=4)
      'password' => string '$2y$13$BoVE3I5dmVkBjRp.l6uwyOI8Z8Ngokiaa.OUUuHoDbGDBdMRMUrmC' (length=60)

Nice! We can see the encoded password, which for bcrypt, also includes the randomly-generated salt. You do need to store the salt for each user, but with bcrypt, it happens automatically. Symfony requires us to have a getSalt function on our User, but it’s totally not needed with bcrypt.

Back at the browser, we can login! Behind the scenes, here’s basically what’s happening:

A User entity is loaded from the database for the given username;
The plain-text password we entered is encoded with bcrypt;
The encoded version of the submitted password is compared with the saved password field. If they match, then you now have access to roam about this fully armed and operational battle station!

14 Comments

Sort By

Dan Costinel 6 years ago edited

Hey KNP! I'm sorry for bothering you again!

So I need to create a custom deleteAction() method. My reliable friend, google, didn't cared about my problem, unfortunately. Muf! Muf!

Anyway, here's what I've wrote until now:

`
/**

 * Deletes a Post entity.
 *
 * @Route("/post/{id}", name="post_delete")
 * @Method("DELETE")
 */
public function deleteAction(Request $request, $id)
{
    $em = $this->getDoctrine()->getManager();
    $entity = $em->getRepository('AppBundle:Post')->find($id);

    if (!$entity) {
        throw $this->createNotFoundException('Unable to find Post entity.');
    }

    $em->remove($entity);
    $em->flush();

    return $this->redirect($this->generateUrl('dashboard'));
}

And in my twig template:

<br />// for post in posts<br />// ...<br /><a href="{{ path('post_delete', { 'id':post.id }) }}">Delete</a><br />// ...<br />// endfor<br />

But I'm getting the following error:

<br />No route found for "GET /post/13": Method Not Allowed (Allow: DELETE)<br />

I also copied and adapted to my case, the code from a generated CRUD. It didn't worked!

Help, I'm in panic!

| Reply |

Dan Costinel Dan Costinel 6 years ago

Damn, I'm such a noob!

I finally solve the problem, by replacing the "DELETE" method with "GET". And boom, it worked like a charm!

I hope someone will find this helpful! ... and I'm glad I've "enlighted" myself!

But high-five KNP, just in case! :)

| Reply |

Victor SFCASTS Dan Costinel 6 years ago

Hey Dan,

Actually, you did it right, but there's more robust solution with a form which sends with DELETE method.

The "@Method("DELETE")" annotation means that you can send only DELETE request to this route, i.e. you can't send DELETE request with a link because it's just a GET request. So there're a few solutions:

1. Change "@Method("DELETE")" to the @Method("GET") because you delete posts by clicking a link. - Like you did
2. Replace delete link in the template with a <form method="DELETE"></form>, because you can send DELETE requests only with form. Of course, you need to add a submit button to this form and also generate the action attribute which points to the deleteAction().

The 2nd solution is more robust, because with the 1st one you can accidently go directly to the delete action and remove a post which you don't want to delete.

Cheers!

| Reply |

Dan Costinel Victor 6 years ago edited

Hi Victor, thanks for replying!

I tried your second solution too, but I couldn't figure out how to add a different id for each delete_form form.

Tried something like:


// loop through posts
// ...
<a href="{{ form(delete_form, { 'id':post.id }) }}">Delete</a>
// ...
// endloop

And I used both deleteAction(Request $request, $id) and createDeleteForm($id) generated by CRUD.
I ended up with just one delete button, and I needed one for each post.

| Reply |

Victor SFCASTS Dan Costinel 6 years ago edited

It's simple enough - just create a separate form for each post row as you do with links ;)


{% for post in posts %}
    <form action="{{ path('post_delete', {id: post.id}) }}" method="DELETE">
        <input type="submit">
    </form>
{% endfor %}

i.e. use its own separate form for each product row.

Cheers!

| Reply |

Dan Costinel Victor 6 years ago

I'll give it a try. Thanks a lot!
And one more question if you don't mind to answer it.

I have, for this part of my template, the need to hide some links (edit and delete) if the current logged in user is not the owner of the respective post (I have a ManyToOne relationship)

Like:

Users
-------
id username
1 abc
2 def

Posts
-------
id body user_id
1 ... 1
2 ... 1
3 ... 2

How to achieve this?

| Reply |

Victor SFCASTS Dan Costinel 6 years ago edited

You could easily check permissions with something like {% if app.user.id == post.user.id %} - then show links, but let's use something cooler! Look at <a href="http://symfony.com/doc/current/security/voters.html">Symfony Voters</a> - it's exactly what you need. then you can check whether the current user has access to a post with is_granted() Twig function. And hey, we have a free course on it: <a href="https://knpuniversity.com/screencast/symfony-voters">Symfony Security Voters</a>. And one more useful screencast about voters with a nice example inside: https://knpuniversity.com/screencast/new-in-symfony3/voter .

Cheers!

2 | Reply |

BondashMaster 6 years ago

I'm following this tutorial. But I get lost in "Let’s copy the LoadEvents fixtures class (LoadEvents.php)".

| Reply |

weaverryan SFCASTS BondashMaster 6 years ago

Hey there!

Yea, I realize that's a little vague - sorry about that :). In this step, I copy the entire DataFixtures directory from EventBundle (which contains the LoadEvents.php file we created earlier) and copy it into UserBundle. I just did this to save me time from creating the DataFixtures/ORM directory in UserBundle and creating the new LoadUsers.php file by hand.

I hope that helps!

| Reply |

BondashMaster weaverryan 6 years ago

Little Question, If I get the $25 monthly acces. I get "Access to the full KnpUniversity course library". So that includes this tutorial in particular??? Or the current month tutorials??? Cause I want THIS course in particular. And also the episode 1(cause I check thats includes the datafixture part) But I'm not sure if I get them with the monthly acces.

| Reply |

weaverryan SFCASTS BondashMaster 6 years ago

You'll get access to *everything* while your subscription is active - including this and episode 1... and also all of the newer Symfony 3 tutorials if you want those :)

| Reply |

BondashMaster weaverryan 6 years ago

Thanks.

| Reply |

weaverryan SFCASTS BondashMaster 6 years ago

Of course :) - I always keep an eye on the comments!

| Reply |

BondashMaster weaverryan 6 years ago

and I have ALL THE POWERRRRRR!!! I got my suscription :D. This is gonna be a hell of a good weekend.

| Reply |

Symfony 2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "~2.4", // v2.4.2
        "doctrine/orm": "~2.2,>=2.2.3", // v2.4.2
        "doctrine/doctrine-bundle": "~1.2", // v1.2.0
        "twig/extensions": "~1.0", // v1.0.1
        "symfony/assetic-bundle": "~2.3", // v2.3.0
        "symfony/swiftmailer-bundle": "~2.3", // v2.3.5
        "symfony/monolog-bundle": "~2.4", // v2.5.0
        "sensio/distribution-bundle": "~2.3", // v2.3.4
        "sensio/framework-extra-bundle": "~3.0", // v3.0.0
        "sensio/generator-bundle": "~2.3", // v2.3.4
        "incenteev/composer-parameter-handler": "~2.0", // v2.1.0
        "doctrine/doctrine-fixtures-bundle": "~2.2.0", // v2.2.0
        "ircmaxell/password-compat": "~1.0.3", // 1.0.3
        "phpunit/phpunit": "~4.1" // 4.1.0
    }
}

Previous Chapter

Next Chapter

Saving Users

Share this awesome video!

Keep on Learning!

Saving Users¶

ContainerAwareInterface for Fixtures¶

Encoding the Password¶

14 Comments

Delete comment?

What PHP libraries does this tutorial use?