1000 search results

Normalizer & Completely Custom Fields

…we need to make this userIsOwner() method... actually work! Add a constructor to the top of this class and autowire the Security service. I'll hit Alt -> Enter and go to "Initialize Fields" to create that property and set it. Down in the method…

7:32
Login Success & the Session

…cheat for now. Find your terminal and run: php bin/console security:encode This is a fun utility where you can give it a plain-text password - I'll use foo - and it will give us back an encoded version of that password. Copy that…

4:28
Api Tests & Assertions

…Guzzle. Let's do this! Make a request with $client->request(): make a POST request to /api/cheeses. How nice is that? We're going to focus our tests mostly on asserting security stuff. Because we haven't logged in, this request will not be…

6:51
Access Control & Voters

…bin/console make:voter Call it CheeseListingVoter. I commonly have one voter for each entity or "resource" that has complex access rules. This creates src/Security/Voter/CheeseListingVoter.php. Before we dive into the new class, go to CheeseListing. Instead of saying is_granted('ROLE…

8:25
Conditional Field Setup

…let's add this to the API for all users by adding @Groups("user:write"). This creates a huge security hole... so we'll come back to this in a few minutes and make sure that only admin users can write to this field. Let…

6:42
Backport the API Platform 2.5 Test Tools

…overriding the first... so let's remove the extra one. Anyways, for our first test, I want to make sure this security is working. Add public function testCreateCheeseListing(). And inside, make sure this all isn't an elaborate dream with $this->assertEquals(42, 42). Ok…

5:01
Adding the plainPassword Field

…when a user is updating their password. We talk about that on an older Symfony 3 Security Tutorial. We're going to try a different approach - an approach that's more specific to API Platform. Before we get there, let's write a test to…

7:31
Leverage the power of Symfony components within ApiPlatform

…and things like this. Security is also available in these tools. So when you think about an API, you don't really think about security and you don't have to care about it because we did all the work. We prepared this for…

27:45
Writing & Running Symfony's Tests

…I'll double-click to get back into SecurityBundle. Because we want to test TargetPathHelper, the test should live in Tests/Security. Create a new PHP class called TargetPathHelperTest. Make this extend the normal TestCase from PHPUnit: Then add public function testSavePath(): For the body…

5:25
Uh oh: Documentation Bug!

…builds off of TargetPathTrait, let's see where that's documented: git grep TargetPathTrait Ok: apparently that's covered in some form_login.rst file. Go find that in PhpStorm: security/form_login.rst. Look all the way down at the bottom. Yep, here is…

7:57
All about the Docs: CI & Format

…back over, find the security.rst file and scroll down to line 1269. Ah. This toctree thing is another feature of RST - it helps build the table of contents. Remove the security/target_path line. To make sure there aren't any other references, find…

7:27
Query Joins & Solving the N+1 Problem

…Shift+Shift and search for this: AppVariable. Cool! Ignore the setter methods on top - these are just for setup. The AppVariable has a couple of handy methods: getToken() and getUser() both relate to security. Then, hey! There's our favorite getRequest() method, then getSession(), getEnvironment(…

9:01
Sluggable & other Wonderful Behaviors

…main repository is closely controlled for quality. The second - the "contrib" repository - has some basic checks, but the community can freely contribute recipes. For security reasons, when you download a package that installs a recipe from that repository, it will ask you first before installing…

7:24
Finishing framework Config

…enabled as the Security CSRF component is not installed. Ohhhh. Like translation and form, csrf_protection activates a component that we don't have installed! No problem! Go back to symfony.sh and search for "csrf". There it is! Run: composer require security-csrf By…

7:21
The Server & New IsGranted

…So... why are we upgrading? So glad you asked: because the new version has a feature I really like! As soon as Composer finishes, go back to GenusAdminController. Instead of using @Security, use @IsGranted. This is similar, but simpler. For the value, you only need…

4:17
Bye Bye AppBundle

…terminal, run: git grep AppBundle Hey! Not too bad. And most of these are the same: calls to getRepository(). Start in security.yaml and do the same find and replace. You could do this for your entire project, but I'll play it safe. Now…

7:51
Integration Tests

…talks to the database! First, we need to finish our entities. Find Security and copy the id field. Open Dinosaur and paste this in. Do the same for Enclosure. We haven't needed these yet because we haven't touched the database at all. Now…

9:18
Clearing the Database

…top of every test method. But another great option is to override setUp() and add it there. Let's empty all three entities: Enclosure, Security and Dinosaur. For this method to work, we need a getEntityManager() method. At the bottom, add private function getEntityManager(). Then…

6:19
Test Fixtures & Fast Databases!

…the tutorial/ directory, you should have a DataFixtures directory. Copy that into your AppBundle. These two classes build 3 Enclosures and also add some security to them. But, part of this code is using a setEnclosure() method on Dinosaur... and that doesn't exist! Open…

7:18
Multiple Pages / Entries

…and... refresh! Bah: require is not defined Boo! My bad - I forgot to use the new built file. Open templates/bundles/FOSUserBundle/Security/login.html.twig. Point the script tag to build/login.js: And now... it works! When I type a really long username…

4:38