Custom User Methods & the User in a Service
…it
to see if the User is logged in because this will return null if they're not.
A more "official" way to do this would be to use isGranted() - that's
another method on the Security class - and check for IS_AUTHENTICATED_REMEMBERED:
Anyways…
Making DragonTreasureApi Writable
…soon.
For the else, this is when the user does not send an owner field.
To set it to the currently authenticated user, on top, inject the Security service
onto a new property. Then back below, set owner to $this->security->getUser().
Beautiful! We are…
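Both snippets above lean on the same two calls on the Security service: getUser(), which is null when nobody is logged in, and isGranted('IS_AUTHENTICATED_REMEMBERED'), the cleaner "is there a logged-in user at all?" check. The following is an added example, not code from the tutorial or from the DragonTreasureApi project: a small service that wraps both calls and uses them to default an owner. The class name, the App\Entity\User entity and the Symfony\Bundle\SecurityBundle\Security import (Symfony 6.2+) are assumptions.

```php
<?php
// Added example (not the tutorial's code). Assumes Symfony >= 6.2 where the
// Security helper lives in SecurityBundle, and an App\Entity\User entity.
namespace App\Service;

use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security;

final class CurrentUserResolver
{
    public function __construct(private readonly Security $security)
    {
    }

    // Quick check: getUser() returns null when no authenticated token exists.
    // Also guards against a token whose user is not our User entity.
    public function userOrNull(): ?User
    {
        $user = $this->security->getUser();

        return $user instanceof User ? $user : null;
    }

    // The "official" check from the text. IS_AUTHENTICATED_REMEMBERED is true
    // for a fresh login AND for a session restored from a remember-me cookie.
    // Use IS_AUTHENTICATED_FULLY instead for sensitive actions (password or
    // email changes) that should force a real login in this session.
    public function isLoggedIn(): bool
    {
        return $this->security->isGranted('IS_AUTHENTICATED_REMEMBERED');
    }

    // Mirrors the else-branch in the text: when the client did not send an
    // owner, fall back to the current user. Fails loudly instead of silently
    // persisting a null owner when there is no authenticated user.
    public function resolveOwner(?User $submittedOwner): User
    {
        if ($submittedOwner !== null) {
            return $submittedOwner;
        }

        $current = $this->userOrNull();
        if ($current === null || !$this->isLoggedIn()) {
            throw new \LogicException('Cannot default the owner: nobody is authenticated.');
        }

        return $current;
    }
}
```

Autowiring injects Security for you, so a processor or controller only needs to type-hint CurrentUserResolver. Deciding who may set an owner other than themselves (an admin, typically) is an authorization question and still belongs in a voter or a security expression, not in this helper.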
Listening to LemonSqueezy Javascript Events
…have Ngrok running, we're still able to sync the
LemonSqueezy customer ID with the user via JavaScript events. This approach
simplifies local development a bit, but both ways are totally valid.
Next: Let's tackle some potential security issues by preventing customer ID
hijacking.
Rendering LemonSqueezy Orders on the Account Page
…test mode. In production, this would also
list all the customer's orders.
Okay, now let's turn our attention to a small security issue here. At the
moment, we're filtering orders by the email users have registered with our site.
But, in theory…
Embedding the LemonSqueezy Checkout Overlay
…have a custom authenticator for our login form, so to make this actually
work, we need to make some adjustments. Open src/Security/LoginFormAuthenticator. At
the start of the onAuthenticationSuccess() method, add
if ($targetPath = $request->query->get('_target_path')). Inside,
return new RedirectResponse($targetPath)…
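The redirect described above is the whole point of the change, but a raw RedirectResponse to whatever arrives in _target_path turns the login form into an open redirect (a crafted login link can bounce a freshly logged-in user to another host). The following is an added example, not the tutorial's LoginFormAuthenticator: it implements the same onAuthenticationSuccess() flow and only honours a target path that is relative to this site. The route name app_homepage, the form field names and the CSRF token id are assumptions.

```php
<?php
// Added example (not the tutorial's own authenticator). Assumes Symfony's
// authenticator-based security (5.4+/6.x), a route named "app_homepage" and
// a login form posting "email", "password" and "_csrf_token".
namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
{
    use TargetPathTrait;

    public function __construct(private readonly RouterInterface $router)
    {
    }

    public function authenticate(Request $request): Passport
    {
        return new Passport(
            new UserBadge((string) $request->request->get('email', '')),
            new PasswordCredentials((string) $request->request->get('password', '')),
            [new CsrfTokenBadge('authenticate', (string) $request->request->get('_csrf_token', ''))]
        );
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        // 1. Explicit ?_target_path=... from the link that sent the user here
        //    (the checkout flow in the text), but only if it is a local path.
        if ($targetPath = self::localPathOrNull($request->query->get('_target_path'))) {
            return new RedirectResponse($targetPath);
        }

        // 2. Page the firewall stored before redirecting to the login form.
        if ($targetPath = $this->getTargetPath($request->getSession(), $firewallName)) {
            return new RedirectResponse($targetPath);
        }

        return new RedirectResponse($this->router->generate('app_homepage'));
    }

    protected function getLoginUrl(Request $request): string
    {
        return $this->router->generate('app_login');
    }

    // Accept only a same-site path: it must start with exactly one "/".
    // "//evil.example" is a scheme-relative URL to another host, "/\evil" is
    // normalised the same way by some browsers, and "https://..." carries a
    // scheme. Control characters are rejected to avoid header injection.
    public static function localPathOrNull(mixed $candidate): ?string
    {
        if (!is_string($candidate) || $candidate === '') {
            return null;
        }
        if (!str_starts_with($candidate, '/')
            || str_starts_with($candidate, '//')
            || str_starts_with($candidate, '/\\')) {
            return null;
        }
        if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
            return null;
        }

        return $candidate;
    }
}
```

With this in place, /login?_target_path=/checkout/premium still lands the user on the checkout page, while /login?_target_path=https://attacker.example and /login?_target_path=//attacker.example both fall through to the stored target path or the homepage.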
KnpMarkdownBundle & Service
…go... Twig is output-escaping the text (htmlspecialchars under the hood). Twig
does that automatically for security: it protects against XSS attacks - that's when
users try to enter JavaScript inside a question so that it will render & execute
on your site. In this case, we…
The Secrets Vault
…the value, open .env.local, copy the long DSN string, then paste here. You
won't see the value because the command is hiding it for security purposes.
And... boom! This generated the prod vault and encrypted the secret. Check out
config/secrets/prod. It…
Conditionally Disabling an Action
…admin somehow got the "Delete"
URL for an approved question, the delete action would still work. The action
itself isn't secure.
To give us that extra layer of security, right before an entity is deleted, let's
check to see if it's approved…
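Hiding the "Delete" button only changes the UI; the control that matters is the one in the action itself. The following is an added example, not the tutorial's controller: an EasyAdmin CRUD controller that hides the button for approved questions and also refuses the delete in deleteEntity(), so requesting the delete URL directly is rejected too. The Question entity and its getIsApproved() accessor are assumptions.

```php
<?php
// Added example (not the tutorial's code). Assumes EasyAdmin 4 and a
// Question entity exposing getIsApproved(): bool.
namespace App\Controller\Admin;

use App\Entity\Question;
use Doctrine\ORM\EntityManagerInterface;
use EasyCorp\Bundle\EasyAdminBundle\Config\Action;
use EasyCorp\Bundle\EasyAdminBundle\Config\Actions;
use EasyCorp\Bundle\EasyAdminBundle\Config\Crud;
use EasyCorp\Bundle\EasyAdminBundle\Controller\AbstractCrudController;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

class QuestionCrudController extends AbstractCrudController
{
    public static function getEntityFqcn(): string
    {
        return Question::class;
    }

    // Cosmetic layer: do not even render the button for approved questions.
    public function configureActions(Actions $actions): Actions
    {
        return $actions->update(
            Crud::PAGE_INDEX,
            Action::DELETE,
            static fn (Action $action) => $action->displayIf(
                static fn (Question $question) => !$question->getIsApproved()
            )
        );
    }

    // Enforcement layer: runs for every delete, whether it came from the
    // button or from a hand-crafted URL with a valid CSRF token.
    public function deleteEntity(EntityManagerInterface $entityManager, $entityInstance): void
    {
        if ($entityInstance instanceof Question && $entityInstance->getIsApproved()) {
            throw new BadRequestHttpException('Approved questions cannot be deleted.');
        }

        parent::deleteEntity($entityManager, $entityInstance);
    }
}
```

Throwing from deleteEntity() turns the request into a 400 before anything reaches the database; a LogicException or a domain exception works too, as long as the parent method is never reached for the forbidden case.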
Routing Secrets & Request Attributes
…empty. After? We have _route,
_controller, slug and hey! A few other things were added by other
listeners related to security. That's not important for us - but still, interesting!
Remove all that debug code.
Before we find out how the request attributes are used…
Adding Property Types to Entities
…huge step forward. Next, let's dial
in on these remaining deprecations and work on squashing them. We're going to start
with the elephant in the room: converting to the new security system. But
don't worry! It's easier than you might think!
Validation Auto-Mapping
…that
would be awesome. This is probably even better: let's chat about password
hashing algorithms. Trust me, it's actually pretty neat stuff. Specifically,
I want to talk about safely upgrading hashed passwords in your database to stay
up-to-date with security best-practices.
Argument Value Resolvers
…resolver.
Another resolver lives in a different directory - I'll hit Shift+Shift to open it:
UserValueResolver.php. This resolver allows you to type-hint UserInterface
on an argument to get your security User object.
At this point, if we look back at ArticleController::show…
Flex, Versioning & extra.symfony.require
…code. Flex
has no effect on these: they upgrade normally, and that's fine.
So upgrading the "patch" version of Symfony to get bug fixes and security releases
is just as simple as running composer update "symfony/*". But to upgrade to the
next minor version…
Absolute Asset Paths
…it... but I don't really see the point. I'll keep absolute URLs always.
Next: let's start uploading private assets: stuff that can't be put into the
public/ directory because we need to check security before we let a user download
it.
Mime Type Validation
…more time. The huge error is replaced by a much more pleasant validation
message.
Next: the author can upload a file reference... but it is literally impossible
for them to download it. How can we make these private files accessible, but
still check security first?
Back to the Basics (Symfony local Web Server)
…use symfony security:check, which is nice because it does not
connect to the API: it clones the advisories repository from GitHub, and after
that everything happens locally. So that's a nice way to not
depend on security.symfony.com…
Autowiring & Service Deprecations
…want.
That means, back in SecurityController, delete this line and add a new
AuthenticationUtils $authenticationUtils argument. Done.
The last spot is in UserController: we're using security.authentication.guard_handler.
This time, let's guess the type-hint! Add a new argument: Guard... GuardAuthenticationHandler.
That…
Authorization Code Grant Type
…This parameter is absolutely necessary
for the API request to work, but isn't actually used by COOP for redirecting. It's a security
measure: the server compares it against the redirect_uri from the original
authorization request, so an authorization code captured on one redirect_uri cannot be
exchanged by a client claiming a different one. It must exactly equal the original redirect_uri that we
used when we redirected the user.
Ok, let's try it…
Enhanced Docker Integration & Testing Emails
…but instead of actually sending the
verification email, we're just putting the verification URL directly into a flash
message. It was a shortcut I made during the Security tutorial.
But now, let's send a real email. I'll go to the bottom of…
Recipe Upgrades with recipes:update
…config is no config...
which tells Doctrine to figure out things for us.
Once again, add all these changes, commit, and... let's keep going! Well, let's
keep going in the next chapter, where we upgrade DoctrineExtensionsBundle,
some debug recipes, routing, security and more!