Custom Filter Logic for Entities
…API request, click into the Doctrine section then "view formatted query".
Beautiful! The is_published and owner_id checks come from a Doctrine extension
we created in the last tutorial and relate to security. Then it searches
on the title or description fields. Pretty…
Building really fast applications (Tobias Nyholm)
…like to do whenever I start a new project, and when I download a new dependency, I like to play a game called "do you need this?" So basically: do you need security if you're on a private network? Do you need forms…
Auto-set the Owner: Entity Listener
… To find the
currently-authenticated user, add an __construct() method, type-hint the
Security service and then press Alt + Enter and select "Initialize fields" to
create that property and set it.
Next, inside the method, start by seeing if the owner was already set: if…
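The listener the snippet above describes, written out as an added example (this is not the tutorial's own code). It assumes a CheeseListing entity with getOwner()/setOwner() and a User entity; both class names, and the PHP 7.4+ typed properties, are assumptions.

```php
<?php
// Added example, not the SymfonyCasts tutorial's code. Assumed names:
// App\Entity\CheeseListing (getOwner/setOwner) and App\Entity\User.

namespace App\Doctrine;

use App\Entity\CheeseListing;
use App\Entity\User;
use Symfony\Component\Security\Core\Security;

class CheeseListingSetOwnerListener
{
    private Security $security;

    // Type-hinting the Security service gives us access to the
    // currently-authenticated user via getUser().
    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    // Doctrine calls this just before the first INSERT of the entity.
    // Registered in config/services.yaml (assumed wiring):
    //
    //   App\Doctrine\CheeseListingSetOwnerListener:
    //       tags:
    //           - { name: doctrine.orm.entity_listener,
    //               event: prePersist,
    //               entity: App\Entity\CheeseListing }
    public function prePersist(CheeseListing $cheeseListing): void
    {
        // Start by seeing if the owner was already set: if so, leave it alone.
        if ($cheeseListing->getOwner()) {
            return;
        }

        $user = $this->security->getUser();

        // getUser() returns null for anonymous requests and, in principle,
        // any UserInterface implementation; only set a real User.
        if ($user instanceof User) {
            $cheeseListing->setOwner($user);
        }
    }
}
```

One caveat a practitioner should keep in mind: the early return means that if the API exposes the owner field as writable, a client can still assign a listing to someone else. The listener only fills a missing owner; who is allowed to set one explicitly has to be enforced separately, on that field.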
A "Normalizer Aware" Normalizer
…most importantly, it fixes our issue!
Next, let's add the proper security logic to our class and then investigate
another superpower of normalizers: the ability to add completely custom fields.
We'll add a strange... but potentially useful boolean field to User called isMe.
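As an added example of the "custom field" superpower described above, here is a normalizer that adds an isMe boolean to User. This is not the tutorial's own code; it assumes a User entity with getId(), the Symfony 4.4/5.x serializer interfaces (ContextAwareNormalizerInterface), and the owner:read group name, all of which are assumptions.

```php
<?php
// Added example, not the SymfonyCasts tutorial's code. Assumes App\Entity\User
// with getId() and the Symfony 4.4/5.x serializer interfaces.

namespace App\Serializer\Normalizer;

use App\Entity\User;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Serializer\Normalizer\ContextAwareNormalizerInterface;
use Symfony\Component\Serializer\Normalizer\NormalizerAwareInterface;
use Symfony\Component\Serializer\Normalizer\NormalizerAwareTrait;

class UserNormalizer implements ContextAwareNormalizerInterface, NormalizerAwareInterface
{
    // Gives us $this->normalizer, the "main" normalizer we delegate to.
    use NormalizerAwareTrait;

    // Context flag so the recursive call below does not come back to us.
    private const ALREADY_CALLED = 'USER_NORMALIZER_ALREADY_CALLED';

    private Security $security;

    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    public function normalize($object, $format = null, array $context = [])
    {
        $isMe = $this->isCurrentUser($object);

        // Security logic: only the user themselves sees owner-only fields
        // (assumed group name 'owner:read').
        if ($isMe) {
            $context['groups'][] = 'owner:read';
        }

        $context[self::ALREADY_CALLED] = true;

        // Let the normal serializer do the heavy lifting...
        $data = $this->normalizer->normalize($object, $format, $context);

        // ...then bolt on a field that is not a property of the entity at all.
        if (is_array($data)) {
            $data['isMe'] = $isMe;
        }

        return $data;
    }

    public function supportsNormalization($data, $format = null, array $context = [])
    {
        // Returning false on the second pass prevents infinite recursion.
        if (isset($context[self::ALREADY_CALLED])) {
            return false;
        }

        return $data instanceof User;
    }

    private function isCurrentUser(User $user): bool
    {
        $authenticated = $this->security->getUser();

        return $authenticated instanceof User
            && $authenticated->getId() === $user->getId();
    }
}
```

The ALREADY_CALLED flag is the part people forget: without it, the delegated normalize() call matches this class again and recurses until PHP runs out of stack.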
Filtering Related Collections
…for more complex control, hiding fields
based on the user, adding custom fields based on the user, validating data...
again... based on who is logged in and even controlling database queries based
on security. That... was awesome!
In an upcoming tutorial, we'll talk about…
Base Test Class full of Goodies
…We need to get the service out of
the container that's responsible for encoding passwords. We can get that with
self::$container->get('security.password_encoder'). We also could have used
UserPasswordEncoderInterface::class as the service id - that's the type-hint
we use…
Resetting the Database Between Tests
…
Next, I want to make one more improvement to our test suite before we get back
to talking about API Platform security. I want to create a base test class with
some helper methods that will enable us to move fast and write clean code…
Testing, Updating Roles & Refreshing Data
…the test
environment, in order for Symfony's security system to "notice" that a user's
roles were updated in the database, that user needs to log back in. It's a quirk
of the security system and hopefully one we'll fix soon. Heck…
When Testing Makes No Sense
… Okay. 6 to 7
hands. So, actually, can you raise your hands up? Who tests everything? How much
security testing do we do? Performance testing? Visual regression testing? That
all is testing, right?
So, why I decided to do this talk was people came to…
Microservices Gone Wrong
…let's say you have a bug in production. How would
you replicate that in a local environment? If you're dealing with a monolith,
maybe depending upon your security requirements, you clone the database? Or if
you're actually doing things well and GDPR…
Knowing your State Machines
…surprise: I love the Workflow Component. I use the Workflow component
all over the place. If I have... the Symfony Security components have the
concept of voters, which are basically: if someone wants to watch, view an
advert, I got to make sure that advert…
Going crazy with Varnish: Caching pages of logged in users
…for example, it could
be the groups of a user, because Symfony security has this concept of groups
already. This can be implemented quite transparently: the reverse proxy does
the job and the application doesn't really need to know about it that much. The…
How Static PHP Analyzer Changed the way I Look at Code
…bugs. So, trying really to analyze PHP on multiple levels of PHP code: you
have bugs, you have even vulnerabilities. So they have kind of security checks
as well. You have those code smells. It's the things I want to talk about
today…
Building Global Web Apps with Multi-region Hosting
…data from headers, which, you know,
it's not the best idea in terms of security or taking user content and like just
dumping it into the session and serializing it, like you want to be really
careful when you do things like that. Um…
Building Apps for Immutable Servers
…Okay? That's a simple one. It's more or less easier, but it can have some
issues. Let's say that you want to apply some security updates. It can be more
tricky. I usually prefer a multistep build process. This is my preference…
Service Subscriber: Lazy Performance
…stuff.
But then, in just a couple of places in Symfony, the main ones being Twig extensions,
event subscribers and security voters - a few topics we'll talk about in the future -
you should consider using a service subscriber instead to avoid a performance hit.
Updating an Entity
…On a real site, I should
only be able to like this article one time. But, we'll need to talk about users
and security before we can do that.
Now that this is working, we can improve it! In the controller, we wrote some…
Controller Functional Test
…piece of configuration. In
your application, open config/packages/framework.yaml. Yep, right on top: the
secret key.
This is used in various places for security, and, since it needs to be unique and
secret, Symfony can't give you a default value. For our…
Flex Extras
…old!
Let's try one of these commands!
./bin/console make:voter
Call it RandomAccessVoter: we'll create a voter that randomly gives us access.
Fun! Open the new class in src/Security/Voter. This comes pre-generated with
real-world example code. In supports()…
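An added example that ties the RandomAccessVoter above together with the service-subscriber note from "Service Subscriber: Lazy Performance": a voter that declares its dependency through getSubscribedServices() so the dependency is only instantiated when the voter actually votes. This is not the code make:voter generates and not SymfonyCasts' code. The RANDOM_ACCESS attribute name, the choice of a PSR logger as the lazily-loaded service, and the Symfony 4.4/5.x method signatures are all assumptions.

```php
<?php
// Added example, not the generated make:voter code. Assumed: attribute name
// RANDOM_ACCESS, a PSR-3 logger as the lazy dependency, Symfony 4.4/5.x.

namespace App\Security\Voter;

use Psr\Container\ContainerInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Contracts\Service\ServiceSubscriberInterface;

class RandomAccessVoter extends Voter implements ServiceSubscriberInterface
{
    private ContainerInterface $locator;

    // Voters are instantiated on every request that checks access. With a
    // service subscriber, Symfony injects a small locator instead of the real
    // dependencies, so the logger is only built if voteOnAttribute() runs.
    public function __construct(ContainerInterface $locator)
    {
        $this->locator = $locator;
    }

    public static function getSubscribedServices(): array
    {
        return [LoggerInterface::class];
    }

    protected function supports($attribute, $subject): bool
    {
        // Only weigh in on our own attribute; abstain on everything else so
        // other voters (and access_control) keep full authority.
        return $attribute === 'RANDOM_ACCESS';
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        // "A voter that randomly gives us access". Demo behaviour only:
        // a real voter derives its answer from $token->getUser() and $subject.
        $granted = random_int(0, 1) === 1;

        $this->locator->get(LoggerInterface::class)->info(
            'RandomAccessVoter decided',
            ['granted' => $granted]
        );

        return $granted;
    }
}
```

Check the result with `php bin/console debug:container App\Security\Voter\RandomAccessVoter`: the constructor argument should show a service locator rather than the logger itself. Voters are registered automatically through autoconfiguration, so no extra tag is needed; and, obviously, never ship a voter whose decision is a coin flip.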
Services
…say about the topic of services, and so many other parts
of Symfony: configuration, Doctrine & the database, forms, Security and APIs, to
just name a few. The Space Bar is far from being the galactic information source
that we know it will be!
But, congrats…