Flex, Recipes & Aliases
…big list of which recipes
have been installed.
So, who created the other file? Open it up: config/packages/security_checker.yaml.
Each package you install may have a Flex "recipe". The idea is beautifully
simple. Instead of telling people to install a package and…
The All-Important User Class
…turn the oven
off... probably.
It gives you a lot of free features that we will build by hand. But FOSUserBundle
does not give you any special "security" system - it's much less interesting than
that, in a good way! The bundle gives you just…
Using a shortcut Base Controller Class
Getting the security.context service requires too much typing. So let’s
make some improvements so we can get things done faster.
Create a new class called Controller inside the EventBundle and make
this class extend Symfony’s standard…
Authentication Success & Refreshing the User
…do a quick review of how our authenticator works. After activating
it in security.yaml:
Symfony calls our supports() method on every request before the controller:
Since our authenticator knows how to handle the login form submit, we return true
if the current request is…
Registration Form
Head back over to /register. We built this in our security tutorial. It does
work... but we kind of cheated. Back in your editor, open
src/Controller/SecurityController.php and find the register() method. Yep,
it's pretty obvious: we did not use the form…
Authorization: access_control and Roles
Authentication is done. So how about we tackle the second half of security: authorization.
This is all about figuring out whether or not the user has access to do something.
For example, right now we have a fancy admin section, but probably not everyone
should…
Users Need Passwords (plainPassword)
…little evil.
Finally, in eraseCredentials(), add $this->plainPassword = null:
Symfony calls this after logging in, and it's just a minor security measure to prevent
the plain-text password from being accidentally saved anywhere.
The User object is perfect. Let's add the listener.
Loading Fixtures References
…getReferenceRepository() and assign this
to a new $fixtures variable:
Here's the deal: if you look in the fixtures, you can see that the first two Enclosures
do not have any security. You can also see that we're using some sort
of "reference" system…
Switching Users / Impersonation
What's that ROLE_ALLOWED_TO_SWITCH all about in security.yml? Symfony
gives you the ability to actually change the user you're logged in as.
Ever have a client complaint you couldn't replicate? Well, now you can log in
as…
Dynamic Groups: Context Builder
In DragonTreasure, find the $isPublished field. Earlier we added this ApiProperty
security thing so that the field is only returned for admin users or owners of
this treasure. This is a simple and 100% valid way to handle this situation.
However, there is another way…
Goodbye SensioFrameworkExtraBundle
…happened while
we were upgrading recipes. In framework.yaml, it's the annotations: false.
SensioFrameworkExtraBundle gave us all kinds of features like the @Route
annotation, security annotation, and something called the param converter. These all
relied on the annotation system, which has been replaced by…
make:user
…authenticate - a login form, social authentication, or
an API key - your security system needs some concept of a user: some class that
describes the "thing" that is logged in.
Yup, step 1 of authentication is to create a User class. And there's a command…
Custom Validator
…logic. To do the owner check, we need to know
who's logged in. Add a __construct() method, autowire our favorite Security
class... and I'll put private in front of that, so it becomes a property:
Below, set $user = $this->security->getUser(). And…
API Platform 3 Part 3: Custom Resources
Thanks to part 1 & part 2, we've already built a seriously powerful API, complete with security, custom fields and many more goodies. In this course, we'll take things even further:
State Providers & "proper" custom fields
Run custom code on a "state" change (e…
Registration Form
Let's add a registration form to our site. There's a funny thing about registration
forms: they have basically nothing to do with security! Think about it: the point
of a registration form is just to insert new users into the database. So creating…
Voters
When we need to deny access to something, we can do it in a couple of different
places, like access_control in security.yaml:
Or various ways inside of a controller. And when we deny access, we know that
we can do it by checking…
Storing Private Files
…because that writes
everything into the public/uploads/ directory. If we need to check security before
letting a user download a file, then it can't live in the public/ directory.
And that means we need a second Flysystem filesystem: one that can store
things…
Finishing the Request
…it's from security! Open that up: Shift+Shift,
ContextListener.php.
Scroll down to find the method we care about: onKernelResponse(). It says:
Writes the security token into the session.
If you use a "stateful" firewall... which you probably are using, unless your
security system is…
Describing for Exception Messages
…securities, an exception should be thrown. And of course, we will
need to update some of our examples from earlier once we get this working so that
they also have some active security.
Anyways, down in addDinosaur(), let's call another new method
if (!$this…
Deny Access in the Controller
There are two main places where you can deny access. The first we just learned about:
access_control in security.yaml:
It's simple - just a regular expression and a role. It's the best way to protect
entire areas of your site - like everything…