From e43573d9876cf446bba4aa423aedadeeaa84a908 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Sch=C3=A4dlich?= Date: Wed, 19 Feb 2020 14:13:17 +0100 Subject: [PATCH 1/4] Fix wording --- components/phpunit_bridge.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/phpunit_bridge.rst b/components/phpunit_bridge.rst index 409647e3a0c..db3c029efd1 100644 --- a/components/phpunit_bridge.rst +++ b/components/phpunit_bridge.rst @@ -525,7 +525,7 @@ Troubleshooting The ``@group time-sensitive`` and ``@group dns-sensitive`` annotations work "by convention" and assume that the namespace of the tested class can be obtained just by removing the ``Tests\`` part from the test namespace. I.e. -that if the your test case fully-qualified class name (FQCN) is +if your test case's fully-qualified class name (FQCN) is ``App\Tests\Watch\DummyWatchTest``, it assumes the tested class namespace is ``App\Watch``. From aba29b2c66b9302782da384d05ded282b1956d7b Mon Sep 17 00:00:00 2001 From: Jules Pietri Date: Wed, 19 Feb 2020 21:01:08 +0100 Subject: [PATCH 2/4] [Security] clarified the encoding with memory providers --- security.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security.rst b/security.rst index c5c5e4fbcb8..db407525de7 100644 --- a/security.rst +++ b/security.rst 
@@ -449,13 +449,18 @@ To fix this, add an ``encoders`` key: User providers load user information and put it into a :class:`Symfony\\Component\\Security\\Core\\User\\UserInterface` implementation. If you :doc:`load users from the database ` or :doc:`some other source `, you'll -use your own custom User class. But when you use the "in memory" provider type, +use your own custom User class. But when you use the ``memory`` provider type, it gives you a :class:`Symfony\\Component\\Security\\Core\\User\\User` object. Whatever your User class is, you need to tell Symfony what algorithm was used to encode the passwords. In this case, the passwords are just plaintext, but in a second, you'll change this to use ``bcrypt``. +.. caution:: + + When using a ``memory`` provider and the :class:`Symfony\\Component\\Security\\Core\\User\\User`, + you have to choose an encoding without salt (i.e. ``bcrypt``). + If you refresh now, you'll be logged in! The web debug toolbar even tells you who you are and what roles you have: From 33cb2f35bb1c0e3ca4e11a727ecb9392b4fa1974 Mon Sep 17 00:00:00 2001 From: Oskar Stark Date: Thu, 20 Feb 2020 08:20:20 +0100 Subject: [PATCH 3/4] minor. refs #13186 --- components/phpunit_bridge.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/phpunit_bridge.rst b/components/phpunit_bridge.rst index db3c029efd1..a99752764d9 100644 --- a/components/phpunit_bridge.rst +++ b/components/phpunit_bridge.rst @@ -525,7 +525,7 @@ Troubleshooting The ``@group time-sensitive`` and ``@group dns-sensitive`` annotations work "by convention" and assume that the namespace of the tested class can be obtained just by removing the ``Tests\`` part from the test namespace. I.e. -if your test case's fully-qualified class name (FQCN) is +if your test cases fully-qualified class name (FQCN) is ``App\Tests\Watch\DummyWatchTest``, it assumes the tested class namespace is ``App\Watch``. From 8f2e6b52112b462ea58e03e951189543f5c993aa Mon Sep 17 00:00:00 2001 
From: Oskar Stark Date: Thu, 20 Feb 2020 08:33:29 +0100 Subject: [PATCH 4/4] Move caution plus reword --- security/user_provider.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/security/user_provider.rst b/security/user_provider.rst index 45f4911f762..69ba8ec6275 100644 --- a/security/user_provider.rst +++ b/security/user_provider.rst @@ -215,6 +215,11 @@ It's not recommended to use this provider in real applications because of its limitations and how difficult it is to manage users. It may be useful in application prototypes and for limited applications that don't store users in databases. +.. caution:: + + When using a ``memory`` provider, the :class:`Symfony\\Component\\Security\\Core\\User\\User` + and not the ``auto`` algorithm, you have to choose an encoding without salt (i.e. ``bcrypt``). + This user provider stores all user information in a configuration file, including their passwords. That's why the first step is to configure how these users will encode their passwords:
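Review bot: In [PATCH 2/4] (security.rst, the added ``.. caution::`` block), the phrase "an encoding without salt (i.e. ``bcrypt``)" reads as if bcrypt were unsalted. bcrypt does use a salt; it generates one itself and stores it inside the hash string, so what the reader needs to know is that no separate salt has to be supplied for the user. Suggest wording along the lines of "an encoder that does not need a separate salt (e.g. ``bcrypt``)", with "e.g." instead of "i.e." because bcrypt is given as an example and not as the definition. The context paragraph just above the caution still says the passwords are plaintext at this step, so it would also help to say that the caution applies once an encoder is chosen.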
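Review bot: In [PATCH 3/4] (components/phpunit_bridge.rst, the one changed line in the Troubleshooting hunk), dropping the apostrophe turns the possessive "test case's" introduced by PATCH 1/4 into the plural "test cases", and the sentence no longer parses. Keep "if your test case's fully-qualified class name (FQCN) is", or avoid the possessive with "if the fully-qualified class name (FQCN) of your test case is".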
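Review bot: [PATCH 4/4] is titled "Move caution plus reword", but its diffstat is "1 file changed, 5 insertions(+)" and it touches only security/user_provider.rst, so the caution added to security.rst by PATCH 2/4 is not removed and the series ends with two differently worded copies. Either delete the security.rst copy in this patch or retitle the commit. In the added text, "When using a ``memory`` provider, the :class:`Symfony\\Component\\Security\\Core\\User\\User` and not the ``auto`` algorithm" is hard to read as a list of conditions; if the intent is "a ``memory`` provider with the ``User`` class and an algorithm other than ``auto``", say so directly. The "without salt (i.e. ``bcrypt``)" wording carries over the same ambiguity as in PATCH 2/4, and the caution is inserted before the paragraph that first introduces password encoding, so it refers to a choice the reader has not been shown yet; placing it after that paragraph would read more naturally.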