From 17999cfd34ba951eb7cff08b517acdb262e497cb Mon Sep 17 00:00:00 2001
From: Roberto Lombi <signoramiailmio@robertodormepoco.org>
Date: Fri, 28 Feb 2014 13:29:19 +0100
Subject: [PATCH 1/2] Wrong parameters order and wrong naming

Wrong parameters order and wrong naming on "Using Password Encoders" section
---
 components/security/authentication.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/security/authentication.rst b/components/security/authentication.rst
index 11afefa23ff..f010e4cac7e 100644
--- a/components/security/authentication.rst
+++ b/components/security/authentication.rst
@@ -249,8 +249,8 @@ which should be used to encode this user's password::
     // check if the password is valid:
 
     $validPassword = $encoder->isPasswordValid(
+        $encodedPassword,
         $user->getPassword(),
-        $password,
         $user->getSalt());
 
 .. _`CVE-2013-5750`: http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form

From 02f072a667ce2ef2d9227bd0e24da74614da411a Mon Sep 17 00:00:00 2001
From: WouterJ <waldio.webdesign@gmail.com>
Date: Wed, 21 May 2014 11:16:20 +0200
Subject: [PATCH 2/2] Applied comments

---
 components/security/authentication.rst | 28 +++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/components/security/authentication.rst b/components/security/authentication.rst
index f010e4cac7e..3abba44dea3 100644
--- a/components/security/authentication.rst
+++ b/components/security/authentication.rst
@@ -237,21 +237,35 @@ method of the password encoder factory is called with the user object as
 its first argument, it will return an encoder of type :class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`
 which should be used to encode this user's password::
 
-    // fetch a user of type Acme\Entity\LegacyUser
-    $user = ...
+    // a Acme\Entity\LegacyUser instance
+    $user = ...;
+
+    // the password that was submitted, e.g. when registering
+    $plainPassword = ...;
 
     $encoder = $encoderFactory->getEncoder($user);
 
     // will return $weakEncoder (see above)
+    $encodedPassword = $encoder->encodePassword($plainPassword, $user->getSalt());
+
+    $user->setPassword($encodedPassword);
 
-    $encodedPassword = $encoder->encodePassword($password, $user->getSalt());
+    // ... save the user
 
-    // check if the password is valid:
+Now, when you want to check if the submitted password (e.g. when trying to log
+in) is correct, you can use::
+
+    // fetch the Acme\Entity\LegacyUser
+    $user = ...;
+    
+    // the submitted password, e.g. from the login form
+    $plainPassword = ...;
 
     $validPassword = $encoder->isPasswordValid(
-        $encodedPassword,
-        $user->getPassword(),
-        $user->getSalt());
+        $user->getPassword(), // the encoded password
+        $plainPassword,       // the submitted password
+        $user->getSalt()
+    );
 
 .. _`CVE-2013-5750`: http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form
 .. _`BasePasswordEncoder::checkPasswordLength`: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php