From bee0cba6bd03c2f30c308c350ece3764648ebc6e Mon Sep 17 00:00:00 2001 From: Richard van Laak Date: Fri, 6 Jan 2017 13:53:22 +0100 Subject: [PATCH 1/3] Warn for implementing `eraseCredentials` ... as implementing `eraseCredentials` on a Doctrine entity will be flushed. Setting `password` to `null` will actually be saved at every login attempt. --- security/entity_provider.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/entity_provider.rst b/security/entity_provider.rst index 32cb4460bbb..1b2b55ccb9b 100644 --- a/security/entity_provider.rst +++ b/security/entity_provider.rst @@ -169,6 +169,12 @@ forces the class to have the five following methods: To learn more about each of these, see :class:`Symfony\\Component\\Security\\Core\\User\\UserInterface`. +.. caution:: + + Do not actually implement ``eraseCredentials`` when you load your users directly + from Doctrine, as changes will be flushed when a user tries to login. As example, + setting ``password`` to ``null`` will be flushed with every login attempt. + What do the serialize and unserialize Methods do? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 1eed188ee55bba0c043e1e3685a4024498f9d8a7 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sat, 15 Apr 2017 10:20:04 +0200 Subject: [PATCH 2/3] Minor reword --- security/entity_provider.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/entity_provider.rst b/security/entity_provider.rst index 1b2b55ccb9b..06b5976401d 100644 --- a/security/entity_provider.rst +++ b/security/entity_provider.rst 
@@ -171,9 +171,10 @@ To learn more about each of these, see :class:`Symfony\\Component\\Security\\Cor .. caution:: - Do not actually implement ``eraseCredentials`` when you load your users directly - from Doctrine, as changes will be flushed when a user tries to login. As example, - setting ``password`` to ``null`` will be flushed with every login attempt. + Do not actually implement ``eraseCredentials()`` when loading the users + directly from Doctrine, as changes will be flushed when a user tries to + login. For example, setting ``password`` to ``null`` will be flushed with + every login attempt. What do the serialize and unserialize Methods do? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 50305ffe1e2aa5332fc07801776f883d04516548 Mon Sep 17 00:00:00 2001 From: Richard van Laak Date: Wed, 17 May 2017 09:30:25 +0200 Subject: [PATCH 3/3] Update caution about eraseCredentials --- security/entity_provider.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/entity_provider.rst b/security/entity_provider.rst index 06b5976401d..202fd820332 100644 --- a/security/entity_provider.rst +++ b/security/entity_provider.rst @@ -171,10 +171,10 @@ To learn more about each of these, see :class:`Symfony\\Component\\Security\\Cor .. caution:: - Do not actually implement ``eraseCredentials()`` when loading the users - directly from Doctrine, as changes will be flushed when a user tries to - login. For example, setting ``password`` to ``null`` will be flushed with - every login attempt. + The ``eraseCredentials()`` method is only meant to clean up possibly stored + plain text passwords (or similar credentials). Be careful what to erase + if your user class is also mapped to a database as the modified object + will likely be persisted during the request. What do the serialize and unserialize Methods do? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
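Review bot: In the first hunk (PATCH 1/3), the caution reads "Do not actually implement ``eraseCredentials``", which contradicts the sentence just above it saying the interface forces the class to have that method; a reader following the advice literally cannot satisfy ``UserInterface``. Reword to say the method must exist but its body should not touch mapped properties, e.g. "Do not clear mapped fields such as ``password`` in ``eraseCredentials()``: if your user is a Doctrine entity, the change will be flushed on login and the stored hash is lost." The security consequence worth stating plainly is that nulling the hashed ``password`` column locks the account out after the first successful login. Minor wording: "As example" should be "For example", and "tries to login" should be "tries to log in".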
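Review bot: The reword in PATCH 2/3 keeps the same logical problem as the previous version: "Do not actually implement ``eraseCredentials()``" still tells the reader to skip a method the interface requires, and the fix should target what the method body clears rather than whether it exists. It also still writes "tries to login" where "tries to log in" is meant. Suggest replacing the first sentence with something like "Be careful what you clear in ``eraseCredentials()`` when your user class is a Doctrine entity, as changes to mapped properties will be flushed when a user logs in."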
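Review bot: The final wording in PATCH 3/3 resolves the "do not implement" contradiction, but "Be careful what to erase" leaves the reader without the concrete rule; state it directly, e.g. "Only erase properties that are not mapped to a database column, such as a transient ``plainPassword`` property; never null the persisted ``password`` hash." It would also help to say why the object "will likely be persisted": the entity is managed by Doctrine, so any flush during the request writes the change back. Grammar nit: "Be careful what to erase" should be "Be careful about what you erase".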