Open keoozDan opened 3 months ago
Howdy @keoozDan - In very broad, general terms, it's usually best to allow a user to authenticate (Authentication) regardless of whether they're "verified" or not. To prevent access (Authorization) to all or part of an application for "non-verified" users, Symfony's Security Voter system can help with that depending on your needs. https://symfony.com/doc/current/security/voters.html
If you really want to only allow users who have verified their email address to be able to log in (authentication), then you would probably need to use a custom authenticator or some sort of custom security events to handle that gracefully.
Hope this helps!
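
A voter along the lines the reply above describes, as an added example that is not part of the thread or of the bundle's own code. It assumes an `App\Entity\User` entity with an `isVerified(): bool` getter and default service autoconfiguration; the attribute name `VERIFIED_USER` and the class name are hypothetical.

```php
<?php
// src/Security/Voter/VerifiedUserVoter.php (hypothetical path)
// Unverified users can still authenticate, so a route guarded only by
// IS_AUTHENTICATED_FULLY (such as app_verify_email) stays reachable.
// Everything else is gated on the VERIFIED_USER attribute below.

namespace App\Security\Voter;

use App\Entity\User; // assumed entity exposing isVerified(): bool
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class VerifiedUserVoter extends Voter
{
    public const VERIFIED_USER = 'VERIFIED_USER';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Vote only on our own attribute and abstain on all others,
        // so role checks and other voters are unaffected.
        return $attribute === self::VERIFIED_USER;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();

        // No authenticated application user behind the token: deny.
        if (!$user instanceof User) {
            return false;
        }

        // Grant only once the email address has been confirmed.
        return $user->isVerified();
    }
}

// In any controller action that must be off limits to unverified users:
//     $this->denyAccessUnlessGranted(VerifiedUserVoter::VERIFIED_USER);
// The verification action keeps its existing check:
//     $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
```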
I think that a user whose isVerified is false can log in.

How can we block the login? Because:

1. In `app_verify_email` we use: `$this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');`
2. In `UserChecker.php`: we can't block when isVerified is false, because then we block the verification too.

Do you have any solution?