symfony-cmf / standard-edition

The "Symfony CMF Standard Edition" distribution
cmf.symfony.com
MIT License

Add in memory users #42

Closed spolischook closed 9 years ago

spolischook commented 9 years ago

https://github.com/symfony-cmf/standard-edition/issues/38

lsmith77 commented 9 years ago

@WouterJ we removed this because it was removed from the SE, right?

wouterj commented 9 years ago

@lsmith77 yes.

I don't see why we would need to add memory users to the SE. The SE doesn't configure any security (except for an anonymous firewall) and doesn't include an admin interface (so no need to protect an admin area).

Also, unless I'm missing something, #38 is about these lines in app_dev.php, which is not related to the Security system.

wouterj commented 9 years ago

Oh well, my bad. This is related to the CreateBundle integration. However, in this case, we need to assign the ROLE_ADMIN role and not ROLE_SUPER_ADMIN. Also, I would prefer to not use parameters here, but just configure it in security.yml.

dbu commented 9 years ago

+1 for not using parameters but doing it in security.yml. And add a comment around it that you want to change this in a real project?

spolischook commented 9 years ago

If you use in memory users you must hold all passwords in parameters.yml. If you add or remove users you need to change two files. I find this way is more usable in a project with in memory users.

dbu commented 9 years ago

The thing is we want to strongly discourage using this outside of demo purposes. Having the passwords in plain text in a parameters.yml file is not good security.

spolischook commented 9 years ago

So I can change the "encoders" setting and leave users with passwords in parameters.yml?

wouterj commented 9 years ago

I highly recommend using in memory users purely for demo purposes and using a user in a database, a custom user provider with built-in users or something else in production.

spolischook commented 9 years ago

@WouterJ ok so what am I gonna do? We have broken behavior in fresh installation, and we need users for fixing it. I can add a comment like "Highly recommend to not use in memory users in the production environment"

wouterj commented 9 years ago

I propose to just add the config.yml (so no parameter) and add a comment that this is just for demo purposes and one should use another user provider in real apps, maybe even linking to the docs.

lsmith77 commented 9 years ago

ping

spolischook commented 9 years ago

will fix your comments, asap, thanks for reminders!

lsmith77 commented 9 years ago

thx!

spolischook commented 9 years ago

done

lsmith77 commented 9 years ago

@spolischook thanks .. can you also add a comment as noted by @WouterJ above?

spolischook commented 9 years ago

done

lsmith77 commented 9 years ago

thanks!
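
The configuration the reviewers ask for, sketched as an added example (not the code merged in this pull request): a demo-only in-memory user defined directly in security.yml, with ROLE_ADMIN and a hashed password instead of the plain-text encoder. The file path, the user name `admin`, the bcrypt cost and the password placeholder are assumptions.

```yaml
# app/config/security.yml
# Constructed example; the path assumes the Symfony 2 standard directory layout.
security:
    encoders:
        # Weak demo setting: passwords are stored and compared as clear text,
        # so anyone who can read this file can log in as the user.
        # Symfony\Component\Security\Core\User\User: plaintext
        #
        # Hashed alternative for the same built-in user class.
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12   # assumed value

    providers:
        # DEMO ONLY: in-memory users exist so a fresh installation works.
        # A real project should switch to another user provider
        # (users in a database, a custom user provider, ...).
        in_memory:
            memory:
                users:
                    admin:   # hypothetical user name
                        # Placeholder, not a real hash: store the bcrypt hash
                        # of the demo password here, never the password itself.
                        password: 'REPLACE_WITH_BCRYPT_HASH'
                        # ROLE_ADMIN rather than ROLE_SUPER_ADMIN, as asked in review.
                        roles: [ROLE_ADMIN]
```

Keeping the user definition in security.yml rather than parameters.yml means the hash and the warning comment sit in one file, which is the layout the review converged on.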