In part 1, we discussed the basics of setting up a security system in our app (database and security.yml settings). We also covered the pre-registration stage where a user verifies their invitation status with the app.
In this article, we will talk about registration, logins and post-login actions.
Form, database, and more
Registration is done through a form. The user will enter information like email, user name, password, confirmed password, and accept a disclaimer in some cases.
We also know that a user object will ultimately be persisted in the user table.
During this persistence process, we must be aware that:
Some form input will be used in populating a user object (like username, password);
Some user properties will be set by the app (like created, a date/time field to store when the user registers);
Some form inputs are merely for verification and discarded (like retyped password, a check on the disclaimer).
We must have a way to create a “link” between a form and the underlying table, and specify the above requirements.
In Symfony, we achieve this by declaring a special form type class associated with an entity. In this case, a RegistrationType manages which fields to display, which fields are mapped (to a field), etc.
I recommend including the CSRF token in your forms or at least telling people about that feature in the article. They should know about this from a very start
You don’t really have to set the attributes (action, method…) in the form definition since you then set it manually in the view. But what you probably should do is setting the createAction method to be POST only.
I also miss any kind of validation but I guess you wanted to keep it simple and just show folks the basics.
And huge for showing the success handler. Lot of people are ignoring this and are inventing weird and wrong hacks around in controllers. Looking forward to more articles.
They added the bootstrap framework to Symfony as of version 2.6 (which I personally think was a general mistake). However, it looks like you were using the bootstrap stuff anyway. So, I too am not sure what is meant by @bollasandor in his last sentence.
Is it possible to decode the hash from the email link to prefill the email field?
Last but not least a wish for the next tutorial.
Build a mail service to handle actions like send confirmation/invite email or a contact form by providing properties like setFrom, setTo and template with passed object for setBody.
Thats a good example for slim down controllers.
It would be good to have a workign application code for download.
For me it is not clear how is implemented login and login_check actions in Security controller.