On 10/20/10 5:06 PM, Matthias Nothhaft wrote:
Hi,

first of all I have to say the new security layer looks great. I just
had a look at the code and the docs.

Thanks for taking the time to review the code and thanks for the feedback. This is much appreciated. Quick answers below.

I'm comparing it a bit with sf 1.x trying to understand how things
work and how I can build a bundle on top of it.

I wonder why you called this thing "role"? I understand that
"credential" was not that good choice in sf 1.x but to me this is more
like "permission" or "right" to do something (most of the time some
action). So I think it would be better to call this permission or
right. To me "role" is what you also used in the docs: an admin or a
content editor or something like that, but to me a role in this case
is a "small summary" what a user can do or in other words a group of
some rights to work on a part of the application.

Role is different than a permission. The documentation does not reflect that yet, but if you have a look at the code, you can see that the switch user feature is implemented as a role for instance.

Also, I think it would be useful to have a way to define these roles
something in a configuration file so a user+permission system can
easily load all available roles of all bundles into the database. Of
course this could be part of such a bundle but I think it would make
sense to have a Symfony2 default to *define* possible roles.

We will have an ACL system in Symfony2. This is just something that is not done yet.

On the other side I read somewhere "credential" and I suppose this is
now the password of a user?

Yes, the password or something else. But most of the time, for most websites, this is the password.

Also, "username" is also a bit confusing as this is not always the
username but can be an email address or customer number or whatever, so
maybe a better name for this could be "handle" or "auth_handle" or
something like that?

Like for the password, most of the time, the "username" is, well, the username. In Spring, this is called the "principal" instead. I chose to use "username" as it is probably what developers expect.

Ok.. I guess for "all the rest" of my current questions I can only
find the answers by implementing a user bundle on top of Symfony2. For
example I would probably want to implement the form login and logout
completely by myself to add things like IP/username blocking for too
many failed tries and so on. Might not be my last posting about that
topic.. ;-)

Keep them coming. The component is very young and I'm sure we can enhance it a lot before the final release.

Fabien

regards,
Matthias



--
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en