I'm new to Symfony. Is my understanding correct that the User class is actually for controlling sessions? But is there built-in login and account creation? I'm not finding it. But if there's an admin backend generator, how can it function without user logins?
Not sure what version of Symfony you're using, but login and account creation is typically incorporated into an application using either the sfGuardPlugin (for Propel) or sfDoctrineGuardPlugin (for Doctrine).
For Symfony v1.2, see Day 13 of the Jobeet tutorial to get started.
The myUser.class.php file is the session controller/storage, yes. You can create your own security module if you wish, but many use the plugins mentioned in nselikoff's answer. They're not perfect but they do a decent job. Whichever ORM you use, you should definitely start with one of these plugins, and extend/improve them if you need to.
Your admin generator modules are not secured by default, no - it is up to you to implement a security layer. As an aside, don't think of admin-generated modules as exclusively for a backend/backoffice purpose, as there may be some reason for a frontend app to require one. Certainly a system you use internally at your company or at home on a local webserver doesn't need a security layer to function.
Changing the security.yml file to secure an app, module or action requires you to specify the login page in your app's settings.yml, but the security plugins will help you configure this.
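An added illustration, not part of the answer above: roughly what the two files look like in a symfony 1.x app that uses the guard plugin's sfGuardAuth module for login. The app name backend, the module name job, the action name feed and the admin credential are assumptions chosen for the example.

```yaml
# --- apps/backend/config/security.yml (app-wide default) ---
# Every action in the app requires an authenticated user unless a
# module-level security.yml overrides it.
default:
  is_secure: true

# --- apps/backend/modules/job/config/security.yml (module override) ---
# "job" is a hypothetical admin-generated module.
all:
  is_secure: true
  credentials: admin      # authenticated AND holding the "admin" credential
feed:
  is_secure: false        # hypothetical action deliberately left public

# --- apps/backend/config/settings.yml ---
# Tells symfony where to send unauthenticated users (login_*) and
# authenticated users who lack the required credential (secure_*).
all:
  .settings:
    enabled_modules: [default, sfGuardAuth]
  .actions:
    login_module:  sfGuardAuth
    login_action:  signin
    secure_module: sfGuardAuth
    secure_action: secure
```

Without the app-wide `default: is_secure: true`, a newly generated admin module is reachable without login until its own security.yml is written, so setting the default first and opening individual actions afterwards is the safer order.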
Apart from what others have said, I find the source code from symfonians very useful; it resolves all these problems: http://symfonians.org/