-
-
Notifications
You must be signed in to change notification settings - Fork 5.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Completely re-reading the security book #4606
Conversation
8e5a87b
to
8657c6f
Compare
.. code-block:: php-annotations | ||
|
||
// src/AppBundle/Controller/SecurityController.php | ||
// ... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you should move the empty line below above this comment
I left one comment (at a completely random location). I'll review the rest tomorrow |
|
||
The | ||
:method:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom::nextBytes` | ||
methods returns a random string composed of the number of characters passed as |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
method
@@ -0,0 +1,299 @@ | |||
How does the Security access_control Work? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does
meh, github does not show the diff for the security book (too big diff) |
use Symfony\Component\Security\Core\Util\StringUtils; | ||
|
||
// is password1 equals to password2? | ||
$bool = StringUtils::equals($password1, $password2); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you should note that the order of arguments is important to avoid timing attack. The known string should be the first argument, and the user input should be the second one
A few comments on the book itself, which cannot be inline because the diff is not visible in the PR because of its size:
This sentence is incomplete. bcrypt and pbkf2 (and plaintext) are implemented using their own encoders in Symfony. They don't rely on the DigestPasswordEncoder (which is the one relying on algorithms know by hash_algos).
this description is again mixing roles and permission attributes (see #4158). A user receives roles, but a resource will require a specific permission attribute (which may be a role, but may be something else).
I suggest removing this sentence. If you define something not starting with |
The section about the
Typo here:
This is confusing, because users will not understand the difference. This should explain than |
Guys! Thanks so much for the review on this really long thing. What's cool is that we found several small tweaks where I had just copied and pasted old docs into a new location. In other words, we face-lifted some areas that I hadn't even intended to tweak. The changes are at sha: 5d842e2. The big one is the new "ips" access_control restriction spot, where I had to change the example entirely. I have a few small comments still pending, but if you have any big blocker concerns, please let me know. Also, as Stof mentioned, the book is not showing up as a diff, so please realize that it did change, and I'd appreciate notes on it. Here are my blockers:
... and then of course I'll merge up to the other branches and put the new version stuff back :D |
@weaverryan Thanks so much for this great work. I'll try to put some time into updated/syncing the code blocks in the next days. |
<label for="password">Password:</label> | ||
<input type="password" id="password" name="_password" /> | ||
|
||
<!-- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use twig comments here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. this is the PHP template. It should be a PHP comment, not a Twig one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In HTML+PHP templates, we always use HTML comments.
- more tutorial-styled - tried to move things into other entries - tried to keep as many anchor references as possible
e6fca36
to
fe9fdac
Compare
This PR was merged into the 2.3 branch. Discussion ---------- Completely re-reading the security book | Q | A | ------------- | --- | Doc fix? | no | New docs? | no | Applies to | all | Fixed tickets | n/a Well, this should be interesting :). Several years ago, I bootstrapped the security chapter and it's been there ever since. That fact doesn't necessarily mean that it was good. I've just re-read and basically re-written the chapter from scratch. I thought it was too long, too theoretical in the beginning, and it also had some extra "baggage" just from being old and having things added to it. My goal is to: A) Not actually remove anything of importance - I've done my best with this B) Actually get feedback that this is better. I feel that this is better, but rewrites aren't automatically better. It's like the second album of a band - even though they're older and wiser, maybe the original is still better :). I hope not! Todo: - [ ] fill in config blocks - @xabbuh if you happen to have some time and can help, I would be even more in debt to you :) As I merge to 2.5 and up, I'll need to check for the `versionadded` tags on each branch and re-add those things to the new chapter. Thanks! Commits ------- fe9fdac [#4606] Getting my XML (and PHP) on in the new security chapter aedfcd2 [#4606] Tweaks thanks entirely to stof 614da15 Changing to _ for consistency 95d6a7d [#4606] Updating thanks to comments from everyone! d9a9310 Completely re-reading the security book
* 2.3: [#4606] Getting my XML (and PHP) on in the new security chapter [#4606] Tweaks thanks entirely to stof Changing to _ for consistency [#4606] Updating thanks to comments from everyone! Completely re-reading the security book Misc changes [Cookbook] Fix XML example of RTE Conflicts: book/security.rst cookbook/map.rst.inc cookbook/security/index.rst
* 2.5: [#4606] Getting my XML (and PHP) on in the new security chapter [#4606] Tweaks thanks entirely to stof Changing to _ for consistency [#4606] Updating thanks to comments from everyone! Completely re-reading the security book Misc changes [Cookbook] Fix XML example of RTE Conflicts: book/security.rst
Ok guys :). I've just added a few last commits for the last comments, merged this in, the merged it up the branches. I'm fairly convinced that the merges were clean - I manually looked at the log difference between new branches to make sure changes/additions on more-recent branches were not "run over" with the merge. But if you spot anything, please let me know! Thanks again - I will probably try not to completely rewrite chapters in the future, though I still think more need to be re-read (but many less than even 6 months ago thanks for a lot of people here). |
This PR was merged into the 2.3 branch. Discussion ---------- review all Security code blocks | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | #4606 (comment) As I promised @weaverryan I now found some time to review all the security-related code blocks. :) Commits ------- 9099cf2 review all Security code blocks
Well, this should be interesting :). Several years ago, I bootstrapped the security chapter and it's been there ever since. That fact doesn't necessarily mean that it was good. I've just re-read and basically re-written the chapter from scratch. I thought it was too long, too theoretical in the beginning, and it also had some extra "baggage" just from being old and having things added to it.
My goal is to:
A) Not actually remove anything of importance - I've done my best with this
B) Actually get feedback that this is better. I feel that this is better, but rewrites aren't automatically better. It's like the second album of a band - even though they're older and wiser, maybe the original is still better :). I hope not!
Todo:
As I merge to 2.5 and up, I'll need to check for the
versionadded
tags on each branch and re-add those things to the new chapter.Thanks!