Warn for implementing eraseCredentials

rvanlaak · web-flow · commit bee0cba6bd03 · 2017-01-06T13:53:22.000+01:00
... as implementing `eraseCredentials` on a Doctrine entity will be flushed. Setting `password` to `null` will actually be saved at every login attempt.
diff --git a/security/entity_provider.rst b/security/entity_provider.rst
@@ -169,6 +169,12 @@ forces the class to have the five following methods:
 
 To learn more about each of these, see :class:`Symfony\\Component\\Security\\Core\\User\\UserInterface`.
 
+.. caution::
+
+    Do not actually implement ``eraseCredentials`` when you load your users directly
+    from Doctrine, as changes will be flushed when a user tries to login. As example,
+    setting ``password`` to ``null`` will be flushed with every login attempt.
+
 What do the serialize and unserialize Methods do?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
