minor #7326 [Security] Warn for implementing eraseCredentials (rvanlaak, javiereguiluz)

xabbuh · xabbuh · commit ef31047e12f7 · 2017-05-26T16:46:01.000+02:00
This PR was merged into the 2.7 branch. Discussion ---------- [Security] Warn for implementing `eraseCredentials` ... as implementing `eraseCredentials` on a Doctrine entity will be flushed. Setting `password` to `null` will actually be saved at every login attempt. This might also could be a warning with the `UserInterface` docblock directly (?) Commits ------- 50305ff Update caution about eraseCredentials 1eed188 Minor reword bee0cba Warn for implementing `eraseCredentials`
diff --git a/security/entity_provider.rst b/security/entity_provider.rst
@@ -169,6 +169,13 @@ forces the class to have the five following methods:
 
 To learn more about each of these, see :class:`Symfony\\Component\\Security\\Core\\User\\UserInterface`.
 
+.. caution::
+
+    The ``eraseCredentials()`` method is only meant to clean up possibly stored 
+    plain text passwords (or similar credentials). Be careful what to erase 
+    if your user class is also mapped to a database as the modified object 
+    will likely be persisted during the request.
+
 What do the serialize and unserialize Methods do?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
