tonehaus/docs/auth-and-users.md

Authentication & Users

Login & Registration (modal)

• Login and sign‑up are handled in a Bootstrap modal.
• AJAX submits keep users on the page; a successful login refreshes state.
• Remember‑me cookie keeps users logged in across sessions.

Roles & Permissions

• ROLE_USER — default for registered users
• ROLE_MODERATOR — can access dashboard and user management, and moderate content
• ROLE_ADMIN — adds Site Settings access and moderator promotion/demotion

Promotion (from your host):

docker compose exec tonehaus php bin/console app:promote-moderator mod@example.com
docker compose exec tonehaus php bin/console app:promote-admin admin@example.com

Access flow

• Visiting /admin/* while unauthenticated redirects through /login, which reopens the modal.
• Role hierarchy applies: Admin ⊇ Moderator ⊇ User.
• Controllers, templates, and voters enforce privilege boundaries (e.g., site settings are admin‑only).

Public registration toggle

• Toggle in UI: /admin/settings (stored in DB)
• Env override: APP_ALLOW_REGISTRATION=0|1 (env has priority on each boot)
• When disabled, the modal replaces “Sign up” with a tooltip explaining registration is closed. Staff can still create users via /admin/users.

User management (moderator+)

• /admin/users lists accounts with album/review counts and actions:
  • Create accounts inline (does not affect the current session)
  • Delete users (guards prevent deleting self or administrators)
  • Admins can Promote/Demote Moderator on non‑admins

Profiles & Passwords

• /account/profile: update email and display name
• /account/password: change password (requires current password)

Demo accounts & avatars

docker compose exec tonehaus php bin/console app:seed-demo-users --count=50
docker compose exec tonehaus php bin/console app:seed-user-avatars --overwrite

Logout

• Link in the user menu calls /logout (handled by Symfony security).