The dashboard was built as a development tool, but it can run in production as well. Because it
exposes internal data and lets visitors control your subscriptions, you must put it behind
authentication before enabling it outside of dev.
The dashboard has no built in access control. Anyone who can reach it can read your events, see internal information about your system and your users, and pause, rebuild or remove subscriptions. Never expose it to the public without a security layer in front of it.
For production the bundle must be a normal dependency rather than a dev only one:
composer require patchlevel/event-sourcing-admin-bundleMake sure the bundle is registered for the environments you want it in, for example by removing the
['dev' => true] restriction in config/bundles.php.
Move the configuration out of the when@dev block so it applies in production too:
# config/packages/patchlevel_event_sourcing_admin.yaml
patchlevel_event_sourcing_admin:
enabled: trueDo the same for the routes import:
# config/routes/patchlevel_event_sourcing_admin.yaml
event_sourcing:
resource: '@PatchlevelEventSourcingAdminBundle/config/routes.yaml'
prefix: /es-adminProtect the prefix you mounted the dashboard under with the Symfony security component, for example with an access control rule that requires an admin role:
# config/packages/security.yaml
security:
access_control:
- { path: ^/es-admin, roles: ROLE_ADMIN }The subscription controls run synchronously in the web request. In production prefer the console commands of the event-sourcing-bundle for heavy operations like full rebuilds, and keep the dashboard for inspection and lighter actions.