# Symfony security configuration: one authenticated firewall for the admin
# area under /admin, with every other URL served without the security system.
security:
    password_hashers:
        # "auto" lets Symfony choose the password hashing algorithm.
        App\Entity\User:
            algorithm: auto

    providers:
        # Users are loaded from the User entity, looked up by e-mail address.
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    firewalls:
        # Admin first: the first firewall whose pattern matches handles the
        # request, so this entry must stay above the catch-all "main" firewall.
        admin:
            pattern: '^/admin'
            lazy: true
            provider: app_user_provider
            # NOTE(review): no "enable_csrf" and no "login_throttling" are set
            # on this firewall. Confirm whether the login form is protected
            # against CSRF and repeated password guessing some other way.
            form_login:
                login_path: admin_login
                check_path: admin_login
                default_target_path: admin_dashboard
            logout:
                path: admin_logout
                target: admin_login
            remember_me:
                # Signed with the kernel secret, so rotating that secret
                # invalidates every outstanding remember-me cookie.
                secret: '%kernel.secret%'
                # 604800 seconds = 7 days.
                lifetime: 604800
                # The cookie is only sent for URLs under /admin.
                # NOTE(review): confirm the cookie's secure / httponly /
                # samesite attributes are appropriate for an admin area.
                path: '/admin'

        # Everything else is public (chat etc.).
        # "security: false" switches the security system off for these URLs:
        # no user or token is available there and access_control rules never
        # apply to them. Any non-admin endpoint that needs protection has to
        # be moved under a secured firewall.
        main:
            pattern: '^/'
            security: false

    # Each role implicitly includes the roles listed beneath it.
    role_hierarchy:
        ROLE_SUPER_ADMIN:
            - ROLE_KNOWLEDGE_ADMIN
            - ROLE_EDITOR
            - ROLE_USER
        ROLE_KNOWLEDGE_ADMIN:
            - ROLE_EDITOR
            - ROLE_USER
        ROLE_EDITOR:
            - ROLE_USER

    # Only the first matching rule is applied, so the login and logout
    # exceptions must stay above the general /admin rule.
    access_control:
        - path: '^/admin/login$'
          roles: PUBLIC_ACCESS
        - path: '^/admin/logout$'
          roles: PUBLIC_ACCESS
        # NOTE(review): ROLE_USER is the lowest role in the hierarchy above,
        # so every authenticated account can reach /admin. Confirm that
        # privileged admin actions are restricted to ROLE_EDITOR or higher
        # elsewhere (for example in the controllers).
        - path: '^/admin'
          roles: ROLE_USER