Rakcha supports three distinct user roles, multiple authentication methods, two-factor authentication, and a full suite of self-service account management tools.

Client

Browse films, book cinema seats, shop the store, rate content, and manage their personal profile.

Cinema manager

Register and manage cinemas, configure theaters, schedule séances, and view their own venue analytics.

Admin

Full platform access: approve cinemas, manage all users, assign roles, and view platform-wide data.

Registration

1. Complete the registration form

New users register at /register by providing:
  • First name (prenom) and last name (nom) — 2 to 50 characters each
  • Email address — must be unique across the platform
  • Password — minimum 8 characters
  • Phone number — positive integer, used for SMS notifications
  • Date of birth — must not be in the future
  • Address — 5 to 50 characters
  • Role — one of client, admin, or responsable de cinema
  • Profile photo (optional) — uploaded to /img/users/

2. Email verification

After registering, a verification email is sent to the provided address. The account cannot be used until the email link is clicked.
Admin-created accounts (created directly from the user dashboard) bypass the verification step and are marked as verified immediately.

3. Log in

Once verified, the user can log in using their email and password, or via a configured OAuth provider.

Authentication methods

Standard credential-based login. The user enters their email and password on the login page. Passwords are hashed using Symfony’s password hasher before storage — plain-text passwords are never persisted. Failed login attempts are subject to rate limiting to prevent brute-force attacks.

Two-factor authentication (TOTP)

Rakcha implements TOTP-based 2FA using the scheb/2fa-bundle. Once enabled, users are prompted for a 6-digit code after entering their password.

Enabling 2FA

1. Access 2FA settings

From your profile page, navigate to the Security section and click Enable Two-Factor Authentication.

2. Scan the QR code

A QR code is generated from your TOTP secret (SHA-1, 30-second window, 6-digit codes). Scan it with any TOTP-compatible authenticator app such as Google Authenticator or Authy.

3. Verify the setup

Enter the current 6-digit code from your app to confirm the link. 2FA is activated on your account immediately.

Trusted devices

After completing a 2FA challenge you can mark the current device as trusted. Trusted devices skip the 2FA prompt on future logins from the same browser, reducing friction for devices you own.

Disabling 2FA

To remove 2FA, clear the TOTP secret from your security settings. You will need to enter your current password to confirm the change.
If you lose access to your authenticator app and have no trusted devices, contact your platform administrator to reset your 2FA secret.

Password reset

1. Request a reset

Click Forgot password? on the login page and enter your registered email address.

2. Check your email

A password reset link is sent to your address. The link is time-limited and single-use.

3. Set a new password

Click the link and enter a new password (minimum 8 characters). The new password is hashed and saved. You are redirected to the login page.
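The time-limited, single-use behaviour of the reset link, as an added Python example that is not Rakcha's own code: only a hash of the token is stored, expiry is checked on use, and a second use of the same link is refused. The one-hour lifetime, the in-memory store and the function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed lifetime of a reset link; the page states only that it is time-limited.
RESET_TOKEN_TTL_SECONDS = 3600


@dataclass
class ResetRequest:
    token_hash: str    # SHA-256 of the token; the raw token exists only in the emailed link
    user_email: str
    expires_at: int    # unix timestamp
    used: bool = False


# Constructed in-memory store standing in for a reset_request table (assumption).
_reset_store: Dict[str, ResetRequest] = {}


def _hash_token(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


def issue_reset_token(user_email: str, now: int) -> str:
    """Generate an unguessable token, persist only its hash, and return the raw value
    for the emailed link. A database leak therefore does not expose usable links."""
    raw = secrets.token_urlsafe(32)
    _reset_store[_hash_token(raw)] = ResetRequest(
        _hash_token(raw), user_email, now + RESET_TOKEN_TTL_SECONDS)
    return raw


def consume_reset_token(raw: str, now: int) -> Optional[str]:
    """Return the owner's email if the token is known, unexpired and unused, and mark it
    used so the same link cannot set a password twice. Returns None otherwise."""
    req = _reset_store.get(_hash_token(raw))
    if req is None or req.used or now > req.expires_at:
        return None
    req.used = True
    return req.user_email


def revoke_reset_tokens(user_email: str) -> int:
    """Invalidate every outstanding token for a user, e.g. once their password has changed."""
    count = 0
    for req in _reset_store.values():
        if req.user_email == user_email and not req.used:
            req.used = True
            count += 1
    return count
```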

User profile management

Each user can update their own profile from /profile/update:
  • First name and last name
  • Email address
  • Date of birth
  • Address
  • Phone number
  • Profile photo — uploading a new photo replaces the existing one
Changes are persisted immediately. The profile page also displays friendship status relative to other users, allowing users to send and manage friend requests.

Deleting your account

Users can permanently delete their own account from the profile page. The action requires a valid CSRF token and:
  1. Removes the user record from the database
  2. Invalidates the current session
  3. Clears the authentication token
  4. Redirects to the home page
Account deletion is irreversible. All associated data — bookings, cart items, orders, and ratings — linked to the user will be affected. Ensure clients understand this before confirming.

Admin: managing all users

Admins access the user management dashboard at /usersDash. The dashboard displays all registered users with pagination (5 per page).

Viewing users

The user table shows each user’s name, email, role, and verification status. Click any row to open the user’s profile view.

Creating a user (admin)

Admins can create users directly from the dashboard without going through the registration flow. The admin form requires:
  • All standard profile fields
  • Role selection
  • Password (hashed on save)
Admin-created accounts are automatically set to isVerified = true, bypassing email confirmation.

Editing a user

Admins can edit any user’s profile fields, including reassigning their role. Password updates via the admin edit form re-hash the new value before saving.

Deleting a user

Admins can delete any user account from the user table. The action requires a valid CSRF token.

Role assignment

Roles map to Symfony security roles as follows:
Role label              Symfony role                  Access
client                  ROLE_CLIENT                   Public store, film catalog, cinema booking
admin                   ROLE_ADMIN                    Full back-office access, user and cinema management
responsable de cinema   ROLE_RESPONSABLE_DE_CINEMA    Cinema, salle, and séance management for owned venues
All authenticated users also receive ROLE_USER automatically.
Role changes take effect on the user’s next login. Ask the user to log out and back in after a role update.
