From f8f2ce1ea612109bb2b0dc2140fc16cf5c880f96 Mon Sep 17 00:00:00 2001 From: kenjis Date: Wed, 21 Sep 2022 08:19:48 +0900 Subject: [PATCH] docs: add note about strong_password See https://github.com/codeigniter4/shield/pull/439#discussion_r974787536 and https://github.com/codeigniter4/shield/issues/438 --- docs/concepts.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/concepts.md b/docs/concepts.md index 530a0bd67..c8cafce74 100644 --- a/docs/concepts.md +++ b/docs/concepts.md @@ -88,3 +88,17 @@ public $passwordValidators = [ //'CodeIgniter\Shield\Authentication\Passwords\PwnedValidator', ]; ``` + +You use `strong_password` rule for password validation explained above. + +> **Note** +> The `strong_password` rule only supports use cases to check the user's own password. +> It fetches the authenticated user's data for **NothingPersonalValidator** +> if the visitor is authenticated. +> +> If you want to have use cases that set and check another user's password, +> you can't use `strong_password`. You need to use `service('passwords')` directly +> to check the password. +> +> But remember, it is not good practice to set passwords for other users. +> This is because the password should be known only by that user.
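Review bot: The added note in docs/concepts.md says to use `service('passwords')` directly when checking another user's password, but it does not show the call or how the target user is supplied. The reader is left to work out how to keep **NothingPersonalValidator** from checking against the authenticated user's data instead. A short example or a link after "to check the password." would close that gap. The note also says the rule fetches the authenticated user's data "if the visitor is authenticated" without stating what the rule does when the visitor is not authenticated, which deserves one sentence. Wording: the lead-in line would read better as "Use the `strong_password` rule for the password validation explained above."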