
#5746 (sfDoctrineGuardPlugin, admin generator and disabled security)


Ticket #5746 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

sfDoctrineGuardPlugin, admin generator and disabled security

Reported by: FX Poster
Assigned to: Jonathan.Wage
Priority: major
Milestone:
Component: sfDoctrineGuardPlugin
Version: 1.2.2
Keywords:
Cc:
Qualification: Unreviewed

Description

There is a problem in the sfGuardSecurityUser::hasCredential method, which returns inadequate results when global security is disabled.

sfBasicSecurityUser::hasCredential(array()) returns true in any case

However:

  • sfGuardSecurityUser::hasCredential(array()) returns true if the user is authenticated
  • sfGuardSecurityUser::hasCredential(array()) returns false if the user is not authenticated

It's interesting that Propel's sfGuardPlugin also has the same bug (or that's not a bug). But nevertheless, Doctrine's admin generator checks user credentials even if the needed credentials are empty, so if:

  1. myUser extends sfBasicSecurityUser
  2. is_secure is off
  3. user is not authenticated

then the user cannot enter the admin.

Propel's admin generator checks if credentials are empty, and only if they are - checks if they match for entering admin module.

So, there are two solutions:

  1. fix sfGuardSecurityUser (and, of course, Propel's version of this class)
  2. fix sfDoctrineGuardPlugin not to check credentials if they are empty (equally to sfGuardPlugin's behavior).

The solution for the second method is written in ticket #5738

Change History

02/25/09 16:42:54 changed by hartym

  • status changed from new to closed.
  • resolution set to fixed.

fixed by r15777 and r15776 (for doctrine and propel versions)
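The empty-credential behaviour described in this ticket, as an added example that is not part of the ticket and is not symfony's or the plugin's code. The names BasicUser, GuardUserAsReported, GuardUserSolution1 and generatorAllows are hypothetical stand-ins, and the shape of both solutions is an assumption; the last column shows that neither solution lets an anonymous user pass a non-empty requirement.

```php
<?php
// Simplified stand-ins for the classes named in the ticket (hypothetical, not symfony code).
class BasicUser
{
    protected $authenticated;
    protected $credentials;
    public function __construct($authenticated = false, array $credentials = array())
    {
        $this->authenticated = $authenticated;
        $this->credentials = $credentials;
    }
    // AND semantics over a flat list: an empty requirement is vacuously satisfied.
    public function hasCredential($required)
    {
        return count(array_diff((array) $required, $this->credentials)) === 0;
    }
}

// Behaviour reported in the ticket: the authentication test runs first,
// so an anonymous user is refused even when nothing is required.
class GuardUserAsReported extends BasicUser
{
    public function hasCredential($required)
    {
        return $this->authenticated && parent::hasCredential($required);
    }
}

// Solution 1 (assumed shape): short-circuit on an empty requirement inside the user class.
class GuardUserSolution1 extends GuardUserAsReported
{
    public function hasCredential($required)
    {
        return empty($required) || parent::hasCredential($required);
    }
}

// Solution 2 (assumed shape): the caller skips the check when nothing is required.
function generatorAllows(BasicUser $user, array $required)
{
    return empty($required) || $user->hasCredential($required);
}

// Constructed input: three anonymous users, one per variant.
foreach (array(new BasicUser(), new GuardUserAsReported(), new GuardUserSolution1()) as $user) {
    printf("%-19s empty=%s via-generator=%s admin=%s\n", get_class($user),
        var_export($user->hasCredential(array()), true),
        var_export(generatorAllows($user, array()), true),
        var_export($user->hasCredential(array('admin')), true));
}
```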
