fix : correctifs de sécurité et robustesse post-review

- MeProvider : guard null user avec AccessDeniedHttpException - MaintenanceToggleProcessor : vérification des opérations filesystem - User : restreindre Get/GetCollection aux ROLE_ADMIN - useAppVersion : corriger le path relatif '/version' Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:09:05 +02:00
parent b39e6f81d8
commit e8fc85c173
4 changed files with 19 additions and 7 deletions
--- a/frontend/composables/useAppVersion.ts
+++ b/frontend/composables/useAppVersion.ts
@@ -6,7 +6,7 @@ export function useAppVersion() {
        if (version.value) {
            return version.value
        }
-        const response = await api.get<{ version: string }>('version', {}, {
+        const response = await api.get<{ version: string }>('/version', {}, {
            toast: false
        })
        version.value = response.version
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@@ -28,9 +28,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
            normalizationContext: ['groups' => ['me:read']],
        ),
        new Get(
+            security: "is_granted('ROLE_ADMIN')",
            normalizationContext: ['groups' => ['user:list']],
        ),
        new GetCollection(
+            security: "is_granted('ROLE_ADMIN')",
            normalizationContext: ['groups' => ['user:list']],
        ),
        new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
--- a/src/State/MaintenanceToggleProcessor.php
+++ b/src/State/MaintenanceToggleProcessor.php
@@ -44,13 +44,17 @@ final readonly class MaintenanceToggleProcessor implements ProcessorInterface
        if ($data->maintenance) {
            $directory = dirname($maintenancePath);

-            if (!is_dir($directory)) {
-                mkdir($directory, 0755, true);
+            if (!is_dir($directory) && !mkdir($directory, 0755, true)) {
+                throw new \RuntimeException(sprintf('Cannot create directory "%s".', $directory));
            }

-            touch($maintenancePath);
+            if (!touch($maintenancePath)) {
+                throw new \RuntimeException(sprintf('Cannot create maintenance file at "%s".', $maintenancePath));
+            }
        } elseif (file_exists($maintenancePath)) {
-            unlink($maintenancePath);
+            if (!unlink($maintenancePath)) {
+                throw new \RuntimeException(sprintf('Cannot remove maintenance file at "%s".', $maintenancePath));
+            }
        }

        $dto              = new ManagedApplication();
--- a/src/State/MeProvider.php
+++ b/src/State/MeProvider.php
@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

 /**
 * @implements ProviderInterface<User>
@@ -20,7 +21,12 @@ final readonly class MeProvider implements ProviderInterface

    public function provide(Operation $operation, array $uriVariables = [], array $context = []): User
    {
-        // @var User $user
-        return $this->security->getUser();
+        $user = $this->security->getUser();
+
+        if (!$user instanceof User) {
+            throw new AccessDeniedHttpException('User not authenticated.');
+        }
+
+        return $user;
    }
 }