From e8fc85c17321a9f7cbe1a5d32b72396c6c5aad60 Mon Sep 17 00:00:00 2001
From: matthieu <matthieu@yuno.malio.fr>
Date: Fri, 3 Apr 2026 13:09:05 +0200
Subject: [PATCH] =?UTF-8?q?fix=20:=20correctifs=20de=20s=C3=A9curit=C3=A9?=
 =?UTF-8?q?=20et=20robustesse=20post-review?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- MeProvider : guard null user avec AccessDeniedHttpException
- MaintenanceToggleProcessor : vérification des opérations filesystem
- User : restreindre Get/GetCollection aux ROLE_ADMIN
- useAppVersion : corriger le path relatif '/version'

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 frontend/composables/useAppVersion.ts    |  2 +-
 src/Entity/User.php                      |  2 ++
 src/State/MaintenanceToggleProcessor.php | 12 ++++++++----
 src/State/MeProvider.php                 | 10 ++++++++--
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/frontend/composables/useAppVersion.ts b/frontend/composables/useAppVersion.ts
index 921f546..434b761 100644
--- a/frontend/composables/useAppVersion.ts
+++ b/frontend/composables/useAppVersion.ts
@@ -6,7 +6,7 @@ export function useAppVersion() {
         if (version.value) {
             return version.value
         }
-        const response = await api.get<{ version: string }>('version', {}, {
+        const response = await api.get<{ version: string }>('/version', {}, {
             toast: false
         })
         version.value = response.version
diff --git a/src/Entity/User.php b/src/Entity/User.php
index 4e1f44f..4f9728e 100644
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@@ -28,9 +28,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['me:read']],
         ),
         new Get(
+            security: "is_granted('ROLE_ADMIN')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new GetCollection(
+            security: "is_granted('ROLE_ADMIN')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
diff --git a/src/State/MaintenanceToggleProcessor.php b/src/State/MaintenanceToggleProcessor.php
index 13f536d..3bf4b16 100644
--- a/src/State/MaintenanceToggleProcessor.php
+++ b/src/State/MaintenanceToggleProcessor.php
@@ -44,13 +44,17 @@ final readonly class MaintenanceToggleProcessor implements ProcessorInterface
         if ($data->maintenance) {
             $directory = dirname($maintenancePath);
 
-            if (!is_dir($directory)) {
-                mkdir($directory, 0755, true);
+            if (!is_dir($directory) && !mkdir($directory, 0755, true)) {
+                throw new \RuntimeException(sprintf('Cannot create directory "%s".', $directory));
             }
 
-            touch($maintenancePath);
+            if (!touch($maintenancePath)) {
+                throw new \RuntimeException(sprintf('Cannot create maintenance file at "%s".', $maintenancePath));
+            }
         } elseif (file_exists($maintenancePath)) {
-            unlink($maintenancePath);
+            if (!unlink($maintenancePath)) {
+                throw new \RuntimeException(sprintf('Cannot remove maintenance file at "%s".', $maintenancePath));
+            }
         }
 
         $dto              = new ManagedApplication();
diff --git a/src/State/MeProvider.php b/src/State/MeProvider.php
index f2866a7..acfcc51 100644
--- a/src/State/MeProvider.php
+++ b/src/State/MeProvider.php
@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
  * @implements ProviderInterface<User>
@@ -20,7 +21,12 @@ final readonly class MeProvider implements ProviderInterface
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): User
     {
-        // @var User $user
-        return $this->security->getUser();
+        $user = $this->security->getUser();
+
+        if (!$user instanceof User) {
+            throw new AccessDeniedHttpException('User not authenticated.');
+        }
+
+        return $user;
     }
 }