MALIO-DEV/Central
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix : correctifs de sécurité et robustesse post-review
Some checks failed
Auto Tag Develop / tag (push) Has been cancelled
Details

Browse Source 
- MeProvider : guard null user avec AccessDeniedHttpException
- MaintenanceToggleProcessor : vérification des opérations filesystem
- User : restreindre Get/GetCollection aux ROLE_ADMIN
- useAppVersion : corriger le path relatif '/version'

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
THOLOT DECHENE Matthieu
2026-04-03 13:09:05 +02:00
parent b39e6f81d8
commit e8fc85c173
4 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
frontend/composables/useAppVersion.ts
View File

@@ -6,7 +6,7 @@ export function useAppVersion() {
if (version.value) { if (version.value) {
return version.value return version.value
} }
const response = await api.get<{ version: string }>('version', {}, { const response = await api.get<{ version: string }>('/version', {}, {
toast: false toast: false
}) })
version.value = response.version version.value = response.version

2
src/Entity/User.php
View File

@@ -28,9 +28,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
normalizationContext: ['groups' => ['me:read']], normalizationContext: ['groups' => ['me:read']],
), ),
new Get( new Get(
security: "is_granted('ROLE_ADMIN')",
normalizationContext: ['groups' => ['user:list']], normalizationContext: ['groups' => ['user:list']],
), ),
new GetCollection( new GetCollection(
security: "is_granted('ROLE_ADMIN')",
normalizationContext: ['groups' => ['user:list']], normalizationContext: ['groups' => ['user:list']],
), ),
new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class), new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),

12
src/State/MaintenanceToggleProcessor.php
View File

@@ -44,13 +44,17 @@ final readonly class MaintenanceToggleProcessor implements ProcessorInterface
if ($data->maintenance) { if ($data->maintenance) {
$directory = dirname($maintenancePath); $directory = dirname($maintenancePath);
if (!is_dir($directory)) { if (!is_dir($directory) && !mkdir($directory, 0755, true)) {
mkdir($directory, 0755, true); throw new \RuntimeException(sprintf('Cannot create directory "%s".', $directory));
} }
touch($maintenancePath); if (!touch($maintenancePath)) {
throw new \RuntimeException(sprintf('Cannot create maintenance file at "%s".', $maintenancePath));
}
} elseif (file_exists($maintenancePath)) { } elseif (file_exists($maintenancePath)) {
unlink($maintenancePath); if (!unlink($maintenancePath)) {
throw new \RuntimeException(sprintf('Cannot remove maintenance file at "%s".', $maintenancePath));
}
} }
$dto = new ManagedApplication(); $dto = new ManagedApplication();

10
src/State/MeProvider.php
View File

@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface; use ApiPlatform\State\ProviderInterface;
use App\Entity\User; use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security; use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
/** /**
* @implements ProviderInterface<User> * @implements ProviderInterface<User>
@@ -20,7 +21,12 @@ final readonly class MeProvider implements ProviderInterface
public function provide(Operation $operation, array $uriVariables = [], array $context = []): User public function provide(Operation $operation, array $uriVariables = [], array $context = []): User
{ {
// @var User $user $user = $this->security->getUser();
return $this->security->getUser();
if (!$user instanceof User) {
throw new AccessDeniedHttpException('User not authenticated.');
}
return $user;
} }
} }