MALIO-DEV/Coltura
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(core) : RBAC - rendre le catalogue permissions accessible a tout user authentifie

Browse Source 
La permission core.permissions.view est supprimee du CoreModule.
Le endpoint GET /api/permissions est desormais protege par ROLE_USER
au lieu d'une permission RBAC specifique, car c'est un catalogue
de metadonnees necessaire aux drawers de gestion des roles et users.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matthieu
2026-04-16 16:27:32 +02:00
parent 6395f4cced
commit 60e424393c
3 changed files with 6 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/Module/Core/CoreModule.php
View File

@@ -34,7 +34,6 @@ final class CoreModule
['code' => 'core.users.manage', 'label' => 'Gerer les utilisateurs (creer, editer, supprimer)'],
['code' => 'core.roles.view', 'label' => 'Voir les roles RBAC'],
['code' => 'core.roles.manage', 'label' => 'Gerer les roles et permissions'],
['code' => 'core.permissions.view', 'label' => 'Voir le catalogue des permissions'],
];
}
}

4
src/Module/Core/Domain/Entity/Permission.php
View File

@@ -19,11 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
operations: [
new GetCollection(
normalizationContext: ['groups' => ['permission:read']],
security: "is_granted('core.permissions.view')",
security: "is_granted('ROLE_USER')",
),
new Get(
normalizationContext: ['groups' => ['permission:read']],
security: "is_granted('core.permissions.view')",
security: "is_granted('ROLE_USER')",
),
],
)]

43
tests/Module/Core/Api/PermissionApiTest.php
View File

@@ -166,51 +166,16 @@ final class PermissionApiTest extends AbstractApiTestCase
self::assertResponseStatusCodeSame(401);
}
public function testNonAdminReturns403(): void
public function testStandardUserCanListPermissions(): void
{
// Le catalogue de permissions est accessible a tout utilisateur authentifie.
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/permissions');
self::assertResponseStatusCodeSame(403);
}
// --- Tests voter RBAC : non-admin avec / sans permission ---
public function testListPermissionsAsUserWithViewPermissionReturns200(): void
{
// Un non-admin portant core.permissions.view doit pouvoir lister.
$credentials = $this->createUserWithPermission('core.permissions.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('GET', '/api/permissions');
self::assertResponseIsSuccessful();
}
public function testListPermissionsAsStandardUserReturns403(): void
{
// alice n'a aucune permission RBAC : acces refuse.
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/permissions');
self::assertResponseStatusCodeSame(403);
}
public function testGetPermissionAsUserWithViewPermissionReturns200(): void
{
// Recupere l'id d'une permission existante pour construire l'URL GET item.
$permission = $this->getEm()->getRepository(Permission::class)
->findOneBy(['code' => 'test.core.users.view'])
;
self::assertNotNull($permission);
$credentials = $this->createUserWithPermission('core.permissions.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('GET', '/api/permissions/'.$permission->getId());
self::assertResponseIsSuccessful();
}
public function testGetPermissionAsStandardUserReturns403(): void
public function testStandardUserCanGetPermission(): void
{
$permission = $this->getEm()->getRepository(Permission::class)
->findOneBy(['code' => 'test.core.users.view'])
@@ -220,7 +185,7 @@ final class PermissionApiTest extends AbstractApiTestCase
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/permissions/'.$permission->getId());
self::assertResponseStatusCodeSame(403);
self::assertResponseIsSuccessful();
}
private function cleanupTestPermissions(): void