From 60e424393c33214f840a20a387a3547b83e7d2fc Mon Sep 17 00:00:00 2001 From: Matthieu Date: Thu, 16 Apr 2026 16:27:32 +0200 Subject: [PATCH] refactor(core) : RBAC - rendre le catalogue permissions accessible a tout user authentifie La permission core.permissions.view est supprimee du CoreModule. Le endpoint GET /api/permissions est desormais protege par ROLE_USER au lieu d'une permission RBAC specifique, car c'est un catalogue de metadonnees necessaire aux drawers de gestion des roles et users. Co-Authored-By: Claude Opus 4.6 (1M context) --- src/Module/Core/CoreModule.php | 1 - src/Module/Core/Domain/Entity/Permission.php | 4 +- tests/Module/Core/Api/PermissionApiTest.php | 43 ++------------------ 3 files changed, 6 insertions(+), 42 deletions(-) diff --git a/src/Module/Core/CoreModule.php b/src/Module/Core/CoreModule.php index e8a4e30..5b9b3d8 100644 --- a/src/Module/Core/CoreModule.php +++ b/src/Module/Core/CoreModule.php @@ -34,7 +34,6 @@ final class CoreModule ['code' => 'core.users.manage', 'label' => 'Gerer les utilisateurs (creer, editer, supprimer)'], ['code' => 'core.roles.view', 'label' => 'Voir les roles RBAC'], ['code' => 'core.roles.manage', 'label' => 'Gerer les roles et permissions'], - ['code' => 'core.permissions.view', 'label' => 'Voir le catalogue des permissions'], ]; } } diff --git a/src/Module/Core/Domain/Entity/Permission.php b/src/Module/Core/Domain/Entity/Permission.php index 7ef7278..e780ff3 100644 --- a/src/Module/Core/Domain/Entity/Permission.php +++ b/src/Module/Core/Domain/Entity/Permission.php @@ -19,11 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups; operations: [ new GetCollection( normalizationContext: ['groups' => ['permission:read']], - security: "is_granted('core.permissions.view')", + security: "is_granted('ROLE_USER')", ), new Get( normalizationContext: ['groups' => ['permission:read']], - security: "is_granted('core.permissions.view')", + security: "is_granted('ROLE_USER')", ), ], )] 
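Review bot: `is_granted('ROLE_USER')` on the two new `security:` lines of GetCollection and Get only matches the stated intent ("tout user authentifie") if every account is guaranteed to carry ROLE_USER, which depends on the User entity's getRoles() or on role_hierarchy rather than on authentication itself; if the rule really is "any logged-in user", `security: "is_granted('IS_AUTHENTICATED_FULLY')"` says that directly and neither lets a role set without ROLE_USER slip through the wrong way nor locks out an admin whose roles omit it. With the catalogue open to every user, the `permission:read` group is now the only thing bounding what a low-privilege account learns about the authorization model; if Permission has an inverse relation to roles or users, it should stay out of that group so the listing reveals codes and labels but not who holds them (the entity's properties are not in this hunk, so worth confirming). Dropping `core.permissions.view` from CoreModule's catalogue does not by itself remove Permission rows or role assignments already persisted under that code, so a migration or the catalogue sync (if there is one) should delete them rather than leave a dangling permission no voter checks anymore. The operations list is shown in full, but the enclosing `#[ApiResource(...)]` attribute and the class start before and end after the hunk.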
diff --git a/tests/Module/Core/Api/PermissionApiTest.php b/tests/Module/Core/Api/PermissionApiTest.php index d9c6609..dc06f3d 100644 --- a/tests/Module/Core/Api/PermissionApiTest.php +++ b/tests/Module/Core/Api/PermissionApiTest.php 
@@ -166,51 +166,16 @@ final class PermissionApiTest extends AbstractApiTestCase self::assertResponseStatusCodeSame(401); } - public function testNonAdminReturns403(): void + public function testStandardUserCanListPermissions(): void { + // Le catalogue de permissions est accessible a tout utilisateur authentifie. $client = $this->authenticatedClient('alice', 'alice'); $client->request('GET', '/api/permissions'); - self::assertResponseStatusCodeSame(403); - } - - // --- Tests voter RBAC : non-admin avec / sans permission --- - - public function testListPermissionsAsUserWithViewPermissionReturns200(): void - { - // Un non-admin portant core.permissions.view doit pouvoir lister. - $credentials = $this->createUserWithPermission('core.permissions.view'); - $client = $this->authenticatedClient($credentials['username'], $credentials['password']); - $client->request('GET', '/api/permissions'); - self::assertResponseIsSuccessful(); } - public function testListPermissionsAsStandardUserReturns403(): void - { - // alice n'a aucune permission RBAC : acces refuse. - $client = $this->authenticatedClient('alice', 'alice'); - $client->request('GET', '/api/permissions'); - - self::assertResponseStatusCodeSame(403); - } - - public function testGetPermissionAsUserWithViewPermissionReturns200(): void - { - // Recupere l'id d'une permission existante pour construire l'URL GET item. 
- $permission = $this->getEm()->getRepository(Permission::class) - ->findOneBy(['code' => 'test.core.users.view']) - ; - self::assertNotNull($permission); - - $credentials = $this->createUserWithPermission('core.permissions.view'); - $client = $this->authenticatedClient($credentials['username'], $credentials['password']); - $client->request('GET', '/api/permissions/'.$permission->getId()); - - self::assertResponseIsSuccessful(); - } - - public function testGetPermissionAsStandardUserReturns403(): void + public function testStandardUserCanGetPermission(): void { $permission = $this->getEm()->getRepository(Permission::class) ->findOneBy(['code' => 'test.core.users.view']) @@ -220,7 +185,7 @@ final class PermissionApiTest extends AbstractApiTestCase $client = $this->authenticatedClient('alice', 'alice'); $client->request('GET', '/api/permissions/'.$permission->getId()); - self::assertResponseStatusCodeSame(403); + self::assertResponseIsSuccessful(); } private function cleanupTestPermissions(): void
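Review bot: `testStandardUserCanListPermissions` and `testStandardUserCanGetPermission` now assert only a 2xx status, so nothing pins what the newly opened catalogue actually hands to a low-privilege user. Since this commit also drops `core.permissions.view` from the CoreModule catalogue, the list test is the natural place to check the response body — e.g. `$body = $client->getResponse()->getContent();` followed by `self::assertStringContainsString('test.core.users.view', $body);` and `self::assertStringNotContainsString('core.permissions.view', $body);` (the second only if the catalogue is synced into the permissions table, which this diff does not show) — and, if Permission serializes any relation to roles or users, that the `permission:read` payload does not include it. The deleted `testListPermissionsAsUserWithViewPermissionReturns200` and its GET-item twin were the only visible callers of `createUserWithPermission()`; if nothing else in the suite uses that helper it is now dead code. The first hunk opens on the closing lines of a preceding test whose start is outside the hunk, and `cleanupTestPermissions()` at the end of the second hunk continues outside it.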