feat(core) : RBAC - filtrage sidebar par permission

Les items sidebar peuvent declarer une cle `permission` optionnelle. Le SidebarProvider verifie isGranted() et masque les items dont l'utilisateur ne possede pas la permission requise. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 15:08:58 +02:00
parent 793c58a4a8
commit 6395f4cced
2 changed files with 27 additions and 10 deletions
--- a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
+++ b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
@@ -7,6 +7,7 @@ namespace App\Shared\Infrastructure\ApiPlatform\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Bundle\SecurityBundle\Security;

 /**
 * @implements ProviderInterface<object>
@@ -16,10 +17,10 @@ class SidebarProvider implements ProviderInterface
    /** @var list<string> */
    private readonly array $activeModuleIds;

-    /** @var list<array{label: string, icon: string, items: list<array{label: string, to: string, icon: string, module: string}>}> */
+    /** @var list<array{label: string, icon: string, items: list<array{label: string, to: string, icon: string, module: string, permission?: string}>}> */
    private readonly array $sidebarConfig;

-    public function __construct()
+    public function __construct(private readonly Security $security)
    {
        $configDir = dirname(__DIR__, 5).'/config';

@@ -58,6 +59,18 @@ class SidebarProvider implements ProviderInterface
                    continue;
                }

+                // Filtrage par permission RBAC : si l'item declare une permission
+                // requise et que l'utilisateur courant ne la possede pas, l'item
+                // est masque et sa route ajoutee aux routes desactivees.
+                $requiredPermission = $item['permission'] ?? null;
+                if (null !== $requiredPermission && !$this->security->isGranted($requiredPermission)) {
+                    if (isset($item['to'])) {
+                        $disabledRoutes[] = $item['to'];
+                    }
+
+                    continue;
+                }
+
                $items[] = [
                    'label' => $item['label'],
                    'to'    => $item['to'],