| Numéro du ticket | Titre du ticket | |------------------|-----------------| | | | ## Description de la PR ## Modification du .env ## Check list - [x] Pas de régression - [x] TU/TI/TF rédigée - [x] TU/TI/TF OK - [ ] CHANGELOG modifié Co-authored-by: Matthieu <mtholot19@gmail.com> Reviewed-on: #8 Co-authored-by: tristan <tristan@yuno.malio.fr> Co-committed-by: tristan <tristan@yuno.malio.fr>
This commit was merged in pull request #8.
This commit is contained in:
@@ -9,6 +9,7 @@ use ApiPlatform\Symfony\Bundle\Test\Client;
|
||||
use App\Module\Core\Domain\Entity\Permission;
|
||||
use App\Module\Core\Domain\Entity\Role;
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\Sites\Domain\Entity\Site;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
|
||||
|
||||
@@ -123,6 +124,19 @@ abstract class AbstractApiTestCase extends ApiTestCase
|
||||
$user->setIsAdmin(false);
|
||||
$user->setPassword($hasher->hashPassword($user, $password));
|
||||
$user->addRbacRole($role);
|
||||
|
||||
// Le helper attache le user jetable a tous les sites existants pour
|
||||
// neutraliser le filtrage par UserSiteScopedExtension : la plupart
|
||||
// des tests assume une visibilite globale sur les users cibles. Les
|
||||
// tests qui valident le comportement "sans sites" doivent creer leur
|
||||
// user a la main (pas via ce helper).
|
||||
$siteRepository = $em->getRepository(Site::class);
|
||||
if (null !== $siteRepository) {
|
||||
foreach ($siteRepository->findAll() as $site) {
|
||||
$user->addSite($site);
|
||||
}
|
||||
}
|
||||
|
||||
$em->persist($user);
|
||||
|
||||
$em->flush();
|
||||
@@ -130,4 +144,34 @@ abstract class AbstractApiTestCase extends ApiTestCase
|
||||
|
||||
return ['username' => $username, 'password' => $password];
|
||||
}
|
||||
|
||||
/**
|
||||
* Skip le test courant si le module Sites est desactive dans
|
||||
* `config/modules.php` de l'environnement de test.
|
||||
*
|
||||
* Mecanisme : on cherche la permission `sites.view` en base. Si le
|
||||
* module Sites est desactive, `app:sync-permissions` aura marque cette
|
||||
* permission comme orpheline et l'aura supprimee de la table — donc
|
||||
* `findOneBy(['code' => 'sites.view'])` renvoie null.
|
||||
*
|
||||
* Quand utiliser ce helper : tests qui s'appuient sur
|
||||
* `createUserWithPermission('sites.*')`. Les tests qui utilisent
|
||||
* uniquement l'admin (qui bypass via isAdmin) n'en ont pas besoin :
|
||||
* la classe Site reste mappee Doctrine et exposee via API Platform
|
||||
* meme module desactive (mapping inconditionnel, decision assumee
|
||||
* ticket 1).
|
||||
*/
|
||||
protected function skipIfSitesModuleDisabled(): void
|
||||
{
|
||||
if (!self::$kernel) {
|
||||
self::bootKernel();
|
||||
}
|
||||
$perm = $this->getEm()
|
||||
->getRepository(Permission::class)
|
||||
->findOneBy(['code' => 'sites.view'])
|
||||
;
|
||||
if (null === $perm) {
|
||||
self::markTestSkipped('Module Sites desactive : permission sites.view introuvable en base.');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7,6 +7,7 @@ namespace App\Tests\Module\Core\Api;
|
||||
use App\Module\Core\Domain\Entity\Permission;
|
||||
use App\Module\Core\Domain\Entity\Role;
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\Sites\Domain\Entity\Site;
|
||||
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
|
||||
|
||||
/**
|
||||
@@ -41,11 +42,18 @@ final class UserRbacApiTest extends AbstractApiTestCase
|
||||
/** @var UserPasswordHasherInterface $hasher */
|
||||
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
|
||||
|
||||
// User cible standard (non admin).
|
||||
// User cible standard (non admin). On lui attache tous les sites
|
||||
// fixtures pour rester visible depuis les callers non-admin munis de
|
||||
// sites (cf. UserSiteScopedExtension qui filtre `/api/users` par
|
||||
// intersection de sites). Sans cela, un user `core.users.manage`
|
||||
// sans site commun avec test_target recevrait un 404 sur le PATCH.
|
||||
$target = new User();
|
||||
$target->setUsername('test_target');
|
||||
$target->setIsAdmin(false);
|
||||
$target->setPassword($hasher->hashPassword($target, 'secret'));
|
||||
foreach ($em->getRepository(Site::class)->findAll() as $site) {
|
||||
$target->addSite($site);
|
||||
}
|
||||
$em->persist($target);
|
||||
|
||||
// User admin dedie pour le cas d'auto-suicide (pas l'admin fixture).
|
||||
|
||||
189
tests/Module/Core/Api/UserRbacSitesApiTest.php
Normal file
189
tests/Module/Core/Api/UserRbacSitesApiTest.php
Normal file
@@ -0,0 +1,189 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Module\Core\Api;
|
||||
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\Sites\Domain\Entity\Site;
|
||||
|
||||
/**
|
||||
* Tests d'extension de l'endpoint PATCH /api/users/{id}/rbac pour assigner
|
||||
* des sites a un user, avec les deux gardes post-persist :
|
||||
* - si currentSite n'est plus dans sites → null ;
|
||||
* - si currentSite null ET sites non vide → auto-select premier site.
|
||||
*
|
||||
* @internal
|
||||
*/
|
||||
final class UserRbacSitesApiTest extends AbstractApiTestCase
|
||||
{
|
||||
public function testAdminCanAssignSitesToUser(): void
|
||||
{
|
||||
$em = $this->getEm();
|
||||
$saintJean = $em->getRepository(Site::class)->findOneBy(['name' => 'Saint-Jean']);
|
||||
self::assertNotNull($saintJean);
|
||||
|
||||
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
|
||||
$aliceId = $alice->getId();
|
||||
$em->clear();
|
||||
|
||||
$client = $this->authenticatedClient('admin', 'admin');
|
||||
$client->request('PATCH', '/api/users/'.$aliceId.'/rbac', [
|
||||
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
||||
'json' => [
|
||||
'sites' => ['/api/sites/'.$saintJean->getId()],
|
||||
],
|
||||
]);
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
|
||||
// Verification cote base.
|
||||
$em = $this->getEm();
|
||||
$em->clear();
|
||||
$reloaded = $em->getRepository(User::class)->find($aliceId);
|
||||
self::assertNotNull($reloaded);
|
||||
self::assertCount(1, $reloaded->getSites());
|
||||
self::assertSame('Saint-Jean', $reloaded->getSites()->first()->getName());
|
||||
|
||||
// Restauration pour ne pas polluer les autres tests.
|
||||
$this->restoreAliceSites();
|
||||
}
|
||||
|
||||
public function testRemovingCurrentSiteResetsCurrentSiteToNullThenAutoSelectsFirst(): void
|
||||
{
|
||||
// alice a actuellement {Chatellerault}, currentSite=Chatellerault.
|
||||
// On lui attribue {Saint-Jean} : Chatellerault disparait → currentSite
|
||||
// devrait temporairement etre null, PUIS auto-select Saint-Jean (seul
|
||||
// site restant).
|
||||
$em = $this->getEm();
|
||||
$saintJean = $em->getRepository(Site::class)->findOneBy(['name' => 'Saint-Jean']);
|
||||
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
|
||||
$aliceId = $alice->getId();
|
||||
$em->clear();
|
||||
|
||||
$client = $this->authenticatedClient('admin', 'admin');
|
||||
$client->request('PATCH', '/api/users/'.$aliceId.'/rbac', [
|
||||
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
||||
'json' => [
|
||||
'sites' => ['/api/sites/'.$saintJean->getId()],
|
||||
],
|
||||
]);
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
|
||||
$em = $this->getEm();
|
||||
$em->clear();
|
||||
$reloaded = $em->getRepository(User::class)->find($aliceId);
|
||||
self::assertNotNull($reloaded->getCurrentSite());
|
||||
self::assertSame('Saint-Jean', $reloaded->getCurrentSite()->getName());
|
||||
|
||||
$this->restoreAliceSites();
|
||||
}
|
||||
|
||||
public function testEmptySitesPayloadResetsCurrentSiteToNull(): void
|
||||
{
|
||||
$em = $this->getEm();
|
||||
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
|
||||
$aliceId = $alice->getId();
|
||||
$em->clear();
|
||||
|
||||
$client = $this->authenticatedClient('admin', 'admin');
|
||||
$client->request('PATCH', '/api/users/'.$aliceId.'/rbac', [
|
||||
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
||||
'json' => [
|
||||
'sites' => [],
|
||||
],
|
||||
]);
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
|
||||
$em = $this->getEm();
|
||||
$em->clear();
|
||||
$reloaded = $em->getRepository(User::class)->find($aliceId);
|
||||
self::assertCount(0, $reloaded->getSites());
|
||||
self::assertNull($reloaded->getCurrentSite());
|
||||
|
||||
$this->restoreAliceSites();
|
||||
}
|
||||
|
||||
public function testCurrentSiteFieldInRbacPayloadIsSilentlyIgnored(): void
|
||||
{
|
||||
// Garde structurelle : `currentSite` n'est pas dans le groupe
|
||||
// user:rbac:write. Un client malveillant qui essaierait de set un
|
||||
// currentSite arbitraire via /rbac doit etre silencieusement
|
||||
// ignore (le seul flux autorise est PATCH /me/current-site).
|
||||
$em = $this->getEm();
|
||||
$pommevic = $em->getRepository(Site::class)->findOneBy(['name' => 'Pommevic']);
|
||||
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
|
||||
$aliceId = $alice->getId();
|
||||
$em->clear();
|
||||
|
||||
$client = $this->authenticatedClient('admin', 'admin');
|
||||
$client->request('PATCH', '/api/users/'.$aliceId.'/rbac', [
|
||||
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
||||
'json' => [
|
||||
'currentSite' => '/api/sites/'.$pommevic->getId(),
|
||||
],
|
||||
]);
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
|
||||
// alice n'a Pommevic ni dans ses sites ni en currentSite (le champ
|
||||
// a ete ignore par le denormalizer). Son currentSite reste son
|
||||
// Chatellerault d'origine.
|
||||
$em = $this->getEm();
|
||||
$em->clear();
|
||||
$reloaded = $em->getRepository(User::class)->find($aliceId);
|
||||
self::assertNotNull($reloaded);
|
||||
self::assertNotNull($reloaded->getCurrentSite());
|
||||
self::assertSame('Chatellerault', $reloaded->getCurrentSite()->getName());
|
||||
}
|
||||
|
||||
public function testRbacPatchWithoutSitesFieldDoesNotChangeCurrentSite(): void
|
||||
{
|
||||
// Garde structurelle : si le payload /rbac ne contient pas le champ
|
||||
// `sites`, ensureCurrentSiteConsistency ne doit pas auto-modifier
|
||||
// le currentSite (alice avait deja Chatellerault). Un PATCH qui
|
||||
// change uniquement isAdmin ou roles ne doit pas remuer la
|
||||
// configuration site de l'user.
|
||||
$em = $this->getEm();
|
||||
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
|
||||
$aliceId = $alice->getId();
|
||||
$em->clear();
|
||||
|
||||
$client = $this->authenticatedClient('admin', 'admin');
|
||||
$client->request('PATCH', '/api/users/'.$aliceId.'/rbac', [
|
||||
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
||||
'json' => [
|
||||
'isAdmin' => false,
|
||||
],
|
||||
]);
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
|
||||
$em = $this->getEm();
|
||||
$em->clear();
|
||||
$reloaded = $em->getRepository(User::class)->find($aliceId);
|
||||
self::assertNotNull($reloaded->getCurrentSite());
|
||||
self::assertSame('Chatellerault', $reloaded->getCurrentSite()->getName());
|
||||
}
|
||||
|
||||
/**
|
||||
* Remet alice dans l'etat des fixtures : un seul site Chatellerault,
|
||||
* currentSite Chatellerault. Evite la pollution inter-tests.
|
||||
*/
|
||||
private function restoreAliceSites(): void
|
||||
{
|
||||
$em = $this->getEm();
|
||||
$chatellerault = $em->getRepository(Site::class)->findOneBy(['name' => 'Chatellerault']);
|
||||
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
|
||||
|
||||
// Reset complet des sites
|
||||
foreach ($alice->getSites() as $existing) {
|
||||
$alice->removeSite($existing);
|
||||
}
|
||||
$alice->addSite($chatellerault);
|
||||
$alice->setCurrentSite($chatellerault);
|
||||
$em->flush();
|
||||
}
|
||||
}
|
||||
@@ -50,6 +50,14 @@ final class UserRbacProcessorTest extends TestCase
|
||||
|
||||
$this->entityManager->method('getUnitOfWork')->willReturn($this->unitOfWork);
|
||||
|
||||
// wrapInTransaction doit executer reellement la closure pour que le
|
||||
// resultat de persistProcessor->process() soit capture dans $result.
|
||||
// Sans ce stub, la closure n'est jamais invoquee et $result reste null.
|
||||
$this->entityManager
|
||||
->method('wrapInTransaction')
|
||||
->willReturnCallback(static fn (callable $fn) => $fn())
|
||||
;
|
||||
|
||||
$this->processor = new UserRbacProcessor(
|
||||
$this->persistProcessor,
|
||||
$this->entityManager,
|
||||
|
||||
Reference in New Issue
Block a user