test(core) : RBAC #345 - functional coverage voter + last admin guard

2026-04-15 16:16:30 +02:00
parent d1e4402368
commit 6df4316950
5 changed files with 438 additions and 1 deletions
--- a/tests/Module/Core/Api/RoleApiTest.php
+++ b/tests/Module/Core/Api/RoleApiTest.php
@@ -368,6 +368,85 @@ final class RoleApiTest extends AbstractApiTestCase
        self::assertResponseStatusCodeSame(403);
    }

+    // --- Tests voter RBAC : non-admin avec / sans permission ---
+
+    public function testListRolesAsUserWithViewPermissionReturns200(): void
+    {
+        // Un non-admin portant core.roles.view doit pouvoir lister les roles.
+        $credentials = $this->createUserWithPermission('core.roles.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testListRolesAsUserWithOnlyManagePermissionReturns403(): void
+    {
+        // Un user avec uniquement core.roles.manage ne peut PAS lister (list/get
+        // exige core.roles.view, cf. spec section 3 ticket-345).
+        $credentials = $this->createUserWithPermission('core.roles.manage');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testListRolesAsStandardUserReturns403(): void
+    {
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testCreateRoleAsUserWithManagePermissionReturns201(): void
+    {
+        // Un non-admin portant core.roles.manage doit pouvoir creer un role.
+        $credentials = $this->createUserWithPermission('core.roles.manage');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $response    = $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'  => 'test_created_by_manager',
+                'label' => 'Role cree par manager (test)',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(201);
+        $data = $response->toArray();
+        self::assertSame('test_created_by_manager', $data['code']);
+    }
+
+    public function testCreateRoleAsUserWithOnlyViewPermissionReturns403(): void
+    {
+        // Un user avec core.roles.view uniquement ne peut pas creer (POST exige .manage).
+        $credentials = $this->createUserWithPermission('core.roles.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'  => 'test_shouldnotcreate',
+                'label' => 'Ne doit pas etre cree',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testCreateRoleAsStandardUserReturns403(): void
+    {
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'  => 'test_shouldnotcreate_alice',
+                'label' => 'Ne doit pas etre cree',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
    /**
     * Purge les donnees de test (roles et permissions prefixees `test.`).
     * Ne touche JAMAIS aux roles systeme `admin` et `user` charges par les