test(core) : RBAC #345 - functional coverage voter + last admin guard

tests/Module/Core/Api/UserRbacApiTest.php

@@ -224,6 +224,40 @@ final class UserRbacApiTest extends AbstractApiTestCase
         self::assertFalse($reloaded->isAdmin());
     }
 
+    // --- Tests voter RBAC : non-admin avec / sans permission ---
+
+    public function testPatchRbacAsUserWithManagePermissionReturns200(): void
+    {
+        // Un non-admin portant core.users.manage doit pouvoir appeler PATCH /rbac.
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $credentials = $this->createUserWithPermission('core.users.manage');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => false],
+        ]);
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testPatchRbacAsUserWithOnlyViewPermissionReturns403(): void
+    {
+        // Un user avec core.users.view uniquement ne peut pas ecrire via /rbac.
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $credentials = $this->createUserWithPermission('core.users.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => true],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
     public function testPatchRbacSelfRemovingAdminReturns400(): void
     {
         // On utilise le user admin dedie (test_self_admin) pour ne pas