feat(core) : RBAC #344 - API Platform Role CRUD nominal + validators

2026-04-15 11:41:21 +02:00
parent f79f061131
commit 7be0260b29
2 changed files with 383 additions and 0 deletions
--- a/src/Module/Core/Domain/Entity/Role.php
+++ b/src/Module/Core/Domain/Entity/Role.php
@@ -4,12 +4,24 @@ declare(strict_types=1);

 namespace App\Module\Core\Domain\Entity;

+use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
 use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
+use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Serializer\Attribute\SerializedName;
+use Symfony\Component\Validator\Constraints as Assert;

 /**
 * Role RBAC : groupe nomme de permissions assignable a un utilisateur.
@@ -18,27 +30,72 @@ use Doctrine\ORM\Mapping as ORM;
 * "personnalise" (cree par un administrateur). Seuls les roles personnalises
 * peuvent etre supprimes.
 */
+#[ApiResource(
+    operations: [
+        new GetCollection(
+            normalizationContext: ['groups' => ['role:read']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Get(
+            normalizationContext: ['groups' => ['role:read']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Post(
+            normalizationContext: ['groups' => ['role:read']],
+            denormalizationContext: ['groups' => ['role:write']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Patch(
+            normalizationContext: ['groups' => ['role:read']],
+            denormalizationContext: ['groups' => ['role:write']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Delete(
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+    ],
+    normalizationContext: ['groups' => ['role:read']],
+    denormalizationContext: ['groups' => ['role:write']],
+)]
+#[ApiFilter(BooleanFilter::class, properties: ['isSystem'])]
 #[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
 #[ORM\Table(name: '`role`')]
 #[ORM\UniqueConstraint(name: 'uniq_role_code', columns: ['code'])]
 #[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
+#[UniqueEntity(fields: ['code'], message: 'Un role avec ce code existe deja.')]
 class Role
 {
    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column]
+    #[Groups(['role:read'])]
    private ?int $id = null;

    #[ORM\Column(length: 100)]
+    #[Groups(['role:read', 'role:write'])]
+    #[Assert\NotBlank]
+    #[Assert\Regex(pattern: '/^[a-z][a-z0-9_]*$/', message: 'Le code doit etre en snake_case et commencer par une lettre minuscule.')]
    private string $code;

    #[ORM\Column(length: 255)]
+    #[Groups(['role:read', 'role:write'])]
+    #[Assert\NotBlank]
    private string $label;

    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['role:read', 'role:write'])]
    private ?string $description = null;

+    // Volontairement exclu du groupe `role:write` : un client ne doit jamais
+    // pouvoir positionner ce flag via l'API. Seules les fixtures et migrations
+    // creent les roles systeme.
    #[ORM\Column(name: 'is_system', options: ['default' => false])]
+    #[Groups(['role:read'])]
    private bool $isSystem = false;

    /** @var Collection<int, Permission> */
@@ -53,6 +110,7 @@ class Role
    //   projection cachee (ticket a ouvrir a ce moment-la).
    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
    #[ORM\JoinTable(name: 'role_permission')]
+    #[Groups(['role:read', 'role:write'])]
    private Collection $permissions;

    public function __construct(string $code, string $label, bool $isSystem = false, ?string $description = null)
@@ -84,6 +142,12 @@ class Role
        return $this->description;
    }

+    // Le getter est annote directement car la convention Symfony PropertyInfo
+    // strip le prefixe `is` et exposerait le champ sous le nom `system`. On
+    // pose donc un SerializedName explicite pour garantir la sortie JSON-LD
+    // sous `isSystem`, nom attendu par les clients de l'API.
+    #[Groups(['role:read'])]
+    #[SerializedName('isSystem')]
    public function isSystem(): bool
    {
        return $this->isSystem;