fix(core) : RBAC #344 - ferme leak user list + test cascade delete role

Ajoute une operation Patch dediee `PATCH /api/users/{id}/rbac` (nom
`user_rbac_patch`) qui accepte exclusivement les champs RBAC isAdmin,
roles et directPermissions via le groupe user:rbac:write. L'endpoint est
separe volontairement du Patch profil existant pour isoler la modification
des droits de celle des donnees profil (decision 0fc4e16).

UserRbacProcessor delegue au PersistProcessor Doctrine decore et applique
une garde auto-suicide : un admin ne peut pas retirer ses propres droits
administrateur (compare l'etat entrant a l'etat UnitOfWork). La garde
'dernier admin' globale est reportee au ticket #345.

La propriete Doctrine $roles est renommee $rbacRoles pour eviter la
collision avec UserInterface::getRoles() (qui renvoie list<string>) lors
de la normalization API Platform. La cle JSON reste `roles` grace a
SerializedName, le contrat API est inchange.

Tests : 6 unitaires (UserRbacProcessorTest) + 8 fonctionnels
(UserRbacApiTest) couvrant promotion admin, remplacement des collections
roles/directPermissions, 401/403, filtrage du groupe denormalization
(`username` ignore), preservation de isAdmin sur le Patch profil, et
garde auto-suicide.

composer.json

@@ -23,7 +23,6 @@
         "symfony/expression-language": "8.0.*",
         "symfony/flex": "^2",
         "symfony/framework-bundle": "8.0.*",
-        "symfony/http-client": "8.0.*",
         "symfony/mime": "8.0.*",
         "symfony/monolog-bundle": "^4.0",
         "symfony/property-access": "8.0.*",
@@ -90,6 +89,8 @@
     "require-dev": {
         "doctrine/doctrine-fixtures-bundle": "^4.3",
         "friendsofphp/php-cs-fixer": "^3.94",
-        "phpunit/phpunit": "^13.0"
+        "phpunit/phpunit": "^13.0",
+        "symfony/browser-kit": "8.0.*",
+        "symfony/http-client": "8.0.*"
     }
 }

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "bfd26e903d79f710cfe95452c05f2a25",
+    "content-hash": "75f8e672f2a401290886fbcf01befd3f",
     "packages": [
         {
             "name": "api-platform/doctrine-common",
@@ -4988,180 +4988,6 @@
             ],
             "time": "2026-03-30T15:14:47+00:00"
         },
-        {
-            "name": "symfony/http-client",
-            "version": "v8.0.8",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/symfony/http-client.git",
-                "reference": "356e43d6994ae9d7761fd404d40f78691deabe0e"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-client/zipball/356e43d6994ae9d7761fd404d40f78691deabe0e",
-                "reference": "356e43d6994ae9d7761fd404d40f78691deabe0e",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=8.4",
-                "psr/log": "^1|^2|^3",
-                "symfony/http-client-contracts": "~3.4.4|^3.5.2",
-                "symfony/service-contracts": "^2.5|^3"
-            },
-            "conflict": {
-                "amphp/amp": "<3",
-                "php-http/discovery": "<1.15"
-            },
-            "provide": {
-                "php-http/async-client-implementation": "*",
-                "php-http/client-implementation": "*",
-                "psr/http-client-implementation": "1.0",
-                "symfony/http-client-implementation": "3.0"
-            },
-            "require-dev": {
-                "amphp/http-client": "^5.3.2",
-                "amphp/http-tunnel": "^2.0",
-                "guzzlehttp/promises": "^1.4|^2.0",
-                "nyholm/psr7": "^1.0",
-                "php-http/httplug": "^1.0|^2.0",
-                "psr/http-client": "^1.0",
-                "symfony/cache": "^7.4|^8.0",
-                "symfony/dependency-injection": "^7.4|^8.0",
-                "symfony/http-kernel": "^7.4|^8.0",
-                "symfony/messenger": "^7.4|^8.0",
-                "symfony/process": "^7.4|^8.0",
-                "symfony/rate-limiter": "^7.4|^8.0",
-                "symfony/stopwatch": "^7.4|^8.0"
-            },
-            "type": "library",
-            "autoload": {
-                "psr-4": {
-                    "Symfony\\Component\\HttpClient\\": ""
-                },
-                "exclude-from-classmap": [
-                    "/Tests/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Nicolas Grekas",
-                    "email": "p@tchwork.com"
-                },
-                {
-                    "name": "Symfony Community",
-                    "homepage": "https://symfony.com/contributors"
-                }
-            ],
-            "description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously",
-            "homepage": "https://symfony.com",
-            "keywords": [
-                "http"
-            ],
-            "support": {
-                "source": "https://github.com/symfony/http-client/tree/v8.0.8"
-            },
-            "funding": [
-                {
-                    "url": "https://symfony.com/sponsor",
-                    "type": "custom"
-                },
-                {
-                    "url": "https://github.com/fabpot",
-                    "type": "github"
-                },
-                {
-                    "url": "https://github.com/nicolas-grekas",
-                    "type": "github"
-                },
-                {
-                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
-                    "type": "tidelift"
-                }
-            ],
-            "time": "2026-03-30T15:14:47+00:00"
-        },
-        {
-            "name": "symfony/http-client-contracts",
-            "version": "v3.6.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/symfony/http-client-contracts.git",
-                "reference": "75d7043853a42837e68111812f4d964b01e5101c"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-client-contracts/zipball/75d7043853a42837e68111812f4d964b01e5101c",
-                "reference": "75d7043853a42837e68111812f4d964b01e5101c",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=8.1"
-            },
-            "type": "library",
-            "extra": {
-                "thanks": {
-                    "url": "https://github.com/symfony/contracts",
-                    "name": "symfony/contracts"
-                },
-                "branch-alias": {
-                    "dev-main": "3.6-dev"
-                }
-            },
-            "autoload": {
-                "psr-4": {
-                    "Symfony\\Contracts\\HttpClient\\": ""
-                },
-                "exclude-from-classmap": [
-                    "/Test/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Nicolas Grekas",
-                    "email": "p@tchwork.com"
-                },
-                {
-                    "name": "Symfony Community",
-                    "homepage": "https://symfony.com/contributors"
-                }
-            ],
-            "description": "Generic abstractions related to HTTP clients",
-            "homepage": "https://symfony.com",
-            "keywords": [
-                "abstractions",
-                "contracts",
-                "decoupling",
-                "interfaces",
-                "interoperability",
-                "standards"
-            ],
-            "support": {
-                "source": "https://github.com/symfony/http-client-contracts/tree/v3.6.0"
-            },
-            "funding": [
-                {
-                    "url": "https://symfony.com/sponsor",
-                    "type": "custom"
-                },
-                {
-                    "url": "https://github.com/fabpot",
-                    "type": "github"
-                },
-                {
-                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
-                    "type": "tidelift"
-                }
-            ],
-            "time": "2025-04-29T11:18:49+00:00"
-        },
         {
             "name": "symfony/http-foundation",
             "version": "v8.0.8",
@@ -11018,6 +10844,322 @@
             ],
             "time": "2024-10-20T05:08:20+00:00"
         },
+        {
+            "name": "symfony/browser-kit",
+            "version": "v8.0.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/browser-kit.git",
+                "reference": "f5a28fca785416cf489dd579011e74c831100cc3"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/browser-kit/zipball/f5a28fca785416cf489dd579011e74c831100cc3",
+                "reference": "f5a28fca785416cf489dd579011e74c831100cc3",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "symfony/dom-crawler": "^7.4|^8.0"
+            },
+            "require-dev": {
+                "symfony/css-selector": "^7.4|^8.0",
+                "symfony/http-client": "^7.4|^8.0",
+                "symfony/mime": "^7.4|^8.0",
+                "symfony/process": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\BrowserKit\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Simulates the behavior of a web browser, allowing you to make requests, click on links and submit forms programmatically",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/browser-kit/tree/v8.0.8"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-03-30T15:14:47+00:00"
+        },
+        {
+            "name": "symfony/dom-crawler",
+            "version": "v8.0.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/dom-crawler.git",
+                "reference": "284ace90732b445b027728b5e0eec6418a17a364"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/284ace90732b445b027728b5e0eec6418a17a364",
+                "reference": "284ace90732b445b027728b5e0eec6418a17a364",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "symfony/polyfill-ctype": "^1.8",
+                "symfony/polyfill-mbstring": "^1.0"
+            },
+            "require-dev": {
+                "symfony/css-selector": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\DomCrawler\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Eases DOM navigation for HTML and XML documents",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/dom-crawler/tree/v8.0.8"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-03-30T15:14:47+00:00"
+        },
+        {
+            "name": "symfony/http-client",
+            "version": "v8.0.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/http-client.git",
+                "reference": "356e43d6994ae9d7761fd404d40f78691deabe0e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/http-client/zipball/356e43d6994ae9d7761fd404d40f78691deabe0e",
+                "reference": "356e43d6994ae9d7761fd404d40f78691deabe0e",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "psr/log": "^1|^2|^3",
+                "symfony/http-client-contracts": "~3.4.4|^3.5.2",
+                "symfony/service-contracts": "^2.5|^3"
+            },
+            "conflict": {
+                "amphp/amp": "<3",
+                "php-http/discovery": "<1.15"
+            },
+            "provide": {
+                "php-http/async-client-implementation": "*",
+                "php-http/client-implementation": "*",
+                "psr/http-client-implementation": "1.0",
+                "symfony/http-client-implementation": "3.0"
+            },
+            "require-dev": {
+                "amphp/http-client": "^5.3.2",
+                "amphp/http-tunnel": "^2.0",
+                "guzzlehttp/promises": "^1.4|^2.0",
+                "nyholm/psr7": "^1.0",
+                "php-http/httplug": "^1.0|^2.0",
+                "psr/http-client": "^1.0",
+                "symfony/cache": "^7.4|^8.0",
+                "symfony/dependency-injection": "^7.4|^8.0",
+                "symfony/http-kernel": "^7.4|^8.0",
+                "symfony/messenger": "^7.4|^8.0",
+                "symfony/process": "^7.4|^8.0",
+                "symfony/rate-limiter": "^7.4|^8.0",
+                "symfony/stopwatch": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\HttpClient\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "http"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/http-client/tree/v8.0.8"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-03-30T15:14:47+00:00"
+        },
+        {
+            "name": "symfony/http-client-contracts",
+            "version": "v3.6.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/http-client-contracts.git",
+                "reference": "75d7043853a42837e68111812f4d964b01e5101c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/http-client-contracts/zipball/75d7043853a42837e68111812f4d964b01e5101c",
+                "reference": "75d7043853a42837e68111812f4d964b01e5101c",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.1"
+            },
+            "type": "library",
+            "extra": {
+                "thanks": {
+                    "url": "https://github.com/symfony/contracts",
+                    "name": "symfony/contracts"
+                },
+                "branch-alias": {
+                    "dev-main": "3.6-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Contracts\\HttpClient\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Test/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Generic abstractions related to HTTP clients",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "abstractions",
+                "contracts",
+                "decoupling",
+                "interfaces",
+                "interoperability",
+                "standards"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/http-client-contracts/tree/v3.6.0"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2025-04-29T11:18:49+00:00"
+        },
         {
             "name": "symfony/process",
             "version": "v8.0.8",

config/packages/api_platform.yaml

@@ -1,6 +1,14 @@
 api_platform:
     title: Coltura API
     version: 1.0.0
+    # Scan du module Core pour decouvrir les classes ApiResource et ApiFilter.
+    # Ajouter un chemin par module lors de l'ajout d'entites ApiResource dans d'autres modules.
+    # Sans ces paths, le compile pass d'API Platform ne declare pas les
+    # services de filtres annotes (les filtres etaient silencieusement
+    # ignores sur Permission — cf. ticket #344).
+    mapping:
+        paths:
+            - '%kernel.project_dir%/src/Module/Core/Domain/Entity'
     formats:
         jsonld: ['application/ld+json']
         json: ['application/json']

phpunit.dist.xml

@@ -15,6 +15,7 @@
         <ini name="error_reporting" value="-1" />
         <server name="APP_ENV" value="test" force="true" />
         <server name="SHELL_VERBOSITY" value="-1" />
+        <server name="KERNEL_CLASS" value="App\Kernel" />
     </php>
 
     <testsuites>

src/Module/Core/Domain/Entity/Permission.php

@@ -4,10 +4,33 @@ declare(strict_types=1);
 
 namespace App\Module\Core\Domain\Entity;
 
+use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
 use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
 use Doctrine\ORM\Mapping as ORM;
 use InvalidArgumentException;
+use Symfony\Component\Serializer\Attribute\Groups;
 
+#[ApiResource(
+    operations: [
+        new GetCollection(
+            normalizationContext: ['groups' => ['permission:read']],
+            // TODO ticket #345 : remplacer par is_granted('core.permissions.view')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Get(
+            normalizationContext: ['groups' => ['permission:read']],
+            // TODO ticket #345 : remplacer par is_granted('core.permissions.view')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+    ],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['module' => 'exact'])]
+#[ApiFilter(BooleanFilter::class, properties: ['orphan'])]
 #[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
 #[ORM\Table(name: 'permission')]
 #[ORM\UniqueConstraint(name: 'uniq_permission_code', columns: ['code'])]
@@ -18,18 +41,23 @@ class Permission
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
+    #[Groups(['permission:read'])]
     private ?int $id = null;
 
     #[ORM\Column(length: 255)]
+    #[Groups(['permission:read'])]
     private string $code;
 
     #[ORM\Column(length: 255)]
+    #[Groups(['permission:read'])]
     private string $label;
 
     #[ORM\Column(length: 100)]
+    #[Groups(['permission:read'])]
     private string $module;
 
     #[ORM\Column(options: ['default' => false])]
+    #[Groups(['permission:read'])]
     private bool $orphan = false;
 
     /**

src/Module/Core/Domain/Entity/Role.php

@@ -4,12 +4,25 @@ declare(strict_types=1);
 
 namespace App\Module\Core\Domain\Entity;
 
+use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
 use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
+use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Serializer\Attribute\SerializedName;
+use Symfony\Component\Validator\Constraints as Assert;
 
 /**
  * Role RBAC : groupe nomme de permissions assignable a un utilisateur.
@@ -18,27 +31,75 @@ use Doctrine\ORM\Mapping as ORM;
  * "personnalise" (cree par un administrateur). Seuls les roles personnalises
  * peuvent etre supprimes.
  */
+#[ApiResource(
+    operations: [
+        new GetCollection(
+            normalizationContext: ['groups' => ['role:read']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Get(
+            normalizationContext: ['groups' => ['role:read']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Post(
+            normalizationContext: ['groups' => ['role:read']],
+            denormalizationContext: ['groups' => ['role:write']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+            processor: RoleProcessor::class,
+        ),
+        new Patch(
+            normalizationContext: ['groups' => ['role:read']],
+            denormalizationContext: ['groups' => ['role:write']],
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+            processor: RoleProcessor::class,
+        ),
+        new Delete(
+            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('ROLE_ADMIN')",
+            processor: RoleProcessor::class,
+        ),
+    ],
+    normalizationContext: ['groups' => ['role:read']],
+    denormalizationContext: ['groups' => ['role:write']],
+)]
+#[ApiFilter(BooleanFilter::class, properties: ['isSystem'])]
 #[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
 #[ORM\Table(name: '`role`')]
 #[ORM\UniqueConstraint(name: 'uniq_role_code', columns: ['code'])]
 #[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
+#[UniqueEntity(fields: ['code'], message: 'Un role avec ce code existe deja.')]
 class Role
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
+    #[Groups(['role:read'])]
     private ?int $id = null;
 
     #[ORM\Column(length: 100)]
+    #[Groups(['role:read', 'role:write'])]
+    #[Assert\NotBlank]
+    #[Assert\Regex(pattern: '/^[a-z][a-z0-9_]*$/', message: 'Le code doit etre en snake_case et commencer par une lettre minuscule.')]
     private string $code;
 
     #[ORM\Column(length: 255)]
+    #[Groups(['role:read', 'role:write'])]
+    #[Assert\NotBlank]
     private string $label;
 
     #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['role:read', 'role:write'])]
     private ?string $description = null;
 
+    // Volontairement exclu du groupe `role:write` : un client ne doit jamais
+    // pouvoir positionner ce flag via l'API. Seules les fixtures et migrations
+    // creent les roles systeme.
     #[ORM\Column(name: 'is_system', options: ['default' => false])]
+    #[Groups(['role:read'])]
     private bool $isSystem = false;
 
     /** @var Collection<int, Permission> */
@@ -53,6 +114,7 @@ class Role
     //   projection cachee (ticket a ouvrir a ce moment-la).
     #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
     #[ORM\JoinTable(name: 'role_permission')]
+    #[Groups(['role:read', 'role:write'])]
     private Collection $permissions;
 
     public function __construct(string $code, string $label, bool $isSystem = false, ?string $description = null)
@@ -84,6 +146,12 @@ class Role
         return $this->description;
     }
 
+    // Le getter est annote directement car la convention Symfony PropertyInfo
+    // strip le prefixe `is` et exposerait le champ sous le nom `system`. On
+    // pose donc un SerializedName explicite pour garantir la sortie JSON-LD
+    // sous `isSystem`, nom attendu par les clients de l'API.
+    #[Groups(['role:read'])]
+    #[SerializedName('isSystem')]
     public function isSystem(): bool
     {
         return $this->isSystem;
@@ -95,6 +163,23 @@ class Role
         return $this->permissions;
     }
 
+    /**
+     * Setter expose uniquement a la denormalisation API Platform pour
+     * permettre au RoleProcessor de detecter une tentative de modification
+     * du code (garde "code immuable"). Le code reste en pratique fige apres
+     * creation : le processor refuse toute modification via 400.
+     *
+     * @internal Ne PAS appeler depuis le domaine, les fixtures ou les commandes.
+     *           Hors contexte API Platform, cette methode modifie silencieusement
+     *           le code sans aucun garde.
+     */
+    public function setCode(string $code): static
+    {
+        $this->code = $code;
+
+        return $this;
+    }
+
     /**
      * Met a jour le libelle affichable du role. Le code reste immuable pour
      * garantir la stabilite des references cote fixtures et migrations.

src/Module/Core/Domain/Entity/User.php

@@ -11,6 +11,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserPasswordHasherProcessor;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\MeProvider;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use DateTimeImmutable;
@@ -20,6 +21,7 @@ use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Serializer\Attribute\SerializedName;
 
 #[ApiResource(
     operations: [
@@ -29,13 +31,24 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['me:read']],
         ),
         new Get(
+            security: "is_granted('ROLE_ADMIN')",  // TODO ticket #345 : remplacer par is_granted('core.users.view')
             normalizationContext: ['groups' => ['user:list']],
         ),
         new GetCollection(
+            security: "is_granted('ROLE_ADMIN')",  // TODO ticket #345 : remplacer par is_granted('core.users.view')
             normalizationContext: ['groups' => ['user:list']],
         ),
         new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
         new Patch(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
+        new Patch(
+            name: 'user_rbac_patch',
+            uriTemplate: '/users/{id}/rbac',
+            // TODO ticket #345 : remplacer par is_granted('core.users.manage')
+            security: "is_granted('ROLE_ADMIN')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+            denormalizationContext: ['groups' => ['user:rbac:write']],
+            processor: UserRbacProcessor::class,
+        ),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
     ],
     denormalizationContext: ['groups' => ['user:write']],
@@ -47,7 +60,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
-    #[Groups(['me:read', 'user:list'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:read'])]
     private ?int $id = null;
 
     #[ORM\Column(length: 180, unique: true)]
@@ -55,7 +68,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     private ?string $username = null;
 
     #[ORM\Column(name: 'is_admin', options: ['default' => false])]
-    #[Groups(['me:read', 'user:list'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
     private bool $isAdmin = false;
 
     /**
@@ -70,20 +83,25 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
      */
     #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
     #[ORM\JoinTable(name: 'user_role')]
-    #[Groups(['me:read', 'user:list'])]
-    private Collection $roles;
+    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
+    // La propriete s'appelle `rbacRoles` cote PHP pour ne pas entrer en
+    // collision avec UserInterface::getRoles() (qui renvoie list<string>) ;
+    // on reexpose la cle JSON sous `roles` via SerializedName pour rester
+    // conforme au contrat API documente dans le ticket #344.
+    #[SerializedName('roles')]
+    private Collection $rbacRoles;
 
     /**
      * Les permissions directes accordees hors des roles.
      *
-     * Meme justification EAGER que pour $roles : garantie que
+     * Meme justification EAGER que pour $rbacRoles : garantie que
      * getEffectivePermissions() fonctionne dans tous les contextes de chargement.
      *
      * @var Collection<int, Permission>
      */
     #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
     #[ORM\JoinTable(name: 'user_permission')]
-    #[Groups(['me:read', 'user:list'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
     private Collection $directPermissions;
 
     #[ORM\Column]
@@ -98,7 +116,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     public function __construct()
     {
         $this->createdAt         = new DateTimeImmutable();
-        $this->roles             = new ArrayCollection();
+        $this->rbacRoles         = new ArrayCollection();
         $this->directPermissions = new ArrayCollection();
     }
 
@@ -131,10 +149,12 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
      * ROLE_ADMIN est ajoute si l'utilisateur porte le flag is_admin — c'est le
      * SEUL levier technique de bypass RBAC (cf. section 11 du spec).
      *
-     * Important : ne JAMAIS iterer $this->roles (la Collection de Role) ici.
-     * Cette methode peut etre appelee pendant un refresh JWT, moment ou la
-     * Collection peut ne pas etre hydratee. On se contente d'un calcul base
-     * sur un scalaire.
+     * Important : ne JAMAIS iterer $this->rbacRoles (la Collection de Role)
+     * ici. Cette methode peut etre appelee pendant un refresh JWT, moment ou
+     * la Collection peut ne pas etre hydratee. On se contente d'un calcul
+     * base sur un scalaire.
+     *
+     * @see getRbacRoles() pour la collection RBAC metier (exposee en JSON sous la cle "roles").
      *
      * @return list<string>
      */
@@ -170,13 +190,13 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
      */
     public function getRbacRoles(): Collection
     {
-        return $this->roles;
+        return $this->rbacRoles;
     }
 
     public function addRbacRole(Role $role): static
     {
-        if (!$this->roles->contains($role)) {
-            $this->roles->add($role);
+        if (!$this->rbacRoles->contains($role)) {
+            $this->rbacRoles->add($role);
         }
 
         return $this;
@@ -184,7 +204,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 
     public function removeRbacRole(Role $role): static
     {
-        $this->roles->removeElement($role);
+        $this->rbacRoles->removeElement($role);
 
         return $this;
     }
@@ -229,7 +249,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     {
         $codes = [];
 
-        foreach ($this->roles as $role) {
+        foreach ($this->rbacRoles as $role) {
             foreach ($role->getPermissions() as $permission) {
                 $codes[$permission->getCode()] = true;
             }

src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php

@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\DeleteOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use Doctrine\ORM\EntityManagerInterface;
+use LogicException;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Processor applicatif pour l'entite Role.
+ *
+ * Choix d'implementation : une seule classe qui recoit en dependances les deux
+ * processors Doctrine decores (Persist et Remove) et branche l'un ou l'autre
+ * selon le type d'operation. Ce choix reste plus lisible que deux classes
+ * jumelees et reflete la symetrie des gardes metier (immuabilite du `code`
+ * cote ecriture, protection des roles systeme cote suppression).
+ *
+ * Gardes metier :
+ *  - DELETE : delegue a Role::ensureDeletable() et traduit la
+ *    SystemRoleDeletionException en AccessDeniedHttpException (403).
+ *  - POST/PATCH : refuse toute modification du `code` (champ immuable apres
+ *    creation), regle uniforme pour les roles systeme ET custom.
+ *
+ * @implements ProcessorInterface<Role, null|Role>
+ */
+final class RoleProcessor implements ProcessorInterface
+{
+    public function __construct(
+        #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
+        private readonly ProcessorInterface $persistProcessor,
+        #[Autowire(service: 'api_platform.doctrine.orm.state.remove_processor')]
+        private readonly ProcessorInterface $removeProcessor,
+        private readonly EntityManagerInterface $entityManager,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
+    {
+        if (!$data instanceof Role) {
+            // Ce processor est wire exclusivement sur les operations Role.
+            // Si on arrive ici avec autre chose, c'est une misconfiguration
+            // qu'il faut faire remonter fort.
+            throw new LogicException(sprintf(
+                'RoleProcessor attend une instance de %s, %s recu.',
+                Role::class,
+                get_debug_type($data),
+            ));
+        }
+
+        if ($operation instanceof DeleteOperationInterface) {
+            try {
+                $data->ensureDeletable();
+            } catch (SystemRoleDeletionException $e) {
+                // Traduction HTTP : le domaine reste pur, l'API renvoie 403.
+                throw new AccessDeniedHttpException($e->getMessage(), $e);
+            }
+
+            return $this->removeProcessor->process($data, $operation, $uriVariables, $context);
+        }
+
+        // Ecriture (POST/PATCH) : verifier l'immuabilite du `code`.
+        // L'UnitOfWork n'expose un etat d'origine que pour les entites deja
+        // managees (PATCH). Pour un POST (entite nouvelle), `getOriginalEntityData`
+        // retourne un tableau vide : aucune comparaison necessaire.
+        $originalData = $this->entityManager->getUnitOfWork()->getOriginalEntityData($data);
+
+        if (isset($originalData['code']) && $originalData['code'] !== $data->getCode()) {
+            throw new BadRequestHttpException("Le code d'un role est immuable apres creation.");
+        }
+
+        return $this->persistProcessor->process($data, $operation, $uriVariables, $context);
+    }
+}

src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php

@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use LogicException;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Processor dedie a l'endpoint RBAC `PATCH /api/users/{id}/rbac`.
+ *
+ * Delegue la persistance au PersistProcessor Doctrine decore apres avoir
+ * applique les gardes metier propres aux changements de droits. Cet endpoint
+ * ne touche JAMAIS au mot de passe — c'est une separation volontaire avec le
+ * UserPasswordHasherProcessor qui gere le endpoint profil `/api/users/{id}`.
+ *
+ * Gardes metier :
+ *  - Auto-suicide : un admin ne peut pas retirer son propre flag `isAdmin`.
+ *    On compare l'etat entrant a l'etat d'origine via l'UnitOfWork Doctrine,
+ *    en restreignant la verification au couple "user courant == user cible".
+ *
+ * TODO ticket #345 : garde "dernier admin" globale via inventaire des admins
+ * restants (empeche de retirer `isAdmin` au dernier admin de l'instance, meme
+ * si ce n'est pas sa propre operation).
+ *
+ * @implements ProcessorInterface<User, User>
+ */
+final class UserRbacProcessor implements ProcessorInterface
+{
+    public function __construct(
+        #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
+        private readonly ProcessorInterface $persistProcessor,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
+    {
+        if (!$data instanceof User) {
+            // Ce processor est wire exclusivement sur l'operation user_rbac_patch
+            // qui cible User. Si on arrive ici avec autre chose, c'est une
+            // misconfiguration qu'il faut faire remonter fort.
+            throw new LogicException(sprintf(
+                'UserRbacProcessor attend une instance de %s, %s recu.',
+                User::class,
+                get_debug_type($data),
+            ));
+        }
+
+        $currentUser = $this->security->getUser();
+
+        // Garde auto-suicide : l'user courant ne peut pas retirer son propre
+        // flag admin. On ne compare que si la cible == l'user courant.
+        if ($currentUser instanceof User
+            && null !== $currentUser->getId()
+            && $currentUser->getId() === $data->getId()
+        ) {
+            $originalData = $this->entityManager->getUnitOfWork()->getOriginalEntityData($data);
+            $wasAdmin     = $originalData['isAdmin'] ?? null;
+
+            if (true === $wasAdmin && false === $data->isAdmin()) {
+                throw new BadRequestHttpException(
+                    'Vous ne pouvez pas retirer vos propres droits administrateur.'
+                );
+            }
+        }
+
+        return $this->persistProcessor->process($data, $operation, $uriVariables, $context);
+    }
+}

tests/Module/Core/Api/AbstractApiTestCase.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Api;
+
+use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
+use ApiPlatform\Symfony\Bundle\Test\Client;
+use Doctrine\ORM\EntityManagerInterface;
+
+/**
+ * Classe de base pour les tests fonctionnels API Platform du module Core.
+ *
+ * Mutualise :
+ *  - `$alwaysBootKernel = true` : bascule le nouveau comportement API Platform 5
+ *    et evite la deprecation emise a la creation du client de test.
+ *  - `authenticatedClient()` : cree un client authentifie via `/login_check`
+ *    (cookie BEARER HTTP-only pose par lexik_jwt_authentication).
+ *  - `getEm()` : recupere l'EntityManager depuis le container courant.
+ *    A rappeler apres chaque createClient() car le kernel est reboote.
+ *
+ * @internal
+ */
+abstract class AbstractApiTestCase extends ApiTestCase
+{
+    // Bascule explicite sur le nouveau comportement API Platform 5 pour
+    // eviter la deprecation emise a la creation du client de test.
+    protected static ?bool $alwaysBootKernel = true;
+
+    /**
+     * Recupere l'EntityManager depuis le container courant. A utiliser a
+     * chaque appel : apres un createClient(), le kernel est reboote et tout
+     * EM precedemment capture est invalide.
+     */
+    protected function getEm(): EntityManagerInterface
+    {
+        if (!self::$kernel) {
+            self::bootKernel();
+        }
+
+        return self::getContainer()->get('doctrine')->getManager();
+    }
+
+    /**
+     * Cree un client authentifie via /login_check. La configuration du projet
+     * pose le JWT dans un cookie HTTP-only `BEARER` (cf. lexik_jwt_authentication.yaml)
+     * et retire le token du body de reponse ; le client BrowserKit persiste
+     * automatiquement le cookie pour les requetes suivantes.
+     */
+    protected function authenticatedClient(string $username, string $password): Client
+    {
+        $client   = self::createClient();
+        $response = $client->request('POST', '/login_check', [
+            'headers' => ['Content-Type' => 'application/json'],
+            'json'    => ['username' => $username, 'password' => $password],
+        ]);
+
+        self::assertContains(
+            $response->getStatusCode(),
+            [200, 204],
+            'Login failed for '.$username.': '.$response->getStatusCode(),
+        );
+
+        return $client;
+    }
+}

tests/Module/Core/Api/PermissionApiTest.php

@@ -0,0 +1,181 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Api;
+
+use App\Module\Core\Domain\Entity\Permission;
+
+/**
+ * Tests fonctionnels de l'exposition API Platform de l'entite Permission.
+ *
+ * Strategie de donnees : on cree directement quelques instances de Permission
+ * via l'EntityManager au setUp (choix le plus simple et le plus rapide, pas
+ * besoin de booter la commande app:sync-permissions). Les fixtures de test
+ * sont prefixees par "test." pour ne pas collisionner avec d'eventuelles
+ * permissions reelles et sont nettoyees en tearDown.
+ *
+ * @internal
+ */
+final class PermissionApiTest extends AbstractApiTestCase
+{
+    private const TEST_CODE_PREFIX = 'test.';
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        // On boote le kernel une fois pour pouvoir seeder les fixtures.
+        // ATTENTION : ne pas stocker l'EntityManager dans une propriete,
+        // chaque createClient() dans les tests rebootera le kernel et
+        // invalidera tout EM capture ici (cf. $alwaysBootKernel = true).
+        self::bootKernel();
+        $em = $this->getEm();
+
+        // Nettoyage defensif au cas ou un run precedent aurait laisse des restes.
+        $this->cleanupTestPermissions();
+
+        // Donnees de test : deux permissions "core" dont une orpheline,
+        // plus une permission d'un autre module pour verifier le filtre.
+        $p1 = new Permission('test.core.users.view', 'View users (test)', 'core');
+        $p2 = new Permission('test.core.users.manage', 'Manage users (test)', 'core');
+        $p3 = new Permission('test.commercial.clients.view', 'View clients (test)', 'commercial');
+        $p2->markOrphan();
+
+        $em->persist($p1);
+        $em->persist($p2);
+        $em->persist($p3);
+        $em->flush();
+        $em->clear();
+    }
+
+    protected function tearDown(): void
+    {
+        $this->cleanupTestPermissions();
+        parent::tearDown();
+    }
+
+    public function testGetCollectionAsAdminReturns200(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/permissions');
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        // API Platform 4 emet du JSON-LD 1.1 avec un @context qui utilise un
+        // @vocab : les cles sortent donc non prefixees (`member`, `totalItems`)
+        // au lieu des anciennes `hydra:member` / `hydra:totalItems`.
+        self::assertArrayHasKey('member', $data);
+        self::assertGreaterThanOrEqual(3, $data['totalItems']);
+    }
+
+    public function testCollectionFilterByModule(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/permissions', [
+            'query' => ['module' => 'core'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        foreach ($data['member'] as $item) {
+            self::assertSame('core', $item['module']);
+        }
+        // Doit contenir au moins nos deux permissions core de test.
+        $codes = array_column($data['member'], 'code');
+        self::assertContains('test.core.users.view', $codes);
+        self::assertContains('test.core.users.manage', $codes);
+        self::assertNotContains('test.commercial.clients.view', $codes);
+    }
+
+    public function testCollectionFilterByOrphanTrue(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/permissions', [
+            'query' => ['orphan' => 'true'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        foreach ($data['member'] as $item) {
+            self::assertTrue($item['orphan']);
+        }
+        $codes = array_column($data['member'], 'code');
+        // La permission marquee orpheline dans setUp() doit remonter...
+        self::assertContains('test.core.users.manage', $codes);
+        // ...et celles non orphelines doivent etre exclues.
+        self::assertNotContains('test.core.users.view', $codes);
+        self::assertNotContains('test.commercial.clients.view', $codes);
+    }
+
+    public function testCollectionFilterByOrphanFalse(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/permissions', [
+            'query' => ['orphan' => 'false'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        foreach ($data['member'] as $item) {
+            self::assertFalse($item['orphan']);
+        }
+        $codes = array_column($data['member'], 'code');
+        self::assertContains('test.core.users.view', $codes);
+        self::assertNotContains('test.core.users.manage', $codes);
+    }
+
+    public function testGetItemAsAdminReturnsAllReadFields(): void
+    {
+        /** @var null|Permission $permission */
+        $permission = $this->getEm()->getRepository(Permission::class)
+            ->findOneBy(['code' => 'test.core.users.view'])
+        ;
+        self::assertNotNull($permission);
+
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/permissions/'.$permission->getId());
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        self::assertSame($permission->getId(), $data['id']);
+        self::assertSame('test.core.users.view', $data['code']);
+        self::assertSame('View users (test)', $data['label']);
+        self::assertSame('core', $data['module']);
+        self::assertFalse($data['orphan']);
+    }
+
+    public function testPostIsMethodNotAllowed(): void
+    {
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('POST', '/api/permissions', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => ['code' => 'test.foo.bar.baz', 'label' => 'Foo', 'module' => 'foo'],
+        ]);
+
+        self::assertResponseStatusCodeSame(405);
+    }
+
+    public function testUnauthenticatedReturns401(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/permissions');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testNonAdminReturns403(): void
+    {
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/permissions');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    private function cleanupTestPermissions(): void
+    {
+        $this->getEm()->createQuery(
+            'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_CODE_PREFIX.'%')->execute();
+    }
+}

tests/Module/Core/Api/RoleApiTest.php

@@ -0,0 +1,402 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Api;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Security\SystemRoles;
+
+/**
+ * Tests fonctionnels de l'exposition API Platform de l'entite Role (CRUD nominal).
+ *
+ * Strategie :
+ *  - Les roles systeme `admin` et `user` sont deja charges par les fixtures
+ *    (cf. AppFixtures::ensureSystemRole). On ne les touche JAMAIS.
+ *  - Les roles et permissions crees pour les tests ont le prefixe `test.` et
+ *    sont purges en setUp + tearDown par DQL prefixe.
+ *  - Les cas 403 sur role systeme et 400 sur modification de `code` sont
+ *    reportes a la Task 3 (RoleProcessor) et ne sont PAS testes ici.
+ *
+ * @internal
+ */
+final class RoleApiTest extends AbstractApiTestCase
+{
+    // Prefixe pour les roles de test : `test_` (underscore) parce que les
+    // codes de role doivent matcher `/^[a-z][a-z0-9_]*$/` (pas de point
+    // autorise, contrairement aux permissions).
+    private const TEST_ROLE_PREFIX = 'test_';
+
+    // Prefixe pour les permissions de test : `test.` (point) parce que les
+    // codes de permission doivent contenir au moins un `.` (convention
+    // module.resource.action validee dans le constructeur Permission).
+    private const TEST_PERMISSION_PREFIX = 'test.';
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        self::bootKernel();
+        $em = $this->getEm();
+
+        // Nettoyage defensif au cas ou un run precedent aurait laisse des restes.
+        $this->cleanupTestData();
+
+        // Permissions de test reutilisables (notamment pour le PATCH).
+        $p1 = new Permission('test.core.roles.view', 'View roles (test)', 'core');
+        $p2 = new Permission('test.core.roles.manage', 'Manage roles (test)', 'core');
+        $em->persist($p1);
+        $em->persist($p2);
+
+        // Role custom existant : utilise pour les GET / PATCH / DELETE.
+        $editor = new Role('test_editor', 'Editeur (test)', false, 'Role de test editeur');
+        $em->persist($editor);
+
+        // Deuxieme role custom : pour enrichir les collections.
+        $viewer = new Role('test_viewer', 'Visualisateur (test)', false);
+        $em->persist($viewer);
+
+        $em->flush();
+        $em->clear();
+    }
+
+    protected function tearDown(): void
+    {
+        $this->cleanupTestData();
+        parent::tearDown();
+    }
+
+    public function testPostCreatesCustomRoleAsAdmin(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'        => 'test_new_editor',
+                'label'       => 'Nouvel editeur',
+                'description' => 'Role de test',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(201);
+        $data = $response->toArray();
+        self::assertSame('test_new_editor', $data['code']);
+        self::assertSame('Nouvel editeur', $data['label']);
+        self::assertFalse($data['isSystem']);
+
+        // Verification cote base : le role existe et isSystem = false.
+        $persisted = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_new_editor']);
+        self::assertNotNull($persisted);
+        self::assertFalse($persisted->isSystem());
+    }
+
+    public function testPostWithDuplicateCodeReturns422(): void
+    {
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                // `admin` est un role systeme charge par les fixtures.
+                'code'  => SystemRoles::ADMIN_CODE,
+                'label' => 'Tentative de doublon',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(422);
+    }
+
+    public function testPostWithInvalidCodeReturns422(): void
+    {
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                // Majuscules interdites par la regex snake_case.
+                'code'  => 'BadCode',
+                'label' => 'Code invalide',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(422);
+    }
+
+    public function testPostWithIsSystemTrueIgnoresItAndPersistsFalse(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'     => 'test_sneaky',
+                'label'    => 'Tentative systeme',
+                'isSystem' => true,
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(201);
+        $data = $response->toArray();
+        self::assertFalse($data['isSystem']);
+
+        $persisted = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_sneaky']);
+        self::assertNotNull($persisted);
+        self::assertFalse($persisted->isSystem());
+    }
+
+    public function testGetCollectionAsAdminReturnsRoles(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/roles');
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        self::assertArrayHasKey('member', $data);
+        // Au moins admin systeme + user systeme + test_editor + test_viewer.
+        self::assertGreaterThanOrEqual(4, $data['totalItems']);
+        $codes = array_column($data['member'], 'code');
+        self::assertContains('test_editor', $codes);
+    }
+
+    public function testGetCollectionFilterByIsSystemTrue(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/roles', [
+            'query' => ['isSystem' => 'true'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        foreach ($data['member'] as $item) {
+            self::assertTrue($item['isSystem']);
+        }
+        $codes = array_column($data['member'], 'code');
+        self::assertNotContains('test_editor', $codes);
+        self::assertNotContains('test_viewer', $codes);
+    }
+
+    public function testGetItemReturnsAllReadFields(): void
+    {
+        $role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
+        self::assertNotNull($role);
+
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/roles/'.$role->getId());
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        self::assertSame('test_editor', $data['code']);
+        self::assertSame('Editeur (test)', $data['label']);
+        self::assertSame('Role de test editeur', $data['description']);
+        self::assertFalse($data['isSystem']);
+        self::assertArrayHasKey('permissions', $data);
+        self::assertIsArray($data['permissions']);
+    }
+
+    public function testPatchCustomRoleUpdatesLabelAndAddsPermission(): void
+    {
+        $em   = $this->getEm();
+        $role = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
+        self::assertNotNull($role);
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'test.core.roles.view']);
+        self::assertNotNull($permission);
+
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('PATCH', '/api/roles/'.$role->getId(), [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => [
+                'label'       => 'Editeur modifie',
+                'permissions' => ['/api/permissions/'.$permission->getId()],
+            ],
+        ]);
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        self::assertSame('Editeur modifie', $data['label']);
+        self::assertCount(1, $data['permissions']);
+
+        // Verification cote base.
+        $em->clear();
+
+        /** @var Role $reloaded */
+        $reloaded = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
+        self::assertSame('Editeur modifie', $reloaded->getLabel());
+        self::assertCount(1, $reloaded->getPermissions());
+    }
+
+    public function testDeleteCustomRoleReturns204(): void
+    {
+        $role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_viewer']);
+        self::assertNotNull($role);
+        $id = $role->getId();
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('DELETE', '/api/roles/'.$id);
+
+        self::assertResponseStatusCodeSame(204);
+
+        $em = $this->getEm();
+        $em->clear();
+        self::assertNull($em->getRepository(Role::class)->find($id));
+    }
+
+    public function testDeleteCustomRoleAttachedToUserDoesNotDeleteUser(): void
+    {
+        // Scenario spec #344 sections 7 & 11 : supprimer un role custom rattache
+        // a un user doit laisser le user en base (la FK user_role est nettoyee
+        // par ON DELETE CASCADE, mais jamais le user lui-meme).
+        $em = $this->getEm();
+
+        // Creer un user de test dedie et lui rattacher le role custom `test_editor`.
+        $testUser = new User();
+        $testUser->setUsername('test_cascade_user');
+        // Le hashage du password est hors scope du test mais la colonne est NOT NULL.
+        $testUser->setPassword('not-hashed-ok-for-test');
+
+        /** @var Role $editor */
+        $editor = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
+        self::assertNotNull($editor);
+        $testUser->addRbacRole($editor);
+
+        $em->persist($testUser);
+        $em->flush();
+        $userId   = $testUser->getId();
+        $editorId = $editor->getId();
+        $em->clear();
+
+        // DELETE du role editor via l'API.
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('DELETE', '/api/roles/'.$editorId);
+        self::assertResponseStatusCodeSame(204);
+
+        // Verification : l'user existe toujours et sa collection de roles est vide.
+        $em = $this->getEm();
+
+        /** @var null|User $refreshed */
+        $refreshed = $em->getRepository(User::class)->find($userId);
+        self::assertNotNull($refreshed, 'L\'user ne doit PAS etre supprime par le cascade.');
+        self::assertCount(0, $refreshed->getRbacRoles(), 'La relation user_role doit etre nettoyee par le cascade.');
+
+        // Cleanup explicite : cleanupTestData() ne purge pas les users.
+        $em->remove($refreshed);
+        $em->flush();
+    }
+
+    public function testDeleteSystemRoleReturns403(): void
+    {
+        $role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
+        self::assertNotNull($role);
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('DELETE', '/api/roles/'.$role->getId());
+
+        self::assertResponseStatusCodeSame(403);
+
+        // Le role systeme doit toujours exister.
+        $em = $this->getEm();
+        $em->clear();
+        self::assertNotNull($em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]));
+    }
+
+    public function testPatchSystemRoleLabelReturns200(): void
+    {
+        $em   = $this->getEm();
+        $role = $em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
+        self::assertNotNull($role);
+        $originalLabel = $role->getLabel();
+        $roleId        = $role->getId();
+
+        $client = $this->authenticatedClient('admin', 'admin');
+
+        try {
+            $response = $client->request('PATCH', '/api/roles/'.$roleId, [
+                'headers' => ['Content-Type' => 'application/merge-patch+json'],
+                'json'    => ['label' => 'Administrateur (modifie test)'],
+            ]);
+
+            self::assertResponseIsSuccessful();
+            $data = $response->toArray();
+            self::assertSame('Administrateur (modifie test)', $data['label']);
+            self::assertSame(SystemRoles::ADMIN_CODE, $data['code']);
+            self::assertTrue($data['isSystem']);
+        } finally {
+            // Restauration defensive du label original pour ne pas polluer
+            // les tests suivants (les fixtures systeme sont partagees).
+            $em = $this->getEm();
+
+            /** @var null|Role $reloaded */
+            $reloaded = $em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
+            if (null !== $reloaded && $reloaded->getLabel() !== $originalLabel) {
+                $reloaded->setLabel($originalLabel);
+                $em->flush();
+            }
+        }
+    }
+
+    public function testPatchRoleCodeChangeReturns400(): void
+    {
+        $role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
+        self::assertNotNull($role);
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('PATCH', '/api/roles/'.$role->getId(), [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['code' => 'test_editor_renamed'],
+        ]);
+
+        self::assertResponseStatusCodeSame(400);
+
+        // Verification cote base : le code d'origine n'a pas bouge.
+        $em = $this->getEm();
+        $em->clear();
+        self::assertNotNull($em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']));
+        self::assertNull($em->getRepository(Role::class)->findOneBy(['code' => 'test_editor_renamed']));
+    }
+
+    public function testUnauthenticatedGetCollectionReturns401(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testNonAdminGetCollectionReturns403(): void
+    {
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    /**
+     * Purge les donnees de test (roles et permissions prefixees `test.`).
+     * Ne touche JAMAIS aux roles systeme `admin` et `user` charges par les
+     * fixtures.
+     */
+    private function cleanupTestData(): void
+    {
+        $em = $this->getEm();
+
+        // Le cascade FK de la migration #343 (ON DELETE CASCADE sur
+        // role_permission.role_id et permission_id) nettoie automatiquement
+        // role_permission lors du DELETE SQL emis par Doctrine, meme via DQL
+        // bulk delete : le cascade est applique au niveau FK par PostgreSQL,
+        // pas par l'Unit of Work Doctrine. Verifie par comptage avant/apres
+        // runs successifs de la suite (stable a la ligne de base systeme).
+        // Purge defensive des users de test crees par certains scenarios
+        // (ex: testDeleteCustomRoleAttachedToUserDoesNotDeleteUser). Doit etre
+        // fait AVANT la suppression des roles pour que le cascade FK ne soit
+        // pas sollicite en ordre inverse.
+        $em->createQuery(
+            'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
+        )->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
+    }
+}

tests/Module/Core/Api/UserRbacApiTest.php

@@ -0,0 +1,271 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Api;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+
+/**
+ * Tests fonctionnels de l'endpoint RBAC dedie `PATCH /api/users/{id}/rbac`.
+ *
+ * Strategie de donnees :
+ *  - On cree des users, roles et permissions prefixes `test_` / `test.`
+ *    en setUp et on les purge en tearDown.
+ *  - On ne touche JAMAIS aux fixtures (admin / alice / bob). Les cas qui
+ *    ont besoin d'un user standard authentifie s'appuient sur alice sans
+ *    modification d'etat.
+ *  - Les users de test incluent un admin dedie pour le cas d'auto-suicide,
+ *    pour ne pas risquer de corrompre l'admin fixture.
+ *
+ * @internal
+ */
+final class UserRbacApiTest extends AbstractApiTestCase
+{
+    private const TEST_USER_PREFIX       = 'test_';
+    private const TEST_ROLE_PREFIX       = 'test_';
+    private const TEST_PERMISSION_PREFIX = 'test.';
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        self::bootKernel();
+        $em = $this->getEm();
+
+        $this->cleanupTestData();
+
+        /** @var UserPasswordHasherInterface $hasher */
+        $hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
+
+        // User cible standard (non admin).
+        $target = new User();
+        $target->setUsername('test_target');
+        $target->setIsAdmin(false);
+        $target->setPassword($hasher->hashPassword($target, 'secret'));
+        $em->persist($target);
+
+        // User admin dedie pour le cas d'auto-suicide (pas l'admin fixture).
+        $selfAdmin = new User();
+        $selfAdmin->setUsername('test_self_admin');
+        $selfAdmin->setIsAdmin(true);
+        $selfAdmin->setPassword($hasher->hashPassword($selfAdmin, 'secret'));
+        $em->persist($selfAdmin);
+
+        // Role custom pour tester le remplacement de la collection roles.
+        $role = new Role('test_editor', 'Editeur (test)', false);
+        $em->persist($role);
+
+        // Permission custom pour tester directPermissions.
+        $permission = new Permission('test.core.users.view', 'View users (test)', 'core');
+        $em->persist($permission);
+
+        $em->flush();
+        $em->clear();
+    }
+
+    protected function tearDown(): void
+    {
+        $this->cleanupTestData();
+        parent::tearDown();
+    }
+
+    public function testPatchRbacPromotesUserToAdmin(): void
+    {
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => true],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $em = $this->getEm();
+        $em->clear();
+
+        /** @var User $reloaded */
+        $reloaded = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertTrue($reloaded->isAdmin());
+    }
+
+    public function testPatchRbacReplacesRolesCollection(): void
+    {
+        $em     = $this->getEm();
+        $target = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        $role   = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
+        self::assertNotNull($target);
+        self::assertNotNull($role);
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['roles' => ['/api/roles/'.$role->getId()]],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $em = $this->getEm();
+        $em->clear();
+
+        /** @var User $reloaded */
+        $reloaded = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertCount(1, $reloaded->getRbacRoles());
+        self::assertSame('test_editor', $reloaded->getRbacRoles()->first()->getCode());
+    }
+
+    public function testPatchRbacReplacesDirectPermissionsCollection(): void
+    {
+        $em         = $this->getEm();
+        $target     = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'test.core.users.view']);
+        self::assertNotNull($target);
+        self::assertNotNull($permission);
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['directPermissions' => ['/api/permissions/'.$permission->getId()]],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $em = $this->getEm();
+        $em->clear();
+
+        /** @var User $reloaded */
+        $reloaded = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertCount(1, $reloaded->getDirectPermissions());
+        self::assertSame('test.core.users.view', $reloaded->getDirectPermissions()->first()->getCode());
+    }
+
+    public function testPatchRbacAsStandardUserReturns403(): void
+    {
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => true],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testPatchRbacUnauthenticatedReturns401(): void
+    {
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $client = self::createClient();
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => true],
+        ]);
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testPatchRbacIgnoresUsernameField(): void
+    {
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+        $targetId = $target->getId();
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('PATCH', '/api/users/'.$targetId.'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => [
+                'username' => 'test_target_renamed',
+                'isAdmin'  => true,
+            ],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $em = $this->getEm();
+        $em->clear();
+
+        /** @var User $reloaded */
+        $reloaded = $em->getRepository(User::class)->find($targetId);
+        // `username` n'est pas dans `user:rbac:write` : ignore en denormalization.
+        self::assertSame('test_target', $reloaded->getUsername());
+        // `isAdmin` est bien applique.
+        self::assertTrue($reloaded->isAdmin());
+    }
+
+    public function testPatchProfileEndpointDoesNotModifyIsAdmin(): void
+    {
+        // Confirme la decision 0fc4e16 : `isAdmin` n'est plus dans `user:write`,
+        // donc `PATCH /api/users/{id}` sans `/rbac` ne peut plus promouvoir.
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+        $targetId = $target->getId();
+        self::assertFalse($target->isAdmin());
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('PATCH', '/api/users/'.$targetId, [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => true],
+        ]);
+
+        // Peu importe le code : le champ ne doit tout simplement pas bouger.
+        $em = $this->getEm();
+        $em->clear();
+
+        /** @var User $reloaded */
+        $reloaded = $em->getRepository(User::class)->find($targetId);
+        self::assertFalse($reloaded->isAdmin());
+    }
+
+    public function testPatchRbacSelfRemovingAdminReturns400(): void
+    {
+        // On utilise le user admin dedie (test_self_admin) pour ne pas
+        // corrompre l'admin fixture en cas de bug.
+        $em        = $this->getEm();
+        $selfAdmin = $em->getRepository(User::class)->findOneBy(['username' => 'test_self_admin']);
+        self::assertNotNull($selfAdmin);
+        $selfAdminId = $selfAdmin->getId();
+
+        $client = $this->authenticatedClient('test_self_admin', 'secret');
+        $client->request('PATCH', '/api/users/'.$selfAdminId.'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => false],
+        ]);
+
+        self::assertResponseStatusCodeSame(400);
+
+        $em = $this->getEm();
+        $em->clear();
+
+        /** @var User $reloaded */
+        $reloaded = $em->getRepository(User::class)->find($selfAdminId);
+        self::assertTrue($reloaded->isAdmin());
+    }
+
+    private function cleanupTestData(): void
+    {
+        $em = $this->getEm();
+
+        // Ordre important : delier les collections avant de supprimer les
+        // entites referencees pour que les FK cascade s'appliquent via le
+        // schema PostgreSQL.
+        $em->createQuery(
+            'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
+        )->setParameter('prefix', self::TEST_USER_PREFIX.'%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
+    }
+}

tests/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessorTest.php

@@ -0,0 +1,228 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\UnitOfWork;
+use LogicException;
+use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use ReflectionClass;
+use stdClass;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Tests unitaires du RoleProcessor : couvre les gardes metier
+ * (immuabilite du code, refus de suppression des roles systeme) et la
+ * delegation aux processors Doctrine decores.
+ *
+ * @internal
+ */
+#[AllowMockObjectsWithoutExpectations]
+final class RoleProcessorTest extends TestCase
+{
+    private MockObject&ProcessorInterface $persistProcessor;
+    private MockObject&ProcessorInterface $removeProcessor;
+    private EntityManagerInterface&MockObject $entityManager;
+    private MockObject&UnitOfWork $unitOfWork;
+    private RoleProcessor $processor;
+
+    protected function setUp(): void
+    {
+        $this->persistProcessor = $this->createMock(ProcessorInterface::class);
+        $this->removeProcessor  = $this->createMock(ProcessorInterface::class);
+        $this->entityManager    = $this->createMock(EntityManagerInterface::class);
+        $this->unitOfWork       = $this->createMock(UnitOfWork::class);
+
+        $this->entityManager->method('getUnitOfWork')->willReturn($this->unitOfWork);
+
+        $this->processor = new RoleProcessor(
+            $this->persistProcessor,
+            $this->removeProcessor,
+            $this->entityManager,
+        );
+    }
+
+    public function testDeleteCustomRoleDelegatesToRemoveProcessor(): void
+    {
+        $role = new Role('editor', 'Editor', false);
+
+        $this->removeProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($role)
+            ->willReturn(null)
+        ;
+
+        $this->persistProcessor->expects(self::never())->method('process');
+
+        $result = $this->processor->process($role, new Delete());
+
+        self::assertNull($result);
+    }
+
+    public function testDeleteSystemRoleThrowsAccessDeniedHttpException(): void
+    {
+        $role = new Role('admin', 'Admin', true);
+
+        $this->removeProcessor->expects(self::never())->method('process');
+        $this->persistProcessor->expects(self::never())->method('process');
+
+        $this->expectException(AccessDeniedHttpException::class);
+        $this->expectExceptionMessage('Le role systeme "admin" ne peut pas etre supprime.');
+
+        $this->processor->process($role, new Delete());
+    }
+
+    public function testPostCreatesCustomRoleDelegatesToPersistProcessor(): void
+    {
+        $role = new Role('editor', 'Editor', false);
+
+        // Entite nouvelle : l'UnitOfWork n'a pas d'etat d'origine.
+        $this->unitOfWork
+            ->expects(self::once())
+            ->method('getOriginalEntityData')
+            ->with($role)
+            ->willReturn([])
+        ;
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($role)
+            ->willReturn($role)
+        ;
+
+        $this->removeProcessor->expects(self::never())->method('process');
+
+        $result = $this->processor->process($role, new Post());
+
+        self::assertSame($role, $result);
+    }
+
+    public function testPatchWithChangedCodeThrowsBadRequestHttpException(): void
+    {
+        // L'entite arrive avec le nouveau code deja applique par le denormalizer.
+        $role = new Role('editor_renamed', 'Editor', false);
+        $this->setRoleId($role, 42);
+
+        $this->unitOfWork
+            ->expects(self::once())
+            ->method('getOriginalEntityData')
+            ->with($role)
+            ->willReturn([
+                'id'       => 42,
+                'code'     => 'editor',
+                'label'    => 'Editor',
+                'isSystem' => false,
+            ])
+        ;
+
+        $this->persistProcessor->expects(self::never())->method('process');
+        $this->removeProcessor->expects(self::never())->method('process');
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage("Le code d'un role est immuable apres creation.");
+
+        $this->processor->process($role, new Patch());
+    }
+
+    public function testPatchWithUnchangedCodeDelegatesToPersistProcessor(): void
+    {
+        $role = new Role('editor', 'Editor modifie', false, 'desc');
+        $this->setRoleId($role, 42);
+
+        $this->unitOfWork
+            ->expects(self::once())
+            ->method('getOriginalEntityData')
+            ->with($role)
+            ->willReturn([
+                'id'       => 42,
+                'code'     => 'editor',
+                'label'    => 'Editor',
+                'isSystem' => false,
+            ])
+        ;
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($role)
+            ->willReturn($role)
+        ;
+
+        $this->removeProcessor->expects(self::never())->method('process');
+
+        $result = $this->processor->process($role, new Patch());
+
+        self::assertSame($role, $result);
+    }
+
+    public function testPatchSystemRoleLabelDelegatesToPersistProcessor(): void
+    {
+        // Regle uniforme : un role systeme peut voir son label modifie tant
+        // que son code reste inchange. Seul le DELETE est bloque.
+        $role = new Role('admin', 'Administrateur', true);
+        $this->setRoleId($role, 1);
+
+        $this->unitOfWork
+            ->expects(self::once())
+            ->method('getOriginalEntityData')
+            ->with($role)
+            ->willReturn([
+                'id'       => 1,
+                'code'     => 'admin',
+                'label'    => 'Admin',
+                'isSystem' => true,
+            ])
+        ;
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($role)
+            ->willReturn($role)
+        ;
+
+        $this->removeProcessor->expects(self::never())->method('process');
+
+        $result = $this->processor->process($role, new Patch());
+
+        self::assertSame($role, $result);
+    }
+
+    public function testProcessNonRoleDataThrowsLogicException(): void
+    {
+        // Garde-fou contre une misconfiguration : ce processor est wire
+        // exclusivement sur les operations Role.
+        $this->persistProcessor->expects(self::never())->method('process');
+        $this->removeProcessor->expects(self::never())->method('process');
+
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage('RoleProcessor attend une instance de');
+
+        $this->processor->process(new stdClass(), new Patch());
+    }
+
+    /**
+     * Positionne l'id d'un Role via reflection pour simuler une entite deja
+     * persistee (les mocks d'UnitOfWork n'alimentent pas l'id tout seul).
+     */
+    private function setRoleId(Role $role, int $id): void
+    {
+        $refl = new ReflectionClass($role);
+        $prop = $refl->getProperty('id');
+        $prop->setAccessible(true);
+        $prop->setValue($role, $id);
+    }
+}

tests/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessorTest.php

@@ -0,0 +1,230 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\UnitOfWork;
+use LogicException;
+use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use ReflectionClass;
+use stdClass;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Tests unitaires du UserRbacProcessor : couvre la garde "auto-suicide" et la
+ * delegation au PersistProcessor Doctrine decore pour les trois champs RBAC
+ * (isAdmin, roles, directPermissions).
+ *
+ * @internal
+ */
+#[AllowMockObjectsWithoutExpectations]
+final class UserRbacProcessorTest extends TestCase
+{
+    private MockObject&ProcessorInterface $persistProcessor;
+    private EntityManagerInterface&MockObject $entityManager;
+    private MockObject&UnitOfWork $unitOfWork;
+    private MockObject&Security $security;
+    private UserRbacProcessor $processor;
+
+    protected function setUp(): void
+    {
+        $this->persistProcessor = $this->createMock(ProcessorInterface::class);
+        $this->entityManager    = $this->createMock(EntityManagerInterface::class);
+        $this->unitOfWork       = $this->createMock(UnitOfWork::class);
+        $this->security         = $this->createMock(Security::class);
+
+        $this->entityManager->method('getUnitOfWork')->willReturn($this->unitOfWork);
+
+        $this->processor = new UserRbacProcessor(
+            $this->persistProcessor,
+            $this->entityManager,
+            $this->security,
+        );
+    }
+
+    public function testPatchPromotesUserToAdminDelegatesToPersistProcessor(): void
+    {
+        $target = $this->buildUser(42, 'alice', false);
+        $target->setIsAdmin(true);
+
+        $currentAdmin = $this->buildUser(1, 'admin', true);
+        $this->security->method('getUser')->willReturn($currentAdmin);
+
+        // Cible != user courant : pas de lecture d'UnitOfWork necessaire.
+        $this->unitOfWork->expects(self::never())->method('getOriginalEntityData');
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($target)
+            ->willReturn($target)
+        ;
+
+        $result = $this->processor->process($target, new Patch());
+
+        self::assertSame($target, $result);
+    }
+
+    public function testPatchUpdatesRolesCollectionDelegatesToPersistProcessor(): void
+    {
+        $target = $this->buildUser(42, 'alice', false);
+        $target->addRbacRole(new Role('editor', 'Editor', false));
+
+        $currentAdmin = $this->buildUser(1, 'admin', true);
+        $this->security->method('getUser')->willReturn($currentAdmin);
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($target)
+            ->willReturn($target)
+        ;
+
+        $result = $this->processor->process($target, new Patch());
+
+        self::assertSame($target, $result);
+        self::assertCount(1, $result->getRbacRoles());
+    }
+
+    public function testPatchUpdatesDirectPermissionsCollectionDelegatesToPersistProcessor(): void
+    {
+        $target = $this->buildUser(42, 'alice', false);
+        $target->addDirectPermission(new Permission('core.users.view', 'View', 'core'));
+
+        $currentAdmin = $this->buildUser(1, 'admin', true);
+        $this->security->method('getUser')->willReturn($currentAdmin);
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($target)
+            ->willReturn($target)
+        ;
+
+        $result = $this->processor->process($target, new Patch());
+
+        self::assertSame($target, $result);
+        self::assertCount(1, $result->getDirectPermissions());
+    }
+
+    public function testPatchSelfRemovingAdminThrowsBadRequestHttpException(): void
+    {
+        // Meme identifiant : l'user courant PATCH sa propre ressource.
+        $self = $this->buildUser(1, 'admin', false);
+
+        $this->security->method('getUser')->willReturn($self);
+
+        $this->unitOfWork
+            ->expects(self::once())
+            ->method('getOriginalEntityData')
+            ->with($self)
+            ->willReturn([
+                'id'       => 1,
+                'username' => 'admin',
+                'isAdmin'  => true,
+            ])
+        ;
+
+        $this->persistProcessor->expects(self::never())->method('process');
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('Vous ne pouvez pas retirer vos propres droits administrateur.');
+
+        $this->processor->process($self, new Patch());
+    }
+
+    public function testPatchAdminDemotingAnotherUserIsAllowed(): void
+    {
+        // Un admin qui retire isAdmin a quelqu'un d'autre : autorise.
+        $target  = $this->buildUser(42, 'alice', false);
+        $current = $this->buildUser(1, 'admin', true);
+
+        $this->security->method('getUser')->willReturn($current);
+
+        // Cible != user courant : pas de verification d'auto-suicide.
+        $this->unitOfWork->expects(self::never())->method('getOriginalEntityData');
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($target)
+            ->willReturn($target)
+        ;
+
+        $result = $this->processor->process($target, new Patch());
+
+        self::assertSame($target, $result);
+    }
+
+    public function testPatchSelfKeepingAdminIsAllowed(): void
+    {
+        // L'user courant se PATCH lui-meme mais garde isAdmin = true :
+        // aucun auto-suicide, on delegue au PersistProcessor.
+        $self = $this->buildUser(1, 'admin', true);
+
+        $this->security->method('getUser')->willReturn($self);
+
+        $this->unitOfWork
+            ->expects(self::once())
+            ->method('getOriginalEntityData')
+            ->with($self)
+            ->willReturn([
+                'id'       => 1,
+                'username' => 'admin',
+                'isAdmin'  => true,
+            ])
+        ;
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($self)
+            ->willReturn($self)
+        ;
+
+        $result = $this->processor->process($self, new Patch());
+
+        self::assertSame($self, $result);
+    }
+
+    public function testProcessNonUserDataThrowsLogicException(): void
+    {
+        // Garde-fou contre une misconfiguration : ce processor est wire
+        // exclusivement sur l'operation user_rbac_patch (cible User).
+        $this->persistProcessor->expects(self::never())->method('process');
+
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage('UserRbacProcessor attend une instance de');
+
+        $this->processor->process(new stdClass(), new Patch());
+    }
+
+    /**
+     * Construit un User avec un id force via reflection (les mocks
+     * d'UnitOfWork n'alimentent pas l'id tout seul).
+     */
+    private function buildUser(int $id, string $username, bool $isAdmin): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setIsAdmin($isAdmin);
+
+        $refl = new ReflectionClass($user);
+        $prop = $refl->getProperty('id');
+        $prop->setAccessible(true);
+        $prop->setValue($user, $id);
+
+        return $user;
+    }
+}