tristan
d137828919
Exposition de Site via API Platform (5 operations RBAC sites.view/sites.manage), relation User.sites (M2M user_site EAGER) + User.currentSite (M2O nullable, ON DELETE SET NULL). Endpoint PATCH /api/me/current-site via ressource virtuelle + processor (SiteNotAuthorizedException → 403). UserRbacProcessor etendu avec gardes post-persist : auto-reset si currentSite retire, auto-select premier site si null + sites non vide. Page /admin/sites (DataTable + drawer creation/edition + modale suppression). UserRbacDrawer etendu avec section "Sites autorises". Colonne "Sites" ajoutee dans la table /admin/users (liste des noms separes par virgule). Sidebar entree Sites (module: sites, permission: sites.view). Refactor adresse : split full_address en street + complement (nullable) + getter computed Site::getFullAddress() multi-lignes. Migration ALTER dediee pour compat devs ayant deja joue le ticket 1. Fixtures avec vraies adresses (Chatellerault/Fontenet/Pommevic). Doctrine : inversedBy synchrone User.sites <-> Site.users pour maintenir la collection inverse en memoire. User::switchCurrentSite() porte la garde domaine (throw SiteNotAuthorizedException), aligne sur Role::ensureDeletable. Helper skipIfSitesModuleDisabled centralise dans AbstractApiTestCase. Tests : 182/182 (182/182 aussi module desactive, 2 skipped). 29 nouveaux tests PHPUnit (CRUD API, switch currentSite, cascade DB, /api/me enrichi, extension /rbac, gardes structurelles fullAddress/currentSite ignores, anti-cycle Site.users). 11 tests Vitest sur la validation hex couleur. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
117 lines
4.2 KiB
PHP
117 lines
4.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Module\Sites\Api;
|
|
|
|
use App\Module\Core\Domain\Entity\User;
|
|
use App\Tests\Module\Core\Api\AbstractApiTestCase;
|
|
|
|
/**
|
|
* Tests d'exposition des sites autorises et du site courant dans /api/me.
|
|
*
|
|
* Regression-guard du contrat avec le front (ticket 3) : `sites` doit etre
|
|
* une liste d'objets Site complets (pas des IRIs), et `currentSite` doit
|
|
* etre un objet ou null. Les clients front consomment directement ces
|
|
* champs pour alimenter le SiteSelector et le store auth.
|
|
*
|
|
* @internal
|
|
*/
|
|
final class MeEndpointSitesTest extends AbstractApiTestCase
|
|
{
|
|
public function testMeExposesSitesAsObjects(): void
|
|
{
|
|
$client = $this->authenticatedClient('alice', 'alice');
|
|
$response = $client->request('GET', '/api/me');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
|
|
self::assertArrayHasKey('sites', $data);
|
|
self::assertIsArray($data['sites']);
|
|
self::assertCount(1, $data['sites']);
|
|
|
|
$firstSite = $data['sites'][0];
|
|
self::assertIsArray($firstSite, 'Un site doit etre serialise en objet, pas en IRI string.');
|
|
self::assertArrayHasKey('id', $firstSite);
|
|
self::assertArrayHasKey('name', $firstSite);
|
|
self::assertArrayHasKey('street', $firstSite);
|
|
self::assertArrayHasKey('city', $firstSite);
|
|
self::assertArrayHasKey('color', $firstSite);
|
|
// Le getter computed est expose en lecture pour eviter au front
|
|
// de redupliquer la logique de concatenation.
|
|
self::assertArrayHasKey('fullAddress', $firstSite);
|
|
self::assertSame('Chatellerault', $firstSite['name']);
|
|
|
|
// Garde anti-cycle (cf. Site::$users sans Groups, ticket 2 spec
|
|
// section 12 risque 6) : la collection inverse ne doit JAMAIS etre
|
|
// serialisee dans /api/me sous peine de boucle infinie
|
|
// User → sites → users → sites → ...
|
|
self::assertArrayNotHasKey(
|
|
'users',
|
|
$firstSite,
|
|
'Site.users ne doit JAMAIS etre serialise dans /api/me (cycle infini).',
|
|
);
|
|
}
|
|
|
|
public function testMeExposesCurrentSiteAsObject(): void
|
|
{
|
|
$client = $this->authenticatedClient('alice', 'alice');
|
|
$response = $client->request('GET', '/api/me');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
|
|
self::assertArrayHasKey('currentSite', $data);
|
|
self::assertIsArray($data['currentSite'], 'currentSite doit etre un objet, pas une IRI.');
|
|
self::assertSame('Chatellerault', $data['currentSite']['name']);
|
|
}
|
|
|
|
public function testAdminHasAllThreeSites(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('GET', '/api/me');
|
|
|
|
$data = $response->toArray();
|
|
self::assertCount(3, $data['sites']);
|
|
|
|
$names = array_column($data['sites'], 'name');
|
|
sort($names);
|
|
self::assertSame(['Chatellerault', 'Pommevic', 'Saint-Jean'], $names);
|
|
}
|
|
|
|
public function testUserWithoutSitesHasEmptyArrayAndNullCurrent(): void
|
|
{
|
|
// Creer un user jetable sans rattachement a un site.
|
|
$em = $this->getEm();
|
|
|
|
$suffix = substr(bin2hex(random_bytes(4)), 0, 8);
|
|
$username = 'orphan_'.$suffix;
|
|
|
|
$hasher = self::getContainer()->get('security.user_password_hasher');
|
|
$user = new User();
|
|
$user->setUsername($username);
|
|
$user->setIsAdmin(false);
|
|
$user->setPassword($hasher->hashPassword($user, 'testpass'));
|
|
$em->persist($user);
|
|
$em->flush();
|
|
|
|
try {
|
|
$client = $this->authenticatedClient($username, 'testpass');
|
|
$response = $client->request('GET', '/api/me');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
self::assertSame([], $data['sites']);
|
|
self::assertNull($data['currentSite']);
|
|
} finally {
|
|
$em = $this->getEm();
|
|
$reloaded = $em->getRepository(User::class)->findOneBy(['username' => $username]);
|
|
if (null !== $reloaded) {
|
|
$em->remove($reloaded);
|
|
$em->flush();
|
|
}
|
|
}
|
|
}
|
|
}
|