THOLOT DECHENE Matthieu
e8c2789435
Some checks failed
Auto Tag Develop / tag (push) Has been cancelled
## Résumé
Implémentation complète du système RBAC (Role-Based Access Control) pour Coltura.
### Backend
- Entités Permission et Role avec API Platform CRUD
- PermissionVoter : vérification des permissions effectives (rôles + directes), admin bypass
- Endpoints `PATCH /users/{id}/rbac` pour assigner rôles, permissions directes et isAdmin
- AdminHeadcountGuard : protection contre la suppression du dernier admin
- Commande `app:sync-permissions` pour synchroniser les permissions déclarées par les modules
- Filtrage sidebar par permission RBAC (`permission` key optionnelle dans sidebar.php)
- 115 tests PHPUnit (fonctionnels + unitaires)
### Frontend
- Composable `usePermissions()` avec `can()`, `canAny()`, `canAll()` et admin bypass
- Page `/admin/roles` : DataTable, création/édition via drawer, suppression avec confirmation
- Page `/admin/users` : DataTable, drawer RBAC avec rôles, permissions directes, résumé effectif
- PermissionGroup : checkboxes groupées par module avec "tout sélectionner"
- EffectivePermissions : résumé lecture seule avec badges source ("via Rôle X" / "Direct")
- Warning auto-édition, toggle isAdmin
- Tests Vitest pour usePermissions
### Permissions déclarées
- `core.users.view` — Voir les utilisateurs
- `core.users.manage` — Gérer les utilisateurs
- `core.roles.view` — Voir les rôles RBAC
- `core.roles.manage` — Gérer les rôles et permissions
- `GET /api/permissions` accessible à tout utilisateur authentifié (catalogue read-only)
## Tickets Lesstime
- ERP-23 (#343) — Entités Permission et Role
- ERP-24 (#344) — API CRUD Roles & Permissions
- ERP-25 (#345) — Voter Symfony + usePermissions
- ERP-26 (#346) — Interface Admin : Gestion des Rôles
- ERP-27 (#347) — Interface Admin : Permissions Utilisateur
## Test plan
- [ ] `make db-reset` puis vérifier les fixtures (admin/alice/bob, rôles système)
- [ ] Login admin : sidebar affiche Gestion des rôles + Utilisateurs
- [ ] Login alice : sidebar masque ces onglets (pas de permission)
- [ ] Page /admin/roles : CRUD rôles, permissions groupées, protection rôles système
- [ ] Page /admin/users : assignation rôles + permissions directes, résumé effectif
- [ ] Warning auto-édition quand admin modifie ses propres droits
- [ ] `make test` : 115 tests PHPUnit passent
- [ ] `cd frontend && npm run test` : tests Vitest passent
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Matthieu <mtholot19@gmail.com>
Co-authored-by: tristan <tristan@yuno.malio.fr>
Reviewed-on: #7
Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
260 lines
9.0 KiB
Vue
260 lines
9.0 KiB
Vue
<template>
|
|
<MalioDrawer
|
|
:model-value="modelValue"
|
|
:title="t('admin.users.drawer.title', { username: user?.username ?? '' })"
|
|
drawer-class="w-full max-w-lg"
|
|
@update:model-value="emit('update:modelValue', $event)"
|
|
>
|
|
<div class="flex flex-col gap-6 p-4">
|
|
<!-- Avertissement auto-edition -->
|
|
<div
|
|
v-if="isSelfEdit"
|
|
class="flex items-center gap-2 rounded-lg border border-yellow-300 bg-yellow-50 px-4 py-3 text-sm text-yellow-800"
|
|
>
|
|
<Icon name="mdi:alert-outline" class="size-5 shrink-0" />
|
|
{{ t('admin.users.drawer.selfWarning') }}
|
|
</div>
|
|
|
|
<!-- Toggle Administrateur -->
|
|
<MalioCheckbox
|
|
id="admin-toggle"
|
|
:label="t('admin.users.drawer.adminToggle')"
|
|
:model-value="form.isAdmin"
|
|
label-class="font-semibold text-sm text-neutral-700"
|
|
@update:model-value="form.isAdmin = $event"
|
|
/>
|
|
|
|
<!-- Section Roles -->
|
|
<div>
|
|
<h4 class="mb-3 text-sm font-semibold text-neutral-700">
|
|
{{ t('admin.users.drawer.rolesSection') }}
|
|
</h4>
|
|
<div class="flex flex-col gap-2">
|
|
<MalioCheckbox
|
|
v-for="role in allRoles"
|
|
:key="role.id"
|
|
:id="`role-${role.id}`"
|
|
:label="role.label"
|
|
:model-value="selectedRoleIds.has(role.id)"
|
|
label-class="text-sm text-neutral-600"
|
|
@update:model-value="(val: boolean) => toggleRole(role.id, val)"
|
|
/>
|
|
</div>
|
|
</div>
|
|
|
|
<!-- Section Permissions directes -->
|
|
<div>
|
|
<h4 class="mb-3 text-sm font-semibold text-neutral-700">
|
|
{{ t('admin.users.drawer.directPermissionsSection') }}
|
|
</h4>
|
|
<div v-if="permissionsByModule.length === 0" class="text-sm text-neutral-400">
|
|
{{ t('admin.roles.permissions.noPermissions') }}
|
|
</div>
|
|
<div class="flex flex-col gap-4">
|
|
<PermissionGroup
|
|
v-for="group in permissionsByModule"
|
|
:key="group.module"
|
|
:module="group.module"
|
|
:module-label="group.module"
|
|
:permissions="group.permissions"
|
|
:selected-ids="selectedDirectPermissionIds"
|
|
@toggle="handleTogglePermission"
|
|
@toggle-all="handleToggleAll"
|
|
/>
|
|
</div>
|
|
</div>
|
|
|
|
<!-- Section Resume permissions effectives -->
|
|
<div>
|
|
<h4 class="mb-3 text-sm font-semibold text-neutral-700">
|
|
{{ t('admin.users.drawer.summarySection') }}
|
|
</h4>
|
|
<EffectivePermissions :permissions="effectivePermissions" />
|
|
</div>
|
|
|
|
<!-- Boutons -->
|
|
<div class="flex justify-end gap-3 border-t border-neutral-200 pt-4">
|
|
<MalioButton
|
|
:label="t('common.cancel')"
|
|
variant="tertiary"
|
|
@click="emit('update:modelValue', false)"
|
|
/>
|
|
<MalioButton
|
|
:label="t('common.save')"
|
|
variant="primary"
|
|
:disabled="saving"
|
|
@click="handleSave"
|
|
/>
|
|
</div>
|
|
</div>
|
|
</MalioDrawer>
|
|
</template>
|
|
|
|
<script setup lang="ts">
|
|
import type { Permission, Role, UserListItem, EffectivePermission } from '~/shared/types/rbac'
|
|
|
|
interface PermissionModule {
|
|
module: string
|
|
permissions: Permission[]
|
|
}
|
|
|
|
const { t } = useI18n()
|
|
const api = useApi()
|
|
const auth = useAuthStore()
|
|
|
|
const props = defineProps<{
|
|
modelValue: boolean
|
|
user: UserListItem | null
|
|
}>()
|
|
|
|
const emit = defineEmits<{
|
|
'update:modelValue': [value: boolean]
|
|
saved: []
|
|
}>()
|
|
|
|
const saving = ref(false)
|
|
const allRoles = ref<Role[]>([])
|
|
const allPermissions = ref<Permission[]>([])
|
|
|
|
const form = ref({ isAdmin: false })
|
|
const selectedRoleIds = ref(new Set<number>())
|
|
const selectedDirectPermissionIds = ref(new Set<number>())
|
|
|
|
// Detecter l'auto-edition
|
|
const isSelfEdit = computed(() => props.user?.id === auth.user?.id)
|
|
|
|
// Extraire un ID depuis une IRI API Platform
|
|
function iriToId(iri: string): number {
|
|
return Number(iri.split('/').pop())
|
|
}
|
|
|
|
// Grouper les permissions par module (pour les checkboxes)
|
|
const permissionsByModule = computed<PermissionModule[]>(() => {
|
|
const groups = new Map<string, Permission[]>()
|
|
for (const perm of allPermissions.value) {
|
|
if (perm.orphan) continue
|
|
const list = groups.get(perm.module) || []
|
|
list.push(perm)
|
|
groups.set(perm.module, list)
|
|
}
|
|
return Array.from(groups.entries())
|
|
.map(([module, permissions]) => ({ module, permissions }))
|
|
.sort((a, b) => a.module.localeCompare(b.module))
|
|
})
|
|
|
|
// Calculer les permissions effectives avec leurs sources
|
|
const effectivePermissions = computed<EffectivePermission[]>(() => {
|
|
const permMap = new Map<number, Permission>()
|
|
for (const p of allPermissions.value) {
|
|
if (!p.orphan) permMap.set(p.id, p)
|
|
}
|
|
|
|
// Construire la map permissionId -> sources[]
|
|
const result = new Map<number, string[]>()
|
|
|
|
// Permissions heritees des roles
|
|
for (const roleId of selectedRoleIds.value) {
|
|
const role = allRoles.value.find(r => r.id === roleId)
|
|
if (!role) continue
|
|
for (const p of role.permissions) {
|
|
const pid = typeof p === 'string' ? iriToId(p) : p.id
|
|
const sources = result.get(pid) || []
|
|
sources.push(t('admin.users.drawer.sourceRole', { role: role.label }))
|
|
result.set(pid, sources)
|
|
}
|
|
}
|
|
|
|
// Permissions directes
|
|
for (const pid of selectedDirectPermissionIds.value) {
|
|
const sources = result.get(pid) || []
|
|
sources.push(t('admin.users.drawer.sourceDirect'))
|
|
result.set(pid, sources)
|
|
}
|
|
|
|
// Construire la liste finale
|
|
return Array.from(result.entries())
|
|
.map(([pid, sources]) => {
|
|
const perm = permMap.get(pid)
|
|
if (!perm) return null
|
|
return { code: perm.code, label: perm.label, module: perm.module, sources }
|
|
})
|
|
.filter((p): p is EffectivePermission => p !== null)
|
|
.sort((a, b) => a.code.localeCompare(b.code))
|
|
})
|
|
|
|
// Charger roles et permissions
|
|
async function loadData() {
|
|
const [rolesData, permsData] = await Promise.all([
|
|
api.get<{ member: Role[] }>('/roles', {}, { toast: false }),
|
|
api.get<{ member: Permission[] }>('/permissions', { orphan: false, itemsPerPage: 999 }, { toast: false }),
|
|
])
|
|
allRoles.value = rolesData.member
|
|
allPermissions.value = permsData.member
|
|
}
|
|
|
|
// Remplir le formulaire quand le user change
|
|
watch(() => props.user, (user) => {
|
|
if (user) {
|
|
form.value.isAdmin = user.isAdmin
|
|
selectedRoleIds.value = new Set(user.roles.map(iriToId))
|
|
selectedDirectPermissionIds.value = new Set(user.directPermissions.map(iriToId))
|
|
} else {
|
|
form.value.isAdmin = false
|
|
selectedRoleIds.value = new Set()
|
|
selectedDirectPermissionIds.value = new Set()
|
|
}
|
|
}, { immediate: true })
|
|
|
|
// Charger les donnees quand le drawer s'ouvre
|
|
watch(() => props.modelValue, (open) => {
|
|
if (open) loadData()
|
|
})
|
|
|
|
function toggleRole(id: number, selected: boolean) {
|
|
const ids = new Set(selectedRoleIds.value)
|
|
if (selected) ids.add(id)
|
|
else ids.delete(id)
|
|
selectedRoleIds.value = ids
|
|
}
|
|
|
|
function handleTogglePermission(id: number, selected: boolean) {
|
|
const ids = new Set(selectedDirectPermissionIds.value)
|
|
if (selected) ids.add(id)
|
|
else ids.delete(id)
|
|
selectedDirectPermissionIds.value = ids
|
|
}
|
|
|
|
function handleToggleAll(module: string, selected: boolean) {
|
|
const ids = new Set(selectedDirectPermissionIds.value)
|
|
const group = permissionsByModule.value.find(g => g.module === module)
|
|
if (!group) return
|
|
for (const perm of group.permissions) {
|
|
if (selected) ids.add(perm.id)
|
|
else ids.delete(perm.id)
|
|
}
|
|
selectedDirectPermissionIds.value = ids
|
|
}
|
|
|
|
async function handleSave() {
|
|
if (!props.user) return
|
|
saving.value = true
|
|
try {
|
|
await api.patch(`/users/${props.user.id}/rbac`, {
|
|
isAdmin: form.value.isAdmin,
|
|
roles: Array.from(selectedRoleIds.value).map(id => `/api/roles/${id}`),
|
|
directPermissions: Array.from(selectedDirectPermissionIds.value).map(id => `/api/permissions/${id}`),
|
|
}, {
|
|
toastSuccessMessage: t('admin.users.toast.updated'),
|
|
})
|
|
// Rafraichir les donnees du user courant si auto-edition
|
|
if (isSelfEdit.value) {
|
|
await auth.refreshUser()
|
|
}
|
|
emit('saved')
|
|
emit('update:modelValue', false)
|
|
} finally {
|
|
saving.value = false
|
|
}
|
|
}
|
|
</script>
|