From 3fe0bbf71ef9e3f1a5cd6c6ef6606c533e414481 Mon Sep 17 00:00:00 2001
From: tristan <tristan@yuno.malio.fr>
Date: Tue, 28 Apr 2026 11:52:18 +0000
Subject: [PATCH] =?UTF-8?q?feat:=20modification=20de=20la=20gestion=20des?=
 =?UTF-8?q?=20r=C3=B4les=20+=20ajout=20r=C3=B4le=20d'un=20bureau=20(!52)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

| Numéro du ticket | Titre du ticket |
|------------------|-----------------|
|                  |                 |

## Description de la PR

## Modification du .env

## Check list

- [ ] Pas de régression
- [ ] TU/TI/TF rédigée
- [ ] TU/TI/TF OK
- [ ] CHANGELOG modifié

Reviewed-on: https://gitea.malio.fr/MALIO-DEV/Ferme/pulls/52
Co-authored-by: tristan <tristan@yuno.malio.fr>
Co-committed-by: tristan <tristan@yuno.malio.fr>
---
 config/packages/security.yaml                 |  7 ++++
 frontend/composables/useBovineColumns.ts      | 23 ++++++-----
 frontend/middleware/admin-guard.global.ts     | 27 +++++++++++++
 frontend/pages/inventory.vue                  |  4 +-
 frontend/stores/auth.ts                       |  6 ++-
 frontend/utils/constants.ts                   |  1 +
 frontend/utils/roles.ts                       | 38 +++++++++++++++++++
 src/ApiResource/BovineInventoryExport.php     |  2 +-
 src/ApiResource/BovineSyncInventoryResult.php |  2 +-
 src/Entity/Bovine.php                         |  4 +-
 src/Entity/Reception.php                      |  1 +
 src/Entity/Shipment.php                       |  1 +
 12 files changed, 99 insertions(+), 17 deletions(-)
 create mode 100644 frontend/middleware/admin-guard.global.ts
 create mode 100644 frontend/utils/roles.ts

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index cc32766..56050e8 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -1,4 +1,11 @@
 security:
+    # Hiérarchie des rôles : ADMIN inclut BUREAU qui inclut USER.
+    # Ajouter un nouveau rôle = ajouter une ligne ici (et son équivalent côté
+    # front dans utils/roles.ts).
+    role_hierarchy:
+        ROLE_BUREAU: ROLE_USER
+        ROLE_ADMIN:  ROLE_BUREAU
+
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
         App\Entity\User: 'auto'
diff --git a/frontend/composables/useBovineColumns.ts b/frontend/composables/useBovineColumns.ts
index a4866cd..7c4d978 100644
--- a/frontend/composables/useBovineColumns.ts
+++ b/frontend/composables/useBovineColumns.ts
@@ -18,13 +18,15 @@ export interface UseBovineColumnsOptions {
 
 /**
  * Définition partagée des colonnes des tableaux bovins (inventory + case).
- * Variants distincts pour chaque écran et chaque rôle (admin/user) afin de
- * pouvoir ajuster les largeurs indépendamment.
+ * 4 variants : avec/sans colonnes prix × inventory/case.
+ *
+ * Les colonnes Prix/kg et Prix total sont visibles pour les rôles BUREAU
+ * et ADMIN (BUREAU hérite ses droits price-visibility, ADMIN hérite de BUREAU).
  */
 export const useBovineColumns = (options: UseBovineColumnsOptions = {}) => {
     const auth = useAuthStore()
 
-    const adminColumnsInventory: BovineColumn[] = [
+    const withPricesInventory: BovineColumn[] = [
         { key: 'nationalNumber', label: 'N° National', width: '80px' },
         { key: 'workNumber', label: 'N° Travail', width: '60px' },
         { key: 'sex', label: 'Sexe', width: '70px' },
@@ -38,7 +40,7 @@ export const useBovineColumns = (options: UseBovineColumnsOptions = {}) => {
         { key: 'finalPrice', label: 'Prix total', width: '80px' }
     ]
 
-    const userColumnsInventory: BovineColumn[] = [
+    const withoutPricesInventory: BovineColumn[] = [
         { key: 'nationalNumber', label: 'N° National', width: '80px' },
         { key: 'workNumber', label: 'N° Travail', width: '60px' },
         { key: 'sex', label: 'Sexe', width: '70px' },
@@ -50,7 +52,7 @@ export const useBovineColumns = (options: UseBovineColumnsOptions = {}) => {
         { key: 'arrivalDate', label: 'Entrée le', width: '90px' }
     ]
 
-    const adminColumnsCase: BovineColumn[] = [
+    const withPricesCase: BovineColumn[] = [
         { key: 'nationalNumber', label: 'N° National', width: '110px' },
         { key: 'workNumber', label: 'N° Travail', width: '85px' },
         { key: 'sex', label: 'Sexe', width: '90px' },
@@ -62,7 +64,7 @@ export const useBovineColumns = (options: UseBovineColumnsOptions = {}) => {
         { key: 'finalPrice', label: 'Prix total', width: '105px' }
     ]
 
-    const userColumnsCase: BovineColumn[] = [
+    const withoutPricesCase: BovineColumn[] = [
         { key: 'nationalNumber', label: 'N° National', width: '130px' },
         { key: 'workNumber', label: 'N° Travail', width: '100px' },
         { key: 'sex', label: 'Sexe', width: '110px' },
@@ -73,10 +75,13 @@ export const useBovineColumns = (options: UseBovineColumnsOptions = {}) => {
     ]
 
     const columns = computed<BovineColumn[]>(() => {
-        if (options.variant === 'case') {
-            return auth.isAdmin ? adminColumnsCase : userColumnsCase
+        const isCase   = options.variant === 'case'
+        const seePrice = auth.isBureau
+
+        if (isCase) {
+            return seePrice ? withPricesCase : withoutPricesCase
         }
-        return auth.isAdmin ? adminColumnsInventory : userColumnsInventory
+        return seePrice ? withPricesInventory : withoutPricesInventory
     })
 
     return { columns }
diff --git a/frontend/middleware/admin-guard.global.ts b/frontend/middleware/admin-guard.global.ts
new file mode 100644
index 0000000..e911f74
--- /dev/null
+++ b/frontend/middleware/admin-guard.global.ts
@@ -0,0 +1,27 @@
+import { useAuthStore } from '~/stores/auth'
+
+/**
+ * Garde-fou global : empêche les utilisateurs non-admin d'accéder aux pages
+ * sous /admin/*. Renvoie vers la home pour les utilisateurs authentifiés
+ * non-admin, et vers /login pour les non authentifiés.
+ *
+ * L'API back rejette de toute façon les actions admin avec un 403, mais ce
+ * middleware évite l'affichage des pages vides / en erreur quand un user
+ * tape directement l'URL /admin/...
+ */
+export default defineNuxtRouteMiddleware(async (to) => {
+    if (!to.path.startsWith('/admin')) {
+        return
+    }
+
+    const auth = useAuthStore()
+    await auth.ensureSession()
+
+    if (!auth.isAuthenticated) {
+        return navigateTo('/login')
+    }
+
+    if (!auth.isAdmin) {
+        return navigateTo('/')
+    }
+})
diff --git a/frontend/pages/inventory.vue b/frontend/pages/inventory.vue
index 7f3fabe..9a1579b 100644
--- a/frontend/pages/inventory.vue
+++ b/frontend/pages/inventory.vue
@@ -13,7 +13,7 @@
                 <h1 class="font-bold text-3xl uppercase text-primary-500">Inventaire bovins</h1>
                 <span class="text-lg text-slate-500">({{ totalItems }} bovin{{ totalItems > 1 ? 's' : '' }})</span>
                 <div
-                    v-if="auth.isAdmin"
+                    v-if="auth.isBureau"
                     class="bg-primary-500 p-1 rounded-md flex items-center cursor-pointer hover:opacity-80"
                     :class="exporting ? 'cursor-not-allowed opacity-60' : ''"
                     title="Exporter en Excel"
@@ -23,7 +23,7 @@
                 </div>
             </div>
             <button
-                v-if="auth.isAdmin"
+                v-if="auth.isBureau"
                 type="button"
                 :disabled="syncing"
                 class="inline-flex items-center justify-center text-xl text-white uppercase bg-primary-500 h-[50px] px-6 rounded hover:opacity-80 gap-2 disabled:cursor-not-allowed disabled:opacity-60"
diff --git a/frontend/stores/auth.ts b/frontend/stores/auth.ts
index 76447c5..4848627 100644
--- a/frontend/stores/auth.ts
+++ b/frontend/stores/auth.ts
@@ -2,7 +2,7 @@ import {defineStore} from 'pinia'
 import type {UserData} from '~/services/dto/user-data'
 import {getCurrentUser, createUser, updateUser, login, logout} from '~/services/auth'
 import type {UserPayload} from "~/services/dto/user-data";
-import {ROLE} from '~/utils/constants'
+import {userHasRole} from '~/utils/roles'
 
 export const useAuthStore = defineStore('auth', {
     state: () => ({
@@ -12,7 +12,9 @@ export const useAuthStore = defineStore('auth', {
     }),
     getters: {
         isAuthenticated: (state) => Boolean(state.user),
-        isAdmin: (state) => Boolean(state.user?.roles?.includes(ROLE[0].value))
+        hasRole: (state) => (role: string): boolean => userHasRole(state.user?.roles, role),
+        isAdmin: (state) => userHasRole(state.user?.roles, 'ROLE_ADMIN'),
+        isBureau: (state) => userHasRole(state.user?.roles, 'ROLE_BUREAU')
     },
     actions: {
         clearSession() {
diff --git a/frontend/utils/constants.ts b/frontend/utils/constants.ts
index 2f741b8..0ff670a 100644
--- a/frontend/utils/constants.ts
+++ b/frontend/utils/constants.ts
@@ -10,6 +10,7 @@ export const MERCHANDISE_TYPE_CODES = {
 
 export const ROLE = [
     { label: 'Administrateur', value: 'ROLE_ADMIN' },
+    { label: 'Bureau', value: 'ROLE_BUREAU' },
     { label: 'Utilisateur', value: 'ROLE_USER' }
 ]
 export const SUPPLIER_CODE = {
diff --git a/frontend/utils/roles.ts b/frontend/utils/roles.ts
new file mode 100644
index 0000000..6fa0e26
--- /dev/null
+++ b/frontend/utils/roles.ts
@@ -0,0 +1,38 @@
+/**
+ * Hiérarchie des rôles côté front. Doit rester synchronisée avec
+ * `role_hierarchy` dans config/packages/security.yaml côté back.
+ *
+ * Pour ajouter un nouveau rôle :
+ *  1. Ajouter une entrée ici (son rôle parent dans la chaîne)
+ *  2. Ajouter `ROLE_X: ROLE_Y` dans security.yaml côté back
+ *  3. Ajouter le rôle dans `ROLE` (utils/constants.ts) pour le form admin
+ */
+export const ROLE_HIERARCHY: Record<string, string[]> = {
+    ROLE_ADMIN: ['ROLE_BUREAU'],
+    ROLE_BUREAU: ['ROLE_USER'],
+    ROLE_USER: []
+}
+
+/**
+ * Retourne l'ensemble des rôles effectifs en expansant la hiérarchie.
+ * Ex : ['ROLE_ADMIN'] → Set { 'ROLE_ADMIN', 'ROLE_BUREAU', 'ROLE_USER' }.
+ */
+export const expandRoles = (roles: string[]): Set<string> => {
+    const expanded = new Set<string>(roles)
+    const visit = (role: string): void => {
+        const parents = ROLE_HIERARCHY[role] ?? []
+        for (const parent of parents) {
+            if (!expanded.has(parent)) {
+                expanded.add(parent)
+                visit(parent)
+            }
+        }
+    }
+    for (const r of roles) visit(r)
+    return expanded
+}
+
+export const userHasRole = (userRoles: string[] | null | undefined, role: string): boolean => {
+    if (!userRoles || userRoles.length === 0) return false
+    return expandRoles(userRoles).has(role)
+}
diff --git a/src/ApiResource/BovineInventoryExport.php b/src/ApiResource/BovineInventoryExport.php
index 418ce77..04cbcfd 100644
--- a/src/ApiResource/BovineInventoryExport.php
+++ b/src/ApiResource/BovineInventoryExport.php
@@ -19,7 +19,7 @@ use App\State\Bovin\BovineInventoryExportProvider;
                 description: "Retourne un fichier XLSX listant tous les bovins actifs (exitedAt IS NULL) triés par date de naissance croissante, avec colorisation des lignes selon l'âge.",
                 tags: ['Bovines'],
             ),
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('ROLE_BUREAU')",
             output: false,
             provider: BovineInventoryExportProvider::class,
         ),
diff --git a/src/ApiResource/BovineSyncInventoryResult.php b/src/ApiResource/BovineSyncInventoryResult.php
index adf32ad..def8332 100644
--- a/src/ApiResource/BovineSyncInventoryResult.php
+++ b/src/ApiResource/BovineSyncInventoryResult.php
@@ -19,7 +19,7 @@ use App\State\Bovin\BovineSyncInventoryProcessor;
                 description: 'Upsert des bovins par numéro national ; marque comme sortis ceux absents de la réponse EDNOTIF.',
                 tags: ['Bovines'],
             ),
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('ROLE_BUREAU')",
             input: false,
             output: self::class,
             processor: BovineSyncInventoryProcessor::class,
diff --git a/src/Entity/Bovine.php b/src/Entity/Bovine.php
index 8d630cb..656fd78 100644
--- a/src/Entity/Bovine.php
+++ b/src/Entity/Bovine.php
@@ -81,7 +81,7 @@ class Bovine
 
     #[ORM\Column(type: 'float', nullable: true)]
     #[Groups(['bovine:read', 'bovine:write', 'building_case:read'])]
-    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
+    #[ApiProperty(security: "is_granted('ROLE_BUREAU')")]
     private ?float $pricePerKg = null;
 
     #[ORM\Column(type: 'date_immutable', nullable: true)]
@@ -177,7 +177,7 @@ class Bovine
     }
 
     #[Groups(['bovine:read', 'building_case:read'])]
-    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
+    #[ApiProperty(security: "is_granted('ROLE_BUREAU')")]
     public function getFinalPrice(): ?float
     {
         if (null === $this->receivedWeight || null === $this->pricePerKg) {
diff --git a/src/Entity/Reception.php b/src/Entity/Reception.php
index 82d5afc..a6a1c91 100644
--- a/src/Entity/Reception.php
+++ b/src/Entity/Reception.php
@@ -61,6 +61,7 @@ use Symfony\Component\Serializer\Normalizer\DateTimeNormalizer;
         ),
         new Delete(
             requirements: ['id' => '\d+'],
+            security: "is_granted('ROLE_ADMIN')",
         ),
         new Get(
             uriTemplate: '/receptions/weigh',
diff --git a/src/Entity/Shipment.php b/src/Entity/Shipment.php
index d9f9a36..f71e86d 100644
--- a/src/Entity/Shipment.php
+++ b/src/Entity/Shipment.php
@@ -61,6 +61,7 @@ use Symfony\Component\Serializer\Normalizer\DateTimeNormalizer;
         ),
         new Delete(
             requirements: ['id' => '\d+'],
+            security: "is_granted('ROLE_ADMIN')",
         ),
         new Get(
             uriTemplate: '/shipments/weigh',