feat(permissions) : add role-based access control system

Backend: - Add role hierarchy (ADMIN > GESTIONNAIRE > VIEWER > USER) in security.yaml - Add password authentication on profile activation (SessionProfileController) - Add SessionProfileAuthenticator with stateless API firewall - Add ProfilePasswordHasher state processor for API Platform - Add security annotations on all 18 API Platform entities - Add denyAccessUnlessGranted on all 13 custom controllers - Add AdminProfileController for profile/role management (/api/admin/profiles) - Add InitProfilePasswordsCommand for initial admin setup - Simplify SessionProfilesController to list-only (removed create/delete) Frontend (submodule update): - Add usePermissions composable (isAdmin, canEdit, canView, isGranted) - Add password login modal on profiles page - Add admin backoffice page for profile management - Disable all form fields for ROLE_VIEWER across all edit/create pages - Show navigation buttons for all roles, hide destructive actions for viewers - Add readonly mode to ModelTypeForm and site/constructeur modals - Guard /admin routes in middleware - Configure Vite proxy for API requests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 13:37:12 +01:00
parent adc44b99d3
commit a3e440c254
36 changed files with 762 additions and 110 deletions
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -29,33 +29,36 @@ security:
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure

-        session_profile:
-            pattern: ^/api/session
-            stateless: false
-
-        session_api:
-            pattern: ^/api/(sites|machines|documents|profiles)
-            stateless: false
+        session_public:
+            pattern: ^/api/session/profiles?$
+            security: false

        api:
            pattern: ^/api
-            stateless: false
+            stateless: true
+            custom_authenticators:
+                - App\Security\SessionProfileAuthenticator

        main:
            lazy: true
            provider: app_user_provider

+    role_hierarchy:
+        ROLE_ADMIN: ROLE_GESTIONNAIRE
+        ROLE_GESTIONNAIRE: ROLE_VIEWER
+        ROLE_VIEWER: ROLE_USER
+
    # Note: Only the *first* matching rule is applied
    access_control:
-        - { path: ^/api/session/profile, roles: PUBLIC_ACCESS }
-        - { path: ^/api/session/profiles, roles: PUBLIC_ACCESS }
-        - { path: ^/api, roles: PUBLIC_ACCESS }
+        - { path: ^/api/session/profile$, roles: PUBLIC_ACCESS }
+        - { path: ^/api/session/profiles, roles: PUBLIC_ACCESS, methods: [GET] }
+        - { path: ^/api/admin, roles: ROLE_ADMIN }
        - { path: ^/api/docs, roles: PUBLIC_ACCESS }
        - { path: ^/api/test, roles: PUBLIC_ACCESS }
        - { path: ^/docs, roles: PUBLIC_ACCESS }
        - { path: ^/contexts, roles: PUBLIC_ACCESS }
        - { path: ^/\.well-known, roles: PUBLIC_ACCESS }
-        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
+        - { path: ^/api, roles: ROLE_VIEWER }

 when@test:
    security: