a3e440c254
Backend: - Add role hierarchy (ADMIN > GESTIONNAIRE > VIEWER > USER) in security.yaml - Add password authentication on profile activation (SessionProfileController) - Add SessionProfileAuthenticator with stateless API firewall - Add ProfilePasswordHasher state processor for API Platform - Add security annotations on all 18 API Platform entities - Add denyAccessUnlessGranted on all 13 custom controllers - Add AdminProfileController for profile/role management (/api/admin/profiles) - Add InitProfilePasswordsCommand for initial admin setup - Simplify SessionProfilesController to list-only (removed create/delete) Frontend (submodule update): - Add usePermissions composable (isAdmin, canEdit, canView, isGranted) - Add password login modal on profiles page - Add admin backoffice page for profile management - Disable all form fields for ROLE_VIEWER across all edit/create pages - Show navigation buttons for all roles, hide destructive actions for viewers - Add readonly mode to ModelTypeForm and site/constructeur modals - Guard /admin routes in middleware - Configure Vite proxy for API requests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
259 lines
6.5 KiB
PHP
259 lines
6.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Entity;
|
|
|
|
use ApiPlatform\Metadata\ApiResource;
|
|
use ApiPlatform\Metadata\Delete;
|
|
use ApiPlatform\Metadata\Get;
|
|
use ApiPlatform\Metadata\GetCollection;
|
|
use ApiPlatform\Metadata\Patch;
|
|
use ApiPlatform\Metadata\Post;
|
|
use ApiPlatform\Metadata\Put;
|
|
use App\Repository\ProfileRepository;
|
|
use App\State\ProfilePasswordHasher;
|
|
use DateTimeImmutable;
|
|
use Doctrine\ORM\Mapping as ORM;
|
|
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
|
|
use Symfony\Component\Security\Core\User\UserInterface;
|
|
use Symfony\Component\Serializer\Annotation\Groups;
|
|
use Symfony\Component\Validator\Constraints as Assert;
|
|
|
|
#[ORM\Entity(repositoryClass: ProfileRepository::class)]
|
|
#[ORM\Table(name: 'profiles')]
|
|
#[ORM\UniqueConstraint(name: 'UNIQ_email', columns: ['email'])]
|
|
#[ORM\HasLifecycleCallbacks]
|
|
#[ApiResource(
|
|
operations: [
|
|
new Get(security: "is_granted('ROLE_VIEWER')"),
|
|
new GetCollection(security: "is_granted('ROLE_ADMIN')"),
|
|
new Post(
|
|
security: "is_granted('ROLE_ADMIN')",
|
|
denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
|
|
processor: ProfilePasswordHasher::class,
|
|
),
|
|
new Put(
|
|
security: "is_granted('ROLE_ADMIN')",
|
|
denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
|
|
processor: ProfilePasswordHasher::class,
|
|
),
|
|
new Patch(
|
|
security: "is_granted('ROLE_ADMIN')",
|
|
denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
|
|
processor: ProfilePasswordHasher::class,
|
|
),
|
|
new Delete(security: "is_granted('ROLE_ADMIN')"),
|
|
],
|
|
normalizationContext: ['groups' => ['profile:read']],
|
|
denormalizationContext: ['groups' => ['profile:write']]
|
|
)]
|
|
class Profile implements UserInterface, PasswordAuthenticatedUserInterface
|
|
{
|
|
#[ORM\Id]
|
|
#[ORM\Column(type: 'string', length: 36)]
|
|
#[Groups(['profile:read'])]
|
|
private ?string $id = null;
|
|
|
|
#[ORM\Column(type: 'string', length: 180, unique: true, nullable: true)]
|
|
#[Assert\Email]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private ?string $email = null;
|
|
|
|
#[ORM\Column(type: 'string', length: 100, name: 'firstname')]
|
|
#[Assert\NotBlank]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private string $firstName;
|
|
|
|
#[ORM\Column(type: 'string', length: 100, name: 'lastname')]
|
|
#[Assert\NotBlank]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private string $lastName;
|
|
|
|
#[ORM\Column(type: 'boolean', options: ['default' => true], name: 'isactive')]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private bool $isActive = true;
|
|
|
|
/**
|
|
* @var list<string> The user roles
|
|
*/
|
|
#[ORM\Column(type: 'json', options: ['default' => '["ROLE_USER"]'])]
|
|
#[Groups(['profile:read', 'profile:admin:write'])]
|
|
private array $roles = ['ROLE_USER'];
|
|
|
|
/**
|
|
* @var null|string The hashed password
|
|
*/
|
|
#[ORM\Column(type: 'string', nullable: true)]
|
|
private ?string $password = null;
|
|
|
|
/**
|
|
* Non-persisted field used for password hashing via ProfilePasswordHasher.
|
|
*/
|
|
#[Groups(['profile:write'])]
|
|
private ?string $plainPassword = null;
|
|
|
|
#[ORM\Column(type: 'datetime_immutable', name: 'createdat')]
|
|
#[Groups(['profile:read'])]
|
|
private DateTimeImmutable $createdAt;
|
|
|
|
#[ORM\Column(type: 'datetime_immutable', name: 'updatedat')]
|
|
#[Groups(['profile:read'])]
|
|
private DateTimeImmutable $updatedAt;
|
|
|
|
public function __construct()
|
|
{
|
|
$this->id = 'cl'.substr(strtolower(base_convert(random_bytes(12), 2, 36)), 0, 24);
|
|
$this->createdAt = new DateTimeImmutable();
|
|
$this->updatedAt = new DateTimeImmutable();
|
|
}
|
|
|
|
public function getId(): ?string
|
|
{
|
|
return $this->id;
|
|
}
|
|
|
|
public function getEmail(): ?string
|
|
{
|
|
return $this->email;
|
|
}
|
|
|
|
public function setEmail(?string $email): static
|
|
{
|
|
$this->email = $email;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function getFirstName(): string
|
|
{
|
|
return $this->firstName;
|
|
}
|
|
|
|
public function setFirstName(string $firstName): static
|
|
{
|
|
$this->firstName = $firstName;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function getLastName(): string
|
|
{
|
|
return $this->lastName;
|
|
}
|
|
|
|
public function setLastName(string $lastName): static
|
|
{
|
|
$this->lastName = $lastName;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function isActive(): bool
|
|
{
|
|
return $this->isActive;
|
|
}
|
|
|
|
public function setIsActive(bool $isActive): static
|
|
{
|
|
$this->isActive = $isActive;
|
|
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* @see UserInterface
|
|
*/
|
|
public function getUserIdentifier(): string
|
|
{
|
|
return (string) $this->email;
|
|
}
|
|
|
|
/**
|
|
* @see UserInterface
|
|
*
|
|
* @return list<string>
|
|
*/
|
|
public function getRoles(): array
|
|
{
|
|
$roles = $this->roles;
|
|
$roles[] = 'ROLE_USER';
|
|
|
|
return array_values(array_unique($roles));
|
|
}
|
|
|
|
/**
|
|
* @param list<string> $roles
|
|
*/
|
|
public function setRoles(array $roles): static
|
|
{
|
|
$this->roles = $roles;
|
|
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* @see PasswordAuthenticatedUserInterface
|
|
*/
|
|
public function getPassword(): ?string
|
|
{
|
|
return $this->password;
|
|
}
|
|
|
|
public function setPassword(?string $password): static
|
|
{
|
|
$this->password = $password;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function getPlainPassword(): ?string
|
|
{
|
|
return $this->plainPassword;
|
|
}
|
|
|
|
public function setPlainPassword(?string $plainPassword): static
|
|
{
|
|
$this->plainPassword = $plainPassword;
|
|
|
|
return $this;
|
|
}
|
|
|
|
#[Groups(['profile:read'])]
|
|
public function getHasPassword(): bool
|
|
{
|
|
return null !== $this->password && '' !== $this->password;
|
|
}
|
|
|
|
/**
|
|
* @see UserInterface
|
|
*/
|
|
public function eraseCredentials(): void
|
|
{
|
|
$this->plainPassword = null;
|
|
}
|
|
|
|
public function getCreatedAt(): DateTimeImmutable
|
|
{
|
|
return $this->createdAt;
|
|
}
|
|
|
|
public function getUpdatedAt(): DateTimeImmutable
|
|
{
|
|
return $this->updatedAt;
|
|
}
|
|
|
|
#[ORM\PrePersist]
|
|
public function setCreatedAtValue(): void
|
|
{
|
|
$this->createdAt = new DateTimeImmutable();
|
|
$this->updatedAt = new DateTimeImmutable();
|
|
}
|
|
|
|
#[ORM\PreUpdate]
|
|
public function setUpdatedAtValue(): void
|
|
{
|
|
$this->updatedAt = new DateTimeImmutable();
|
|
}
|
|
}
|