From 0f14f26fd343a2e427556d8bf315be45955ebd78 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Wed, 24 Jun 2026 10:06:25 +0200
Subject: [PATCH] refactor(directory) : gate report actions via RBAC
 permissions + guard report deletion

- replace hardcoded ROLE_ADMIN check with usePermissions().can('directory.{clients,prospects}.manage')
- rename misleading isAdmin prop to canManage in CommercialReportTab and ReportDocumentList
- add busy guard on delete confirmation modal to prevent duplicate DELETE on double-click
---
 .../ui/ConfirmDeleteReportModal.vue           |  7 ++++-
 .../components/CommercialReportTab.vue        | 31 ++++++++++++-------
 .../components/ReportDocumentList.vue         |  4 +--
 .../pages/directory/clients/[id].vue          |  6 ++--
 .../pages/directory/prospects/[id].vue        |  6 ++--
 5 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/frontend/components/ui/ConfirmDeleteReportModal.vue b/frontend/components/ui/ConfirmDeleteReportModal.vue
index 7aa6311..5010d48 100644
--- a/frontend/components/ui/ConfirmDeleteReportModal.vue
+++ b/frontend/components/ui/ConfirmDeleteReportModal.vue
@@ -13,12 +13,14 @@
                             variant="tertiary"
                             :label="$t('common.cancel')"
                             button-class="w-auto px-4"
+                            :disabled="busy"
                             @click="cancel"
                         />
                         <MalioButton
                             variant="danger"
                             :label="$t('common.delete')"
                             button-class="w-auto px-4"
+                            :disabled="busy"
                             @click="$emit('confirm')"
                         />
                     </div>
@@ -29,8 +31,10 @@
 </template>
 
 <script setup lang="ts">
-defineProps<{
+const props = defineProps<{
     modelValue: boolean
+    // Suppression en cours : on désactive les actions pour éviter un double envoi.
+    busy?: boolean
 }>()
 
 const emit = defineEmits<{
@@ -39,6 +43,7 @@ const emit = defineEmits<{
 }>()
 
 function cancel() {
+    if (props.busy) return
     emit('update:modelValue', false)
 }
 </script>
diff --git a/frontend/modules/directory/components/CommercialReportTab.vue b/frontend/modules/directory/components/CommercialReportTab.vue
index c1c778d..54d406b 100644
--- a/frontend/modules/directory/components/CommercialReportTab.vue
+++ b/frontend/modules/directory/components/CommercialReportTab.vue
@@ -6,7 +6,7 @@
                 <span v-if="reports.length">{{ $t('directory.reports.count', { n: reports.length }, reports.length) }}</span>
             </p>
             <MalioButton
-                v-if="isAdmin"
+                v-if="canManage"
                 icon-name="mdi:plus"
                 icon-position="left"
                 button-class="w-auto px-4"
@@ -24,7 +24,7 @@
             <p class="font-medium text-neutral-600">{{ $t('directory.reports.empty') }}</p>
             <p class="max-w-sm text-sm text-neutral-400">{{ $t('directory.reports.emptyHint') }}</p>
             <MalioButton
-                v-if="isAdmin"
+                v-if="canManage"
                 variant="tertiary"
                 icon-name="mdi:plus"
                 icon-position="left"
@@ -70,7 +70,7 @@
                                 <span v-if="report.author"> · {{ report.author.username }}</span>
                             </p>
                         </div>
-                        <div v-if="isAdmin" class="flex shrink-0 gap-1">
+                        <div v-if="canManage" class="flex shrink-0 gap-1">
                             <MalioButtonIcon
                                 icon="mdi:pencil-outline"
                                 variant="ghost"
@@ -97,7 +97,7 @@
 
                     <!-- Documents joints -->
                     <div
-                        v-if="(report.documents?.length ?? 0) || isAdmin"
+                        v-if="(report.documents?.length ?? 0) || canManage"
                         class="mt-3 border-t border-neutral-100 pt-3"
                     >
                         <p class="mb-2 text-xs font-medium uppercase tracking-wide text-neutral-400">
@@ -107,11 +107,11 @@
                             <ReportDocumentList
                                 v-if="report.documents?.length"
                                 :documents="report.documents"
-                                :is-admin="isAdmin"
+                                :can-manage="canManage"
                                 @delete="(docId) => removeDocument(docId)"
                             />
                             <ReportDocumentUpload
-                                v-if="isAdmin"
+                                v-if="canManage"
                                 :report-id="report.id"
                                 @uploaded="reload"
                             />
@@ -129,6 +129,7 @@
         />
         <ConfirmDeleteReportModal
             v-model="confirmOpen"
+            :busy="deleting"
             @confirm="confirmDelete"
         />
     </div>
@@ -141,7 +142,7 @@ import { useReportDocumentService } from '~/modules/directory/services/report-do
 
 const props = defineProps<{
     owner: { client?: string, prospect?: string }
-    isAdmin: boolean
+    canManage: boolean
 }>()
 
 const reportService = useCommercialReportService()
@@ -155,6 +156,7 @@ const editing = ref<CommercialReport | null>(null)
 
 const confirmOpen = ref(false)
 const pendingDelete = ref<CommercialReport | null>(null)
+const deleting = ref(false)
 
 // Le plus récent en haut (l'API ne garantit pas l'ordre).
 const sortedReports = computed(() =>
@@ -208,11 +210,16 @@ function askDelete(report: CommercialReport): void {
 }
 
 async function confirmDelete(): Promise<void> {
-    if (!pendingDelete.value) return
-    await reportService.remove(pendingDelete.value.id)
-    confirmOpen.value = false
-    pendingDelete.value = null
-    await reload()
+    if (!pendingDelete.value || deleting.value) return
+    deleting.value = true
+    try {
+        await reportService.remove(pendingDelete.value.id)
+        confirmOpen.value = false
+        pendingDelete.value = null
+        await reload()
+    } finally {
+        deleting.value = false
+    }
 }
 
 async function removeDocument(id: number): Promise<void> {
diff --git a/frontend/modules/directory/components/ReportDocumentList.vue b/frontend/modules/directory/components/ReportDocumentList.vue
index 705f9dd..83fda90 100644
--- a/frontend/modules/directory/components/ReportDocumentList.vue
+++ b/frontend/modules/directory/components/ReportDocumentList.vue
@@ -15,7 +15,7 @@
                 {{ doc.originalName }}
             </a>
             <MalioButtonIcon
-                v-if="isAdmin"
+                v-if="canManage"
                 icon="mdi:trash-can-outline"
                 button-class="!text-red-600"
                 :aria-label="$t('common.delete')"
@@ -32,7 +32,7 @@
 import type { ReportDocument } from '~/modules/directory/services/dto/report-document'
 import { useReportDocumentService } from '~/modules/directory/services/report-documents'
 
-defineProps<{ documents: ReportDocument[], isAdmin: boolean }>()
+defineProps<{ documents: ReportDocument[], canManage: boolean }>()
 defineEmits<{ delete: [id: number] }>()
 
 const { getDownloadUrl } = useReportDocumentService()
diff --git a/frontend/modules/directory/pages/directory/clients/[id].vue b/frontend/modules/directory/pages/directory/clients/[id].vue
index 6f223ca..264e733 100644
--- a/frontend/modules/directory/pages/directory/clients/[id].vue
+++ b/frontend/modules/directory/pages/directory/clients/[id].vue
@@ -99,7 +99,7 @@
                 </template>
 
                 <template #report>
-                    <CommercialReportTab :owner="owner" :is-admin="isAdmin" />
+                    <CommercialReportTab :owner="owner" :can-manage="canManage" />
                 </template>
             </MalioTabList>
         </template>
@@ -137,8 +137,8 @@ const {
     load,
 } = useDirectoryDetail(owner)
 
-const authStore = useAuthStore()
-const isAdmin = computed(() => authStore.user?.roles?.includes('ROLE_ADMIN') ?? false)
+const { can } = usePermissions()
+const canManage = computed(() => can('directory.clients.manage'))
 
 const client = ref<Client | null>(null)
 const loading = ref(true)
diff --git a/frontend/modules/directory/pages/directory/prospects/[id].vue b/frontend/modules/directory/pages/directory/prospects/[id].vue
index 2141cb7..4d03db5 100644
--- a/frontend/modules/directory/pages/directory/prospects/[id].vue
+++ b/frontend/modules/directory/pages/directory/prospects/[id].vue
@@ -119,7 +119,7 @@
                 </template>
 
                 <template #report>
-                    <CommercialReportTab :owner="owner" :is-admin="isAdmin" />
+                    <CommercialReportTab :owner="owner" :can-manage="canManage" />
                 </template>
             </MalioTabList>
         </template>
@@ -157,8 +157,8 @@ const {
     load,
 } = useDirectoryDetail(owner)
 
-const authStore = useAuthStore()
-const isAdmin = computed(() => authStore.user?.roles?.includes('ROLE_ADMIN') ?? false)
+const { can } = usePermissions()
+const canManage = computed(() => can('directory.prospects.manage'))
 
 const prospect = ref<Prospect | null>(null)
 const loading = ref(true)