From 1ab2eecccad84667535e6b7ac01759a7e153cefb Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 29 Jun 2026 10:15:46 +0200
Subject: [PATCH] =?UTF-8?q?fix(rbac)=20:=20rattache=20le=20r=C3=B4le=20de?=
 =?UTF-8?q?=20base=20=C2=AB=20user=20=C2=BB=20et=20gate=20le=20frontend=20?=
 =?UTF-8?q?par=20permission?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Un user avec des permissions sur le rôle RBAC « user » ne voyait rien : le
ROLE_USER legacy n'a aucun lien avec le RBAC et getEffectivePermissions() ne lit
que rbacRoles + permissions directes, alors qu'aucun user n'était rattaché au
rôle « user » (table user_role vide, jamais backfillée).

Backend
- DefaultUserRoleAssigner + UserDefaultRoleListener (prePersist) : tout nouvel
  utilisateur est rattaché au rôle « user » sur tous les chemins de persistance.
- Commande app:assign-default-roles (backfill idempotent) + ajout au deploy.sh.
- AppFixtures : seed des rôles système avant la création des users.

Frontend (gating par permission au lieu de ROLE_ADMIN legacy)
- Nouveau middleware « permission » + augmentation PageMeta : definePageMeta
  ({ permission }) (string = requise, array = any), ROLE_ADMIN bypasse.
- Pages directory/reporting/admin gatées par permission ; SidebarFilter accepte
  une liste de permissions (any) ; section admin sans gate de rôle.
- team-absences reste en ROLE_ADMIN (module Absence non RBAC-isé côté backend).
---
 CLAUDE.md                                     |  3 +-
 config/services.yaml                          |  4 +
 config/sidebar.php                            | 10 ++-
 frontend/app/middleware/permission.ts         | 23 ++++++
 frontend/app/types/page-meta.d.ts             | 16 ++++
 .../pages/directory/clients/[id].vue          |  2 +-
 .../directory/pages/directory/index.vue       |  2 +-
 .../pages/directory/prestataires/[id].vue     |  2 +-
 .../pages/directory/prospects/[id].vue        |  2 +-
 .../modules/reporting/pages/reporting.vue     |  2 +-
 frontend/pages/admin.vue                      |  2 +-
 infra/prod/deploy.sh                          |  3 +
 src/DataFixtures/AppFixtures.php              |  9 ++-
 .../Rbac/DefaultUserRoleAssigner.php          | 76 +++++++++++++++++++
 .../Console/AssignDefaultRolesCommand.php     | 35 +++++++++
 .../EventListener/UserDefaultRoleListener.php | 26 +++++++
 src/Shared/Domain/Sidebar/SidebarFilter.php   | 23 ++++--
 .../Core/AssignDefaultRolesCommandTest.php    | 58 ++++++++++++++
 .../Core/UserDefaultRoleListenerTest.php      | 45 +++++++++++
 .../Unit/Shared/Sidebar/SidebarFilterTest.php | 29 +++++++
 20 files changed, 350 insertions(+), 22 deletions(-)
 create mode 100644 frontend/app/middleware/permission.ts
 create mode 100644 frontend/app/types/page-meta.d.ts
 create mode 100644 src/Module/Core/Application/Rbac/DefaultUserRoleAssigner.php
 create mode 100644 src/Module/Core/Infrastructure/Console/AssignDefaultRolesCommand.php
 create mode 100644 src/Module/Core/Infrastructure/EventListener/UserDefaultRoleListener.php
 create mode 100644 tests/Functional/Module/Core/AssignDefaultRolesCommandTest.php
 create mode 100644 tests/Functional/Module/Core/UserDefaultRoleListenerTest.php

diff --git a/CLAUDE.md b/CLAUDE.md
index eae2298..ba7efad 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -129,8 +129,9 @@ La librairie `@malio/layer-ui` fournit les composants de formulaire et d'action.
 ## Déploiement (prod Docker)
 
 - Script : `infra/prod/deploy.sh` (`./deploy.sh [tag]`) — doc complète : `doc/deployment-docker.md`
-- Étapes : maintenance → pull image → up → migrations → **`app:seed-rbac`** → **`app:sync-permissions`** → cache clear/warmup
+- Étapes : maintenance → pull image → up → migrations → **`app:seed-rbac`** → **`app:sync-permissions`** → **`app:assign-default-roles`** → cache clear/warmup
 - **RBAC** : les migrations créent les tables `role`/`permission` mais **n'insèrent aucune donnée**. Les rôles système (`admin`, `user`) viennent de `app:seed-rbac` (idempotent) et le catalogue des permissions de `app:sync-permissions` (à relancer à chaque ajout de permission). Symptôme si oubliées : page admin Rôles vide (« Aucun rôle trouvé »).
+- **Rattachement au rôle de base** : deux systèmes de rôles coexistent — le legacy `User::$roles` (`ROLE_USER`/`ROLE_ADMIN`, tableau Symfony) et le RBAC `User::$rbacRoles` (table `user_role`). **Aucun pont automatique** : `getEffectivePermissions()` ne lit que les `rbacRoles` + permissions directes. Un user doit donc être **explicitement rattaché** au rôle RBAC « user » pour hériter de ses permissions. C'est garanti automatiquement par `UserDefaultRoleListener` (prePersist, tout nouveau user) et `app:assign-default-roles` (backfill idempotent des users existants, lancé au déploiement). Symptôme si manquant : un non-admin avec des permissions sur le rôle « user » ne voit **rien** car son `effectivePermissions` reste `[]`. Les modifs de permissions d'un rôle sont **instantanées** côté backend (recalcul à chaque requête, sans cache) ; le frontend les reflète au prochain chargement de page (cache de session Pinia).
 
 ## Fixtures
 
diff --git a/config/services.yaml b/config/services.yaml
index 6590355..230357b 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -129,6 +129,10 @@ services:
         tags:
             - { name: doctrine.orm.entity_listener, entity: 'App\Module\ProjectManagement\Domain\Entity\Project', event: prePersist }
 
+    App\Module\Core\Infrastructure\EventListener\UserDefaultRoleListener:
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Core\Domain\Entity\User', event: prePersist }
+
     App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
diff --git a/config/sidebar.php b/config/sidebar.php
index 75e1312..5900ff5 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -38,12 +38,16 @@ return [
         ],
     ],
     [
+        // Plus de gate de rôle au niveau section : chaque item porte sa propre
+        // permission (RBAC fin), alignée sur la sécurité backend et les middlewares
+        // de page. La section s'affiche dès qu'au moins un item est autorisé.
         'label' => 'sidebar.admin.section',
         'icon'  => 'mdi:cog-outline',
-        'roles' => ['ROLE_ADMIN'],
         'items' => [
-            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
-            ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:card-account-details-outline', 'module' => 'directory'],
+            // team-absences : le module Absence est encore gardé par ROLE_ADMIN côté
+            // backend (pas de permission absence.* câblée) → on reste sur un gate de rôle.
+            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence', 'roles' => ['ROLE_ADMIN']],
+            ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:card-account-details-outline', 'module' => 'directory', 'permission' => ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view']],
             ['label' => 'sidebar.admin.reporting', 'to' => '/reporting', 'icon' => 'mdi:chart-line', 'module' => 'reporting', 'permission' => 'reporting.view'],
             ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
         ],
diff --git a/frontend/app/middleware/permission.ts b/frontend/app/middleware/permission.ts
new file mode 100644
index 0000000..52ef195
--- /dev/null
+++ b/frontend/app/middleware/permission.ts
@@ -0,0 +1,23 @@
+export default defineNuxtRouteMiddleware((to) => {
+    const auth = useAuthStore()
+
+    if (!auth.isAuthenticated) {
+        return navigateTo('/login')
+    }
+
+    // Gate the route on the RBAC permission(s) declared via definePageMeta.
+    // A string requires that single permission; an array requires ANY of them.
+    // ROLE_ADMIN bypasses everything through usePermissions().can().
+    const required = to.meta.permission
+
+    if (required === undefined) {
+        return
+    }
+
+    const { canAny } = usePermissions()
+    const codes = Array.isArray(required) ? required : [required]
+
+    if (!canAny(codes)) {
+        return navigateTo('/')
+    }
+})
diff --git a/frontend/app/types/page-meta.d.ts b/frontend/app/types/page-meta.d.ts
new file mode 100644
index 0000000..30e35f2
--- /dev/null
+++ b/frontend/app/types/page-meta.d.ts
@@ -0,0 +1,16 @@
+// Augments Nuxt page meta with the RBAC permission gate consumed by the
+// `permission` route middleware. A string requires that single permission;
+// an array requires ANY of the listed permissions.
+declare module '#app' {
+    interface PageMeta {
+        permission?: string | string[]
+    }
+}
+
+declare module 'vue-router' {
+    interface RouteMeta {
+        permission?: string | string[]
+    }
+}
+
+export {}
diff --git a/frontend/modules/directory/pages/directory/clients/[id].vue b/frontend/modules/directory/pages/directory/clients/[id].vue
index d5a5990..fe3723d 100644
--- a/frontend/modules/directory/pages/directory/clients/[id].vue
+++ b/frontend/modules/directory/pages/directory/clients/[id].vue
@@ -136,7 +136,7 @@ import type { Client } from '~/modules/directory/services/dto/client'
 import { useClientService } from '~/modules/directory/services/clients'
 import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
 
-definePageMeta({ middleware: ['admin'] })
+definePageMeta({ middleware: ['permission'], permission: 'directory.clients.view' })
 
 const route = useRoute()
 const router = useRouter()
diff --git a/frontend/modules/directory/pages/directory/index.vue b/frontend/modules/directory/pages/directory/index.vue
index 4f7dd5a..38b2dfe 100644
--- a/frontend/modules/directory/pages/directory/index.vue
+++ b/frontend/modules/directory/pages/directory/index.vue
@@ -210,7 +210,7 @@ import type { Prestataire } from '~/modules/directory/services/dto/prestataire'
 import { usePrestataireService } from '~/modules/directory/services/prestataires'
 import { readHistoryTab, stampHistoryTab } from '~/utils/historyTab'
 
-definePageMeta({ middleware: ['admin'] })
+definePageMeta({ middleware: ['permission'], permission: ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view'] })
 
 type ProspectRow = Prospect
 
diff --git a/frontend/modules/directory/pages/directory/prestataires/[id].vue b/frontend/modules/directory/pages/directory/prestataires/[id].vue
index 4319fa6..c62a0ee 100644
--- a/frontend/modules/directory/pages/directory/prestataires/[id].vue
+++ b/frontend/modules/directory/pages/directory/prestataires/[id].vue
@@ -136,7 +136,7 @@ import type { Prestataire } from '~/modules/directory/services/dto/prestataire'
 import { usePrestataireService } from '~/modules/directory/services/prestataires'
 import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
 
-definePageMeta({ middleware: ['admin'] })
+definePageMeta({ middleware: ['permission'], permission: 'directory.providers.view' })
 
 const route = useRoute()
 const router = useRouter()
diff --git a/frontend/modules/directory/pages/directory/prospects/[id].vue b/frontend/modules/directory/pages/directory/prospects/[id].vue
index 6c4344b..2a4a431 100644
--- a/frontend/modules/directory/pages/directory/prospects/[id].vue
+++ b/frontend/modules/directory/pages/directory/prospects/[id].vue
@@ -158,7 +158,7 @@ import type { Prospect, ProspectStatus } from '~/modules/directory/services/dto/
 import { useProspectService } from '~/modules/directory/services/prospects'
 import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
 
-definePageMeta({ middleware: ['admin'] })
+definePageMeta({ middleware: ['permission'], permission: 'directory.prospects.view' })
 
 const route = useRoute()
 const router = useRouter()
diff --git a/frontend/modules/reporting/pages/reporting.vue b/frontend/modules/reporting/pages/reporting.vue
index a00c16c..c73a6ad 100644
--- a/frontend/modules/reporting/pages/reporting.vue
+++ b/frontend/modules/reporting/pages/reporting.vue
@@ -206,7 +206,7 @@ import type { UserData } from '~/services/dto/user-data'
 import { useProjectService } from '~/modules/project-management/services/projects'
 import { useUserService } from '~/services/users'
 
-definePageMeta({ middleware: ['admin'] })
+definePageMeta({ middleware: ['permission'], permission: 'reporting.view' })
 
 const { t } = useI18n()
 useHead({ title: t('reporting.title') })
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index c4a3c3f..27b41fa 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -40,7 +40,7 @@
 </template>
 
 <script setup lang="ts">
-definePageMeta({ middleware: ['admin'] })
+definePageMeta({ middleware: ['permission'], permission: 'core.users.view' })
 useHead({ title: 'Administration' })
 
 const { can } = usePermissions()
diff --git a/infra/prod/deploy.sh b/infra/prod/deploy.sh
index a0f6358..ac7871a 100755
--- a/infra/prod/deploy.sh
+++ b/infra/prod/deploy.sh
@@ -33,6 +33,9 @@ sudo docker compose exec -T -u www-data app php bin/console app:seed-rbac
 echo "==> Syncing RBAC permissions catalog..."
 sudo docker compose exec -T -u www-data app php bin/console app:sync-permissions
 
+echo "==> Assigning base RBAC role 'user' to users missing it (idempotent)..."
+sudo docker compose exec -T -u www-data app php bin/console app:assign-default-roles
+
 echo "==> Clearing cache..."
 sudo docker compose exec -T -u www-data app php bin/console cache:clear --env=prod
 sudo docker compose exec -T -u www-data app php bin/console cache:warmup --env=prod
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 94e5a77..866c2c3 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -45,6 +45,11 @@ class AppFixtures extends Fixture
 
     public function load(ObjectManager $manager): void
     {
+        // Seed des rôles système RBAC (admin, user) AVANT toute création d'utilisateur :
+        // UserDefaultRoleListener (prePersist) rattache le rôle « user » à chaque user,
+        // le rôle doit donc déjà exister en base au moment du persist().
+        $this->rbacSeeder->ensureSystemRoles();
+
         // Users
         $admin = new User();
         $admin->setUsername('admin');
@@ -826,9 +831,5 @@ class AppFixtures extends Fixture
         $manager->persist($pendingMarriage);
 
         $manager->flush();
-
-        // Seed des rôles système RBAC (admin, user). Idempotent ; aucune matrice
-        // métier attachée (cf. Décision 4 : les modules métier arrivent en 2.x).
-        $this->rbacSeeder->ensureSystemRoles();
     }
 }
diff --git a/src/Module/Core/Application/Rbac/DefaultUserRoleAssigner.php b/src/Module/Core/Application/Rbac/DefaultUserRoleAssigner.php
new file mode 100644
index 0000000..1b3dbcf
--- /dev/null
+++ b/src/Module/Core/Application/Rbac/DefaultUserRoleAssigner.php
@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\Rbac;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+
+use function count;
+
+/**
+ * Garantit que chaque utilisateur porte le rôle RBAC de base « user ».
+ *
+ * Le rôle « user » est le socle commun : il porte les permissions par défaut
+ * des non-admins. Sans rattachement explicite dans user_role,
+ * User::getEffectivePermissions() reste vide — le ROLE_USER legacy n'a aucun
+ * lien avec le rôle RBAC « user ».
+ */
+final readonly class DefaultUserRoleAssigner
+{
+    public function __construct(
+        private RoleRepositoryInterface $roles,
+        private EntityManagerInterface $em,
+    ) {}
+
+    /**
+     * Ajoute le rôle « user » à l'utilisateur s'il ne l'a pas déjà.
+     * Ne flush pas : appelé en prePersist (création) ou par le backfill.
+     */
+    public function ensureDefaultRole(User $user): void
+    {
+        $userRole = $this->roles->findByCode(SystemRoles::USER_CODE);
+        if (null === $userRole) {
+            // Rôle non seedé : dégradation gracieuse, on ne bloque pas la création.
+            return;
+        }
+
+        foreach ($user->getRbacRoles() as $role) {
+            if (SystemRoles::USER_CODE === $role->getCode()) {
+                return;
+            }
+        }
+
+        $user->addRbacRole($userRole);
+    }
+
+    /**
+     * Rattache le rôle « user » à tous les utilisateurs qui ne l'ont pas.
+     * Idempotent. Retourne le nombre d'utilisateurs modifiés.
+     */
+    public function backfill(): int
+    {
+        $userRole = $this->roles->findByCode(SystemRoles::USER_CODE);
+        if (null === $userRole) {
+            return 0;
+        }
+
+        /** @var list<User> $users */
+        $users = $this->em
+            ->createQuery('SELECT u FROM '.User::class.' u WHERE :role NOT MEMBER OF u.rbacRoles')
+            ->setParameter('role', $userRole)
+            ->getResult()
+        ;
+
+        foreach ($users as $user) {
+            $user->addRbacRole($userRole);
+        }
+
+        $this->em->flush();
+
+        return count($users);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Console/AssignDefaultRolesCommand.php b/src/Module/Core/Infrastructure/Console/AssignDefaultRolesCommand.php
new file mode 100644
index 0000000..db87798
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Console/AssignDefaultRolesCommand.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Application\Rbac\DefaultUserRoleAssigner;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+use function sprintf;
+
+#[AsCommand(
+    name: 'app:assign-default-roles',
+    description: 'Rattache le rôle RBAC de base « user » à tous les utilisateurs qui ne l\'ont pas.',
+)]
+final class AssignDefaultRolesCommand extends Command
+{
+    public function __construct(private readonly DefaultUserRoleAssigner $assigner)
+    {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io    = new SymfonyStyle($input, $output);
+        $count = $this->assigner->backfill();
+        $io->success(sprintf('%d utilisateur(s) rattaché(s) au rôle « user ».', $count));
+
+        return Command::SUCCESS;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/EventListener/UserDefaultRoleListener.php b/src/Module/Core/Infrastructure/EventListener/UserDefaultRoleListener.php
new file mode 100644
index 0000000..7936c67
--- /dev/null
+++ b/src/Module/Core/Infrastructure/EventListener/UserDefaultRoleListener.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\EventListener;
+
+use App\Module\Core\Application\Rbac\DefaultUserRoleAssigner;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+
+/**
+ * Assigne le rôle RBAC de base « user » à tout nouvel utilisateur qui n'en a pas,
+ * quel que soit le chemin de persistance (API Platform, fixtures, MCP).
+ *
+ * Sans ça, un user créé n'est rattaché à aucun rôle RBAC et ses permissions
+ * effectives restent vides, peu importe les permissions portées par le rôle.
+ */
+final readonly class UserDefaultRoleListener
+{
+    public function __construct(private DefaultUserRoleAssigner $assigner) {}
+
+    public function prePersist(User $user, PrePersistEventArgs $args): void
+    {
+        $this->assigner->ensureDefaultRole($user);
+    }
+}
diff --git a/src/Shared/Domain/Sidebar/SidebarFilter.php b/src/Shared/Domain/Sidebar/SidebarFilter.php
index e39f8c4..fc50d14 100644
--- a/src/Shared/Domain/Sidebar/SidebarFilter.php
+++ b/src/Shared/Domain/Sidebar/SidebarFilter.php
@@ -7,10 +7,10 @@ namespace App\Shared\Domain\Sidebar;
 final class SidebarFilter
 {
     /**
-     * @param list<array{label:string, icon:string, roles?:list<string>, permission?:string, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>, permission?:string}>}> $sections
-     * @param list<string>                                                                                                                                                                                       $activeModuleIds
-     * @param list<string>                                                                                                                                                                                       $activeRoles
-     * @param list<string>                                                                                                                                                                                       $activePermissions
+     * @param list<array{label:string, icon:string, roles?:list<string>, permission?:list<string>|string, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>, permission?:list<string>|string}>}> $sections
+     * @param list<string>                                                                                                                                                                                                                 $activeModuleIds
+     * @param list<string>                                                                                                                                                                                                                 $activeRoles
+     * @param list<string>                                                                                                                                                                                                                 $activePermissions
      *
      * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
      */
@@ -81,14 +81,21 @@ final class SidebarFilter
     }
 
     /**
-     * @param list<string> $activePermissions
+     * @param null|list<string>|string $required          une permission (string) ou un ensemble (any)
+     * @param list<string>             $activePermissions
      */
-    private static function permissionSatisfied(?string $required, array $activePermissions): bool
+    private static function permissionSatisfied(array|string|null $required, array $activePermissions): bool
     {
-        if (null === $required || '' === $required) {
+        if (null === $required || '' === $required || [] === $required) {
             return true;
         }
 
-        return in_array($required, $activePermissions, true);
+        foreach ((array) $required as $code) {
+            if (in_array($code, $activePermissions, true)) {
+                return true;
+            }
+        }
+
+        return false;
     }
 }
diff --git a/tests/Functional/Module/Core/AssignDefaultRolesCommandTest.php b/tests/Functional/Module/Core/AssignDefaultRolesCommandTest.php
new file mode 100644
index 0000000..7585ef6
--- /dev/null
+++ b/tests/Functional/Module/Core/AssignDefaultRolesCommandTest.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+use function array_map;
+use function uniqid;
+
+/**
+ * @internal
+ */
+final class AssignDefaultRolesCommandTest extends KernelTestCase
+{
+    public function testBackfillLinksUsersMissingTheUserRole(): void
+    {
+        $kernel = self::bootKernel();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+        self::getContainer()->get(RbacSeeder::class)->ensureSystemRoles();
+
+        // Crée un user puis simule l'état « legacy » (aucun rôle RBAC) en retirant
+        // le rôle « user » auto-assigné à la création.
+        $user = new User();
+        $user->setUsername('backfill-'.uniqid());
+        $user->setPassword('x');
+        $em->persist($user);
+        $em->flush();
+        foreach ($user->getRbacRoles()->toArray() as $role) {
+            $user->removeRbacRole($role);
+        }
+        $em->flush();
+        $id = $user->getId();
+        $em->clear();
+
+        $before = $em->getRepository(User::class)->find($id);
+        self::assertInstanceOf(User::class, $before);
+        self::assertCount(0, $before->getRbacRoles(), 'Précondition : le user ne doit avoir aucun rôle RBAC.');
+        $em->clear();
+
+        $tester = new CommandTester(new Application($kernel)->find('app:assign-default-roles'));
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+
+        $em->clear();
+        $after = $em->getRepository(User::class)->find($id);
+        self::assertInstanceOf(User::class, $after);
+        $codes = array_map(static fn ($role) => $role->getCode(), $after->getRbacRoles()->toArray());
+        self::assertContains(SystemRoles::USER_CODE, $codes, 'Le backfill doit rattacher le rôle « user ».');
+    }
+}
diff --git a/tests/Functional/Module/Core/UserDefaultRoleListenerTest.php b/tests/Functional/Module/Core/UserDefaultRoleListenerTest.php
new file mode 100644
index 0000000..595768b
--- /dev/null
+++ b/tests/Functional/Module/Core/UserDefaultRoleListenerTest.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+use function array_map;
+use function uniqid;
+
+/**
+ * @internal
+ */
+final class UserDefaultRoleListenerTest extends KernelTestCase
+{
+    public function testNewUserReceivesDefaultUserRole(): void
+    {
+        $kernel = self::bootKernel();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+        self::getContainer()->get(RbacSeeder::class)->ensureSystemRoles();
+
+        $user = new User();
+        $user->setUsername('listener-'.uniqid());
+        $user->setPassword('x');
+        $em->persist($user);
+        $em->flush();
+        $id = $user->getId();
+
+        $em->clear();
+        $reloaded = $em->getRepository(User::class)->find($id);
+        self::assertInstanceOf(User::class, $reloaded);
+
+        $codes = array_map(static fn ($role) => $role->getCode(), $reloaded->getRbacRoles()->toArray());
+        self::assertContains(
+            SystemRoles::USER_CODE,
+            $codes,
+            'Un utilisateur fraîchement créé doit être rattaché au rôle RBAC de base « user ».',
+        );
+    }
+}
diff --git a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
index 939c1f1..f8983ca 100644
--- a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
+++ b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
@@ -127,4 +127,33 @@ final class SidebarFilterTest extends TestCase
         $out = SidebarFilter::filter($sections, [], [], ['core.users.view']);
         self::assertCount(1, $out['sections'][0]['items']);
     }
+
+    public function testItemWithPermissionArrayIsVisibleWhenAnyGranted(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [[
+                'label'      => 'a', 'to' => '/a', 'icon' => 'i',
+                'permission' => ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view'],
+            ]],
+        ]];
+
+        // L'utilisateur ne détient qu'une des permissions listées => item visible (any).
+        $out = SidebarFilter::filter($sections, [], [], ['directory.prospects.view']);
+        self::assertCount(1, $out['sections'][0]['items']);
+    }
+
+    public function testItemWithPermissionArrayIsHiddenWhenNoneGranted(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [[
+                'label'      => 'a', 'to' => '/a', 'icon' => 'i',
+                'permission' => ['directory.clients.view', 'directory.prospects.view'],
+            ]],
+        ]];
+
+        $out = SidebarFilter::filter($sections, [], [], ['reporting.view']);
+        self::assertSame([], $out['sections']);
+    }
 }