fix(rbac) : rattache le rôle de base « user » et gate le frontend par permission
Un user avec des permissions sur le rôle RBAC « user » ne voyait rien : le
ROLE_USER legacy n'a aucun lien avec le RBAC et getEffectivePermissions() ne lit
que rbacRoles + permissions directes, alors qu'aucun user n'était rattaché au
rôle « user » (table user_role vide, jamais backfillée).
Backend
- DefaultUserRoleAssigner + UserDefaultRoleListener (prePersist) : tout nouvel
utilisateur est rattaché au rôle « user » sur tous les chemins de persistance.
- Commande app:assign-default-roles (backfill idempotent) + ajout au deploy.sh.
- AppFixtures : seed des rôles système avant la création des users.
Frontend (gating par permission au lieu de ROLE_ADMIN legacy)
- Nouveau middleware « permission » + augmentation PageMeta : definePageMeta
({ permission }) (string = requise, array = any), ROLE_ADMIN bypasse.
- Pages directory/reporting/admin gatées par permission ; SidebarFilter accepte
une liste de permissions (any) ; section admin sans gate de rôle.
- team-absences reste en ROLE_ADMIN (module Absence non RBAC-isé côté backend).
@@ -0,0 +1,23 @@
|
||||
export default defineNuxtRouteMiddleware((to) => {
|
||||
const auth = useAuthStore()
|
||||
|
||||
if (!auth.isAuthenticated) {
|
||||
return navigateTo('/login')
|
||||
}
|
||||
|
||||
// Gate the route on the RBAC permission(s) declared via definePageMeta.
|
||||
// A string requires that single permission; an array requires ANY of them.
|
||||
// ROLE_ADMIN bypasses everything through usePermissions().can().
|
||||
const required = to.meta.permission
|
||||
|
||||
if (required === undefined) {
|
||||
return
|
||||
}
|
||||
|
||||
const { canAny } = usePermissions()
|
||||
const codes = Array.isArray(required) ? required : [required]
|
||||
|
||||
if (!canAny(codes)) {
|
||||
return navigateTo('/')
|
||||
}
|
||||
})
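Review bot: The gate is opt-in twice — a page is protected only if it both lists `middleware: ['permission']` and sets `permission`, so a page that declares `permission` but omits the middleware entry (or the reverse) silently ships with no RBAC check, and every definePageMeta hunk below (directory clients/prospects/providers/index, reporting, admin) has to get both halves right. Registering this as a global route middleware would make the `permission` meta self-enforcing; the existing early return `if (required === undefined) { return }` already makes that safe for unguarded pages, but the `auth.isAuthenticated` redirect would then have to move after that return (or be limited to pages declaring a permission) so `/login` itself is not redirected in a loop. An empty array (`permission: []`) presumably fails `canAny` and denies the page — worth a comment stating that intent, or normalising it explicitly. This middleware only steers navigation; the API endpoints behind these pages must enforce the same permission codes server-side, which the commit description implies the backend RBAC does.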
|
||||
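--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,16 @@
+// Augments Nuxt page meta with the RBAC permission gate consumed by the
+// `permission` route middleware. A string requires that single permission;
+// an array requires ANY of the listed permissions.
+declare module '#app' {
+interface PageMeta {
+permission?: string | string[]
+}
+}
+
+declare module 'vue-router' {
+interface RouteMeta {
+permission?: string | string[]
+}
+}
+
+export {}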
@@ -136,7 +136,7 @@ import type { Client } from '~/modules/directory/services/dto/client'
|
||||
import { useClientService } from '~/modules/directory/services/clients'
|
||||
import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'directory.clients.view' })
|
||||
|
||||
const route = useRoute()
|
||||
const router = useRouter()
|
||||
|
||||
@@ -210,7 +210,7 @@ import type { Prestataire } from '~/modules/directory/services/dto/prestataire'
|
||||
import { usePrestataireService } from '~/modules/directory/services/prestataires'
|
||||
import { readHistoryTab, stampHistoryTab } from '~/utils/historyTab'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view'] })
|
||||
|
||||
type ProspectRow = Prospect
|
||||
|
||||
|
||||
@@ -136,7 +136,7 @@ import type { Prestataire } from '~/modules/directory/services/dto/prestataire'
|
||||
import { usePrestataireService } from '~/modules/directory/services/prestataires'
|
||||
import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'directory.providers.view' })
|
||||
|
||||
const route = useRoute()
|
||||
const router = useRouter()
|
||||
|
||||
@@ -158,7 +158,7 @@ import type { Prospect, ProspectStatus } from '~/modules/directory/services/dto/
|
||||
import { useProspectService } from '~/modules/directory/services/prospects'
|
||||
import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'directory.prospects.view' })
|
||||
|
||||
const route = useRoute()
|
||||
const router = useRouter()
|
||||
|
||||
@@ -206,7 +206,7 @@ import type { UserData } from '~/services/dto/user-data'
|
||||
import { useProjectService } from '~/modules/project-management/services/projects'
|
||||
import { useUserService } from '~/services/users'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'reporting.view' })
|
||||
|
||||
const { t } = useI18n()
|
||||
useHead({ title: t('reporting.title') })
|
||||
|
||||
@@ -40,7 +40,7 @@
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'core.users.view' })
|
||||
useHead({ title: 'Administration' })
|
||||
|
||||
const { can } = usePermissions()
|
||||
|
||||