MALIO-DEV/Lesstime
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 32 Wiki Activity

feat(mail) : MailAccessChecker - verification acces mail ROLE_USER/ROLE_ADMIN (refus ROLE_CLIENT pur)

Browse Source 
- ensureCanAccessMail : refuse ROLE_CLIENT pur (sans ROLE_ADMIN)
- ensureIsAdmin : helper pour endpoints config
- service utilise par tous les controllers metier mail

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
THOLOT DECHENE Matthieu
2026-05-20 00:06:45 +02:00
parent 412c412cbc
commit 1c3ba9c33c
1 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
src/Security/MailAccessChecker.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
declare(strict_types=1);
namespace App\Security;
use App\Entity\User;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\UserInterface;
final readonly class MailAccessChecker
{
public function __construct(
private AuthorizationCheckerInterface $authorizationChecker,
) {}
/**
* Verifie que l'utilisateur courant peut acceder aux endpoints mail.
* Autorise : ROLE_USER, ROLE_ADMIN.
* Refuse : ROLE_CLIENT pur (sans ROLE_ADMIN), non authentifie.
*
* @throws AccessDeniedException
*/
public function ensureCanAccessMail(?UserInterface $user): void
{
if (!$user instanceof User) {
throw new AccessDeniedException('Authentication required');
}
$roles = $user->getRoles();
if (in_array('ROLE_CLIENT', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
throw new AccessDeniedException('Mail not accessible to clients');
}
if (!in_array('ROLE_USER', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
throw new AccessDeniedException('ROLE_USER required');
}
}
/**
* Verifie que l'utilisateur est ROLE_ADMIN.
*
* @throws AccessDeniedException
*/
public function ensureIsAdmin(?UserInterface $user): void
{
if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
throw new AccessDeniedException('Admin only');
}
}
}