fix : allow ROLE_CLIENT to upload and view documents on client tickets

GetCollection/Get required ROLE_USER which ROLE_CLIENT doesn't have. Added TaskDocumentProvider to scope client access to their own tickets. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 14:17:48 +01:00
parent efa42b6039
commit 1d533d1d28
2 changed files with 85 additions and 3 deletions
--- a/src/State/TaskDocumentProvider.php
+++ b/src/State/TaskDocumentProvider.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Entity\TaskDocument;
+use App\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+
+/**
+ * @implements ProviderInterface<TaskDocument>
+ */
+final readonly class TaskDocumentProvider implements ProviderInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|TaskDocument|null
+    {
+        $user = $this->security->getUser();
+        assert($user instanceof User);
+
+        $repo     = $this->entityManager->getRepository(TaskDocument::class);
+        $isClient = $this->security->isGranted('ROLE_CLIENT') && !$this->security->isGranted('ROLE_ADMIN');
+
+        // Single item
+        if (isset($uriVariables['id'])) {
+            $document = $repo->find($uriVariables['id']);
+            if (null === $document) {
+                return null;
+            }
+
+            if ($isClient) {
+                $ticket = $document->getClientTicket();
+                if (null === $ticket || $ticket->getSubmittedBy() !== $user) {
+                    return null;
+                }
+            }
+
+            return $document;
+        }
+
+        // Collection
+        $qb = $repo->createQueryBuilder('d')
+            ->orderBy('d.id', 'DESC')
+        ;
+
+        if ($isClient) {
+            $qb->innerJoin('d.clientTicket', 'ct')
+                ->andWhere('ct.submittedBy = :user')
+                ->setParameter('user', $user)
+            ;
+        }
+
+        // Apply filters from query parameters
+        $filters = $context['filters'] ?? [];
+        if (isset($filters['task'])) {
+            $qb->andWhere('d.task = :task')
+                ->setParameter('task', self::extractId($filters['task']))
+            ;
+        }
+        if (isset($filters['clientTicket'])) {
+            $qb->andWhere('d.clientTicket = :clientTicket')
+                ->setParameter('clientTicket', self::extractId($filters['clientTicket']))
+            ;
+        }
+
+        return $qb->getQuery()->getResult();
+    }
+
+    private static function extractId(string $value): int
+    {
+        return is_numeric($value) ? (int) $value : (int) basename($value);
+    }
+}