From 309f0b10eef227235d48d241f5689500b0926f72 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 12 Jun 2026 15:27:43 +0200
Subject: [PATCH] =?UTF-8?q?fix(security)=20:=20double=20contr=C3=B4le=20RO?=
 =?UTF-8?q?LE=5FADMIN=20dans=20TaskDocumentProcessor=20(d=C3=A9fense=20en?=
 =?UTF-8?q?=20profondeur)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/State/TaskDocumentProcessor.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/State/TaskDocumentProcessor.php b/src/State/TaskDocumentProcessor.php
index 3191e2f..51c6750 100644
--- a/src/State/TaskDocumentProcessor.php
+++ b/src/State/TaskDocumentProcessor.php
@@ -19,6 +19,7 @@ use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Uid\Uuid;
 
@@ -74,6 +75,13 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
      */
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): TaskDocument
     {
+        // Défense en profondeur : l'opération Post est déjà protégée par ROLE_ADMIN, mais on
+        // re-vérifie ici pour que les deux chemins (upload ET lien partage) restent sûrs si la
+        // configuration de sécurité de l'opération venait à changer.
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating task documents requires admin privileges.');
+        }
+
         $request = $this->requestStack->getCurrentRequest();
 
         if (null === $request) {