refactor(directory) : harden report document upload (iri guard, orphan cleanup)

src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php

@@ -16,6 +16,7 @@ use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Uid\Uuid;
+use Throwable;
 
 use function in_array;
 
@@ -88,8 +89,18 @@ final readonly class ReportDocumentProcessor implements ProcessorInterface
         $document->setCreatedAt(new DateTimeImmutable());
         $document->setUploadedBy($this->security->getUser());
 
-        $this->entityManager->persist($document);
+        try {
-        $this->entityManager->flush();
+            $this->entityManager->persist($document);
+            $this->entityManager->flush();
+        } catch (Throwable $e) {
+            $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+            if (file_exists($filePath)) {
+                @unlink($filePath);
+            }
+
+            throw $e;
+        }
 
         return $document;
     }
@@ -137,11 +148,13 @@ final readonly class ReportDocumentProcessor implements ProcessorInterface
 
     private function resolveReport(string $iri): CommercialReport
     {
-        if ('' === $iri) {
+        $idString = basename($iri);
-            throw new BadRequestHttpException('A commercialReport IRI is required.');
+
+        if ('' === $iri || !ctype_digit($idString)) {
+            throw new BadRequestHttpException('A valid commercialReport IRI is required.');
         }
 
-        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) basename($iri));
+        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) $idString);
 
         if (null === $report) {
             throw new BadRequestHttpException('Commercial report not found.');