From 4a7fd464932b92c2c9de0bcfe891f88d2d3bdc49 Mon Sep 17 00:00:00 2001
From: Matthieu
Date: Tue, 23 Jun 2026 17:10:58 +0200
Subject: [PATCH] fix(rbac) : add dedicated time-tracking.entries.manage permission
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
La revue de sécurité a relevé que les écritures de TimeEntry (Post/Patch/Delete) étaient gardées par time-tracking.entries.view : une permission de lecture accordait l'écriture (confusion lecture/écriture, least-privilege).
- Ajout de la permission time-tracking.entries.manage (catalogue cohérent avec les autres modules en view/manage).
- Écritures TimeEntry recâblées sur entries.manage ; self-service conservé (object.getUser() == user). Lecture inchangée (entries.view).
---
 src/Module/TimeTracking/Domain/Entity/TimeEntry.php | 6 +++---
 src/Module/TimeTracking/TimeTrackingModule.php | 4 +---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/Module/TimeTracking/Domain/Entity/TimeEntry.php b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
index 5da02ee..f386dc1 100644
--- a/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
+++ b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
@@ -48,9 +48,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
 security: "is_granted('time-tracking.entries.view')",
 ),
 new Get(security: "is_granted('time-tracking.entries.view')"),
- new Post(security: "is_granted('time-tracking.entries.view')"),
- new Patch(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.view') and object.getUser() == user)"),
- new Delete(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.view') and object.getUser() == user)"),
+ new Post(security: "is_granted('time-tracking.entries.manage')"),
+ new Patch(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.manage') and object.getUser() == user)"),
+ new Delete(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.manage') and object.getUser() == user)"),
 ],
 normalizationContext: ['groups' => ['time_entry:read']],
 denormalizationContext: ['groups' => ['time_entry:write']],
diff --git a/src/Module/TimeTracking/TimeTrackingModule.php b/src/Module/TimeTracking/TimeTrackingModule.php
index d7982d0..f9ac475 100644
--- a/src/Module/TimeTracking/TimeTrackingModule.php
+++ b/src/Module/TimeTracking/TimeTrackingModule.php
@@ -26,15 +26,13 @@ final class TimeTrackingModule implements ModuleInterface
 /**
 * Permissions RBAC fin du Module TimeTracking (2.1).
 *
- * Additif : alimente le catalogue RBAC. La sécurité des opérations API
- * reste en ROLE_USER (non recâblée ici).
- *
 * @return list
 */
 public static function permissions(): array
 {
 return [
 ['code' => 'time-tracking.entries.view', 'label' => 'Voir les saisies de temps'],
+ ['code' => 'time-tracking.entries.manage', 'label' => 'Gérer les saisies de temps'],
 ['code' => 'time-tracking.entries.export', 'label' => 'Exporter les saisies de temps'],
 ];
 }
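Review bot: The rewired Post still carries no ownership constraint, so any holder of time-tracking.entries.manage can create an entry attributed to a different user if the user relation is writable under the time_entry:write group (not visible in this hunk; worth confirming), whereas Patch and Delete only grant self-service through `object.getUser() == user`. On Post the `security` expression runs before denormalization, so `object` is not the incoming entity; the owner check belongs in `securityPostDenormalize: "is_granted('ROLE_ADMIN') or object.getUser() == user"` alongside the existing `security`. The same consideration applies to Patch when the body can reassign the user, since `security` there sees the pre-patch owner only; a `securityPostDenormalize` check on the denormalized object would prevent handing an entry to another owner. Because self-service now requires entries.manage rather than entries.view, every ordinary user will presumably hold manage, which makes the missing owner check on Post the effective boundary rather than the permission itself. The operation whose `security:` line opens this hunk begins above it.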
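Review bot: With the caveat removed, the permissions() docblock no longer says which API operations each code guards, and the entity attributes are the only remaining place that records it; a line such as ` * entries.view : lecture (GetCollection/Get) ; entries.manage : Post/Patch/Delete (self-service via object.getUser() == user)` would keep the catalogue and TimeEntry in sync when either side changes. The catalogue also does not express that manage presupposes view, so a role granted only entries.manage could write entries it cannot read; if that implication is handled on the role-assignment side, saying so in the docblock would help. `@return list` appears to have lost its type parameter in rendering; if the source really reads `list`, `list<array{code: string, label: string}>` is the shape the method returns.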