fix(rbac) : add dedicated time-tracking.entries.manage permission

La revue de sécurité a relevé que les écritures de TimeEntry (Post/Patch/Delete) étaient gardées par time-tracking.entries.view : une permission de lecture accordait l'écriture (confusion lecture/écriture, least-privilege). - Ajout de la permission time-tracking.entries.manage (catalogue cohérent avec les autres modules en view/manage). - Écritures TimeEntry recâblées sur entries.manage ; self-service conservé (object.getUser() == user). Lecture inchangée (entries.view).
2026-06-23 17:10:58 +02:00
parent 5e3607658a
commit 4a7fd46493
2 changed files with 4 additions and 6 deletions
@@ -48,9 +48,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
            security: "is_granted('time-tracking.entries.view')",
        ),
        new Get(security: "is_granted('time-tracking.entries.view')"),
-        new Post(security: "is_granted('time-tracking.entries.view')"),
-        new Patch(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.view') and object.getUser() == user)"),
-        new Delete(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.view') and object.getUser() == user)"),
+        new Post(security: "is_granted('time-tracking.entries.manage')"),
+        new Patch(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.manage') and object.getUser() == user)"),
+        new Delete(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.manage') and object.getUser() == user)"),
    ],
    normalizationContext: ['groups' => ['time_entry:read']],
    denormalizationContext: ['groups' => ['time_entry:write']],