fix(security) : add ROLE_USER security on all read endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 19:21:19 +01:00
parent edc441f363
commit 63febbea45
10 changed files with 21 additions and 20 deletions
--- a/src/Entity/Client.php
+++ b/src/Entity/Client.php
@@ -18,8 +18,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')"),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/Project.php
+++ b/src/Entity/Project.php
@@ -20,8 +20,8 @@ use Symfony\Component\Validator\Constraints as Assert;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(
            security: "is_granted('ROLE_ADMIN')",
            denormalizationContext: ['groups' => ['project:write', 'project:create']],
--- a/src/Entity/Task.php
+++ b/src/Entity/Task.php
@@ -22,8 +22,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false),
-        new Get(),
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')", processor: TaskNumberProcessor::class),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/TaskDocument.php
+++ b/src/Entity/TaskDocument.php
@@ -19,8 +19,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false),
-        new Get(),
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(
            security: "is_granted('ROLE_ADMIN')",
            processor: TaskDocumentProcessor::class,
--- a/src/Entity/TaskEffort.php
+++ b/src/Entity/TaskEffort.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')"),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/TaskGroup.php
+++ b/src/Entity/TaskGroup.php
@@ -19,8 +19,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')"),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/TaskPriority.php
+++ b/src/Entity/TaskPriority.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')"),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/TaskStatus.php
+++ b/src/Entity/TaskStatus.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')"),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/TaskTag.php
+++ b/src/Entity/TaskTag.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_ADMIN')"),
        new Patch(security: "is_granted('ROLE_ADMIN')"),
        new Delete(security: "is_granted('ROLE_ADMIN')"),
--- a/src/Entity/TimeEntry.php
+++ b/src/Entity/TimeEntry.php
@@ -24,15 +24,16 @@ use Symfony\Component\Serializer\Attribute\Groups;

 #[ApiResource(
    operations: [
-        new GetCollection(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
        new GetCollection(
            name: 'active_time_entry',
            uriTemplate: '/time_entries/active',
            provider: ActiveTimeEntryProvider::class,
            description: 'Get the active timer for the current user',
            paginationEnabled: false,
+            security: "is_granted('ROLE_USER')",
        ),
-        new Get(),
+        new Get(security: "is_granted('ROLE_USER')"),
        new Post(security: "is_granted('ROLE_USER')"),
        new Patch(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
        new Delete(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),