From 63febbea455e99f55142953c9ae2bf1dd1724ec1 Mon Sep 17 00:00:00 2001
From: matthieu
Date: Sun, 15 Mar 2026 19:21:19 +0100
Subject: [PATCH] fix(security) : add ROLE_USER security on all read endpoints

Co-Authored-By: Claude Sonnet 4.6
---
 src/Entity/Client.php       | 4 ++--
 src/Entity/Project.php      | 4 ++--
 src/Entity/Task.php         | 4 ++--
 src/Entity/TaskDocument.php | 4 ++--
 src/Entity/TaskEffort.php   | 4 ++--
 src/Entity/TaskGroup.php    | 4 ++--
 src/Entity/TaskPriority.php | 4 ++--
 src/Entity/TaskStatus.php   | 4 ++--
 src/Entity/TaskTag.php      | 4 ++--
 src/Entity/TimeEntry.php    | 5 +++--
 10 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/src/Entity/Client.php b/src/Entity/Client.php
index 41e7551..b98ffad 100644
--- a/src/Entity/Client.php
+++ b/src/Entity/Client.php
@@ -18,8 +18,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')"),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/Project.php b/src/Entity/Project.php
index 559c4f4..ec19473 100644
--- a/src/Entity/Project.php
+++ b/src/Entity/Project.php
@@ -20,8 +20,8 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(
             security: "is_granted('ROLE_ADMIN')",
             denormalizationContext: ['groups' => ['project:write', 'project:create']],
diff --git a/src/Entity/Task.php b/src/Entity/Task.php
index 1a6828c..b80a525 100644
--- a/src/Entity/Task.php
+++ b/src/Entity/Task.php
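Review bot: The new `is_granted('ROLE_USER')` guards on `GetCollection` and `Get` assume every account that should read clients actually carries ROLE_USER; an account whose only role is `ROLE_ADMIN` would get 403 on reads while still being allowed to POST/PATCH/DELETE, unless `role_hierarchy` in security.yaml maps ROLE_ADMIN onto ROLE_USER (not visible in this patch). If that mapping is not in place, either add it or widen the read guard to `is_granted('ROLE_USER') or is_granted('ROLE_ADMIN')`. The diffstat also shows no test change; a functional test asserting that an anonymous GET on the collection returns 401 and a ROLE_USER GET returns 200 would pin the behaviour this commit is meant to introduce.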
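Review bot: The literal `security: "is_granted('ROLE_USER')"` is now repeated on every read operation across ten entities, so the next read operation added without it is silently public again — exactly the situation this commit is fixing. API Platform accepts a resource-level default, `#[ApiResource(security: "is_granted('ROLE_USER')", operations: [...])]`, which `new GetCollection()` and `new Get()` then inherit while the admin-only operations keep their own `security:` override. A resource-level default fails closed for future operations and turns the per-operation strings into the exception rather than the rule.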
@@ -22,8 +22,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false),
-        new Get(),
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')", processor: TaskNumberProcessor::class),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/TaskDocument.php b/src/Entity/TaskDocument.php
index 9cced98..ada81dd 100644
--- a/src/Entity/TaskDocument.php
+++ b/src/Entity/TaskDocument.php
@@ -19,8 +19,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false),
-        new Get(),
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(
             security: "is_granted('ROLE_ADMIN')",
             processor: TaskDocumentProcessor::class,
diff --git a/src/Entity/TaskEffort.php b/src/Entity/TaskEffort.php
index a9f76da..a656725 100644
--- a/src/Entity/TaskEffort.php
+++ b/src/Entity/TaskEffort.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')"),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/TaskGroup.php b/src/Entity/TaskGroup.php
index ae3294c..753c9d1 100644
--- a/src/Entity/TaskGroup.php
+++ b/src/Entity/TaskGroup.php
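Review bot: `new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')")` authenticates the caller but still serves the entire unpaginated task table, so one low-privilege account can pull every task in a single request; the guard bounds who may ask, not how much comes back. If the client genuinely needs the whole list, a capped `paginationMaximumItemsPerPage` or a Doctrine collection extension that restricts rows to the caller's projects would keep the read from being an all-or-nothing dump. Whether tasks are intended to be visible across all users cannot be determined from this hunk, so treat this as a question rather than a defect.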
@@ -19,8 +19,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')"),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/TaskPriority.php b/src/Entity/TaskPriority.php
index c6aa263..48da256 100644
--- a/src/Entity/TaskPriority.php
+++ b/src/Entity/TaskPriority.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')"),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/TaskStatus.php b/src/Entity/TaskStatus.php
index 8d6f0b0..0d3d18b 100644
--- a/src/Entity/TaskStatus.php
+++ b/src/Entity/TaskStatus.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')"),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/TaskTag.php b/src/Entity/TaskTag.php
index ac93728..537db3a 100644
--- a/src/Entity/TaskTag.php
+++ b/src/Entity/TaskTag.php
@@ -16,8 +16,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
-        new Get(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_ADMIN')"),
         new Patch(security: "is_granted('ROLE_ADMIN')"),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/Entity/TimeEntry.php b/src/Entity/TimeEntry.php
index eeec326..2c5332d 100644
--- a/src/Entity/TimeEntry.php
+++ b/src/Entity/TimeEntry.php
@@ -24,15 +24,16 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(),
+        new GetCollection(security: "is_granted('ROLE_USER')"),
         new GetCollection(
             name: 'active_time_entry',
             uriTemplate: '/time_entries/active',
             provider: ActiveTimeEntryProvider::class,
             description: 'Get the active timer for the current user',
             paginationEnabled: false,
+            security: "is_granted('ROLE_USER')",
         ),
-        new Get(),
+        new Get(security: "is_granted('ROLE_USER')"),
         new Post(security: "is_granted('ROLE_USER')"),
         new Patch(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
         new Delete(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
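Review bot: The read side of TimeEntry is now gated only by `is_granted('ROLE_USER')` while `Patch` and `Delete` on the same resource require `is_granted('ROLE_ADMIN') or object.getUser() == user`, so any authenticated user can GET an individual entry and list the whole collection for every other user even though they cannot modify it — a horizontal authorization gap on data this very hunk treats as owner-scoped. For the item operation, align it with the write rules: `new Get(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),`. The plain `GetCollection` cannot reference `object` in its expression, so it needs a Doctrine `QueryCollectionExtensionInterface` that adds a `WHERE o.user = :current_user` condition for non-admin callers; the `active_time_entry` operation already delegates to a provider described as "for the current user", which is the pattern to follow. The `#[ApiResource(` attribute continues past the end of the hunk.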