Merge branch 'develop' into feat/directory-info-tab

2026-06-24 08:10:10 +00:00
parent 0f14f26fd3 6710c3015e
commit 68c3e6fbac
29 changed files with 330 additions and 216 deletions
@@ -23,9 +23,9 @@ return [
        'icon'  => 'mdi:view-dashboard-outline',
        'items' => [
            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
-            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management', 'permission' => 'project-management.tasks.view'],
-            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management', 'permission' => 'project-management.projects.view'],
-            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking', 'permission' => 'time-tracking.entries.view'],
            // Gating module uniquement (cf. en-tête) : rendu visuel + badge gérés côté layout.
            ['label' => 'sidebar.general.mail', 'to' => '/mail', 'icon' => 'mdi:email-outline', 'module' => 'mail'],
        ],
@@ -1,2 +1,2 @@
 parameters:
-    app.version: '0.4.32'
+    app.version: '0.4.34'
@@ -24,7 +24,9 @@
    "updated": "Client mis à jour avec succès.",
    "deleted": "Client supprimé avec succès.",
    "addClient": "Ajouter un client",
-    "editClient": "Modifier un client"
+    "editClient": "Modifier un client",
    "deleteConfirmTitle": "Supprimer le client",
    "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer le client « {name} » ? Cette action est irréversible."
  },
  "projects": {
    "title": "Projets",
@@ -908,6 +910,8 @@
    "editProspect": "Modifier un prospect",
    "convert": "Convertir en client",
    "alreadyConverted": "Déjà converti en client",
    "deleteConfirmTitle": "Supprimer le prospect",
    "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer le prospect « {name} » ? Cette action est irréversible.",
    "fields": {
      "name": "Nom",
      "company": "Société",
@@ -6,21 +6,11 @@
        <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
            <MalioInputText
                v-model="form.name"
-                label="Nom"
+                label="Nom société"
                input-class="w-full"
                :error="touched.name && !form.name.trim() ? 'Le nom est requis' : ''"
                @blur="touched.name = true"
            />
            <MalioInputText
                v-model="form.email"
                label="Email"
                input-class="w-full"
            />
            <MalioInputText
                v-model="form.phone"
                label="Téléphone"
                input-class="w-full"
            />
            <div class="mt-6 flex justify-end">
                <MalioButton
@@ -58,28 +48,16 @@ const isSubmitting = ref(false)
 const form = reactive({
    name: '',
    email: '',
    phone: '',
 })
 const touched = reactive({
    name: false,
    email: false,
 })
 watch(() => props.modelValue, (open) => {
    if (open) {
-        if (props.client) {
+        form.name = props.client?.name ?? ''
            form.name = props.client.name ?? ''
            form.email = props.client.email ?? ''
            form.phone = props.client.phone ?? ''
        } else {
            form.name = ''
            form.email = ''
            form.phone = ''
        }
        touched.name = false
        touched.email = false
    }
 })
@@ -93,8 +71,6 @@ async function handleSubmit() {
    try {
        const payload: ClientWrite = {
            name: form.name.trim(),
            email: form.email.trim() || null,
            phone: form.phone.trim() || null,
        }
        if (isEditing.value && props.client) {
@@ -0,0 +1,58 @@
 <template>
    <Teleport v-if="modelValue" to="body">
        <Transition name="modal" appear>
            <div class="fixed inset-0 z-50 flex items-center justify-center">
                <div class="absolute inset-0 bg-black/30" @click="cancel" />
                <div class="relative z-10 w-full max-w-md rounded-lg bg-white p-6 shadow-xl">
                    <h3 class="text-lg font-bold text-neutral-900">{{ title }}</h3>
                    <p class="mt-3 text-sm text-neutral-600">
                        {{ message }}
                    </p>
                    <div class="mt-6 flex justify-end gap-3">
                        <MalioButton
                            variant="tertiary"
                            :label="$t('common.cancel')"
                            button-class="w-auto px-4"
                            @click="cancel"
                        />
                        <MalioButton
                            variant="danger"
                            :label="$t('common.delete')"
                            button-class="w-auto px-4"
                            @click="$emit('confirm')"
                        />
                    </div>
                </div>
            </div>
        </Transition>
    </Teleport>
 </template>
 <script setup lang="ts">
 defineProps<{
    modelValue: boolean
    title: string
    message: string
 }>()
 const emit = defineEmits<{
    (e: 'update:modelValue', value: boolean): void
    (e: 'confirm'): void
 }>()
 function cancel() {
    emit('update:modelValue', false)
 }
 </script>
 <style scoped>
 .modal-enter-active,
 .modal-leave-active {
    transition: opacity 0.2s ease;
 }
 .modal-enter-from,
 .modal-leave-to {
    opacity: 0;
 }
 </style>
@@ -6,41 +6,11 @@
        <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
            <MalioInputText
                v-model="form.name"
-                :label="$t('prospects.fields.name')"
+                label="Nom société"
                input-class="w-full"
                :error="touched.name && !form.name.trim() ? $t('prospects.validation.nameRequired') : ''"
                @blur="touched.name = true"
            />
            <MalioInputText
                v-model="form.company"
                :label="$t('prospects.fields.company')"
                input-class="w-full"
            />
            <MalioInputText
                v-model="form.email"
                :label="$t('prospects.fields.email')"
                input-class="w-full"
            />
            <MalioInputText
                v-model="form.phone"
                :label="$t('prospects.fields.phone')"
                input-class="w-full"
            />
            <MalioSelect
                v-model="form.status"
                :label="$t('prospects.fields.status')"
                :options="statusOptions"
                group-class="w-full"
            />
            <MalioInputText
                v-model="form.source"
                :label="$t('prospects.fields.source')"
                input-class="w-full"
            />
            <MalioInputTextArea
                v-model="form.notes"
                :label="$t('prospects.fields.notes')"
            />
            <div class="mt-6 flex items-center justify-between gap-2">
                <MalioButton
@@ -69,7 +39,7 @@
 </template>
 <script setup lang="ts">
-import type { Prospect, ProspectStatus, ProspectWrite } from '~/modules/directory/services/dto/prospect'
+import type { Prospect, ProspectWrite } from '~/modules/directory/services/dto/prospect'
 import { useProspectService } from '~/modules/directory/services/prospects'
 const props = defineProps<{
@@ -82,8 +52,6 @@ const emit = defineEmits<{
    (e: 'saved'): void
 }>()
 const { t } = useI18n()
 const isOpen = computed({
    get: () => props.modelValue,
    set: (v) => emit('update:modelValue', v),
@@ -93,30 +61,8 @@ const isEditing = computed(() => !!props.prospect)
 const isConverted = computed(() => !!props.prospect?.convertedClient)
 const isSubmitting = ref(false)
-const statusOptions = [
+const form = reactive({
    { label: t('prospects.status.new'), value: 'new' },
    { label: t('prospects.status.contacted'), value: 'contacted' },
    { label: t('prospects.status.qualified'), value: 'qualified' },
    { label: t('prospects.status.won'), value: 'won' },
    { label: t('prospects.status.lost'), value: 'lost' },
 ]
 const form = reactive<{
    name: string
    company: string
    email: string
    phone: string
    status: ProspectStatus
    source: string
    notes: string
 }>({
    name: '',
    company: '',
    email: '',
    phone: '',
    status: 'new',
    source: '',
    notes: '',
 })
 const touched = reactive({
@@ -125,23 +71,7 @@ const touched = reactive({
 watch(() => props.modelValue, (open) => {
    if (open) {
-        if (props.prospect) {
+        form.name = props.prospect?.name ?? ''
            form.name = props.prospect.name ?? ''
            form.company = props.prospect.company ?? ''
            form.email = props.prospect.email ?? ''
            form.phone = props.prospect.phone ?? ''
            form.status = props.prospect.status ?? 'new'
            form.source = props.prospect.source ?? ''
            form.notes = props.prospect.notes ?? ''
        } else {
            form.name = ''
            form.company = ''
            form.email = ''
            form.phone = ''
            form.status = 'new'
            form.source = ''
            form.notes = ''
        }
        touched.name = false
    }
 })
@@ -156,12 +86,6 @@ async function handleSubmit() {
    try {
        const payload: ProspectWrite = {
            name: form.name.trim(),
            company: form.company.trim() || null,
            email: form.email.trim() || null,
            phone: form.phone.trim() || null,
            status: form.status,
            source: form.source.trim() || null,
            notes: form.notes.trim() || null,
        }
        if (isEditing.value && props.prospect) {
@@ -31,6 +31,17 @@
                        <template #cell-phone="{ item }">
                            {{ (item as Client).phone ?? '—' }}
                        </template>
                        <template #cell-actions="{ item }">
                            <div class="flex justify-end" @click.stop>
                                <MalioButtonIcon
                                    icon="mdi:trash-can-outline"
                                    :aria-label="$t('common.delete')"
                                    button-class="!bg-red-100 !text-red-700"
                                    :icon-size="18"
                                    @click="askDeleteClient(item as Client)"
                                />
                            </div>
                        </template>
                    </MalioDataTable>
                </div>
            </template>
@@ -75,20 +86,23 @@
                            {{ (item as ProspectRow).phone ?? '—' }}
                        </template>
                        <template #cell-actions="{ item }">
-                            <div
+                            <div class="flex justify-end gap-2" @click.stop>
                                v-if="!(item as ProspectRow).convertedClient"
                                class="flex justify-end"
                                @click.stop
                            >
                                <MalioButtonIcon
                                    v-if="!(item as ProspectRow).convertedClient"
                                    icon="mdi:account-convert"
                                    :aria-label="$t('prospects.convert')"
                                    button-class="!bg-green-100 !text-green-700"
                                    :icon-size="18"
                                    @click="convertProspect(item as ProspectRow)"
                                />
                                <MalioButtonIcon
                                    icon="mdi:trash-can-outline"
                                    :aria-label="$t('common.delete')"
                                    button-class="!bg-red-100 !text-red-700"
                                    :icon-size="18"
                                    @click="askDeleteProspect(item as ProspectRow)"
                                />
                            </div>
                            <span v-else class="text-neutral-300">—</span>
                        </template>
                    </MalioDataTable>
                </div>
@@ -105,6 +119,13 @@
            :prospect="selectedProspect"
            @saved="onProspectSaved"
        />
        <ConfirmDeleteModal
            v-model="deleteModalOpen"
            :title="deleteModalTitle"
            :message="deleteModalMessage"
            @confirm="confirmDelete"
        />
    </div>
 </template>
@@ -139,6 +160,7 @@ const clientColumns = [
    { key: 'name', label: t('prospects.fields.name') },
    { key: 'email', label: t('prospects.fields.email') },
    { key: 'phone', label: t('prospects.fields.phone') },
    { key: 'actions', label: '' },
 ]
 async function loadClients() {
@@ -225,6 +247,54 @@ async function onProspectSaved() {
    await Promise.all([loadProspects(), loadClients()])
 }
 // --- Suppression (clients & prospects) ---
 type DeleteTarget =
    | { type: 'client'; item: Client }
    | { type: 'prospect'; item: Prospect }
 const deleteModalOpen = ref(false)
 const deleteTarget = ref<DeleteTarget | null>(null)
 const deleteModalTitle = computed(() =>
    deleteTarget.value?.type === 'prospect'
        ? t('prospects.deleteConfirmTitle')
        : t('clients.deleteConfirmTitle'),
 )
 const deleteModalMessage = computed(() => {
    if (!deleteTarget.value) return ''
    const name = deleteTarget.value.item.name
    return deleteTarget.value.type === 'prospect'
        ? t('prospects.deleteConfirmMessage', { name })
        : t('clients.deleteConfirmMessage', { name })
 })
 function askDeleteClient(item: Client) {
    deleteTarget.value = { type: 'client', item }
    deleteModalOpen.value = true
 }
 function askDeleteProspect(item: Prospect) {
    deleteTarget.value = { type: 'prospect', item }
    deleteModalOpen.value = true
 }
 async function confirmDelete() {
    const target = deleteTarget.value
    if (!target) return
    if (target.type === 'client') {
        await clientService.remove(target.item.id)
        await loadClients()
    } else {
        await prospectService.remove(target.item.id)
        await loadProspects()
    }
    deleteModalOpen.value = false
    deleteTarget.value = null
 }
 watch(statusFilter, loadProspects)
 onMounted(async () => {
@@ -8,6 +8,6 @@ export type Client = {
 export type ClientWrite = {
    name: string
-    email: string | null
+    email?: string | null
-    phone: string | null
+    phone?: string | null
 }
@@ -19,10 +19,10 @@ export type Prospect = {
 export type ProspectWrite = {
    name: string
-    company: string | null
+    company?: string | null
-    email: string | null
+    email?: string | null
-    phone: string | null
+    phone?: string | null
-    status: ProspectStatus
+    status?: ProspectStatus
-    source: string | null
+    source?: string | null
-    notes: string | null
+    notes?: string | null
 }
@@ -14,7 +14,9 @@ use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 */
 final class PermissionVoter extends Voter
 {
-    private const string PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+    // Les codes de permission sont au format module.resource.action où chaque
    // segment peut contenir des tirets (ex. project-management, time-tracking).
    private const string PATTERN = '/^[a-z][a-z0-9_-]*(\.[a-z][a-z0-9_-]*)+$/';
    protected function supports(string $attribute, mixed $subject): bool
    {
@@ -23,11 +23,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
    ],
    normalizationContext: ['groups' => ['address:read']],
    denormalizationContext: ['groups' => ['address:write']],
@@ -25,11 +25,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('directory.clients.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('directory.clients.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('directory.clients.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.clients.manage')"),
    ],
    normalizationContext: ['groups' => ['client:read']],
    denormalizationContext: ['groups' => ['client:write']],
@@ -26,11 +26,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
    ],
    normalizationContext: ['groups' => ['commercial_report:read']],
    denormalizationContext: ['groups' => ['commercial_report:write']],
@@ -23,11 +23,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
    ],
    normalizationContext: ['groups' => ['contact:read']],
    denormalizationContext: ['groups' => ['contact:write']],
@@ -27,14 +27,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.prospects.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('directory.prospects.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('directory.prospects.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('directory.prospects.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.prospects.manage')"),
        new Post(
            uriTemplate: '/prospects/{id}/convert',
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('directory.prospects.manage')",
            processor: ConvertProspectProcessor::class,
        ),
    ],
@@ -20,14 +20,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
        new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')",
            processor: ReportDocumentProcessor::class,
            deserialize: false,
        ),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
    ],
    normalizationContext: ['groups' => ['report_document:read']],
    denormalizationContext: ['groups' => ['report_document:write']],
@@ -30,18 +30,18 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view')"),
        new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.projects.manage')",
            denormalizationContext: ['groups' => ['project:write', 'project:create']],
        ),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage')"),
        new Post(
            uriTemplate: '/projects/{id}/switch-workflow',
            uriVariables: ['id' => new Link(fromClass: Project::class)],
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.projects.manage')",
            input: false,
            output: SwitchWorkflowOutput::class,
            normalizationContext: ['groups' => ['switch_workflow:read']],
@@ -33,11 +33,11 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')", processor: TaskNumberProcessor::class),
+        new Post(security: "is_granted('project-management.tasks.manage')", processor: TaskNumberProcessor::class),
-        new Patch(security: "is_granted('ROLE_ADMIN')", processor: TaskCalendarProcessor::class),
+        new Patch(security: "is_granted('project-management.tasks.manage')", processor: TaskCalendarProcessor::class),
-        new Delete(security: "is_granted('ROLE_ADMIN')", processor: TaskCalendarProcessor::class),
+        new Delete(security: "is_granted('project-management.tasks.manage')", processor: TaskCalendarProcessor::class),
    ],
    normalizationContext: ['groups' => ['task:read']],
    denormalizationContext: ['groups' => ['task:write']],
@@ -21,14 +21,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.tasks.view')", provider: TaskDocumentProvider::class),
-        new Get(security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
+        new Get(security: "is_granted('project-management.tasks.view')", provider: TaskDocumentProvider::class),
        new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.tasks.manage')",
            processor: TaskDocumentProcessor::class,
            deserialize: false,
        ),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_document:read']],
    denormalizationContext: ['groups' => ['task_document:write']],
@@ -16,11 +16,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_effort:read']],
    denormalizationContext: ['groups' => ['task_effort:write']],
@@ -19,11 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_group:read']],
    denormalizationContext: ['groups' => ['task_group:write']],
@@ -16,11 +16,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_priority:read']],
    denormalizationContext: ['groups' => ['task_priority:write']],
@@ -20,11 +20,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_recurrence:read']],
    denormalizationContext: ['groups' => ['task_recurrence:write']],
@@ -18,11 +18,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_status:read']],
    denormalizationContext: ['groups' => ['task_status:write']],
@@ -17,11 +17,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
    ],
    normalizationContext: ['groups' => ['task_tag:read']],
    denormalizationContext: ['groups' => ['task_tag:write']],
@@ -21,11 +21,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ApiResource(
    operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')", processor: WorkflowDeleteProcessor::class),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')", processor: WorkflowDeleteProcessor::class),
    ],
    normalizationContext: ['groups' => ['workflow:read']],
    denormalizationContext: ['groups' => ['workflow:write']],
@@ -31,13 +31,13 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
    operations: [
-        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new GetCollection(security: "is_granted('time-tracking.entries.view')"),
        new GetCollection(
            name: 'time_entries_range',
            uriTemplate: '/time_entries/range',
            description: 'List time entries for a bounded date range without pagination (used by the time-tracking calendar)',
            paginationEnabled: false,
-            security: "is_granted('ROLE_USER')",
+            security: "is_granted('time-tracking.entries.view')",
        ),
        new GetCollection(
            name: 'active_time_entry',
@@ -45,12 +45,12 @@ use Symfony\Component\Serializer\Attribute\Groups;
            provider: ActiveTimeEntryProvider::class,
            description: 'Get the active timer for the current user',
            paginationEnabled: false,
-            security: "is_granted('ROLE_USER')",
+            security: "is_granted('time-tracking.entries.view')",
        ),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('time-tracking.entries.view')"),
-        new Post(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('time-tracking.entries.manage')"),
-        new Patch(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
+        new Patch(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.manage') and object.getUser() == user)"),
-        new Delete(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
+        new Delete(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.manage') and object.getUser() == user)"),
    ],
    normalizationContext: ['groups' => ['time_entry:read']],
    denormalizationContext: ['groups' => ['time_entry:write']],
@@ -26,15 +26,13 @@ final class TimeTrackingModule implements ModuleInterface
    /**
     * Permissions RBAC fin du Module TimeTracking (2.1).
     *
     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
     * reste en ROLE_USER (non recâblée ici).
     *
     * @return list<array{code: string, label: string}>
     */
    public static function permissions(): array
    {
        return [
            ['code' => 'time-tracking.entries.view', 'label' => 'Voir les saisies de temps'],
            ['code' => 'time-tracking.entries.manage', 'label' => 'Gérer les saisies de temps'],
            ['code' => 'time-tracking.entries.export', 'label' => 'Exporter les saisies de temps'],
        ];
    }
@@ -0,0 +1,82 @@
 <?php
 declare(strict_types=1);
 namespace App\Tests\Functional\Module\ProjectManagement;
 use App\Module\Core\Domain\Entity\Permission;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 /**
 * Vérifie que les ressources métier sont bien gardées par les permissions RBAC
 * granulaires et non plus par le simple ROLE_USER.
 *
 * @internal
 */
 final class ProjectAccessControlTest extends WebTestCase
 {
    public function testAuthenticatedUserWithoutPermissionIsForbidden(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $user = $this->createPlainUser($em, 'proj-noperm-'.uniqid());
        $em->flush();
        $client->loginUser($user);
        $client->request('GET', '/api/projects');
        self::assertResponseStatusCodeSame(403);
    }
    public function testUserWithViewPermissionCanListProjects(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.view']);
        self::assertInstanceOf(Permission::class, $permission, 'Le catalogue de permissions doit contenir project-management.projects.view (lancer app:sync-permissions).');
        $user = $this->createPlainUser($em, 'proj-view-'.uniqid());
        $user->addDirectPermission($permission);
        $em->flush();
        $client->loginUser($user);
        $client->request('GET', '/api/projects');
        self::assertResponseIsSuccessful();
    }
    public function testViewPermissionDoesNotGrantWrite(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.view']);
        self::assertInstanceOf(Permission::class, $permission);
        $user = $this->createPlainUser($em, 'proj-noWrite-'.uniqid());
        $user->addDirectPermission($permission);
        $em->flush();
        $client->loginUser($user);
        $client->request('POST', '/api/projects', server: [
            'CONTENT_TYPE' => 'application/ld+json',
        ], content: json_encode(['name' => 'Should be denied']));
        self::assertResponseStatusCodeSame(403);
    }
    private function createPlainUser(EntityManagerInterface $em, string $username): User
    {
        $user = new User();
        $user->setUsername($username);
        $user->setPassword('x');
        $user->setRoles(['ROLE_USER']);
        $em->persist($user);
        return $user;
    }
 }
`@@ -1,2 +1,2 @@`
	`parameters:`	`parameters:`
	`app.version: '0.4.32'`	`app.version: '0.4.34'`