fix(rbac) : enforce granular permissions on business resources

Les ressources métier (ProjectManagement, Directory, TimeTracking) étaient
gardées par is_granted('ROLE_USER')/'ROLE_ADMIN', ignorant les permissions
RBAC granulaires déclarées par les modules : un utilisateur sans permission
voyait quand même projets, tâches, clients, etc.

- PermissionVoter : le regex excluait les tirets, donc project-management.* et
  time-tracking.* n'étaient supportées par aucun voter (refus pour tous, admin
  compris car le bypass ROLE_ADMIN est interne au voter). Ajout du tiret.
- Câblage des permissions *.view (lecture) / *.manage (écriture) sur les 17
  ressources métier. Métadonnées tâches lisibles via projects.view OR tasks.view.
  Directory partagé client/prospect via clients.* OR prospects.*. TimeEntry
  conserve le self-service (object.getUser() == user).
- Sidebar : gating par permission effective des onglets Projets / Mes tâches /
  Suivi du temps (config/sidebar.php).
- Test fonctionnel ProjectAccessControlTest (0 perm -> 403, view -> 200,
  view ne donne pas l'écriture -> 403).

config/sidebar.php

@@ -23,9 +23,9 @@ return [
         'icon'  => 'mdi:view-dashboard-outline',
         'items' => [
             ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
-            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
-            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
-            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management', 'permission' => 'project-management.tasks.view'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management', 'permission' => 'project-management.projects.view'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking', 'permission' => 'time-tracking.entries.view'],
             // Gating module uniquement (cf. en-tête) : rendu visuel + badge gérés côté layout.
             ['label' => 'sidebar.general.mail', 'to' => '/mail', 'icon' => 'mdi:email-outline', 'module' => 'mail'],
         ],

src/Module/Core/Infrastructure/Security/PermissionVoter.php

@@ -14,7 +14,9 @@ use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  */
 final class PermissionVoter extends Voter
 {
-    private const string PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+    // Les codes de permission sont au format module.resource.action où chaque
+    // segment peut contenir des tirets (ex. project-management, time-tracking).
+    private const string PATTERN = '/^[a-z][a-z0-9_-]*(\.[a-z][a-z0-9_-]*)+$/';
 
     protected function supports(string $attribute, mixed $subject): bool
     {

src/Module/Directory/Domain/Entity/Address.php

@@ -23,11 +23,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Post(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
+        new Patch(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
     ],
     normalizationContext: ['groups' => ['address:read']],
     denormalizationContext: ['groups' => ['address:write']],

src/Module/Directory/Domain/Entity/Client.php

@@ -25,11 +25,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view')"),
+        new Get(security: "is_granted('directory.clients.view')"),
+        new Post(security: "is_granted('directory.clients.manage')"),
+        new Patch(security: "is_granted('directory.clients.manage')"),
+        new Delete(security: "is_granted('directory.clients.manage')"),
     ],
     normalizationContext: ['groups' => ['client:read']],
     denormalizationContext: ['groups' => ['client:write']],

src/Module/Directory/Domain/Entity/CommercialReport.php

@@ -26,11 +26,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Post(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
+        new Patch(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
     ],
     normalizationContext: ['groups' => ['commercial_report:read']],
     denormalizationContext: ['groups' => ['commercial_report:write']],

src/Module/Directory/Domain/Entity/Contact.php

@@ -23,11 +23,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Post(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
+        new Patch(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
     ],
     normalizationContext: ['groups' => ['contact:read']],
     denormalizationContext: ['groups' => ['contact:write']],

src/Module/Directory/Domain/Entity/Prospect.php

@@ -27,14 +27,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.prospects.view')"),
+        new Get(security: "is_granted('directory.prospects.view')"),
+        new Post(security: "is_granted('directory.prospects.manage')"),
+        new Patch(security: "is_granted('directory.prospects.manage')"),
+        new Delete(security: "is_granted('directory.prospects.manage')"),
         new Post(
             uriTemplate: '/prospects/{id}/convert',
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('directory.prospects.manage')",
             processor: ConvertProspectProcessor::class,
         ),
     ],

src/Module/Directory/Domain/Entity/ReportDocument.php

@@ -20,14 +20,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
+        new Get(security: "is_granted('directory.clients.view') or is_granted('directory.prospects.view')"),
         new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')",
             processor: ReportDocumentProcessor::class,
             deserialize: false,
         ),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('directory.clients.manage') or is_granted('directory.prospects.manage')"),
     ],
     normalizationContext: ['groups' => ['report_document:read']],
     denormalizationContext: ['groups' => ['report_document:write']],

src/Module/ProjectManagement/Domain/Entity/Project.php

@@ -30,18 +30,18 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view')"),
+        new Get(security: "is_granted('project-management.projects.view')"),
         new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.projects.manage')",
             denormalizationContext: ['groups' => ['project:write', 'project:create']],
         ),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage')"),
         new Post(
             uriTemplate: '/projects/{id}/switch-workflow',
             uriVariables: ['id' => new Link(fromClass: Project::class)],
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.projects.manage')",
             input: false,
             output: SwitchWorkflowOutput::class,
             normalizationContext: ['groups' => ['switch_workflow:read']],

src/Module/ProjectManagement/Domain/Entity/Task.php

@@ -33,11 +33,11 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')", processor: TaskNumberProcessor::class),
-        new Patch(security: "is_granted('ROLE_ADMIN')", processor: TaskCalendarProcessor::class),
-        new Delete(security: "is_granted('ROLE_ADMIN')", processor: TaskCalendarProcessor::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.tasks.manage')", processor: TaskNumberProcessor::class),
+        new Patch(security: "is_granted('project-management.tasks.manage')", processor: TaskCalendarProcessor::class),
+        new Delete(security: "is_granted('project-management.tasks.manage')", processor: TaskCalendarProcessor::class),
     ],
     normalizationContext: ['groups' => ['task:read']],
     denormalizationContext: ['groups' => ['task:write']],

src/Module/ProjectManagement/Domain/Entity/TaskDocument.php

@@ -21,14 +21,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
-        new Get(security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.tasks.view')", provider: TaskDocumentProvider::class),
+        new Get(security: "is_granted('project-management.tasks.view')", provider: TaskDocumentProvider::class),
         new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.tasks.manage')",
             processor: TaskDocumentProcessor::class,
             deserialize: false,
         ),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_document:read']],
     denormalizationContext: ['groups' => ['task_document:write']],

src/Module/ProjectManagement/Domain/Entity/TaskEffort.php

@@ -16,11 +16,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_effort:read']],
     denormalizationContext: ['groups' => ['task_effort:write']],

src/Module/ProjectManagement/Domain/Entity/TaskGroup.php

@@ -19,11 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_group:read']],
     denormalizationContext: ['groups' => ['task_group:write']],

src/Module/ProjectManagement/Domain/Entity/TaskPriority.php

@@ -16,11 +16,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_priority:read']],
     denormalizationContext: ['groups' => ['task_priority:write']],

src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php

@@ -20,11 +20,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_recurrence:read']],
     denormalizationContext: ['groups' => ['task_recurrence:write']],

src/Module/ProjectManagement/Domain/Entity/TaskStatus.php

@@ -18,11 +18,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_status:read']],
     denormalizationContext: ['groups' => ['task_status:write']],

src/Module/ProjectManagement/Domain/Entity/TaskTag.php

@@ -17,11 +17,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_tag:read']],
     denormalizationContext: ['groups' => ['task_tag:write']],

src/Module/ProjectManagement/Domain/Entity/Workflow.php

@@ -21,11 +21,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')", processor: WorkflowDeleteProcessor::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')", processor: WorkflowDeleteProcessor::class),
     ],
     normalizationContext: ['groups' => ['workflow:read']],
     denormalizationContext: ['groups' => ['workflow:write']],

src/Module/TimeTracking/Domain/Entity/TimeEntry.php

@@ -31,13 +31,13 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(security: "is_granted('ROLE_USER')"),
+        new GetCollection(security: "is_granted('time-tracking.entries.view')"),
         new GetCollection(
             name: 'time_entries_range',
             uriTemplate: '/time_entries/range',
             description: 'List time entries for a bounded date range without pagination (used by the time-tracking calendar)',
             paginationEnabled: false,
-            security: "is_granted('ROLE_USER')",
+            security: "is_granted('time-tracking.entries.view')",
         ),
         new GetCollection(
             name: 'active_time_entry',
@@ -45,12 +45,12 @@ use Symfony\Component\Serializer\Attribute\Groups;
             provider: ActiveTimeEntryProvider::class,
             description: 'Get the active timer for the current user',
             paginationEnabled: false,
-            security: "is_granted('ROLE_USER')",
+            security: "is_granted('time-tracking.entries.view')",
         ),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_USER')"),
-        new Patch(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
-        new Delete(security: "is_granted('ROLE_ADMIN') or object.getUser() == user"),
+        new Get(security: "is_granted('time-tracking.entries.view')"),
+        new Post(security: "is_granted('time-tracking.entries.view')"),
+        new Patch(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.view') and object.getUser() == user)"),
+        new Delete(security: "is_granted('ROLE_ADMIN') or (is_granted('time-tracking.entries.view') and object.getUser() == user)"),
     ],
     normalizationContext: ['groups' => ['time_entry:read']],
     denormalizationContext: ['groups' => ['time_entry:write']],

tests/Functional/Module/ProjectManagement/ProjectAccessControlTest.php

@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\ProjectManagement;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * Vérifie que les ressources métier sont bien gardées par les permissions RBAC
+ * granulaires et non plus par le simple ROLE_USER.
+ *
+ * @internal
+ */
+final class ProjectAccessControlTest extends WebTestCase
+{
+    public function testAuthenticatedUserWithoutPermissionIsForbidden(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $user = $this->createPlainUser($em, 'proj-noperm-'.uniqid());
+        $em->flush();
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/projects');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testUserWithViewPermissionCanListProjects(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.view']);
+        self::assertInstanceOf(Permission::class, $permission, 'Le catalogue de permissions doit contenir project-management.projects.view (lancer app:sync-permissions).');
+
+        $user = $this->createPlainUser($em, 'proj-view-'.uniqid());
+        $user->addDirectPermission($permission);
+        $em->flush();
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/projects');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testViewPermissionDoesNotGrantWrite(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.view']);
+        self::assertInstanceOf(Permission::class, $permission);
+
+        $user = $this->createPlainUser($em, 'proj-noWrite-'.uniqid());
+        $user->addDirectPermission($permission);
+        $em->flush();
+        $client->loginUser($user);
+
+        $client->request('POST', '/api/projects', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode(['name' => 'Should be denied']));
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    private function createPlainUser(EntityManagerInterface $em, string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('x');
+        $user->setRoles(['ROLE_USER']);
+        $em->persist($user);
+
+        return $user;
+    }
+}