fix(rbac) : enforce granular permissions on business resources

Les ressources métier (ProjectManagement, Directory, TimeTracking) étaient
gardées par is_granted('ROLE_USER')/'ROLE_ADMIN', ignorant les permissions
RBAC granulaires déclarées par les modules : un utilisateur sans permission
voyait quand même projets, tâches, clients, etc.

- PermissionVoter : le regex excluait les tirets, donc project-management.* et
  time-tracking.* n'étaient supportées par aucun voter (refus pour tous, admin
  compris car le bypass ROLE_ADMIN est interne au voter). Ajout du tiret.
- Câblage des permissions *.view (lecture) / *.manage (écriture) sur les 17
  ressources métier. Métadonnées tâches lisibles via projects.view OR tasks.view.
  Directory partagé client/prospect via clients.* OR prospects.*. TimeEntry
  conserve le self-service (object.getUser() == user).
- Sidebar : gating par permission effective des onglets Projets / Mes tâches /
  Suivi du temps (config/sidebar.php).
- Test fonctionnel ProjectAccessControlTest (0 perm -> 403, view -> 200,
  view ne donne pas l'écriture -> 403).

src/Module/ProjectManagement/Domain/Entity/Project.php

@@ -30,18 +30,18 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view')"),
+        new Get(security: "is_granted('project-management.projects.view')"),
         new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.projects.manage')",
             denormalizationContext: ['groups' => ['project:write', 'project:create']],
         ),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('project-management.projects.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage')"),
         new Post(
             uriTemplate: '/projects/{id}/switch-workflow',
             uriVariables: ['id' => new Link(fromClass: Project::class)],
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.projects.manage')",
             input: false,
             output: SwitchWorkflowOutput::class,
             normalizationContext: ['groups' => ['switch_workflow:read']],

src/Module/ProjectManagement/Domain/Entity/Task.php

@@ -33,11 +33,11 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')", processor: TaskNumberProcessor::class),
-        new Patch(security: "is_granted('ROLE_ADMIN')", processor: TaskCalendarProcessor::class),
-        new Delete(security: "is_granted('ROLE_ADMIN')", processor: TaskCalendarProcessor::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.tasks.manage')", processor: TaskNumberProcessor::class),
+        new Patch(security: "is_granted('project-management.tasks.manage')", processor: TaskCalendarProcessor::class),
+        new Delete(security: "is_granted('project-management.tasks.manage')", processor: TaskCalendarProcessor::class),
     ],
     normalizationContext: ['groups' => ['task:read']],
     denormalizationContext: ['groups' => ['task:write']],

src/Module/ProjectManagement/Domain/Entity/TaskDocument.php

@@ -21,14 +21,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
-        new Get(security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.tasks.view')", provider: TaskDocumentProvider::class),
+        new Get(security: "is_granted('project-management.tasks.view')", provider: TaskDocumentProvider::class),
         new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('project-management.tasks.manage')",
             processor: TaskDocumentProcessor::class,
             deserialize: false,
         ),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_document:read']],
     denormalizationContext: ['groups' => ['task_document:write']],

src/Module/ProjectManagement/Domain/Entity/TaskEffort.php

@@ -16,11 +16,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_effort:read']],
     denormalizationContext: ['groups' => ['task_effort:write']],

src/Module/ProjectManagement/Domain/Entity/TaskGroup.php

@@ -19,11 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_group:read']],
     denormalizationContext: ['groups' => ['task_group:write']],

src/Module/ProjectManagement/Domain/Entity/TaskPriority.php

@@ -16,11 +16,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_priority:read']],
     denormalizationContext: ['groups' => ['task_priority:write']],

src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php

@@ -20,11 +20,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_recurrence:read']],
     denormalizationContext: ['groups' => ['task_recurrence:write']],

src/Module/ProjectManagement/Domain/Entity/TaskStatus.php

@@ -18,11 +18,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_status:read']],
     denormalizationContext: ['groups' => ['task_status:write']],

src/Module/ProjectManagement/Domain/Entity/TaskTag.php

@@ -17,11 +17,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
     ],
     normalizationContext: ['groups' => ['task_tag:read']],
     denormalizationContext: ['groups' => ['task_tag:write']],

src/Module/ProjectManagement/Domain/Entity/Workflow.php

@@ -21,11 +21,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
-        new Get(security: "is_granted('ROLE_USER')"),
-        new Post(security: "is_granted('ROLE_ADMIN')"),
-        new Patch(security: "is_granted('ROLE_ADMIN')"),
-        new Delete(security: "is_granted('ROLE_ADMIN')", processor: WorkflowDeleteProcessor::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Get(security: "is_granted('project-management.projects.view') or is_granted('project-management.tasks.view')"),
+        new Post(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Patch(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')"),
+        new Delete(security: "is_granted('project-management.projects.manage') or is_granted('project-management.tasks.manage')", processor: WorkflowDeleteProcessor::class),
     ],
     normalizationContext: ['groups' => ['workflow:read']],
     denormalizationContext: ['groups' => ['workflow:write']],