refactor(client-portal) : remove client portal feature entirely
- drop ClientPortal module, ClientTicket entity, ROLE_CLIENT and all couplings (Task, TaskDocument, User, Notification) back to an internal-only model - migration drops client_ticket / user_allowed_projects / related FK columns and removes leftover external client accounts (would otherwise be promoted to ROLE_USER) - remove client-portal frontend module, admin tickets tab, user portal section, portal nav item and portal/clientTicket i18n keys - fix directory nav icon (invalid mdi:contact-multiple-outline -> mdi:card-account-details-outline) - add 'make sync-permissions' target, wire it into install/db-reset and the prod deploy script
This commit is contained in:
Matthieu
@@ -19,7 +19,6 @@ use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskCalendarPr
|
||||
use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskNumberProcessor;
|
||||
use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository;
|
||||
use App\Shared\Domain\Contract\BlamableInterface;
|
||||
use App\Shared\Domain\Contract\ClientTicketInterface;
|
||||
use App\Shared\Domain\Contract\TaskInterface;
|
||||
use App\Shared\Domain\Contract\TimestampableInterface;
|
||||
use App\Shared\Domain\Contract\UserInterface;
|
||||
@@ -164,16 +163,6 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
|
||||
#[Groups(['task:read', 'task:write'])]
|
||||
private ?TaskRecurrence $recurrence = null;
|
||||
|
||||
/**
|
||||
* Optional manual link to a client ticket. Exposed (number/type/status/title)
|
||||
* in task:read so the kanban can show the linked-ticket icon without giving
|
||||
* ROLE_USER access to the /api/client_tickets collection.
|
||||
*/
|
||||
#[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
|
||||
#[ORM\JoinColumn(name: 'client_ticket_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
|
||||
#[Groups(['task:read', 'task:write'])]
|
||||
private ?ClientTicketInterface $clientTicket = null;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->tags = new ArrayCollection();
|
||||
@@ -452,18 +441,6 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function getClientTicket(): ?ClientTicketInterface
|
||||
{
|
||||
return $this->clientTicket;
|
||||
}
|
||||
|
||||
public function setClientTicket(?ClientTicketInterface $clientTicket): static
|
||||
{
|
||||
$this->clientTicket = $clientTicket;
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
#[Assert\Callback]
|
||||
public function validateScheduledDates(ExecutionContextInterface $context): void
|
||||
{
|
||||
|
||||
@@ -14,7 +14,6 @@ use ApiPlatform\Metadata\Post;
|
||||
use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor;
|
||||
use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProvider;
|
||||
use App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener;
|
||||
use App\Shared\Domain\Contract\ClientTicketInterface;
|
||||
use App\Shared\Domain\Contract\UserInterface;
|
||||
use DateTimeImmutable;
|
||||
use Doctrine\ORM\Mapping as ORM;
|
||||
@@ -22,10 +21,10 @@ use Symfony\Component\Serializer\Attribute\Groups;
|
||||
|
||||
#[ApiResource(
|
||||
operations: [
|
||||
new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER') or is_granted('ROLE_CLIENT')", provider: TaskDocumentProvider::class),
|
||||
new Get(security: "is_granted('ROLE_USER') or is_granted('ROLE_CLIENT')", provider: TaskDocumentProvider::class),
|
||||
new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
|
||||
new Get(security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
|
||||
new Post(
|
||||
security: "is_granted('ROLE_ADMIN') or is_granted('ROLE_CLIENT')",
|
||||
security: "is_granted('ROLE_ADMIN')",
|
||||
processor: TaskDocumentProcessor::class,
|
||||
deserialize: false,
|
||||
),
|
||||
@@ -35,11 +34,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
|
||||
denormalizationContext: ['groups' => ['task_document:write']],
|
||||
order: ['id' => 'DESC'],
|
||||
)]
|
||||
#[ApiFilter(SearchFilter::class, properties: ['task' => 'exact', 'clientTicket' => 'exact'])]
|
||||
#[ApiFilter(SearchFilter::class, properties: ['task' => 'exact'])]
|
||||
#[ORM\Entity]
|
||||
#[ORM\EntityListeners([TaskDocumentListener::class])]
|
||||
// A document must be attached to either a task or a client ticket.
|
||||
#[ORM\Table(name: 'task_document')]
|
||||
class TaskDocument
|
||||
{
|
||||
#[ORM\Id]
|
||||
@@ -49,16 +46,10 @@ class TaskDocument
|
||||
private ?int $id = null;
|
||||
|
||||
#[ORM\ManyToOne(targetEntity: Task::class, inversedBy: 'documents')]
|
||||
#[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
|
||||
#[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
|
||||
#[Groups(['task_document:read', 'task_document:write'])]
|
||||
private ?Task $task = null;
|
||||
|
||||
/** Client ticket this document is attached to (alternative to task). */
|
||||
#[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
|
||||
#[ORM\JoinColumn(name: 'client_ticket_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
|
||||
#[Groups(['task_document:read', 'task_document:write', 'client_ticket:read'])]
|
||||
private ?ClientTicketInterface $clientTicket = null;
|
||||
|
||||
#[ORM\Column(length: 255)]
|
||||
#[Groups(['task_document:read', 'task:read'])]
|
||||
private ?string $originalName = null;
|
||||
@@ -109,18 +100,6 @@ class TaskDocument
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function getClientTicket(): ?ClientTicketInterface
|
||||
{
|
||||
return $this->clientTicket;
|
||||
}
|
||||
|
||||
public function setClientTicket(?ClientTicketInterface $clientTicket): static
|
||||
{
|
||||
$this->clientTicket = $clientTicket;
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function getOriginalName(): ?string
|
||||
{
|
||||
return $this->originalName;
|
||||
|
||||
+22
-91
@@ -14,8 +14,6 @@ use App\Module\Integration\Domain\Service\FileSource;
|
||||
use App\Module\Integration\Domain\Service\SharePathResolver;
|
||||
use App\Module\ProjectManagement\Domain\Entity\Task;
|
||||
use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
|
||||
use App\Shared\Domain\Contract\ClientTicketInterface;
|
||||
use App\Shared\Domain\Contract\UserInterface;
|
||||
use DateTimeImmutable;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
@@ -77,12 +75,11 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
*/
|
||||
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): TaskDocument
|
||||
{
|
||||
// Défense en profondeur : l'opération Post est déjà protégée par
|
||||
// ROLE_ADMIN ou ROLE_CLIENT, mais on re-vérifie ici pour que les deux
|
||||
// chemins (upload ET lien partage) restent sûrs si la configuration de
|
||||
// sécurité de l'opération venait à changer.
|
||||
if (!$this->security->isGranted('ROLE_ADMIN') && !$this->security->isGranted('ROLE_CLIENT')) {
|
||||
throw new AccessDeniedHttpException('Creating documents requires admin or client privileges.');
|
||||
// Défense en profondeur : l'opération Post est déjà protégée par ROLE_ADMIN, mais on
|
||||
// re-vérifie ici pour que les deux chemins (upload ET lien partage) restent sûrs si la
|
||||
// configuration de sécurité de l'opération venait à changer.
|
||||
if (!$this->security->isGranted('ROLE_ADMIN')) {
|
||||
throw new AccessDeniedHttpException('Creating task documents requires admin privileges.');
|
||||
}
|
||||
|
||||
$request = $this->requestStack->getCurrentRequest();
|
||||
@@ -94,14 +91,6 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
// Deux modes de création : upload d'un fichier (multipart) ou lien vers un fichier du partage SMB (JSON).
|
||||
$sharePath = $this->extractSharePath($request);
|
||||
|
||||
// Sécurité : un utilisateur client ne peut PAS créer de lien vers le
|
||||
// partage SMB interne (référence de fichier arbitraire hors de son
|
||||
// périmètre) — seul le téléversement lui est permis. Le lien partage
|
||||
// reste réservé aux administrateurs.
|
||||
if (null !== $sharePath && !$this->security->isGranted('ROLE_ADMIN')) {
|
||||
throw new AccessDeniedHttpException('Les utilisateurs clients ne peuvent pas créer de lien vers le partage ; un téléversement est requis.');
|
||||
}
|
||||
|
||||
$document = null !== $sharePath
|
||||
? $this->createShareLink($request, $sharePath)
|
||||
: $this->createUpload($request);
|
||||
@@ -147,6 +136,8 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
throw new BadRequestHttpException('File size exceeds 50 MB limit.');
|
||||
}
|
||||
|
||||
$task = $this->resolveTask($request->request->get('task', ''));
|
||||
|
||||
// Use server-detected MIME type (finfo), not the client-supplied one
|
||||
$originalName = $file->getClientOriginalName();
|
||||
$mimeType = $file->getMimeType() ?: 'application/octet-stream';
|
||||
@@ -166,7 +157,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
$file->move($this->uploadDir, $fileName);
|
||||
|
||||
$document = new TaskDocument();
|
||||
$this->attachTarget($document, $request);
|
||||
$document->setTask($task);
|
||||
$document->setOriginalName($originalName);
|
||||
$document->setFileName($fileName);
|
||||
$document->setMimeType($mimeType);
|
||||
@@ -177,6 +168,15 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
|
||||
private function createShareLink(Request $request, string $rawSharePath): TaskDocument
|
||||
{
|
||||
$taskIri = $request->request->get('task');
|
||||
|
||||
if (!is_string($taskIri) || '' === $taskIri) {
|
||||
$payload = json_decode($request->getContent() ?: '{}', true);
|
||||
$taskIri = is_array($payload) ? ($payload['task'] ?? '') : '';
|
||||
}
|
||||
|
||||
$task = $this->resolveTask((string) $taskIri);
|
||||
|
||||
try {
|
||||
$path = $this->pathResolver->normalizeRelative($rawSharePath);
|
||||
} catch (InvalidPathException) {
|
||||
@@ -198,7 +198,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
}
|
||||
|
||||
$document = new TaskDocument();
|
||||
$this->attachTarget($document, $request);
|
||||
$document->setTask($task);
|
||||
$document->setOriginalName($entry->name);
|
||||
$document->setSharePath($path);
|
||||
$document->setMimeType($entry->mimeType);
|
||||
@@ -233,61 +233,12 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Attaches the document to a task OR a client ticket, enforcing per-role
|
||||
* access. Exactly one of the two targets must be provided.
|
||||
*
|
||||
* - ROLE_ADMIN may attach to any task or any client ticket.
|
||||
* - ROLE_CLIENT may only attach to a client ticket they submitted, and may
|
||||
* never attach to a task.
|
||||
*/
|
||||
private function attachTarget(TaskDocument $document, Request $request): void
|
||||
{
|
||||
$taskIri = $this->readField($request, 'task');
|
||||
$clientTicketIri = $this->readField($request, 'clientTicket');
|
||||
|
||||
if ('' === $taskIri && '' === $clientTicketIri) {
|
||||
throw new BadRequestHttpException('A task or a clientTicket IRI is required.');
|
||||
}
|
||||
if ('' !== $taskIri && '' !== $clientTicketIri) {
|
||||
throw new BadRequestHttpException('Provide either a task or a clientTicket, not both.');
|
||||
}
|
||||
|
||||
$isClient = $this->security->isGranted('ROLE_CLIENT') && !$this->security->isGranted('ROLE_ADMIN');
|
||||
|
||||
if ('' !== $clientTicketIri) {
|
||||
$document->setClientTicket($this->resolveClientTicket($clientTicketIri, $isClient));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if ($isClient) {
|
||||
throw new AccessDeniedHttpException('Client users can only attach documents to a client ticket.');
|
||||
}
|
||||
|
||||
$document->setTask($this->resolveTask($taskIri));
|
||||
}
|
||||
|
||||
private function readField(Request $request, string $field): string
|
||||
{
|
||||
$value = $request->request->get($field);
|
||||
|
||||
if (is_string($value) && '' !== $value) {
|
||||
return $value;
|
||||
}
|
||||
|
||||
if (str_contains((string) $request->headers->get('Content-Type'), 'application/json')) {
|
||||
$payload = json_decode($request->getContent() ?: '{}', true);
|
||||
if (is_array($payload) && isset($payload[$field]) && is_string($payload[$field])) {
|
||||
return $payload[$field];
|
||||
}
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
private function resolveTask(string $taskIri): Task
|
||||
{
|
||||
if ('' === $taskIri) {
|
||||
throw new BadRequestHttpException('A task IRI is required.');
|
||||
}
|
||||
|
||||
$task = $this->entityManager->getRepository(Task::class)->find((int) basename($taskIri));
|
||||
|
||||
if (null === $task) {
|
||||
@@ -296,24 +247,4 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
|
||||
|
||||
return $task;
|
||||
}
|
||||
|
||||
private function resolveClientTicket(string $ticketIri, bool $isClient): ClientTicketInterface
|
||||
{
|
||||
$ticket = $this->entityManager->getRepository(ClientTicketInterface::class)->find((int) basename($ticketIri));
|
||||
|
||||
if (null === $ticket) {
|
||||
throw new BadRequestHttpException('Client ticket not found.');
|
||||
}
|
||||
|
||||
if ($isClient) {
|
||||
$user = $this->security->getUser();
|
||||
assert($user instanceof UserInterface);
|
||||
|
||||
if ($ticket->getSubmittedBy() !== $user) {
|
||||
throw new AccessDeniedHttpException('You can only attach documents to your own tickets.');
|
||||
}
|
||||
}
|
||||
|
||||
return $ticket;
|
||||
}
|
||||
}
|
||||
|
||||
+4
-41
@@ -12,12 +12,6 @@ use Doctrine\ORM\EntityManagerInterface;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
|
||||
/**
|
||||
* Provider for TaskDocument read operations.
|
||||
*
|
||||
* - ROLE_ADMIN: every document.
|
||||
* - ROLE_USER: documents attached to a task (task IS NOT NULL).
|
||||
* - ROLE_CLIENT: documents attached to a client ticket the user submitted.
|
||||
*
|
||||
* @implements ProviderInterface<TaskDocument>
|
||||
*/
|
||||
final readonly class TaskDocumentProvider implements ProviderInterface
|
||||
@@ -32,56 +26,25 @@ final readonly class TaskDocumentProvider implements ProviderInterface
|
||||
$user = $this->security->getUser();
|
||||
assert($user instanceof UserInterface);
|
||||
|
||||
$isAdmin = $this->security->isGranted('ROLE_ADMIN');
|
||||
$isClient = $this->security->isGranted('ROLE_CLIENT');
|
||||
|
||||
$repo = $this->entityManager->getRepository(TaskDocument::class);
|
||||
|
||||
// Single item.
|
||||
// Single item
|
||||
if (isset($uriVariables['id'])) {
|
||||
$document = $repo->find($uriVariables['id']);
|
||||
if (null === $document) {
|
||||
return null;
|
||||
}
|
||||
if ($isAdmin) {
|
||||
return $document;
|
||||
}
|
||||
if ($isClient) {
|
||||
$ticket = $document->getClientTicket();
|
||||
|
||||
return null !== $ticket && $ticket->getSubmittedBy() === $user ? $document : null;
|
||||
}
|
||||
|
||||
// ROLE_USER: task-linked documents only.
|
||||
return null !== $document->getTask() ? $document : null;
|
||||
return $repo->find($uriVariables['id']);
|
||||
}
|
||||
|
||||
// Collection.
|
||||
// Collection
|
||||
$qb = $repo->createQueryBuilder('d')
|
||||
->orderBy('d.id', 'DESC')
|
||||
;
|
||||
|
||||
if ($isClient && !$isAdmin) {
|
||||
$qb->innerJoin('d.clientTicket', 'ct')
|
||||
->andWhere('ct.submittedBy = :user')
|
||||
->setParameter('user', $user)
|
||||
;
|
||||
} elseif (!$isAdmin) {
|
||||
// ROLE_USER: only documents attached to a task.
|
||||
$qb->andWhere('d.task IS NOT NULL');
|
||||
}
|
||||
|
||||
// Apply filters from query parameters
|
||||
$filters = $context['filters'] ?? [];
|
||||
if (isset($filters['task'])) {
|
||||
$qb->andWhere('d.task = :task')
|
||||
->setParameter('task', self::extractId($filters['task']))
|
||||
;
|
||||
}
|
||||
if (isset($filters['clientTicket'])) {
|
||||
$qb->andWhere('d.clientTicket = :clientTicket')
|
||||
->setParameter('clientTicket', self::extractId($filters['clientTicket']))
|
||||
;
|
||||
}
|
||||
|
||||
return $qb->getQuery()->getResult();
|
||||
}
|
||||
|
||||
-16
@@ -10,13 +10,11 @@ use App\Module\Integration\Domain\Service\FileSource;
|
||||
use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
use Symfony\Component\HttpFoundation\BinaryFileResponse;
|
||||
use Symfony\Component\HttpFoundation\HeaderUtils;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
|
||||
use Symfony\Component\HttpFoundation\StreamedResponse;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\Routing\Attribute\Route;
|
||||
use Symfony\Component\Security\Http\Attribute\IsGranted;
|
||||
@@ -28,7 +26,6 @@ class TaskDocumentDownloadController extends AbstractController
|
||||
public function __construct(
|
||||
private readonly EntityManagerInterface $entityManager,
|
||||
private readonly FileSource $fileSource,
|
||||
private readonly Security $security,
|
||||
private readonly string $uploadDir,
|
||||
) {}
|
||||
|
||||
@@ -42,19 +39,6 @@ class TaskDocumentDownloadController extends AbstractController
|
||||
throw new NotFoundHttpException('Document not found.');
|
||||
}
|
||||
|
||||
$isAdmin = $this->security->isGranted('ROLE_ADMIN');
|
||||
$isClient = $this->security->isGranted('ROLE_CLIENT') && !$isAdmin;
|
||||
if (!$isAdmin) {
|
||||
if ($isClient) {
|
||||
$ticket = $document->getClientTicket();
|
||||
if (null === $ticket || $ticket->getSubmittedBy() !== $this->security->getUser()) {
|
||||
throw new AccessDeniedHttpException();
|
||||
}
|
||||
} elseif (null === $document->getTask()) {
|
||||
throw new AccessDeniedHttpException();
|
||||
}
|
||||
}
|
||||
|
||||
$mimeType = $document->getMimeType() ?? 'application/octet-stream';
|
||||
|
||||
// Inline for images (except SVG) and PDFs, attachment for everything else.
|
||||
|
||||
Reference in New Issue
Block a user