refactor(client-portal) : remove client portal feature entirely
- drop ClientPortal module, ClientTicket entity, ROLE_CLIENT and all couplings (Task, TaskDocument, User, Notification) back to an internal-only model - migration drops client_ticket / user_allowed_projects / related FK columns and removes leftover external client accounts (would otherwise be promoted to ROLE_USER) - remove client-portal frontend module, admin tickets tab, user portal section, portal nav item and portal/clientTicket i18n keys - fix directory nav icon (invalid mdi:contact-multiple-outline -> mdi:card-account-details-outline) - add 'make sync-permissions' target, wire it into install/db-reset and the prod deploy script
This commit is contained in:
Matthieu
@@ -1,293 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Functional\Module\ClientPortal;
|
||||
|
||||
use App\Module\ClientPortal\Domain\Entity\ClientTicket;
|
||||
use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
|
||||
use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
|
||||
use App\Module\Core\Domain\Entity\Notification;
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\ProjectManagement\Domain\Entity\Project;
|
||||
use DateTimeImmutable;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use PHPUnit\Framework\Attributes\DataProvider;
|
||||
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
|
||||
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
|
||||
|
||||
use function count;
|
||||
|
||||
/**
|
||||
* Phase 1 security boundary: a pure ROLE_CLIENT user is walled off from the
|
||||
* internal API but can reach its own client portal collection.
|
||||
*
|
||||
* @internal
|
||||
*/
|
||||
final class ClientTicketApiTest extends WebTestCase
|
||||
{
|
||||
public function testClientUserCannotListTasks(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'client-liot');
|
||||
|
||||
$client->request('GET', '/api/tasks');
|
||||
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
public function testClientUserCannotListProjects(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'client-liot');
|
||||
|
||||
$client->request('GET', '/api/projects');
|
||||
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
/**
|
||||
* Regression guard for the post-migration security review: internal
|
||||
* endpoints that were only behind IS_AUTHENTICATED_FULLY (or had no
|
||||
* security) must reject a pure ROLE_CLIENT.
|
||||
*/
|
||||
#[DataProvider('internalEndpointsForbiddenToClients')]
|
||||
public function testClientUserIsWalledOffFromInternalEndpoints(string $uri): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'client-liot');
|
||||
|
||||
$client->request('GET', $uri);
|
||||
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
/** @return iterable<string, array{string}> */
|
||||
public static function internalEndpointsForbiddenToClients(): iterable
|
||||
{
|
||||
yield 'users directory' => ['/api/users'];
|
||||
|
||||
yield 'smb share browse' => ['/api/share/browse'];
|
||||
|
||||
yield 'smb share status' => ['/api/share/status'];
|
||||
|
||||
yield 'bookstack links' => ['/api/tasks/1/bookstack/links'];
|
||||
}
|
||||
|
||||
public function testClientUserCanListOwnClientTickets(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'client-liot');
|
||||
|
||||
$client->request('GET', '/api/client_tickets');
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
$data = json_decode($client->getResponse()->getContent(), true);
|
||||
self::assertArrayHasKey('member', $data);
|
||||
self::assertNotEmpty($data['member']);
|
||||
// Tenancy invariant (robust to POST tests accumulating tickets in the
|
||||
// shared test DB): client-liot sees its own SIRH ticket but NEVER the
|
||||
// ticket submitted by another client (ACME, on the CRM project).
|
||||
$titles = array_column($data['member'], 'title');
|
||||
self::assertContains('Erreur lors de l\'export des congés', $titles);
|
||||
self::assertNotContains('Ajouter un filtre par commercial', $titles);
|
||||
}
|
||||
|
||||
public function testClientUserSeesOnlyOwnTickets(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'client-acme');
|
||||
|
||||
$client->request('GET', '/api/client_tickets');
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
$data = json_decode($client->getResponse()->getContent(), true);
|
||||
self::assertNotEmpty($data['member']);
|
||||
// Tenancy invariant: client-acme sees its own CRM ticket but NEVER the
|
||||
// ticket submitted by client-liot (on the SIRH project).
|
||||
$titles = array_column($data['member'], 'title');
|
||||
self::assertContains('Ajouter un filtre par commercial', $titles);
|
||||
self::assertNotContains('Erreur lors de l\'export des congés', $titles);
|
||||
}
|
||||
|
||||
public function testInternalUserCannotListClientTickets(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'alice');
|
||||
|
||||
$client->request('GET', '/api/client_tickets');
|
||||
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
public function testAdminCanListAllClientTickets(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$this->loginClient($client, 'admin');
|
||||
|
||||
$client->request('GET', '/api/client_tickets');
|
||||
|
||||
self::assertResponseIsSuccessful();
|
||||
$data = json_decode($client->getResponse()->getContent(), true);
|
||||
self::assertGreaterThanOrEqual(2, count($data['member']));
|
||||
}
|
||||
|
||||
public function testClientCanCreateTicketAndNumberIsGenerated(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
|
||||
$projectIri = $this->sirhProjectIri($em);
|
||||
$this->loginClient($client, 'client-liot');
|
||||
|
||||
$client->request('POST', '/api/client_tickets', server: [
|
||||
'CONTENT_TYPE' => 'application/ld+json',
|
||||
], content: json_encode([
|
||||
'type' => 'other',
|
||||
'title' => 'Demande de fonctionnalité',
|
||||
'description' => 'Une nouvelle option serait utile.',
|
||||
'project' => $projectIri,
|
||||
]));
|
||||
|
||||
self::assertResponseStatusCodeSame(201);
|
||||
$data = json_decode($client->getResponse()->getContent(), true);
|
||||
self::assertSame('new', $data['status']);
|
||||
self::assertGreaterThanOrEqual(1, $data['number']);
|
||||
}
|
||||
|
||||
public function testCreatingTicketNotifiesAdmins(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
|
||||
$projectIri = $this->sirhProjectIri($em);
|
||||
$this->loginClient($client, 'client-liot');
|
||||
|
||||
$title = 'Notif test '.uniqid('', true);
|
||||
$client->request('POST', '/api/client_tickets', server: [
|
||||
'CONTENT_TYPE' => 'application/ld+json',
|
||||
], content: json_encode([
|
||||
'type' => 'other',
|
||||
'title' => $title,
|
||||
'description' => 'Trigger an admin notification.',
|
||||
'project' => $projectIri,
|
||||
]));
|
||||
|
||||
self::assertResponseStatusCodeSame(201);
|
||||
$data = json_decode($client->getResponse()->getContent(), true);
|
||||
$ticketId = $data['id'];
|
||||
|
||||
$admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
|
||||
self::assertNotNull($admin);
|
||||
|
||||
$notification = $em->getRepository(Notification::class)->findOneBy([
|
||||
'user' => $admin,
|
||||
'type' => 'ticket_created',
|
||||
], ['createdAt' => 'DESC']);
|
||||
|
||||
self::assertInstanceOf(Notification::class, $notification);
|
||||
self::assertNotNull($notification->getRelatedTicket());
|
||||
self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
|
||||
}
|
||||
|
||||
public function testChangingStatusNotifiesSubmitter(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
|
||||
// Set up a fresh `new` ticket whose submitter is a known client user,
|
||||
// so we can assert the submitter is the notification recipient.
|
||||
$submitter = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
|
||||
self::assertNotNull($submitter);
|
||||
$project = $em->getRepository(Project::class)->findOneBy(['code' => 'SIRH']);
|
||||
self::assertNotNull($project);
|
||||
|
||||
$ticket = new ClientTicket();
|
||||
$ticket->setType(ClientTicketType::Other);
|
||||
$ticket->setTitle('Status notif '.uniqid('', true));
|
||||
$ticket->setDescription('Will be moved to in_progress.');
|
||||
$ticket->setProject($project);
|
||||
$ticket->setSubmittedBy($submitter);
|
||||
$ticket->setStatus(ClientTicketStatus::New);
|
||||
$ticket->setNumber(9000 + random_int(1, 999));
|
||||
$ticket->setCreatedAt(new DateTimeImmutable());
|
||||
$ticket->setUpdatedAt(new DateTimeImmutable());
|
||||
$em->persist($ticket);
|
||||
$em->flush();
|
||||
$ticketId = $ticket->getId();
|
||||
|
||||
// Admin moves it to in_progress.
|
||||
$this->loginClient($client, 'admin');
|
||||
$client->request('PATCH', '/api/client_tickets/'.$ticketId, server: [
|
||||
'CONTENT_TYPE' => 'application/merge-patch+json',
|
||||
], content: json_encode(['status' => 'in_progress']));
|
||||
self::assertResponseIsSuccessful();
|
||||
|
||||
$notification = $em->getRepository(Notification::class)->findOneBy([
|
||||
'user' => $submitter,
|
||||
'type' => 'ticket_status_changed',
|
||||
], ['createdAt' => 'DESC']);
|
||||
|
||||
self::assertInstanceOf(Notification::class, $notification);
|
||||
self::assertNotNull($notification->getRelatedTicket());
|
||||
self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
|
||||
}
|
||||
|
||||
public function testAdminCannotCreateTicket(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
|
||||
$projectIri = $this->sirhProjectIri($em);
|
||||
$this->loginClient($client, 'admin');
|
||||
|
||||
$client->request('POST', '/api/client_tickets', server: [
|
||||
'CONTENT_TYPE' => 'application/ld+json',
|
||||
], content: json_encode([
|
||||
'type' => 'other',
|
||||
'title' => 'Admin attempt',
|
||||
'description' => 'Should be forbidden.',
|
||||
'project' => $projectIri,
|
||||
]));
|
||||
|
||||
// Admin has no client, so ticket creation is denied.
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
public function testRejectingTicketRequiresStatusComment(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
$ticket = $em->getRepository(ClientTicket::class)
|
||||
->findOneBy(['status' => ClientTicketStatus::New])
|
||||
;
|
||||
self::assertNotNull($ticket);
|
||||
$id = $ticket->getId();
|
||||
|
||||
$this->loginClient($client, 'admin');
|
||||
|
||||
$client->request('PATCH', '/api/client_tickets/'.$id, server: [
|
||||
'CONTENT_TYPE' => 'application/merge-patch+json',
|
||||
], content: json_encode(['status' => 'rejected']));
|
||||
|
||||
self::assertResponseStatusCodeSame(422);
|
||||
}
|
||||
|
||||
private function sirhProjectIri(EntityManagerInterface $em): string
|
||||
{
|
||||
$project = $em->getRepository(Project::class)
|
||||
->findOneBy(['code' => 'SIRH'])
|
||||
;
|
||||
self::assertNotNull($project);
|
||||
|
||||
return '/api/projects/'.$project->getId();
|
||||
}
|
||||
|
||||
private function loginClient(KernelBrowser $client, string $username): void
|
||||
{
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
$user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
|
||||
self::assertInstanceOf(User::class, $user);
|
||||
$client->loginUser($user);
|
||||
}
|
||||
}
|
||||
@@ -6,14 +6,11 @@ namespace App\Tests\Unit\Shared\Doctrine;
|
||||
|
||||
use App\Shared\Application\CurrentUserProviderInterface;
|
||||
use App\Shared\Domain\Contract\BlamableInterface;
|
||||
use App\Shared\Domain\Contract\ClientInterface;
|
||||
use App\Shared\Domain\Contract\TimestampableInterface;
|
||||
use App\Shared\Domain\Contract\UserInterface;
|
||||
use App\Shared\Domain\Trait\TimestampableBlamableTrait;
|
||||
use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
|
||||
use DateTimeImmutable;
|
||||
use Doctrine\Common\Collections\ArrayCollection;
|
||||
use Doctrine\Common\Collections\Collection;
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use stdClass;
|
||||
|
||||
@@ -123,16 +120,6 @@ final class TimestampableBlamableSubscriberTest extends TestCase
|
||||
{
|
||||
return [];
|
||||
}
|
||||
|
||||
public function getClient(): ?ClientInterface
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
public function getAllowedProjects(): Collection
|
||||
{
|
||||
return new ArrayCollection();
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user