From a547fd38c23d0581d167970ae94b6b7abf9dd387 Mon Sep 17 00:00:00 2001
From: Matthieu
Date: Sun, 21 Jun 2026 19:33:13 +0200
Subject: [PATCH] test(client-portal) : regression guard for ROLE_CLIENT endpoint isolation

Data-provided test asserting a pure ROLE_CLIENT gets 403 on the internal endpoints hardened after the review (/api/users, /api/share/browse, /api/share/status, bookstack links), so the fixes can't silently regress.
---
 .../ClientPortal/ClientTicketApiTest.php | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
index 12f08d3..7ae3cb7 100644
--- a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
+++ b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
@@ -12,6 +12,7 @@ use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
+use PHPUnit\Framework\Attributes\DataProvider;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
@@ -45,6 +46,34 @@ final class ClientTicketApiTest extends WebTestCase
         self::assertResponseStatusCodeSame(403);
     }
+    /**
+     * Regression guard for the post-migration security review: internal
+     * endpoints that were only behind IS_AUTHENTICATED_FULLY (or had no
+     * security) must reject a pure ROLE_CLIENT.
+     */
+    #[DataProvider('internalEndpointsForbiddenToClients')]
+    public function testClientUserIsWalledOffFromInternalEndpoints(string $uri): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', $uri);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    /** @return iterable */
+    public static function internalEndpointsForbiddenToClients(): iterable
+    {
+        yield 'users directory' => ['/api/users'];
+
+        yield 'smb share browse' => ['/api/share/browse'];
+
+        yield 'smb share status' => ['/api/share/status'];
+
+        yield 'bookstack links' => ['/api/tasks/1/bookstack/links'];
+    }
+    public function testClientUserCanListOwnClientTickets(): void
+    {
+        $client = self::createClient();
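Review bot: testClientUserIsWalledOffFromInternalEndpoints pins only the negative half of the isolation: an access rule or attribute that now denies every role (or a firewall change returning 403 to all authenticated users) keeps the four URIs at 403 and the guard green, so it cannot distinguish "clients are walled off" from "the endpoint is walled off for everyone". A positive counterpart that reuses internalEndpointsForbiddenToClients with an internal-role fixture and asserts the status is anything but 403 would make the guard discriminating; the sketch below assumes loginClient accepts such a fixture, which this hunk does not show. The provider also probes only GET, so if the hardening was applied per controller action rather than per path prefix, other verbs on these routes stay uncovered and a second provider column carrying the method would close that gap. Separately, `/api/tasks/1/bookstack/links` hard-codes a task id: if authorization is evaluated after the task is resolved, a missing fixture turns the expected 403 into a 404 and the test fails for an unrelated reason, so a short comment naming the fixture this relies on (or that denial is route-level) would help, and `/** @return iterable */` reads better for static analysis as `/** @return iterable<string, array{string}> */` unless the generic was simply lost in rendering. The enclosing class ClientTicketApiTest and the loginClient helper are defined outside this hunk.
```php
    #[DataProvider('internalEndpointsForbiddenToClients')]
    public function testInternalUserStillReachesInternalEndpoints(string $uri): void
    {
        $client = self::createClient();
        // '<INTERNAL_USER_FIXTURE>' is a placeholder: substitute a fixture carrying an internal role.
        $this->loginClient($client, '<INTERNAL_USER_FIXTURE>');

        $client->request('GET', $uri);

        // Any status but 403 proves the rule discriminates by role instead of denying everyone.
        self::assertNotSame(403, $client->getResponse()->getStatusCode());
    }
```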