feat(core) : add rbac role and permission entities with user relations

src/Module/Core/Domain/Entity/User.php

@@ -17,6 +17,8 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
@@ -135,9 +137,27 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     #[Groups(['me:read', 'user:list', 'user:write'])]
     private float $initialLeaveBalance = 0.0;
 
+    /**
+     * @var Collection<int, Role>
+     */
+    #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_role')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $rbacRoles;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_permission')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $directPermissions;
+
     public function __construct()
     {
-        $this->createdAt = new DateTimeImmutable();
+        $this->createdAt         = new DateTimeImmutable();
+        $this->rbacRoles         = new ArrayCollection();
+        $this->directPermissions = new ArrayCollection();
     }
 
     public function getId(): ?int
@@ -373,4 +393,67 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
 
         return $this;
     }
+
+    /**
+     * @return Collection<int, Role>
+     */
+    public function getRbacRoles(): Collection
+    {
+        return $this->rbacRoles;
+    }
+
+    public function addRbacRole(Role $role): void
+    {
+        if (!$this->rbacRoles->contains($role)) {
+            $this->rbacRoles->add($role);
+        }
+    }
+
+    public function removeRbacRole(Role $role): void
+    {
+        $this->rbacRoles->removeElement($role);
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getDirectPermissions(): Collection
+    {
+        return $this->directPermissions;
+    }
+
+    public function addDirectPermission(Permission $permission): void
+    {
+        if (!$this->directPermissions->contains($permission)) {
+            $this->directPermissions->add($permission);
+        }
+    }
+
+    public function removeDirectPermission(Permission $permission): void
+    {
+        $this->directPermissions->removeElement($permission);
+    }
+
+    /**
+     * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
+     *
+     * @return list<string>
+     */
+    #[Groups(['me:read', 'user:rbac:read'])]
+    public function getEffectivePermissions(): array
+    {
+        $codes = [];
+        foreach ($this->rbacRoles as $role) {
+            foreach ($role->getPermissions() as $permission) {
+                $codes[$permission->getCode()] = true;
+            }
+        }
+        foreach ($this->directPermissions as $permission) {
+            $codes[$permission->getCode()] = true;
+        }
+        $keys = array_keys($codes);
+        sort($keys);
+
+        return $keys;
+    }
 }