| Author | SHA1 | Date | |
|---|---|---|---|
| 79bd47266a | |||
| 8aa54c187b | |||
| b61574bad2 | |||
| b8fa1d168d | |||
| a2334789ae | |||
| fc18200d63 | |||
| 1ab2eeccca | |||
| 95befb776e | |||
| 2df7a218bc |
@@ -129,8 +129,9 @@ La librairie `@malio/layer-ui` fournit les composants de formulaire et d'action.
|
||||
## Déploiement (prod Docker)
|
||||
|
||||
- Script : `infra/prod/deploy.sh` (`./deploy.sh [tag]`) — doc complète : `doc/deployment-docker.md`
|
||||
- Étapes : maintenance → pull image → up → migrations → **`app:seed-rbac`** → **`app:sync-permissions`** → cache clear/warmup
|
||||
- Étapes : maintenance → pull image → up → migrations → **`app:seed-rbac`** → **`app:sync-permissions`** → **`app:assign-default-roles`** → cache clear/warmup
|
||||
- **RBAC** : les migrations créent les tables `role`/`permission` mais **n'insèrent aucune donnée**. Les rôles système (`admin`, `user`) viennent de `app:seed-rbac` (idempotent) et le catalogue des permissions de `app:sync-permissions` (à relancer à chaque ajout de permission). Symptôme si oubliées : page admin Rôles vide (« Aucun rôle trouvé »).
|
||||
- **Rattachement au rôle de base** : deux systèmes de rôles coexistent — le legacy `User::$roles` (`ROLE_USER`/`ROLE_ADMIN`, tableau Symfony) et le RBAC `User::$rbacRoles` (table `user_role`). **Aucun pont automatique** : `getEffectivePermissions()` ne lit que les `rbacRoles` + permissions directes. Un user doit donc être **explicitement rattaché** au rôle RBAC « user » pour hériter de ses permissions. C'est garanti automatiquement par `UserDefaultRoleListener` (prePersist, tout nouveau user) et `app:assign-default-roles` (backfill idempotent des users existants, lancé au déploiement). Symptôme si manquant : un non-admin avec des permissions sur le rôle « user » ne voit **rien** car son `effectivePermissions` reste `[]`. Les modifs de permissions d'un rôle sont **instantanées** côté backend (recalcul à chaque requête, sans cache) ; le frontend les reflète au prochain chargement de page (cache de session Pinia).
|
||||
|
||||
## Fixtures
|
||||
|
||||
|
||||
@@ -129,6 +129,10 @@ services:
|
||||
tags:
|
||||
- { name: doctrine.orm.entity_listener, entity: 'App\Module\ProjectManagement\Domain\Entity\Project', event: prePersist }
|
||||
|
||||
App\Module\Core\Infrastructure\EventListener\UserDefaultRoleListener:
|
||||
tags:
|
||||
- { name: doctrine.orm.entity_listener, entity: 'App\Module\Core\Domain\Entity\User', event: prePersist }
|
||||
|
||||
App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
|
||||
arguments:
|
||||
$uploadDir: '%task_document_upload_dir%'
|
||||
|
||||
+7
-3
@@ -38,12 +38,16 @@ return [
|
||||
],
|
||||
],
|
||||
[
|
||||
// Plus de gate de rôle au niveau section : chaque item porte sa propre
|
||||
// permission (RBAC fin), alignée sur la sécurité backend et les middlewares
|
||||
// de page. La section s'affiche dès qu'au moins un item est autorisé.
|
||||
'label' => 'sidebar.admin.section',
|
||||
'icon' => 'mdi:cog-outline',
|
||||
'roles' => ['ROLE_ADMIN'],
|
||||
'items' => [
|
||||
['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
|
||||
['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:card-account-details-outline', 'module' => 'directory'],
|
||||
// team-absences : le module Absence est encore gardé par ROLE_ADMIN côté
|
||||
// backend (pas de permission absence.* câblée) → on reste sur un gate de rôle.
|
||||
['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence', 'roles' => ['ROLE_ADMIN']],
|
||||
['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:card-account-details-outline', 'module' => 'directory', 'permission' => ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view']],
|
||||
['label' => 'sidebar.admin.reporting', 'to' => '/reporting', 'icon' => 'mdi:chart-line', 'module' => 'reporting', 'permission' => 'reporting.view'],
|
||||
['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
|
||||
],
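Review bot: With the section-level `'roles' => ['ROLE_ADMIN']` removed, any item later added to this section without a `permission` or `roles` key becomes visible to every authenticated user, because `SidebarFilter::permissionSatisfied()` treats an absent permission as satisfied; the four items in this hunk are each gated, so the change itself is sound. A one-line guard above `'items'`, e.g. `// Every item MUST carry 'permission' or 'roles': the section itself is no longer gated.`, or a unit test asserting every admin item declares one, would keep that invariant from eroding. The sidebar is a UI filter only; the route middleware and the backend `security` expressions have to remain the enforcement point.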
|
||||
|
||||
+1
-1
@@ -1,2 +1,2 @@
|
||||
parameters:
|
||||
app.version: '0.4.48'
|
||||
app.version: '0.4.51'
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
export default defineNuxtRouteMiddleware((to) => {
|
||||
const auth = useAuthStore()
|
||||
|
||||
if (!auth.isAuthenticated) {
|
||||
return navigateTo('/login')
|
||||
}
|
||||
|
||||
// Gate the route on the RBAC permission(s) declared via definePageMeta.
|
||||
// A string requires that single permission; an array requires ANY of them.
|
||||
// ROLE_ADMIN bypasses everything through usePermissions().can().
|
||||
const required = to.meta.permission
|
||||
|
||||
if (required === undefined) {
|
||||
return
|
||||
}
|
||||
|
||||
const { canAny } = usePermissions()
|
||||
const codes = Array.isArray(required) ? required : [required]
|
||||
|
||||
if (!canAny(codes)) {
|
||||
return navigateTo('/')
|
||||
}
|
||||
})
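Review bot: `canAny(codes)` at the bottom receives an empty array when a page declares `permission: []`, and the result then depends on how `usePermissions()` (not in this change) handles an empty list; an "any element matches" implementation yields false and bounces the user to `/`, which is the safe outcome, but it should be pinned rather than assumed. An explicit guard before the call, `if (codes.length === 0) { return navigateTo('/') }`, with a comment that an empty list is a misconfiguration rather than an open gate, makes the fail-closed behaviour independent of that helper. The header comment should also say this middleware is a navigation convenience only: the authoritative check has to be the backend `security` expression on each resource, so a client that skips the SPA still gets nothing.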
|
||||
+16
@@ -0,0 +1,16 @@
|
||||
// Augments Nuxt page meta with the RBAC permission gate consumed by the
|
||||
// `permission` route middleware. A string requires that single permission;
|
||||
// an array requires ANY of the listed permissions.
|
||||
declare module '#app' {
|
||||
interface PageMeta {
|
||||
permission?: string | string[]
|
||||
}
|
||||
}
|
||||
|
||||
declare module 'vue-router' {
|
||||
interface RouteMeta {
|
||||
permission?: string | string[]
|
||||
}
|
||||
}
|
||||
|
||||
export {}
|
||||
@@ -136,7 +136,7 @@ import type { Client } from '~/modules/directory/services/dto/client'
|
||||
import { useClientService } from '~/modules/directory/services/clients'
|
||||
import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'directory.clients.view' })
|
||||
|
||||
const route = useRoute()
|
||||
const router = useRouter()
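Review bot: Replacing the `admin` middleware with `permission: 'directory.clients.view'` widens who can load this page from `ROLE_ADMIN` to any holder of the view permission, while the page still imports `useClientService` a few lines above, whose create/update calls are presumably gated server-side by a different permission. The backend security for the client resource is not part of this diff, so confirm that a view-only user receives a 403 on mutations instead of relying on the page hiding buttons. A short `// NOTE: view gate only — write actions rely on the API's own security expression` above `definePageMeta` would document that split.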
|
||||
|
||||
@@ -210,7 +210,7 @@ import type { Prestataire } from '~/modules/directory/services/dto/prestataire'
|
||||
import { usePrestataireService } from '~/modules/directory/services/prestataires'
|
||||
import { readHistoryTab, stampHistoryTab } from '~/utils/historyTab'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view'] })
|
||||
|
||||
type ProspectRow = Prospect
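Review bot: The any-of gate `['directory.clients.view', 'directory.prospects.view', 'directory.providers.view']` admits a user holding only one of the three, yet the page (going by the `usePrestataireService` import and the `ProspectRow` alias) appears to load several directory collections at once. Unless each fetch tolerates a 403 for the collections that user cannot view, a partially-permitted user will see errors or an empty page. Worth confirming and, if so, either fetching each collection behind `can('directory.<x>.view')` or stating in a comment next to `definePageMeta` that the page degrades per collection.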
|
||||
|
||||
|
||||
@@ -136,7 +136,7 @@ import type { Prestataire } from '~/modules/directory/services/dto/prestataire'
|
||||
import { usePrestataireService } from '~/modules/directory/services/prestataires'
|
||||
import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'directory.providers.view' })
|
||||
|
||||
const route = useRoute()
|
||||
const router = useRouter()
|
||||
|
||||
@@ -158,7 +158,7 @@ import type { Prospect, ProspectStatus } from '~/modules/directory/services/dto/
|
||||
import { useProspectService } from '~/modules/directory/services/prospects'
|
||||
import { isValidEmail, isValidFrPhone, isValidUrl } from '~/modules/directory/utils/validation'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'directory.prospects.view' })
|
||||
|
||||
const route = useRoute()
|
||||
const router = useRouter()
|
||||
|
||||
@@ -206,7 +206,7 @@ import type { UserData } from '~/services/dto/user-data'
|
||||
import { useProjectService } from '~/modules/project-management/services/projects'
|
||||
import { useUserService } from '~/services/users'
|
||||
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'reporting.view' })
|
||||
|
||||
const { t } = useI18n()
|
||||
useHead({ title: t('reporting.title') })
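Review bot: The page is now reachable with `reporting.view` alone, but it imports `useUserService` and `useProjectService` two lines above, so the reporting views depend on the user and project endpoints also accepting `reporting.view` holders. If those endpoints are still `is_granted('ROLE_ADMIN')` on the backend (not visible here), a non-admin with `reporting.view` passes the route gate and then hits 403s. Please confirm the matching backend `security` expressions and record the dependency in a comment such as `// requires read access to /users and /projects for the same audience`.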
|
||||
|
||||
@@ -40,7 +40,7 @@
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
definePageMeta({ middleware: ['admin'] })
|
||||
definePageMeta({ middleware: ['permission'], permission: 'core.users.view' })
|
||||
useHead({ title: 'Administration' })
|
||||
|
||||
const { can } = usePermissions()
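Review bot: Gating `/admin` on the single permission `core.users.view` means a user who holds only another admin-area permission (the page branches on `can()` right below) is redirected away from the route even when it would render a section for them. If the page hosts more than user management, the gate should be the any-of list of the permissions it actually checks, e.g. `permission: ['core.users.view', /* the other core.* view codes used below */]`, mirroring the directory index page. If `core.users.view` is deliberately the entry ticket for the whole admin area, say so in a comment above `definePageMeta`.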
|
||||
|
||||
@@ -33,6 +33,9 @@ sudo docker compose exec -T -u www-data app php bin/console app:seed-rbac
|
||||
echo "==> Syncing RBAC permissions catalog..."
|
||||
sudo docker compose exec -T -u www-data app php bin/console app:sync-permissions
|
||||
|
||||
echo "==> Assigning base RBAC role 'user' to users missing it (idempotent)..."
|
||||
sudo docker compose exec -T -u www-data app php bin/console app:assign-default-roles
|
||||
|
||||
echo "==> Clearing cache..."
|
||||
sudo docker compose exec -T -u www-data app php bin/console cache:clear --env=prod
|
||||
sudo docker compose exec -T -u www-data app php bin/console cache:warmup --env=prod
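Review bot: The new `app:assign-default-roles` step, like the two before it, has no explicit exit-status handling; unless the script enables `set -euo pipefail` above this hunk (not visible), a failure here is followed by cache warmup and the deploy reports success while existing users keep an empty permission set. If strict mode is not on, append `|| { echo "assign-default-roles failed" >&2; exit 1; }` to that `exec` line or add `set -e` at the top. Note also that the command prints a success line even when the `user` role was never seeded (its backfill returns 0 in that case), so the log line alone is not proof the backfill did anything.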
|
||||
|
||||
@@ -45,6 +45,11 @@ class AppFixtures extends Fixture
|
||||
|
||||
public function load(ObjectManager $manager): void
|
||||
{
|
||||
// Seed des rôles système RBAC (admin, user) AVANT toute création d'utilisateur :
|
||||
// UserDefaultRoleListener (prePersist) rattache le rôle « user » à chaque user,
|
||||
// le rôle doit donc déjà exister en base au moment du persist().
|
||||
$this->rbacSeeder->ensureSystemRoles();
|
||||
|
||||
// Users
|
||||
$admin = new User();
|
||||
$admin->setUsername('admin');
|
||||
@@ -826,9 +831,5 @@ class AppFixtures extends Fixture
|
||||
$manager->persist($pendingMarriage);
|
||||
|
||||
$manager->flush();
|
||||
|
||||
// Seed des rôles système RBAC (admin, user). Idempotent ; aucune matrice
|
||||
// métier attachée (cf. Décision 4 : les modules métier arrivent en 2.x).
|
||||
$this->rbacSeeder->ensureSystemRoles();
|
||||
}
|
||||
}
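Review bot: The ordering comment above `ensureSystemRoles()` is the only thing preventing a silent regression: `DefaultUserRoleAssigner::ensureDefaultRole()` returns without error when the `user` role is not found, so if someone later moves the seed call back below the user creation, fixtures still load but every fixture user ends up with no RBAC role and no effective permissions. A defensive check right after the seed call, e.g. `if (null === $this->roles->findByCode(SystemRoles::USER_CODE)) { throw new \LogicException('RBAC system roles must exist before users are created'); }` (injecting the role repository if the fixture does not have it), or an assertion in a fixture test, would turn that into a loud failure. The second hunk only removes the old trailing call, so this is otherwise a pure move.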
|
||||
|
||||
@@ -0,0 +1,76 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Module\Core\Application\Rbac;
|
||||
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
|
||||
use App\Module\Core\Domain\Security\SystemRoles;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
|
||||
use function count;
|
||||
|
||||
/**
|
||||
* Garantit que chaque utilisateur porte le rôle RBAC de base « user ».
|
||||
*
|
||||
* Le rôle « user » est le socle commun : il porte les permissions par défaut
|
||||
* des non-admins. Sans rattachement explicite dans user_role,
|
||||
* User::getEffectivePermissions() reste vide — le ROLE_USER legacy n'a aucun
|
||||
* lien avec le rôle RBAC « user ».
|
||||
*/
|
||||
final readonly class DefaultUserRoleAssigner
|
||||
{
|
||||
public function __construct(
|
||||
private RoleRepositoryInterface $roles,
|
||||
private EntityManagerInterface $em,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* Ajoute le rôle « user » à l'utilisateur s'il ne l'a pas déjà.
|
||||
* Ne flush pas : appelé en prePersist (création) ou par le backfill.
|
||||
*/
|
||||
public function ensureDefaultRole(User $user): void
|
||||
{
|
||||
$userRole = $this->roles->findByCode(SystemRoles::USER_CODE);
|
||||
if (null === $userRole) {
|
||||
// Rôle non seedé : dégradation gracieuse, on ne bloque pas la création.
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ($user->getRbacRoles() as $role) {
|
||||
if (SystemRoles::USER_CODE === $role->getCode()) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
$user->addRbacRole($userRole);
|
||||
}
|
||||
|
||||
/**
|
||||
* Rattache le rôle « user » à tous les utilisateurs qui ne l'ont pas.
|
||||
* Idempotent. Retourne le nombre d'utilisateurs modifiés.
|
||||
*/
|
||||
public function backfill(): int
|
||||
{
|
||||
$userRole = $this->roles->findByCode(SystemRoles::USER_CODE);
|
||||
if (null === $userRole) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** @var list<User> $users */
|
||||
$users = $this->em
|
||||
->createQuery('SELECT u FROM '.User::class.' u WHERE :role NOT MEMBER OF u.rbacRoles')
|
||||
->setParameter('role', $userRole)
|
||||
->getResult()
|
||||
;
|
||||
|
||||
foreach ($users as $user) {
|
||||
$user->addRbacRole($userRole);
|
||||
}
|
||||
|
||||
$this->em->flush();
|
||||
|
||||
return count($users);
|
||||
}
|
||||
}
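Review bot: `backfill()` returns 0 both when every user already holds the `user` role and when the role does not exist at all (the early `return 0;` after `findByCode`), so `app:assign-default-roles` reports success on a database where `app:seed-rbac` never ran, and existing users silently keep an empty `getEffectivePermissions()`. Since the deploy script runs this immediately after seeding, the missing-role case should fail loudly: replace that early return with `throw new \RuntimeException(sprintf('RBAC role "%s" is not seeded; run app:seed-rbac first.', SystemRoles::USER_CODE));`. The no-op in `ensureDefaultRole()` is defensible for prePersist, but its docblock should say the user is then created with zero permissions rather than calling it graceful. The DQL loads every affected user entity before a single `flush()`, which is fine for a one-off backfill but deserves a comment for anyone who reuses it on a large table.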
|
||||
@@ -0,0 +1,35 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Module\Core\Infrastructure\Console;
|
||||
|
||||
use App\Module\Core\Application\Rbac\DefaultUserRoleAssigner;
|
||||
use Symfony\Component\Console\Attribute\AsCommand;
|
||||
use Symfony\Component\Console\Command\Command;
|
||||
use Symfony\Component\Console\Input\InputInterface;
|
||||
use Symfony\Component\Console\Output\OutputInterface;
|
||||
use Symfony\Component\Console\Style\SymfonyStyle;
|
||||
|
||||
use function sprintf;
|
||||
|
||||
#[AsCommand(
|
||||
name: 'app:assign-default-roles',
|
||||
description: 'Rattache le rôle RBAC de base « user » à tous les utilisateurs qui ne l\'ont pas.',
|
||||
)]
|
||||
final class AssignDefaultRolesCommand extends Command
|
||||
{
|
||||
public function __construct(private readonly DefaultUserRoleAssigner $assigner)
|
||||
{
|
||||
parent::__construct();
|
||||
}
|
||||
|
||||
protected function execute(InputInterface $input, OutputInterface $output): int
|
||||
{
|
||||
$io = new SymfonyStyle($input, $output);
|
||||
$count = $this->assigner->backfill();
|
||||
$io->success(sprintf('%d utilisateur(s) rattaché(s) au rôle « user ».', $count));
|
||||
|
||||
return Command::SUCCESS;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,26 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Module\Core\Infrastructure\EventListener;
|
||||
|
||||
use App\Module\Core\Application\Rbac\DefaultUserRoleAssigner;
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use Doctrine\ORM\Event\PrePersistEventArgs;
|
||||
|
||||
/**
|
||||
* Assigne le rôle RBAC de base « user » à tout nouvel utilisateur qui n'en a pas,
|
||||
* quel que soit le chemin de persistance (API Platform, fixtures, MCP).
|
||||
*
|
||||
* Sans ça, un user créé n'est rattaché à aucun rôle RBAC et ses permissions
|
||||
* effectives restent vides, peu importe les permissions portées par le rôle.
|
||||
*/
|
||||
final readonly class UserDefaultRoleListener
|
||||
{
|
||||
public function __construct(private DefaultUserRoleAssigner $assigner) {}
|
||||
|
||||
public function prePersist(User $user, PrePersistEventArgs $args): void
|
||||
{
|
||||
$this->assigner->ensureDefaultRole($user);
|
||||
}
|
||||
}
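Review bot: The class docblock should state that this is a creation-time guarantee only: prePersist does not fire on updates, so a user whose `rbacRoles` are later emptied (for instance through the admin role UI) keeps no base role until the next `app:assign-default-roles` run. Suggested addition to the docblock: `Only enforced at creation (prePersist); removing the role afterwards is not reverted — app:assign-default-roles is the periodic safety net.` The unused `$args` parameter is presumably kept for Doctrine's (entity, event args) calling convention and is fine as is.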
|
||||
@@ -15,7 +15,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
|
||||
uriTemplate: '/bookstack/shelves',
|
||||
normalizationContext: ['groups' => ['bookstack_shelf:read']],
|
||||
provider: BookStackShelfProvider::class,
|
||||
security: "is_granted('ROLE_ADMIN')",
|
||||
// Liste toutes les étagères visibles par le token BookStack global :
|
||||
// réservé à qui configure un projet (ProjectDrawer), pas à tout user.
|
||||
security: "is_granted('project-management.projects.manage')",
|
||||
),
|
||||
],
|
||||
)]
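Review bot: Switching from `is_granted('ROLE_ADMIN')` to `is_granted('project-management.projects.manage')` relies on a security voter that resolves bare permission codes, and that voter is not in this diff; under Symfony's default `allow_if_all_abstain: false` an unknown code (say, before `app:sync-permissions` has run) is denied, which is the safe direction, but confirm the voter also honours the `ROLE_ADMIN` bypass the frontend comment assumes, or admins lose this endpoint. The inline comment should additionally spell out the disclosure trade-off: the response lists every shelf the global BookStack token can see, so any holder of `projects.manage` gets the full catalogue regardless of which projects they manage. The same note applies to the Gitea repositories endpoint in the next file section.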
|
||||
|
||||
@@ -15,7 +15,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
|
||||
uriTemplate: '/gitea/repositories',
|
||||
normalizationContext: ['groups' => ['gitea_repo:read']],
|
||||
provider: GiteaRepositoryProvider::class,
|
||||
security: "is_granted('ROLE_ADMIN')",
|
||||
// Liste l'intégralité des dépôts visibles par le token Gitea global :
|
||||
// réservé à qui configure un projet (ProjectDrawer), pas à tout user.
|
||||
security: "is_granted('project-management.projects.manage')",
|
||||
),
|
||||
],
|
||||
)]
|
||||
|
||||
@@ -7,10 +7,10 @@ namespace App\Shared\Domain\Sidebar;
|
||||
final class SidebarFilter
|
||||
{
|
||||
/**
|
||||
* @param list<array{label:string, icon:string, roles?:list<string>, permission?:string, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>, permission?:string}>}> $sections
|
||||
* @param list<string> $activeModuleIds
|
||||
* @param list<string> $activeRoles
|
||||
* @param list<string> $activePermissions
|
||||
* @param list<array{label:string, icon:string, roles?:list<string>, permission?:list<string>|string, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>, permission?:list<string>|string}>}> $sections
|
||||
* @param list<string> $activeModuleIds
|
||||
* @param list<string> $activeRoles
|
||||
* @param list<string> $activePermissions
|
||||
*
|
||||
* @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
|
||||
*/
|
||||
@@ -81,14 +81,21 @@ final class SidebarFilter
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $activePermissions
|
||||
* @param null|list<string>|string $required une permission (string) ou un ensemble (any)
|
||||
* @param list<string> $activePermissions
|
||||
*/
|
||||
private static function permissionSatisfied(?string $required, array $activePermissions): bool
|
||||
private static function permissionSatisfied(array|string|null $required, array $activePermissions): bool
|
||||
{
|
||||
if (null === $required || '' === $required) {
|
||||
if (null === $required || '' === $required || [] === $required) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return in_array($required, $activePermissions, true);
|
||||
foreach ((array) $required as $code) {
|
||||
if (in_array($code, $activePermissions, true)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
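Review bot: `permissionSatisfied()` now returns true for `[] === $required`, so an item or section configured with `'permission' => []` is shown to everyone, whereas the new frontend `permission` route middleware hands the same empty list to `canAny()` and would, presumably, deny. An empty list is a configuration mistake rather than "no gate", so fail closed: keep `if (null === $required || '' === $required) { return true; }` and add `if ([] === $required) { return false; }` before the loop. The `@param` line for `$required` should then say that an empty set hides the item.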
|
||||
|
||||
@@ -0,0 +1,58 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Functional\Module\Core;
|
||||
|
||||
use App\Module\Core\Application\Rbac\RbacSeeder;
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\Core\Domain\Security\SystemRoles;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use Symfony\Bundle\FrameworkBundle\Console\Application;
|
||||
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
|
||||
use Symfony\Component\Console\Tester\CommandTester;
|
||||
|
||||
use function array_map;
|
||||
use function uniqid;
|
||||
|
||||
/**
|
||||
* @internal
|
||||
*/
|
||||
final class AssignDefaultRolesCommandTest extends KernelTestCase
|
||||
{
|
||||
public function testBackfillLinksUsersMissingTheUserRole(): void
|
||||
{
|
||||
$kernel = self::bootKernel();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
self::getContainer()->get(RbacSeeder::class)->ensureSystemRoles();
|
||||
|
||||
// Crée un user puis simule l'état « legacy » (aucun rôle RBAC) en retirant
|
||||
// le rôle « user » auto-assigné à la création.
|
||||
$user = new User();
|
||||
$user->setUsername('backfill-'.uniqid());
|
||||
$user->setPassword('x');
|
||||
$em->persist($user);
|
||||
$em->flush();
|
||||
foreach ($user->getRbacRoles()->toArray() as $role) {
|
||||
$user->removeRbacRole($role);
|
||||
}
|
||||
$em->flush();
|
||||
$id = $user->getId();
|
||||
$em->clear();
|
||||
|
||||
$before = $em->getRepository(User::class)->find($id);
|
||||
self::assertInstanceOf(User::class, $before);
|
||||
self::assertCount(0, $before->getRbacRoles(), 'Précondition : le user ne doit avoir aucun rôle RBAC.');
|
||||
$em->clear();
|
||||
|
||||
$tester = new CommandTester(new Application($kernel)->find('app:assign-default-roles'));
|
||||
$tester->execute([]);
|
||||
$tester->assertCommandIsSuccessful();
|
||||
|
||||
$em->clear();
|
||||
$after = $em->getRepository(User::class)->find($id);
|
||||
self::assertInstanceOf(User::class, $after);
|
||||
$codes = array_map(static fn ($role) => $role->getCode(), $after->getRbacRoles()->toArray());
|
||||
self::assertContains(SystemRoles::USER_CODE, $codes, 'Le backfill doit rattacher le rôle « user ».');
|
||||
}
|
||||
}
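Review bot: `new Application($kernel)->find(...)` without parentheses around the `new` expression is PHP 8.4 syntax; if the project's platform constraint is lower this file fails to parse (the `final readonly class` used elsewhere only proves 8.2+), so either write `(new Application($kernel))->find('app:assign-default-roles')` or confirm the `php` requirement. The test also proves only the positive path: running `$tester->execute([])` a second time and asserting `self::assertCount(1, $after->getRbacRoles())` would pin the idempotence the command description promises. The persisted user is never removed, so unless the suite wraps each test in a transaction (not visible here) these rows accumulate in the test database.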
|
||||
@@ -0,0 +1,45 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Functional\Module\Core;
|
||||
|
||||
use App\Module\Core\Application\Rbac\RbacSeeder;
|
||||
use App\Module\Core\Domain\Entity\User;
|
||||
use App\Module\Core\Domain\Security\SystemRoles;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
|
||||
|
||||
use function array_map;
|
||||
use function uniqid;
|
||||
|
||||
/**
|
||||
* @internal
|
||||
*/
|
||||
final class UserDefaultRoleListenerTest extends KernelTestCase
|
||||
{
|
||||
public function testNewUserReceivesDefaultUserRole(): void
|
||||
{
|
||||
$kernel = self::bootKernel();
|
||||
$em = self::getContainer()->get(EntityManagerInterface::class);
|
||||
self::getContainer()->get(RbacSeeder::class)->ensureSystemRoles();
|
||||
|
||||
$user = new User();
|
||||
$user->setUsername('listener-'.uniqid());
|
||||
$user->setPassword('x');
|
||||
$em->persist($user);
|
||||
$em->flush();
|
||||
$id = $user->getId();
|
||||
|
||||
$em->clear();
|
||||
$reloaded = $em->getRepository(User::class)->find($id);
|
||||
self::assertInstanceOf(User::class, $reloaded);
|
||||
|
||||
$codes = array_map(static fn ($role) => $role->getCode(), $reloaded->getRbacRoles()->toArray());
|
||||
self::assertContains(
|
||||
SystemRoles::USER_CODE,
|
||||
$codes,
|
||||
'Un utilisateur fraîchement créé doit être rattaché au rôle RBAC de base « user ».',
|
||||
);
|
||||
}
|
||||
}
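Review bot: The assertion only checks that `SystemRoles::USER_CODE` appears among the codes; tightening it to `self::assertCount(1, $reloaded->getRbacRoles(), 'A fresh user should carry only the base role.');` would also catch the listener attaching the role twice or the seeder attaching extra roles. A second case that gives the user the `user` role explicitly before `persist()` (role fetched from the repository, then `$user->addRbacRole($userRole)`) would exercise the early-return branch of `ensureDefaultRole()`, which is otherwise untested. As with the command test, the created user is left in the database.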
|
||||
@@ -127,4 +127,33 @@ final class SidebarFilterTest extends TestCase
|
||||
$out = SidebarFilter::filter($sections, [], [], ['core.users.view']);
|
||||
self::assertCount(1, $out['sections'][0]['items']);
|
||||
}
|
||||
|
||||
public function testItemWithPermissionArrayIsVisibleWhenAnyGranted(): void
|
||||
{
|
||||
$sections = [[
|
||||
'label' => 's', 'icon' => 'i',
|
||||
'items' => [[
|
||||
'label' => 'a', 'to' => '/a', 'icon' => 'i',
|
||||
'permission' => ['directory.clients.view', 'directory.prospects.view', 'directory.providers.view'],
|
||||
]],
|
||||
]];
|
||||
|
||||
// L'utilisateur ne détient qu'une des permissions listées => item visible (any).
|
||||
$out = SidebarFilter::filter($sections, [], [], ['directory.prospects.view']);
|
||||
self::assertCount(1, $out['sections'][0]['items']);
|
||||
}
|
||||
|
||||
public function testItemWithPermissionArrayIsHiddenWhenNoneGranted(): void
|
||||
{
|
||||
$sections = [[
|
||||
'label' => 's', 'icon' => 'i',
|
||||
'items' => [[
|
||||
'label' => 'a', 'to' => '/a', 'icon' => 'i',
|
||||
'permission' => ['directory.clients.view', 'directory.prospects.view'],
|
||||
]],
|
||||
]];
|
||||
|
||||
$out = SidebarFilter::filter($sections, [], [], ['reporting.view']);
|
||||
self::assertSame([], $out['sections']);
|
||||
}
|
||||
}
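Review bot: The two new cases cover "any granted" and "none granted" but not `'permission' => []`, which `permissionSatisfied()` currently treats as no gate (item shown to everyone); whichever behaviour is intended should be pinned here, e.g. `testItemWithEmptyPermissionArrayIsHidden` (or `…IsVisible`) calling `SidebarFilter::filter($sections, [], [], [])` and asserting `[]` or one item. The test method the hunk opens with (`$out = SidebarFilter::filter(...)` at the top) starts outside the hunk. A `#[DataProvider]` would let the three array cases share one test body.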
|
||||
|
||||