fix(rbac) : gate les listes Gitea/BookStack par projects.manage (et non ROLE_USER)

Suite à la revue de sécurité : ROLE_ADMIN était trop strict (les ressources
sœurs sont en ROLE_USER) mais ROLE_USER brut est trop permissif — ces endpoints
listent TOUS les dépôts/étagères visibles par le token d'intégration global, sans
filtrage par utilisateur. Comme ils ne sont consommés que par le ProjectDrawer
(configuration du dépôt/étagère d'un projet), on les gate sur la permission métier
project-management.projects.manage. Les admins conservent l'accès via le bypass
ROLE_ADMIN du PermissionVoter.

config/version.yaml

@@ -1,2 +1,2 @@
 parameters:
-    app.version: '0.4.54'
+    app.version: '0.4.49'

docs/mail-integration.md

@@ -23,14 +23,10 @@
 > 7. 139 connexions IMAP (une/dossier) → throttling OVH → réutilisation d'1 connexion (`closeConnection()` sur l'interface) + reconnexion ciblée après dossier en erreur.
 > - Contrat front/back réaligné dans `frontend/services/mail.ts` (route `/mail/folders/{path}/messages`, mapping `messages→items`, `fromAddress→fromEmail`, détail plat→imbriqué).
 >
-> ### Bugs corrigés 2026-06-29 (spam GlitchTip `syncFolder[...] listMessages failed: Folder ... not found`)
-> Deux causes racines, ~170 erreurs/cycle (toutes les 10 min) sur la prod :
-> 1. **Double-encodage UTF7-IMAP** : `listFolders()` stocke `$folder->path` = nom **brut UTF7-IMAP** (webklex `Folder::$path`). `ImapMailProvider` appelait ensuite `$client->getFolder($path)` qui ré-encode UTF8→UTF7-IMAP (`Client::getFolderByPath`, `$utf7=false`) → le `&` (shift UTF7) est ré-encodé → dossiers à accents/specials introuvables. **Fix** : `getFolder($path, null, utf7: true)` partout dans `ImapMailProvider` (les paths sont déjà UTF7-IMAP). Résout les ~7 dossiers à encodage spécial qui étaient « skippés ».
-> 2. **Dossiers fantômes jamais purgés** : `syncFolderStructure()` gardait en DB les dossiers disparus du serveur (Trash vidé, dossiers RH supprimés) → re-tentés à chaque cycle → `listMessages` → "not found" → log error en boucle. **Fix** : `syncFolderStructure()` retourne le set des chemins **présents sur le serveur** ; `doSyncAll()` skip silencieusement les dossiers DB absents de ce set (gardés en DB pour les liens messages/tâches, mais plus synchronisés). Si `listFolders` échoue (retour `null`), fallback = sync de tous les dossiers connus (comportement historique).
->
 > ### Points en suspens / à savoir
 > - **Mise à jour auto** = cron OS lançant `make mail-sync` toutes les 10 min (cf `docs/mail-cron-setup.md`). **Pas configuré en dev** — lancer à la main.
 > - **Bouton "Actualiser"** : dispatch async Messenger (`MailSyncRequested → async`). Sans worker `messenger:consume async` qui tourne, les demandes s'empilent sans s'exécuter. En prod : supervisor. En dev : lancer un worker.
+> - **~7 dossiers/139** à encodage spécial (ex: `INBOX/RH/.../SÉBASTIEN` en UTF7-modifié) ou réponses vides sont skippés proprement et réessayés au cycle suivant. Edge case webklex non bloquant.
 > - **Dépendance** : `webklex/php-imap ^6.2` tire des paquets Laravel (`illuminate/*` via `carbon ^3`) dans ce projet Symfony — fonctionnel mais à valider en review.
 > - 6 PHPUnit Notices (mocks sans expectations) non bloquantes.
 >

frontend/app/layouts/default.vue

@@ -60,16 +60,13 @@ const { sections } = useSidebar()
 
 const isEmployee = computed(() => Boolean(auth.user?.isEmployee))
 
-const { can } = usePermissions()
+const isMailVisible = computed(() => {
-
+    const roles: string[] = auth.user?.roles ?? []
-// L'onglet Messagerie est rendu côté layout (hors sidebar backend) : il faut donc
+    return roles.includes('ROLE_USER') || roles.includes('ROLE_ADMIN')
-// reproduire ici le gate de permission. ROLE_ADMIN bypasse via can().
+})
-const isMailVisible = computed(() => can('mail.access'))
 
 const { enabled: shareEnabled, ensureLoaded: ensureShareStatus } = useShareStatus()
-// Documents = explorateur de partage : visible si le module est actif ET la
+const isDocumentsVisible = computed(() => shareEnabled.value === true)
-// permission d'accès au partage est accordée (alignement avec le middleware de page).
-const isDocumentsVisible = computed(() => shareEnabled.value === true && can('integration.share.access'))
 
 const currentProjectId = computed(() => {
     const match = route.path.match(/^\/projects\/(\d+)/)

frontend/modules/mail/pages/mail.vue

@@ -6,7 +6,6 @@ const { t } = useI18n()
 const router = useRouter()
 const route = useRoute()
 
-definePageMeta({ middleware: ['permission'], permission: 'mail.access' })
 useHead({ title: t('mail.title') })
 
 // ─── Store ────────────────────────────────────────────────────────────────

frontend/pages/documents.vue

@@ -85,7 +85,6 @@ import type { Breadcrumb, FileEntry } from '~/modules/integration/services/dto/s
 import { useShareService } from '~/modules/integration/services/share'
 import { formatFileSize } from '~/utils/format'
 
-definePageMeta({ middleware: ['permission'], permission: 'integration.share.access' })
 useHead({ title: 'Documents' })
 
 const { browse, search } = useShareService()

src/Module/Mail/Application/Service/MailSyncService.php

@@ -64,22 +64,14 @@ final class MailSyncService
         }
     }
 
-    /**
+    public function syncFolderStructure(): void
-     * Synchronise the local folder list with the server.
-     *
-     * @return null|array<string, true> the set of folder paths currently present
-     *                                  on the server, or null when the remote list
-     *                                  could not be fetched (the caller then falls
-     *                                  back to syncing every known folder)
-     */
-    public function syncFolderStructure(): ?array
     {
         try {
             $remoteFolders = $this->provider->listFolders();
         } catch (MailProviderException $e) {
             $this->logger->error('syncFolderStructure: listFolders failed: '.$e->getMessage());
 
-            return null;
+            return;
         }
 
         $remotePathSet = [];
@@ -103,7 +95,16 @@ final class MailSyncService
 
         $this->entityManager->flush();
 
-        return $remotePathSet;
+        $allDbFolders = $this->folderRepository->findAllOrderedByPath();
+
+        foreach ($allDbFolders as $dbFolder) {
+            if (!isset($remotePathSet[$dbFolder->getPath()])) {
+                $this->logger->warning(sprintf(
+                    'syncFolderStructure: folder "%s" no longer exists on server — keeping in DB for safety',
+                    $dbFolder->getPath()
+                ));
+            }
+        }
     }
 
     public function syncFolder(MailFolder $folder): MailSyncReport
@@ -258,7 +259,7 @@ final class MailSyncService
 
     private function doSyncAll(DateTimeImmutable $startedAt): MailSyncReport
     {
-        $remotePathSet = $this->syncFolderStructure();
+        $this->syncFolderStructure();
 
         $totalCreated = 0;
         $totalUpdated = 0;
@@ -269,13 +270,6 @@ final class MailSyncService
         $folders = $this->folderRepository->findAllOrderedByPath();
 
         foreach ($folders as $folder) {
-            // Skip folders that no longer exist on the server. They are kept in
-            // the DB (linked messages and tasks still reference them) but retrying
-            // listMessages every cycle only floods the logs with "Folder not found".
-            if (null !== $remotePathSet && !isset($remotePathSet[$folder->getPath()])) {
-                continue;
-            }
-
             try {
                 $report = $this->syncFolder($folder);
                 $totalCreated += $report->createdCount;

src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php

@@ -103,11 +103,7 @@ final class ImapMailProvider implements MailProviderInterface
         $client = $this->getClient();
 
         try {
-            // Folder paths are stored exactly as the server returns them (raw
+            $folder = $client->getFolder($folderPath);
-            // UTF7-IMAP). Pass utf7: true so webklex matches them as-is instead of
-            // re-encoding UTF8 -> UTF7-IMAP, which double-encodes the "&" shift
-            // character and makes folders with accents/specials unresolvable.
-            $folder = $client->getFolder($folderPath, null, true);
             if (null === $folder) {
                 throw MailProviderException::operationFailed('listMessages', sprintf('Folder %s not found', $folderPath));
             }
@@ -142,7 +138,7 @@ final class ImapMailProvider implements MailProviderInterface
         $client = $this->getClient();
 
         try {
-            $folder = $client->getFolder($folderPath, null, true);
+            $folder = $client->getFolder($folderPath);
             if (null === $folder) {
                 throw MailProviderException::operationFailed('fetchMessage', sprintf('Folder %s not found', $folderPath));
             }
@@ -187,7 +183,7 @@ final class ImapMailProvider implements MailProviderInterface
         $client = $this->getClient();
 
         try {
-            $folder = $client->getFolder($folderPath, null, true);
+            $folder = $client->getFolder($folderPath);
             if (null === $folder) {
                 throw MailProviderException::operationFailed('markRead', sprintf('Folder %s not found', $folderPath));
             }
@@ -217,7 +213,7 @@ final class ImapMailProvider implements MailProviderInterface
         $client = $this->getClient();
 
         try {
-            $folder = $client->getFolder($folderPath, null, true);
+            $folder = $client->getFolder($folderPath);
             if (null === $folder) {
                 throw MailProviderException::operationFailed('markFlagged', sprintf('Folder %s not found', $folderPath));
             }
@@ -247,7 +243,7 @@ final class ImapMailProvider implements MailProviderInterface
         $client = $this->getClient();
 
         try {
-            $folder = $client->getFolder($folderPath, null, true);
+            $folder = $client->getFolder($folderPath);
             if (null === $folder) {
                 throw MailProviderException::operationFailed('moveMessage', sprintf('Folder %s not found', $folderPath));
             }
@@ -273,7 +269,7 @@ final class ImapMailProvider implements MailProviderInterface
         $client = $this->getClient();
 
         try {
-            $folder = $client->getFolder($folderPath, null, true);
+            $folder = $client->getFolder($folderPath);
             if (null === $folder) {
                 throw MailProviderException::operationFailed('fetchAttachment', sprintf('Folder %s not found', $folderPath));
             }

tests/Unit/Service/MailSyncServiceTest.php

@@ -132,69 +132,6 @@ class MailSyncServiceTest extends TestCase
         $service->syncFolderStructure();
     }
 
-    public function testSyncAllSkipsFoldersNoLongerPresentOnServer(): void
-    {
-        $config = new MailConfiguration();
-        $config->setEnabled(true);
-
-        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
-        $configRepo->method('findSingleton')->willReturn($config);
-
-        // The server only exposes INBOX; "Trash/STALE" was deleted remotely but
-        // still lingers in the DB.
-        $inboxDto = new MailFolderDto(
-            path: 'INBOX',
-            displayName: 'Inbox',
-            parentPath: null,
-            unreadCount: 0,
-            totalCount: 0,
-        );
-
-        $inboxFolder = new MailFolder();
-        $inboxFolder->setPath('INBOX');
-
-        $staleFolder = new MailFolder();
-        $staleFolder->setPath('Trash/STALE');
-
-        $provider = $this->createMock(MailProviderInterface::class);
-        $provider->method('listFolders')->willReturn([$inboxDto]);
-        // listMessages must only ever be called for INBOX, never the stale folder.
-        $provider->expects(self::once())
-            ->method('listMessages')
-            ->with('INBOX', 5000, 0)
-            ->willReturn([])
-        ;
-
-        $folderRepo = $this->createMock(MailFolderRepositoryInterface::class);
-        $folderRepo->method('findByPath')->willReturn($inboxFolder);
-        $folderRepo->method('findAllOrderedByPath')->willReturn([$inboxFolder, $staleFolder]);
-
-        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
-        $messageRepo->method('findMaxUidInFolder')->willReturn(0);
-        $messageRepo->method('findAllUidsByFolder')->willReturn([]);
-        $messageRepo->method('findLastNByFolder')->willReturn([]);
-
-        $em = $this->createMock(EntityManagerInterface::class);
-        $em->method('isOpen')->willReturn(true);
-        $lockFactory = $this->makeLockFactory();
-
-        $service = new MailSyncService(
-            provider: $provider,
-            configRepository: $configRepo,
-            folderRepository: $folderRepo,
-            messageRepository: $messageRepo,
-            entityManager: $em,
-            lockFactory: $lockFactory,
-            logger: new NullLogger(),
-            managerRegistry: $this->createMock(ManagerRegistry::class),
-        );
-
-        $report = $service->syncAll();
-
-        self::assertSame(1, $report->foldersScanned);
-        self::assertSame([], $report->errors);
-    }
-
     public function testSyncFolderAbortsSuppressionWhenOver50Percent(): void
     {
         $config = new MailConfiguration();