src/Entity/ClientTicket.php

@@ -36,7 +36,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             processor: ClientTicketNumberProcessor::class,
         ),
         new Patch(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('ROLE_ADMIN') or (is_granted('ROLE_CLIENT') and object.getSubmittedBy() == user)",
             processor: ClientTicketStatusProcessor::class,
         ),
         new Delete(security: "is_granted('ROLE_ADMIN')"),

src/State/ClientTicketStatusProcessor.php

@@ -10,6 +10,7 @@ use App\Entity\ClientTicket;
 use App\Service\NotificationService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 /**
@@ -25,6 +26,7 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
     public function __construct(
         private EntityManagerInterface $entityManager,
         private NotificationService $notificationService,
+        private Security $security,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
@@ -32,6 +34,13 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
         assert($data instanceof ClientTicket);
 
         $originalData = $context['previous_data'] ?? null;
+
+        // ROLE_CLIENT: can only edit content fields, not status
+        if (!$this->security->isGranted('ROLE_ADMIN') && $originalData instanceof ClientTicket) {
+            $data->setStatus($originalData->getStatus());
+            $data->setStatusComment($originalData->getStatusComment());
+        }
+
         if ($originalData instanceof ClientTicket) {
             $oldStatus = $originalData->getStatus();
             $newStatus = $data->getStatus();