MALIO-DEV/Lesstime
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 32 Wiki Activity
Files
68c3e6fbacdfeae0e32118715a438addbe9a3b83
Lesstime/tests/Functional/Module/ProjectManagement/ProjectAccessControlTest.php
T
Matthieu 9705b335ef fix(rbac) : enforce granular permissions on business resources 
Les ressources métier (ProjectManagement, Directory, TimeTracking) étaient
gardées par is_granted('ROLE_USER')/'ROLE_ADMIN', ignorant les permissions
RBAC granulaires déclarées par les modules : un utilisateur sans permission
voyait quand même projets, tâches, clients, etc.

- PermissionVoter : le regex excluait les tirets, donc project-management.* et
  time-tracking.* n'étaient supportées par aucun voter (refus pour tous, admin
  compris car le bypass ROLE_ADMIN est interne au voter). Ajout du tiret.
- Câblage des permissions *.view (lecture) / *.manage (écriture) sur les 17
  ressources métier. Métadonnées tâches lisibles via projects.view OR tasks.view.
  Directory partagé client/prospect via clients.* OR prospects.*. TimeEntry
  conserve le self-service (object.getUser() == user).
- Sidebar : gating par permission effective des onglets Projets / Mes tâches /
  Suivi du temps (config/sidebar.php).
- Test fonctionnel ProjectAccessControlTest (0 perm -> 403, view -> 200,
  view ne donne pas l'écriture -> 403).
2026-06-23 17:05:33 +02:00

83 lines
2.7 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\ProjectManagement;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
/**
* Vérifie que les ressources métier sont bien gardées par les permissions RBAC
* granulaires et non plus par le simple ROLE_USER.
*
* @internal
*/
final class ProjectAccessControlTest extends WebTestCase
{
public function testAuthenticatedUserWithoutPermissionIsForbidden(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$user = $this->createPlainUser($em, 'proj-noperm-'.uniqid());
$em->flush();
$client->loginUser($user);
$client->request('GET', '/api/projects');
self::assertResponseStatusCodeSame(403);
}
public function testUserWithViewPermissionCanListProjects(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.view']);
self::assertInstanceOf(Permission::class, $permission, 'Le catalogue de permissions doit contenir project-management.projects.view (lancer app:sync-permissions).');
$user = $this->createPlainUser($em, 'proj-view-'.uniqid());
$user->addDirectPermission($permission);
$em->flush();
$client->loginUser($user);
$client->request('GET', '/api/projects');
self::assertResponseIsSuccessful();
}
public function testViewPermissionDoesNotGrantWrite(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.view']);
self::assertInstanceOf(Permission::class, $permission);
$user = $this->createPlainUser($em, 'proj-noWrite-'.uniqid());
$user->addDirectPermission($permission);
$em->flush();
$client->loginUser($user);
$client->request('POST', '/api/projects', server: [
'CONTENT_TYPE' => 'application/ld+json',
], content: json_encode(['name' => 'Should be denied']));
self::assertResponseStatusCodeSame(403);
}
private function createPlainUser(EntityManagerInterface $em, string $username): User
{
$user = new User();
$user->setUsername($username);
$user->setPassword('x');
$user->setRoles(['ROLE_USER']);
$em->persist($user);
return $user;
}
}
Reference in New Issue View Git Blame Copy Permalink