Matthieu
808a290845
LST-69 (3.2) phase 1. New ClientPortal module + security foundations for the client portal (spec docs/superpowers/specs/2026-03-15-client-portal-design.md). - Security: User::getRoles() no longer adds ROLE_USER to ROLE_CLIENT users; role_hierarchy ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]. Existing Task/Project/ Client/TimeEntry/metadata endpoints already required ROLE_USER -> a pure ROLE_CLIENT is walled off (verified: 403). - User (Core): client (ManyToOne ClientInterface, SET NULL) + allowedProjects (ManyToMany ProjectInterface). UserInterface extended (getClient/ getAllowedProjects). - New ClientTicket entity (module ClientPortal) + enums + repository + API with per-client isolation (ClientTicketProvider: own tickets ∩ allowedProjects), per-project numbering under advisory lock (rejects if user.client null), status transition rules. ClientTicketInterface contract for Task/TaskDocument. - TaskDocument generalized: task nullable + clientTicket (CASCADE) + CHECK; per-role access. Task.clientTicket exposed in task:read. - Additive migration; demo client fixtures. - Tenancy tests assert the isolation invariant (a client never sees another client's tickets) rather than brittle absolute counts (shared test DB). 178 tests green, mapping valid, cs-fixer clean.
184 lines
6.3 KiB
PHP
184 lines
6.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Functional\Module\ClientPortal;
|
|
|
|
use App\Module\ClientPortal\Domain\Entity\ClientTicket;
|
|
use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
|
|
use App\Module\Core\Domain\Entity\User;
|
|
use App\Module\ProjectManagement\Domain\Entity\Project;
|
|
use Doctrine\ORM\EntityManagerInterface;
|
|
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
|
|
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
|
|
|
|
use function count;
|
|
|
|
/**
|
|
* Phase 1 security boundary: a pure ROLE_CLIENT user is walled off from the
|
|
* internal API but can reach its own client portal collection.
|
|
*
|
|
* @internal
|
|
*/
|
|
final class ClientTicketApiTest extends WebTestCase
|
|
{
|
|
public function testClientUserCannotListTasks(): void
|
|
{
|
|
$client = self::createClient();
|
|
$this->loginClient($client, 'client-liot');
|
|
|
|
$client->request('GET', '/api/tasks');
|
|
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testClientUserCannotListProjects(): void
|
|
{
|
|
$client = self::createClient();
|
|
$this->loginClient($client, 'client-liot');
|
|
|
|
$client->request('GET', '/api/projects');
|
|
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testClientUserCanListOwnClientTickets(): void
|
|
{
|
|
$client = self::createClient();
|
|
$this->loginClient($client, 'client-liot');
|
|
|
|
$client->request('GET', '/api/client_tickets');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = json_decode($client->getResponse()->getContent(), true);
|
|
self::assertArrayHasKey('member', $data);
|
|
self::assertNotEmpty($data['member']);
|
|
// Tenancy invariant (robust to POST tests accumulating tickets in the
|
|
// shared test DB): client-liot sees its own SIRH ticket but NEVER the
|
|
// ticket submitted by another client (ACME, on the CRM project).
|
|
$titles = array_column($data['member'], 'title');
|
|
self::assertContains('Erreur lors de l\'export des congés', $titles);
|
|
self::assertNotContains('Ajouter un filtre par commercial', $titles);
|
|
}
|
|
|
|
public function testClientUserSeesOnlyOwnTickets(): void
|
|
{
|
|
$client = self::createClient();
|
|
$this->loginClient($client, 'client-acme');
|
|
|
|
$client->request('GET', '/api/client_tickets');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = json_decode($client->getResponse()->getContent(), true);
|
|
self::assertNotEmpty($data['member']);
|
|
// Tenancy invariant: client-acme sees its own CRM ticket but NEVER the
|
|
// ticket submitted by client-liot (on the SIRH project).
|
|
$titles = array_column($data['member'], 'title');
|
|
self::assertContains('Ajouter un filtre par commercial', $titles);
|
|
self::assertNotContains('Erreur lors de l\'export des congés', $titles);
|
|
}
|
|
|
|
public function testInternalUserCannotListClientTickets(): void
|
|
{
|
|
$client = self::createClient();
|
|
$this->loginClient($client, 'alice');
|
|
|
|
$client->request('GET', '/api/client_tickets');
|
|
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testAdminCanListAllClientTickets(): void
|
|
{
|
|
$client = self::createClient();
|
|
$this->loginClient($client, 'admin');
|
|
|
|
$client->request('GET', '/api/client_tickets');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = json_decode($client->getResponse()->getContent(), true);
|
|
self::assertGreaterThanOrEqual(2, count($data['member']));
|
|
}
|
|
|
|
public function testClientCanCreateTicketAndNumberIsGenerated(): void
|
|
{
|
|
$client = self::createClient();
|
|
$em = self::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
$projectIri = $this->sirhProjectIri($em);
|
|
$this->loginClient($client, 'client-liot');
|
|
|
|
$client->request('POST', '/api/client_tickets', server: [
|
|
'CONTENT_TYPE' => 'application/ld+json',
|
|
], content: json_encode([
|
|
'type' => 'other',
|
|
'title' => 'Demande de fonctionnalité',
|
|
'description' => 'Une nouvelle option serait utile.',
|
|
'project' => $projectIri,
|
|
]));
|
|
|
|
self::assertResponseStatusCodeSame(201);
|
|
$data = json_decode($client->getResponse()->getContent(), true);
|
|
self::assertSame('new', $data['status']);
|
|
self::assertGreaterThanOrEqual(1, $data['number']);
|
|
}
|
|
|
|
public function testAdminCannotCreateTicket(): void
|
|
{
|
|
$client = self::createClient();
|
|
$em = self::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
$projectIri = $this->sirhProjectIri($em);
|
|
$this->loginClient($client, 'admin');
|
|
|
|
$client->request('POST', '/api/client_tickets', server: [
|
|
'CONTENT_TYPE' => 'application/ld+json',
|
|
], content: json_encode([
|
|
'type' => 'other',
|
|
'title' => 'Admin attempt',
|
|
'description' => 'Should be forbidden.',
|
|
'project' => $projectIri,
|
|
]));
|
|
|
|
// Admin has no client, so ticket creation is denied.
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testRejectingTicketRequiresStatusComment(): void
|
|
{
|
|
$client = self::createClient();
|
|
$em = self::getContainer()->get(EntityManagerInterface::class);
|
|
$ticket = $em->getRepository(ClientTicket::class)
|
|
->findOneBy(['status' => ClientTicketStatus::New])
|
|
;
|
|
self::assertNotNull($ticket);
|
|
$id = $ticket->getId();
|
|
|
|
$this->loginClient($client, 'admin');
|
|
|
|
$client->request('PATCH', '/api/client_tickets/'.$id, server: [
|
|
'CONTENT_TYPE' => 'application/merge-patch+json',
|
|
], content: json_encode(['status' => 'rejected']));
|
|
|
|
self::assertResponseStatusCodeSame(422);
|
|
}
|
|
|
|
private function sirhProjectIri(EntityManagerInterface $em): string
|
|
{
|
|
$project = $em->getRepository(Project::class)
|
|
->findOneBy(['code' => 'SIRH'])
|
|
;
|
|
self::assertNotNull($project);
|
|
|
|
return '/api/projects/'.$project->getId();
|
|
}
|
|
|
|
private function loginClient(KernelBrowser $client, string $username): void
|
|
{
|
|
$em = self::getContainer()->get(EntityManagerInterface::class);
|
|
$user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
|
|
self::assertInstanceOf(User::class, $user);
|
|
$client->loginUser($user);
|
|
}
|
|
}
|