MALIO-DEV/Lesstime
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 32 Wiki Activity
Files
a547fd38c23d0581d167970ae94b6b7abf9dd387
Lesstime/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
T
Matthieu a547fd38c2 test(client-portal) : regression guard for ROLE_CLIENT endpoint isolation 
Data-provided test asserting a pure ROLE_CLIENT gets 403 on the internal
endpoints hardened after the review (/api/users, /api/share/browse,
/api/share/status, bookstack links), so the fixes can't silently regress.
2026-06-21 19:33:13 +02:00

294 lines
11 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\ClientPortal;
use App\Module\ClientPortal\Domain\Entity\ClientTicket;
use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
use App\Module\Core\Domain\Entity\Notification;
use App\Module\Core\Domain\Entity\User;
use App\Module\ProjectManagement\Domain\Entity\Project;
use DateTimeImmutable;
use Doctrine\ORM\EntityManagerInterface;
use PHPUnit\Framework\Attributes\DataProvider;
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use function count;
/**
* Phase 1 security boundary: a pure ROLE_CLIENT user is walled off from the
* internal API but can reach its own client portal collection.
*
* @internal
*/
final class ClientTicketApiTest extends WebTestCase
{
public function testClientUserCannotListTasks(): void
{
$client = self::createClient();
$this->loginClient($client, 'client-liot');
$client->request('GET', '/api/tasks');
self::assertResponseStatusCodeSame(403);
}
public function testClientUserCannotListProjects(): void
{
$client = self::createClient();
$this->loginClient($client, 'client-liot');
$client->request('GET', '/api/projects');
self::assertResponseStatusCodeSame(403);
}
/**
* Regression guard for the post-migration security review: internal
* endpoints that were only behind IS_AUTHENTICATED_FULLY (or had no
* security) must reject a pure ROLE_CLIENT.
*/
#[DataProvider('internalEndpointsForbiddenToClients')]
public function testClientUserIsWalledOffFromInternalEndpoints(string $uri): void
{
$client = self::createClient();
$this->loginClient($client, 'client-liot');
$client->request('GET', $uri);
self::assertResponseStatusCodeSame(403);
}
/** @return iterable<string, array{string}> */
public static function internalEndpointsForbiddenToClients(): iterable
{
yield 'users directory' => ['/api/users'];
yield 'smb share browse' => ['/api/share/browse'];
yield 'smb share status' => ['/api/share/status'];
yield 'bookstack links' => ['/api/tasks/1/bookstack/links'];
}
public function testClientUserCanListOwnClientTickets(): void
{
$client = self::createClient();
$this->loginClient($client, 'client-liot');
$client->request('GET', '/api/client_tickets');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertArrayHasKey('member', $data);
self::assertNotEmpty($data['member']);
// Tenancy invariant (robust to POST tests accumulating tickets in the
// shared test DB): client-liot sees its own SIRH ticket but NEVER the
// ticket submitted by another client (ACME, on the CRM project).
$titles = array_column($data['member'], 'title');
self::assertContains('Erreur lors de l\'export des congés', $titles);
self::assertNotContains('Ajouter un filtre par commercial', $titles);
}
public function testClientUserSeesOnlyOwnTickets(): void
{
$client = self::createClient();
$this->loginClient($client, 'client-acme');
$client->request('GET', '/api/client_tickets');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertNotEmpty($data['member']);
// Tenancy invariant: client-acme sees its own CRM ticket but NEVER the
// ticket submitted by client-liot (on the SIRH project).
$titles = array_column($data['member'], 'title');
self::assertContains('Ajouter un filtre par commercial', $titles);
self::assertNotContains('Erreur lors de l\'export des congés', $titles);
}
public function testInternalUserCannotListClientTickets(): void
{
$client = self::createClient();
$this->loginClient($client, 'alice');
$client->request('GET', '/api/client_tickets');
self::assertResponseStatusCodeSame(403);
}
public function testAdminCanListAllClientTickets(): void
{
$client = self::createClient();
$this->loginClient($client, 'admin');
$client->request('GET', '/api/client_tickets');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertGreaterThanOrEqual(2, count($data['member']));
}
public function testClientCanCreateTicketAndNumberIsGenerated(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$projectIri = $this->sirhProjectIri($em);
$this->loginClient($client, 'client-liot');
$client->request('POST', '/api/client_tickets', server: [
'CONTENT_TYPE' => 'application/ld+json',
], content: json_encode([
'type' => 'other',
'title' => 'Demande de fonctionnalité',
'description' => 'Une nouvelle option serait utile.',
'project' => $projectIri,
]));
self::assertResponseStatusCodeSame(201);
$data = json_decode($client->getResponse()->getContent(), true);
self::assertSame('new', $data['status']);
self::assertGreaterThanOrEqual(1, $data['number']);
}
public function testCreatingTicketNotifiesAdmins(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$projectIri = $this->sirhProjectIri($em);
$this->loginClient($client, 'client-liot');
$title = 'Notif test '.uniqid('', true);
$client->request('POST', '/api/client_tickets', server: [
'CONTENT_TYPE' => 'application/ld+json',
], content: json_encode([
'type' => 'other',
'title' => $title,
'description' => 'Trigger an admin notification.',
'project' => $projectIri,
]));
self::assertResponseStatusCodeSame(201);
$data = json_decode($client->getResponse()->getContent(), true);
$ticketId = $data['id'];
$admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
self::assertNotNull($admin);
$notification = $em->getRepository(Notification::class)->findOneBy([
'user' => $admin,
'type' => 'ticket_created',
], ['createdAt' => 'DESC']);
self::assertInstanceOf(Notification::class, $notification);
self::assertNotNull($notification->getRelatedTicket());
self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
}
public function testChangingStatusNotifiesSubmitter(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
// Set up a fresh `new` ticket whose submitter is a known client user,
// so we can assert the submitter is the notification recipient.
$submitter = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
self::assertNotNull($submitter);
$project = $em->getRepository(Project::class)->findOneBy(['code' => 'SIRH']);
self::assertNotNull($project);
$ticket = new ClientTicket();
$ticket->setType(ClientTicketType::Other);
$ticket->setTitle('Status notif '.uniqid('', true));
$ticket->setDescription('Will be moved to in_progress.');
$ticket->setProject($project);
$ticket->setSubmittedBy($submitter);
$ticket->setStatus(ClientTicketStatus::New);
$ticket->setNumber(9000 + random_int(1, 999));
$ticket->setCreatedAt(new DateTimeImmutable());
$ticket->setUpdatedAt(new DateTimeImmutable());
$em->persist($ticket);
$em->flush();
$ticketId = $ticket->getId();
// Admin moves it to in_progress.
$this->loginClient($client, 'admin');
$client->request('PATCH', '/api/client_tickets/'.$ticketId, server: [
'CONTENT_TYPE' => 'application/merge-patch+json',
], content: json_encode(['status' => 'in_progress']));
self::assertResponseIsSuccessful();
$notification = $em->getRepository(Notification::class)->findOneBy([
'user' => $submitter,
'type' => 'ticket_status_changed',
], ['createdAt' => 'DESC']);
self::assertInstanceOf(Notification::class, $notification);
self::assertNotNull($notification->getRelatedTicket());
self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
}
public function testAdminCannotCreateTicket(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$projectIri = $this->sirhProjectIri($em);
$this->loginClient($client, 'admin');
$client->request('POST', '/api/client_tickets', server: [
'CONTENT_TYPE' => 'application/ld+json',
], content: json_encode([
'type' => 'other',
'title' => 'Admin attempt',
'description' => 'Should be forbidden.',
'project' => $projectIri,
]));
// Admin has no client, so ticket creation is denied.
self::assertResponseStatusCodeSame(403);
}
public function testRejectingTicketRequiresStatusComment(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$ticket = $em->getRepository(ClientTicket::class)
->findOneBy(['status' => ClientTicketStatus::New])
;
self::assertNotNull($ticket);
$id = $ticket->getId();
$this->loginClient($client, 'admin');
$client->request('PATCH', '/api/client_tickets/'.$id, server: [
'CONTENT_TYPE' => 'application/merge-patch+json',
], content: json_encode(['status' => 'rejected']));
self::assertResponseStatusCodeSame(422);
}
private function sirhProjectIri(EntityManagerInterface $em): string
{
$project = $em->getRepository(Project::class)
->findOneBy(['code' => 'SIRH'])
;
self::assertNotNull($project);
return '/api/projects/'.$project->getId();
}
private function loginClient(KernelBrowser $client, string $username): void
{
$em = self::getContainer()->get(EntityManagerInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
self::assertInstanceOf(User::class, $user);
$client->loginUser($user);
}
}
Reference in New Issue View Git Blame Copy Permalink