fix : correction des Heures et ajout d'une validation pour les chefs de site

src/State/WorkHourSiteValidationProcessor.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Entity\User;
+use App\Entity\WorkHour;
+use App\Security\EmployeeScopeService;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+final readonly class WorkHourSiteValidationProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private Security $security,
+        private EmployeeScopeService $employeeScopeService,
+        private EntityManagerInterface $entityManager,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): WorkHour
+    {
+        if (!$data instanceof WorkHour) {
+            throw new AccessDeniedHttpException('Invalid payload.');
+        }
+
+        $user = $this->security->getUser();
+        if (!$user instanceof User) {
+            throw new AccessDeniedHttpException('Authentication required.');
+        }
+
+        // Réservé aux profils "Sites" (ni admin, ni self).
+        if (in_array('ROLE_ADMIN', $user->getRoles(), true) || in_array('ROLE_SELF', $user->getRoles(), true)) {
+            throw new AccessDeniedHttpException('Only site managers can update site validation.');
+        }
+
+        $siteId = $data->getEmployee()?->getSite()?->getId();
+        if (!$siteId) {
+            throw new AccessDeniedHttpException('Employee site is required.');
+        }
+
+        $allowedSiteIds = $this->employeeScopeService->getAllowedSiteIds($user);
+        if (!in_array($siteId, $allowedSiteIds, true)) {
+            throw new AccessDeniedHttpException('Employee is outside your site scope.');
+        }
+
+        $this->entityManager->flush();
+
+        return $data;
+    }
+}