MALIO-DEV/Starseed
3
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

feat(technique) : ProviderProvider + ProviderProcessor + cloisonnement site (ERP-134)

Browse Source 
Coeur API du repertoire prestataires (M3), jumeau du M2 fournisseurs :

- ProviderProvider : liste paginee (Paginator ORM), filtres
  search/categoryCode/siteId/includeArchived, tri companyName ASC,
  exclusion archives + soft-deletes (RG-3.16). Cloisonnement par site
  pilote par l'utilisateur (RG-3.17 / § 2.13) : liste restreinte au
  currentSite avant pagination (totalItems = perimetre), detail hors
  perimetre -> 404, bypass via sites.bypass_scope.
- ProviderProcessor : normalisation companyName (RG-3.11), POST formulaire
  principal (companyName + categories + sites), PATCH partiels par groupe
  en mode strict (RG-3.15, 403 sur tout le payload), archivage
  (RG-3.13/3.14), 409 doublon de nom (RG-3.10), garde d'ecriture cloisonnee
  des sites (RG-3.03/3.17, 422 sur sites pour les users sites.read_ref).
- ProviderReadGroupContextBuilder : gating comptabilite par AJOUT du groupe
  provider:read:accounting si accounting.view (jamais par retrait).
- ProviderFieldNormalizer : miroir SupplierFieldNormalizer.
- ApiResource cable (provider + processor) sur l'entite Provider.

Tests : ProviderApiTest, ProviderListTest, ProviderRbacGatingTest,
ProviderSiteScopeTest (26 tests). Suite complete verte (612 tests).
This commit is contained in:
Matthieu
2026-06-12 11:03:19 +02:00
parent 58474404b4
commit 0ca1fb159a
12 changed files with 1841 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Module/Technique/Api/AbstractProviderApiTestCase.php
+287
View File
@@ -0,0 +1,287 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Technique\Api;
use ApiPlatform\Symfony\Bundle\Test\Client;
use App\Module\Catalog\Domain\Entity\Category;
use App\Module\Catalog\Domain\Entity\CategoryType;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use App\Module\Sites\Domain\Entity\Site;
use App\Module\Technique\Domain\Entity\Provider;
use App\Tests\Module\Core\Api\AbstractApiTestCase;
use DateTimeImmutable;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
/**
* Base des tests fonctionnels du repertoire prestataires (M3 — module Technique).
* Jumelle de la base fournisseurs (M2), recentree sur le perimetre ERP-134
* (Provider + Processor + cloisonnement site).
*
* Donnees (RETEX M1/M2 — pas de fixtures globales pour les tests) : chaque test
* seede ses prestataires en base via les helpers ci-dessous, puis le tearDown les
* purge. Les 3 sites (Chatellerault 86 / Saint-Jean 17 / Pommevic 82) sont seedes
* par SitesFixtures (make test-db-setup) ; on les recupere par code postal.
*
* Categories : `providerCategory('NETTOYAGE')` fetch-or-create une categorie de
* type PRESTATAIRE (requis par RG-3.09). Pour fabriquer une categorie d'un AUTRE
* type (test de rejet RG-3.09), utiliser `foreignCategory()`.
*
* Cleanup : tearDown purge prestataires AVANT categories/users (provider_category
* et provider_site sont ON DELETE CASCADE cote provider — le DELETE DQL sur
* Provider libere categories et sites pour les purges suivantes).
*
* @internal
*/
abstract class AbstractProviderApiTestCase extends AbstractApiTestCase
{
protected const string LD = 'application/ld+json';
protected const string MERGE = 'application/merge-patch+json';
protected const string TEST_CATEGORY_PREFIX = 'test_prov_cat_';
/** Codes postaux des 3 sites fixtures (cf. SitesFixtures). */
protected const string SITE_86 = '86100'; // Chatellerault
protected const string SITE_17 = '17400'; // Saint-Jean
protected const string SITE_82 = '82400'; // Pommevic
protected function tearDown(): void
{
$em = $this->getEm();
$em->createQuery('DELETE FROM '.Provider::class)->execute();
$em->createQuery('DELETE FROM '.Category::class.' c WHERE c.name LIKE :prefix')
->setParameter('prefix', self::TEST_CATEGORY_PREFIX.'%')->execute()
;
$em->createQuery('DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix')
->setParameter('prefix', 'test_%')->execute()
;
$em->createQuery('DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix')
->setParameter('prefix', 'test_%')->execute()
;
parent::tearDown();
}
protected function createAdminClient(): Client
{
return $this->authenticatedClient('admin', 'admin');
}
/**
* Recupere (ou cree) le type PRESTATAIRE. Idempotent (unicite category_type.code).
*/
protected function providerCategoryType(): CategoryType
{
$em = $this->getEm();
$existing = $em->getRepository(CategoryType::class)->findOneBy(['code' => 'PRESTATAIRE']);
if (null !== $existing) {
return $existing;
}
$type = new CategoryType();
$type->setCode('PRESTATAIRE');
$type->setLabel('Prestataire');
$em->persist($type);
$em->flush();
return $type;
}
/**
* Fetch-or-create une categorie de type PRESTATAIRE par code (defaut NETTOYAGE).
* Idempotent (lookup par code, aligne sur l'index unique partiel uq_category_code)
* et auto-suffisant. Nom prefixe -> purge par tearDown.
*/
protected function providerCategory(string $code = 'NETTOYAGE'): Category
{
$em = $this->getEm();
$existing = $em->getRepository(Category::class)->findOneBy(['code' => $code, 'deletedAt' => null]);
if (null !== $existing) {
return $existing;
}
$category = new Category();
$category->setName(self::TEST_CATEGORY_PREFIX.strtolower($code));
$category->setCode($code);
$category->addCategoryType($this->providerCategoryType());
$em->persist($category);
$em->flush();
return $category;
}
/**
* Cree une categorie d'un type DIFFERENT de PRESTATAIRE (pour tester le rejet
* RG-3.09). Code unique pour ne pas collisionner avec une categorie existante.
*/
protected function foreignCategory(): Category
{
$em = $this->getEm();
$suffix = substr(bin2hex(random_bytes(4)), 0, 8);
$type = $em->getRepository(CategoryType::class)->findOneBy(['code' => 'CLIENT']);
if (null === $type) {
$type = new CategoryType();
$type->setCode('CLIENT');
$type->setLabel('Client');
$em->persist($type);
}
$category = new Category();
$category->setName(self::TEST_CATEGORY_PREFIX.'foreign_'.$suffix);
$category->setCode('FOREIGN_'.strtoupper($suffix));
$category->addCategoryType($type);
$em->persist($category);
$em->flush();
return $category;
}
/**
* Recupere un site fixture par code postal (cf. SitesFixtures). Echoue
* explicitement si absent (fixtures non chargees / module Sites off).
*/
protected function site(string $postalCode): Site
{
$site = $this->getEm()->getRepository(Site::class)->findOneBy(['postalCode' => $postalCode]);
self::assertNotNull(
$site,
sprintf('Site fixture "%s" introuvable : SitesFixtures charge (make test-db-setup) ?', $postalCode),
);
return $site;
}
/**
* Seede directement un Provider minimal (sans passer par l'API), pour les tests
* de liste / archivage / cloisonnement. Nom stocke en MAJUSCULES pour refleter
* l'etat normalise (RG-3.11) qu'aurait produit le ProviderProcessor. Porte une
* categorie PRESTATAIRE + les sites donnes (par code postal).
*
* @param list<string> $sitePostalCodes codes postaux des sites a rattacher
*/
protected function seedProvider(
string $companyName,
array $sitePostalCodes = [self::SITE_86],
bool $isArchived = false,
string $categoryCode = 'NETTOYAGE',
?string $siren = null,
): Provider {
$em = $this->getEm();
$provider = new Provider();
$provider->setCompanyName(mb_strtoupper($companyName, 'UTF-8'));
$provider->addCategory($this->providerCategory($categoryCode));
foreach ($sitePostalCodes as $postalCode) {
$provider->addSite($this->site($postalCode));
}
if (null !== $siren) {
$provider->setSiren($siren);
}
$provider->setIsArchived($isArchived);
if ($isArchived) {
$provider->setArchivedAt(new DateTimeImmutable());
}
$em->persist($provider);
$em->flush();
return $provider;
}
/**
* Payload minimal valide du formulaire principal (companyName + 1 categorie
* PRESTATAIRE + sites donnes). Categorie NETTOYAGE par defaut.
*
* @param list<string> $sitePostalCodes
*
* @return array<string, mixed>
*/
protected function validMainPayload(string $companyName, array $sitePostalCodes = [self::SITE_86]): array
{
$siteIris = array_map(fn (string $pc): string => '/api/sites/'.$this->site($pc)->getId(), $sitePostalCodes);
return [
'companyName' => $companyName,
'categories' => ['/api/categories/'.$this->providerCategory()->getId()],
'sites' => $siteIris,
];
}
/**
* Cree un utilisateur non-admin CLOISONNE : porte les permissions donnees via
* un role jetable, rattache aux seuls sites donnes (par code postal), avec un
* currentSite positionne. N'a PAS `sites.bypass_scope` (sauf si fourni dans
* $permissionCodes) -> sujet ideal des tests de cloisonnement (RG-3.17).
*
* Contrairement a createUserWithPermissions() (parent, qui attache TOUS les
* sites et ne pose pas de currentSite), ce helper controle finement le
* perimetre site de l'user.
*
* @param list<string> $permissionCodes
* @param list<string> $sitePostalCodes sites a rattacher (user_site)
*
* @return array{username: string, password: string}
*/
protected function createScopedUser(
array $permissionCodes,
array $sitePostalCodes,
?string $currentSitePostalCode = null,
): array {
$em = $this->getEm();
$suffix = substr(bin2hex(random_bytes(4)), 0, 8);
$username = 'test_scoped_'.$suffix;
$password = 'testpass';
/** @var UserPasswordHasherInterface $hasher */
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
$role = new Role('test_'.$suffix, 'Test Role '.$suffix, false);
foreach ($permissionCodes as $code) {
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => $code]);
self::assertNotNull($permission, sprintf('Permission "%s" introuvable (app:sync-permissions ?).', $code));
$role->addPermission($permission);
}
$em->persist($role);
$user = new User();
$user->setUsername($username);
$user->setIsAdmin(false);
$user->setPassword($hasher->hashPassword($user, $password));
$user->addRbacRole($role);
foreach ($sitePostalCodes as $postalCode) {
$user->addSite($this->site($postalCode));
}
if (null !== $currentSitePostalCode) {
$user->setCurrentSite($this->site($currentSitePostalCode));
}
$em->persist($user);
$em->flush();
$em->clear();
return ['username' => $username, 'password' => $password];
}
/**
* Indexe les violations d'un corps 422 par propertyPath (assert ciblee).
*
* @param array<string, mixed> $body corps decode (toArray(false))
*
* @return array<string, string> propertyPath => message
*/
protected function violationsByPath(array $body): array
{
$byPath = [];
foreach ($body['violations'] ?? [] as $v) {
$byPath[$v['propertyPath']] = $v['message'];
}
return $byPath;
}
}
tests/Module/Technique/Api/ProviderApiTest.php
+115
View File
@@ -0,0 +1,115 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Technique\Api;
/**
* Tests fonctionnels du formulaire principal prestataire (POST + PATCH) — ERP-134.
* Couvre : creation (RG-3.03 sites obligatoires, RG-3.09 type categorie),
* normalisation companyName (RG-3.11), 409 doublon (RG-3.10).
*
* @internal
*/
final class ProviderApiTest extends AbstractProviderApiTestCase
{
public function testPostMainCreatesProvider(): void
{
$client = $this->createAdminClient();
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $this->validMainPayload('Maintenance Pro', [self::SITE_86]),
]);
self::assertSame(201, $response->getStatusCode());
$body = $response->toArray();
// RG-3.11 : companyName normalise en MAJUSCULES.
self::assertSame('MAINTENANCE PRO', $body['companyName']);
self::assertArrayHasKey('id', $body);
// sites embarque (relation directe, site:read) avec name/postalCode.
self::assertCount(1, $body['sites']);
self::assertSame('86100', $body['sites'][0]['postalCode']);
}
public function testPostWithoutSiteIsRejected(): void
{
$client = $this->createAdminClient();
$payload = $this->validMainPayload('Sans Site', [self::SITE_86]);
$payload['sites'] = [];
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $payload,
]);
// RG-3.03 : au moins un site obligatoire.
self::assertSame(422, $response->getStatusCode());
self::assertArrayHasKey('sites', $this->violationsByPath($response->toArray(false)));
}
public function testPostWithoutCategoryIsRejected(): void
{
$client = $this->createAdminClient();
$payload = $this->validMainPayload('Sans Categorie', [self::SITE_86]);
$payload['categories'] = [];
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $payload,
]);
// RG-3.09 : au moins une categorie obligatoire.
self::assertSame(422, $response->getStatusCode());
self::assertArrayHasKey('categories', $this->violationsByPath($response->toArray(false)));
}
public function testPostWithForeignCategoryTypeIsRejected(): void
{
$client = $this->createAdminClient();
$foreign = $this->foreignCategory();
$payload = $this->validMainPayload('Mauvais Type', [self::SITE_86]);
$payload['categories'] = ['/api/categories/'.$foreign->getId()];
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $payload,
]);
// RG-3.09 : categorie hors type PRESTATAIRE -> 422 sur `categories`.
self::assertSame(422, $response->getStatusCode());
self::assertArrayHasKey('categories', $this->violationsByPath($response->toArray(false)));
}
public function testDuplicateCompanyNameReturns409(): void
{
$this->seedProvider('Doublon Sarl', [self::SITE_86]);
$client = $this->createAdminClient();
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
// Casse differente : l'unicite est insensible a la casse (LOWER).
'json' => $this->validMainPayload('doublon sarl', [self::SITE_86]),
]);
// RG-3.10 : doublon de nom (case-insensitive) -> 409.
self::assertSame(409, $response->getStatusCode());
}
public function testSameNameAfterArchiveIsAllowed(): void
{
// Index partiel : l'unicite ignore les archives -> reutilisation du nom OK.
$this->seedProvider('Recyclage Express', [self::SITE_86], isArchived: true);
$client = $this->createAdminClient();
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $this->validMainPayload('Recyclage Express', [self::SITE_86]),
]);
self::assertSame(201, $response->getStatusCode());
}
}
tests/Module/Technique/Api/ProviderListTest.php
+83
View File
@@ -0,0 +1,83 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Technique\Api;
/**
* Tests de la liste paginee /api/providers (ProviderProvider) — ERP-134.
* Couvre : envelope Hydra, tri companyName ASC, exclusion des archives,
* ?includeArchived (RG-3.16). Joue en admin (bypass_scope -> pas de cloisonnement).
*
* @internal
*/
final class ProviderListTest extends AbstractProviderApiTestCase
{
public function testListReturnsHydraEnvelopeSortedByName(): void
{
$this->seedProvider('Zeta Services', [self::SITE_86]);
$this->seedProvider('Alpha Nettoyage', [self::SITE_86]);
$this->seedProvider('Mu Maintenance', [self::SITE_86]);
$client = $this->createAdminClient();
$response = $client->request('GET', '/api/providers', [
'headers' => ['Accept' => self::LD],
]);
self::assertSame(200, $response->getStatusCode());
$body = $response->toArray();
// Envelope Hydra : totalItems present + member.
self::assertSame(3, $body['totalItems']);
$names = array_column($body['member'], 'companyName');
// Tri companyName ASC (RG-3.16) — noms normalises en MAJUSCULES.
self::assertSame(['ALPHA NETTOYAGE', 'MU MAINTENANCE', 'ZETA SERVICES'], $names);
}
public function testListExcludesArchivedByDefault(): void
{
$this->seedProvider('Actif Sas', [self::SITE_86]);
$this->seedProvider('Archive Sarl', [self::SITE_86], isArchived: true);
$client = $this->createAdminClient();
$response = $client->request('GET', '/api/providers', [
'headers' => ['Accept' => self::LD],
]);
self::assertSame(200, $response->getStatusCode());
$body = $response->toArray();
self::assertSame(1, $body['totalItems']);
self::assertSame('ACTIF SAS', $body['member'][0]['companyName']);
}
public function testListIncludeArchivedReintegratesArchived(): void
{
$this->seedProvider('Actif Sas', [self::SITE_86]);
$this->seedProvider('Archive Sarl', [self::SITE_86], isArchived: true);
$client = $this->createAdminClient();
$response = $client->request('GET', '/api/providers?includeArchived=true', [
'headers' => ['Accept' => self::LD],
]);
self::assertSame(200, $response->getStatusCode());
self::assertSame(2, $response->toArray()['totalItems']);
}
public function testListFiltersBySiteIdViaDirectRelation(): void
{
$this->seedProvider('Site 86 Only', [self::SITE_86]);
$this->seedProvider('Site 17 Only', [self::SITE_17]);
$client = $this->createAdminClient();
$site17 = $this->site(self::SITE_17);
$response = $client->request('GET', '/api/providers?siteId='.$site17->getId(), [
'headers' => ['Accept' => self::LD],
]);
self::assertSame(200, $response->getStatusCode());
$body = $response->toArray();
self::assertSame(1, $body['totalItems']);
self::assertSame('SITE 17 ONLY', $body['member'][0]['companyName']);
}
}
tests/Module/Technique/Api/ProviderRbacGatingTest.php
+159
View File
@@ -0,0 +1,159 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Technique\Api;
use App\Module\Technique\Domain\Entity\Provider;
/**
* Tests du gating comptabilite + mode strict par groupe (ProviderProcessor /
* ProviderReadGroupContextBuilder) — ERP-134.
*
* Couvre : gating accounting PAR OMISSION (siren/ribs absents sans accounting.view,
* bug #4 M1), mode strict RG-3.15 (403 sur tout le payload), gating archive (RG-3.13).
*
* Les users sont crees via createUserWithPermissions() (parent) : rattaches a TOUS
* les sites SANS currentSite -> CurrentSiteProvider::get() = null -> aucun
* cloisonnement, on isole ainsi le comportement RBAC du comportement site.
*
* @internal
*/
final class ProviderRbacGatingTest extends AbstractProviderApiTestCase
{
public function testAccountingFieldsOmittedWithoutAccountingView(): void
{
$provider = $this->seedProvider('Compta Masquee', [self::SITE_86], siren: '123456789');
$id = $provider->getId();
// Profil type Commerciale : view + manage SANS accounting.view.
$creds = $this->createUserWithPermissions(['technique.providers.view']);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('GET', '/api/providers/'.$id, ['headers' => ['Accept' => self::LD]]);
self::assertSame(200, $response->getStatusCode());
$body = $response->toArray();
// Gating par omission : scalaires comptables ET ribs totalement absents.
self::assertArrayNotHasKey('siren', $body);
self::assertArrayNotHasKey('ribs', $body);
// isArchived reste expose (bug #3 M1 : la cle ne doit pas etre droppee).
self::assertArrayHasKey('isArchived', $body);
}
public function testAccountingFieldsPresentWithAccountingView(): void
{
$provider = $this->seedProvider('Compta Visible', [self::SITE_86], siren: '987654321');
$id = $provider->getId();
$creds = $this->createUserWithPermissions([
'technique.providers.view',
'technique.providers.accounting.view',
]);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('GET', '/api/providers/'.$id, ['headers' => ['Accept' => self::LD]]);
self::assertSame(200, $response->getStatusCode());
$body = $response->toArray();
self::assertSame('987654321', $body['siren']);
// La cle ribs apparait (collection vide ici, mais presente).
self::assertArrayHasKey('ribs', $body);
}
public function testStrictModeRejectsMixedGroupsForManageOnlyUser(): void
{
$provider = $this->seedProvider('Strict Cible', [self::SITE_86]);
$id = $provider->getId();
// Profil type Bureau : manage SANS accounting.manage.
$creds = $this->createUserWithPermissions([
'technique.providers.view',
'technique.providers.manage',
]);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('PATCH', '/api/providers/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['companyName' => 'Renomme', 'siren' => '111222333'],
]);
// RG-3.15 : payload melangeant main + accounting sans accounting.manage
// -> 403 sur tout le payload (mode strict, pas de filtrage silencieux).
self::assertSame(403, $response->getStatusCode());
// Aucun champ n'a ete persiste (rollback du mode strict).
$this->getEm()->clear();
$reloaded = $this->getEm()->getRepository(Provider::class)->find($id);
self::assertSame('STRICT CIBLE', $reloaded->getCompanyName());
self::assertNull($reloaded->getSiren());
}
public function testAccountingOnlyUserCanPatchAccountingButNotMain(): void
{
$provider = $this->seedProvider('Compta Editrice', [self::SITE_86]);
$id = $provider->getId();
// Profil type Compta : accounting.view + accounting.manage SANS manage.
$creds = $this->createUserWithPermissions([
'technique.providers.view',
'technique.providers.accounting.view',
'technique.providers.accounting.manage',
]);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
// PATCH accounting -> 200.
$ok = $client->request('PATCH', '/api/providers/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['siren' => '555666777'],
]);
self::assertSame(200, $ok->getStatusCode());
// PATCH main (companyName) -> 403 (pas de permission manage).
$ko = $client->request('PATCH', '/api/providers/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['companyName' => 'Interdit'],
]);
self::assertSame(403, $ko->getStatusCode());
}
public function testArchiveRequiresArchivePermission(): void
{
$provider = $this->seedProvider('A Archiver', [self::SITE_86]);
$id = $provider->getId();
// Bureau (manage) sans archive -> 403.
$creds = $this->createUserWithPermissions([
'technique.providers.view',
'technique.providers.manage',
]);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('PATCH', '/api/providers/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['isArchived' => true],
]);
// RG-3.13 : l'archivage exige technique.providers.archive.
self::assertSame(403, $response->getStatusCode());
}
public function testAdminCanArchiveAndSetsArchivedAt(): void
{
$provider = $this->seedProvider('Archivable', [self::SITE_86]);
$id = $provider->getId();
$client = $this->createAdminClient();
$response = $client->request('PATCH', '/api/providers/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['isArchived' => true],
]);
self::assertSame(200, $response->getStatusCode());
$this->getEm()->clear();
$reloaded = $this->getEm()->getRepository(Provider::class)->find($id);
self::assertTrue($reloaded->isArchived());
self::assertNotNull($reloaded->getArchivedAt());
}
}
tests/Module/Technique/Api/ProviderSiteScopeTest.php
+171
View File
@@ -0,0 +1,171 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Technique\Api;
/**
* Tests du cloisonnement par site pilote par l'utilisateur (RG-3.17 / § 2.13) —
* ERP-134. Couvre la LECTURE (liste filtree avant pagination + totalItems, detail
* 404 hors perimetre, bypass voit tout) et l'ECRITURE (sites hors user_site -> 422).
*
* Cloisonnement pilote par l'USER (pas le role) : on cree des users non-admin SANS
* `sites.bypass_scope`, rattaches a un site precis avec un currentSite. L'admin
* (isAdmin -> bypass total) sert de temoin « voit tout ».
*
* @internal
*/
final class ProviderSiteScopeTest extends AbstractProviderApiTestCase
{
protected function setUp(): void
{
parent::setUp();
// Pre-requis : le module Sites doit etre actif (sinon currentSite = null,
// cloisonnement no-op et ces tests perdent leur sens).
$this->skipIfSitesModuleDisabled();
}
public function testListIsScopedToCurrentSiteForNonBypassUser(): void
{
$this->seedProvider('Presta Site 86', [self::SITE_86]);
$this->seedProvider('Presta Site 17', [self::SITE_17]);
$this->seedProvider('Presta Site 82', [self::SITE_82]);
$creds = $this->createScopedUser(
['technique.providers.view'],
sitePostalCodes: [self::SITE_86],
currentSitePostalCode: self::SITE_86,
);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('GET', '/api/providers', ['headers' => ['Accept' => self::LD]]);
self::assertSame(200, $response->getStatusCode());
$body = $response->toArray();
// totalItems reflete le PERIMETRE de l'user (filtre avant pagination).
self::assertSame(1, $body['totalItems']);
self::assertSame('PRESTA SITE 86', $body['member'][0]['companyName']);
}
public function testDetailOutOfScopeReturns404(): void
{
$inScope = $this->seedProvider('Dans Perimetre', [self::SITE_86]);
$outOfScope = $this->seedProvider('Hors Perimetre', [self::SITE_17]);
$creds = $this->createScopedUser(
['technique.providers.view'],
sitePostalCodes: [self::SITE_86],
currentSitePostalCode: self::SITE_86,
);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
// In-scope -> 200.
$ok = $client->request('GET', '/api/providers/'.$inScope->getId(), ['headers' => ['Accept' => self::LD]]);
self::assertSame(200, $ok->getStatusCode());
// Out-of-scope -> 404 (ne pas reveler l'existence hors perimetre).
$ko = $client->request('GET', '/api/providers/'.$outOfScope->getId(), ['headers' => ['Accept' => self::LD]]);
self::assertSame(404, $ko->getStatusCode());
}
public function testBypassUserSeesAllSites(): void
{
$this->seedProvider('Presta Site 86', [self::SITE_86]);
$this->seedProvider('Presta Site 17', [self::SITE_17]);
$this->seedProvider('Presta Site 82', [self::SITE_82]);
// Admin = bypass total.
$client = $this->createAdminClient();
$response = $client->request('GET', '/api/providers', ['headers' => ['Accept' => self::LD]]);
self::assertSame(200, $response->getStatusCode());
self::assertSame(3, $response->toArray()['totalItems']);
}
public function testWriteOutOfScopeSiteRejectedAtIriResolution(): void
{
// User non-bypass / non-read_ref : la resolution de l'IRI du site hors
// perimetre echoue en amont (SiteCollectionScopedExtension : item Site
// « introuvable ») -> 400 anti-enumeration, avant le ProviderProcessor.
$creds = $this->createScopedUser(
['technique.providers.view', 'technique.providers.manage'],
sitePostalCodes: [self::SITE_86],
currentSitePostalCode: self::SITE_86,
);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $this->validMainPayload('Hors Scope Sas', [self::SITE_17]),
]);
self::assertSame(400, $response->getStatusCode());
}
public function testWriteOutOfScopeSiteRejectedByProcessorGuard(): void
{
// User `sites.read_ref` : peut RESOUDRE n'importe quel site (referentiel
// transverse) mais n'opere que sur ses user_site. La garde guardSiteScope
// du ProviderProcessor est alors l'enforcement autoritaire de RG-3.17
// -> 422 sur `sites` (mappable inline, ERP-101).
$creds = $this->createScopedUser(
['technique.providers.view', 'technique.providers.manage', 'sites.read_ref'],
sitePostalCodes: [self::SITE_86],
currentSitePostalCode: self::SITE_86,
);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $this->validMainPayload('Hors Scope Guard', [self::SITE_17]),
]);
self::assertSame(422, $response->getStatusCode());
self::assertArrayHasKey('sites', $this->violationsByPath($response->toArray(false)));
}
public function testWriteAllowsSiteWithinUserScope(): void
{
$creds = $this->createScopedUser(
['technique.providers.view', 'technique.providers.manage'],
sitePostalCodes: [self::SITE_86],
currentSitePostalCode: self::SITE_86,
);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
// Site 86 = un des user_site -> 201.
$response = $client->request('POST', '/api/providers', [
'headers' => ['Content-Type' => self::LD],
'json' => $this->validMainPayload('Dans Scope Sas', [self::SITE_86]),
]);
self::assertSame(201, $response->getStatusCode());
}
public function testPatchAddingOutOfScopeSiteIsRejected(): void
{
$provider = $this->seedProvider('Patch Sites', [self::SITE_86]);
$id = $provider->getId();
// read_ref pour pouvoir resoudre l'IRI du site 17 (sinon 400 en amont) et
// exercer la garde guardSiteScope sur le PATCH.
$creds = $this->createScopedUser(
['technique.providers.view', 'technique.providers.manage', 'sites.read_ref'],
sitePostalCodes: [self::SITE_86],
currentSitePostalCode: self::SITE_86,
);
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$site86 = $this->site(self::SITE_86)->getId();
$site17 = $this->site(self::SITE_17)->getId();
$response = $client->request('PATCH', '/api/providers/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['sites' => ['/api/sites/'.$site86, '/api/sites/'.$site17]],
]);
// RG-3.17 : ajouter un site hors user_site -> 422 (garde Processor).
self::assertSame(422, $response->getStatusCode());
self::assertArrayHasKey('sites', $this->violationsByPath($response->toArray(false)));
}
}