MALIO-DEV/Starseed
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(commercial) : cover RG-1.01..1.29 except role-gated (M1) + polish stack (#38)
Auto Tag Develop / tag (push) Successful in 7s
Details

Browse Source 
Dernier wagon de la stack back M1. ERP-60 = polish stack + couverture de tests PHPUnit NON dépendante des rôles métier (cf. spec § 7 / § 8.1).

## Phase 0 — polish stack (déjà mergé dans les branches basses via rebase)
- ERP-59 : route sidebar `/clients` (au lieu de `/commercial/clients`), cohérente avec `/suppliers`.
- One-liner pagination Client abandonné : `pagination_client_enabled: true` est déjà le défaut global → `?pagination=false` marche déjà sur `/api/clients` (décision P7).

## Phase 1 — tests (combler les trous, zéro duplication)
8 nouvelles suites couvrant les RG non encore testées par ERP-55/56/57/58 :
- `ClientFormulaireMainTest` — RG-1.02 (téléphone secondaire, max 2).
- `ClientAddressTest` — RG-1.06/07/08 + RG-1.11 (CHECK BDD prospect/billing).
- `ClientUniquenessTest` — RG-1.15/1.17 (Q4 : SIREN/email NON uniques).
- `ClientArchiveTest` — **RG-1.23 : 409 restauration en conflit (gap P1)**.
- `ClientAuditTest` — RG-1.27 (created* figés / updatedBy modificateur) + iban/bic présents dans le diff audité.
- `ClientMigrationTest` — index partiel unique `uq_client_company_name_active` (1 seul) ; pas d'index siren/email.
- `ClientSecurityTest` — 401 anonyme + 403 sans `commercial.clients.view`.
- `ClientPatchStrictTest` — RG-1.28 (403 strict mix de groupes, fonctionnel).

Cahier de test complet (mapping de TOUTES les RG → test) : `docs/specs/M1-clients/cahier-test-back-M1.md`.

## Délégué à ERP-74 (#493)
Matrice RBAC différenciée (bureau/compta/commerciale/usine) + RG-1.04 fonctionnel — exigent les rôles métier seedés après le merge de la stack.

## Gaps documentés (cahier)
- RG-1.29 validation écriture (catégorie type sur adresse → 422) non implémentée back (hors § 8.1, ticket test-only).
- Violations CHECK adresse → rejet (≥400) sans mapping fin 422 (amélioration possible).

## Vérifs
`make db-reset && make php-cs-fixer-allow-risky && make test` → **421 tests OK, 1386 assertions, 0 risky**. Nouveaux tests : 17, 71 assertions.

---------

Co-authored-by: Matthieu <contact@malio.fr>
Reviewed-on: #38
Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
This commit was merged in pull request #38.
This commit is contained in:
THOLOT DECHENE Matthieu
2026-06-01 19:46:39 +00:00
committed by admin malio
parent 9507664bd0
commit 120058049c
37 changed files with 3230 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Module/Commercial/Api/ClientAddressTest.php
+149
View File
@@ -0,0 +1,149 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Sites\Domain\Entity\Site;
/**
* Tests fonctionnels de l'onglet Adresse — combler les trous (ERP-60).
*
* RG-1.09 (code postal) et RG-1.10 (>= 1 site) sont DEJA couverts par
* ClientSubResourceApiTest (ERP-57) et ne sont pas reduplique ici. Ce fichier
* cible les contraintes CHECK BDD non encore testees :
* - RG-1.06 / RG-1.07 / RG-1.08 : `chk_client_address_prospect_exclusive`
* (is_prospect exclusif de is_delivery / is_billing) ;
* - RG-1.11 : `chk_client_address_billing_email` (billing_email obligatoire
* ssi is_billing).
*
* Note : ces regles sont portees par des CHECK Postgres (pas d'Assert ni de
* regle Processor au M1). On verifie donc que la combinaison invalide est
* REJETEE par le serveur (statut >= 400), sans coupler le test au code exact :
* une violation CHECK non mappee remonte aujourd'hui en erreur serveur ; un
* mapping fin vers 422 serait une amelioration ulterieure (hors perimetre
* ERP-60, test-only).
*
* RG-1.29 (filtrage du type de categorie SECTEUR/AUTRE sur une adresse) n'est
* PAS testee : la validation d'ecriture correspondante n'est pas implementee
* cote back au M1 (et ne figure pas dans la liste § 8.1). Documentee comme gap
* dans le cahier de test #478.
*
* @internal
*/
final class ClientAddressTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
/**
* RG-1.06 / RG-1.07 : une adresse de prospection ne peut pas etre une
* adresse de livraison (CHECK chk_client_address_prospect_exclusive).
*/
public function testProspectAddressCannotBeDelivery(): void
{
$this->skipIfSitesModuleDisabled();
$client = $this->createAdminClient();
$seed = $this->seedClient('Prospect Delivery');
$response = $client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'isProspect' => true,
'isDelivery' => true,
'postalCode' => '86100',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [$this->firstSiteIri()],
],
]);
self::assertGreaterThanOrEqual(400, $response->getStatusCode());
}
/**
* RG-1.06 / RG-1.08 : une adresse de prospection ne peut pas etre une
* adresse de facturation (meme CHECK). On fournit billingEmail pour que la
* seule violation possible soit l'exclusivite prospect/billing.
*/
public function testProspectAddressCannotBeBilling(): void
{
$this->skipIfSitesModuleDisabled();
$client = $this->createAdminClient();
$seed = $this->seedClient('Prospect Billing');
$response = $client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'isProspect' => true,
'isBilling' => true,
'billingEmail' => 'facturation@test.fr',
'postalCode' => '86100',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [$this->firstSiteIri()],
],
]);
self::assertGreaterThanOrEqual(400, $response->getStatusCode());
}
/**
* RG-1.11 : une adresse de facturation exige un billingEmail
* (CHECK chk_client_address_billing_email).
*/
public function testBillingAddressRequiresBillingEmail(): void
{
$this->skipIfSitesModuleDisabled();
$client = $this->createAdminClient();
$seed = $this->seedClient('Billing No Email');
$response = $client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'isBilling' => true,
'postalCode' => '86100',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [$this->firstSiteIri()],
],
]);
self::assertGreaterThanOrEqual(400, $response->getStatusCode());
}
/**
* RG-1.11 (sens inverse) : une adresse NON facturable ne peut pas porter un
* billingEmail (meme CHECK).
*/
public function testNonBillingAddressRejectsBillingEmail(): void
{
$this->skipIfSitesModuleDisabled();
$client = $this->createAdminClient();
$seed = $this->seedClient('Non Billing With Email');
$response = $client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'isBilling' => false,
'billingEmail' => 'parasite@test.fr',
'postalCode' => '86100',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [$this->firstSiteIri()],
],
]);
self::assertGreaterThanOrEqual(400, $response->getStatusCode());
}
/**
* Retourne l'IRI du premier site seede (fixtures Sites).
*/
private function firstSiteIri(): string
{
$site = $this->getEm()->getRepository(Site::class)->findOneBy([]);
self::assertNotNull($site, 'Aucun site seede : impossible de tester les adresses.');
return '/api/sites/'.$site->getId();
}
}
tests/Module/Commercial/Api/ClientArchiveTest.php
+47
View File
@@ -0,0 +1,47 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
/**
* Tests d'archivage / restauration — combler les trous (ERP-60).
*
* Le cas nominal RG-1.22 (archive pose archivedAt) + RG-1.23 (restauration
* repasse archivedAt a null) ainsi que le 422 « archive + autre champ » sont
* DEJA couverts par ClientApiTest (ERP-55). Ce fichier cible le trou identifie
* en revue (P1 review ERP-55) : le 409 de RESTAURATION en conflit d'unicite.
*
* @internal
*/
final class ClientArchiveTest extends AbstractCommercialApiTestCase
{
private const string MERGE = 'application/merge-patch+json';
/**
* RG-1.23 : restaurer un client archive dont le nom a ete repris par un
* client actif entre-temps doit echouer en 409 (l'index partiel
* uq_client_company_name_active n'admet qu'un seul actif portant ce nom).
*
* Scenario :
* 1. un client « ACME CONFLICT » est archive (donc hors index partiel) ;
* 2. un autre client actif « ACME CONFLICT » est cree (autorise tant que le
* premier reste archive) ;
* 3. la restauration du premier le rendrait actif -> collision d'unicite
* -> ClientProcessor traduit la UniqueConstraintViolationException en 409.
*/
public function testRestoreConflictReturns409(): void
{
$client = $this->createAdminClient();
$archived = $this->seedClient('Acme Conflict', true);
$this->seedClient('Acme Conflict', false);
$client->request('PATCH', '/api/clients/'.$archived->getId(), [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['isArchived' => false],
]);
self::assertResponseStatusCodeSame(409);
}
}
tests/Module/Commercial/Api/ClientAuditTest.php
+142
View File
@@ -0,0 +1,142 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\Client as ClientEntity;
use DateTimeImmutable;
use Doctrine\DBAL\Connection;
/**
* Tests Audit + Timestampable/Blamable du repertoire clients (ERP-60).
*
* Couvre :
* - RG-1.27 : createdAt / createdBy figes au POST, updatedBy reflete bien
* l'auteur de la modification (POST admin puis PATCH par un autre user) ;
* - Audit (§ 6.1) : le RIB est `#[Auditable]` SANS `#[AuditIgnore]` sur iban /
* bic — ces champs sensibles DOIVENT donc apparaitre dans le diff audite
* (decision Matthieu, revue MR 29/05/2026).
*
* @internal
*/
final class ClientAuditTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
private const string MERGE = 'application/merge-patch+json';
private const string RIB_TYPE = 'commercial.ClientRib';
private const string VALID_IBAN = 'FR1420041010050500013M02606';
private const string VALID_BIC = 'BNPAFRPPXXX';
private ?Connection $auditConnection = null;
protected function setUp(): void
{
parent::setUp();
self::bootKernel();
/** @var Connection $conn */
$conn = self::getContainer()->get('doctrine.dbal.audit_connection');
$this->auditConnection = $conn;
}
protected function tearDown(): void
{
if (null !== $this->auditConnection) {
$this->auditConnection->close();
}
parent::tearDown();
}
/**
* RG-1.27 : createdAt / createdBy sont poses au POST puis figes ; updatedBy
* suit l'auteur de la derniere modification. On cree en admin puis on
* modifie avec un user `commercial.clients.manage` distinct : createdBy reste
* l'admin, updatedBy devient le manager, createdAt ne bouge pas.
*/
public function testCreatedFrozenAndUpdatedByReflectsModifier(): void
{
// 1. User modificateur (non-admin) cree AVANT le reboot de kernel induit
// par les clients authentifies suivants ; il est persiste en base.
$manageCreds = $this->createUserWithPermission('commercial.clients.manage');
// 2. Creation en admin (createdBy = admin).
$admin = $this->createAdminClient();
$cat = $this->createCategory('SECTEUR');
$created = $admin->request('POST', '/api/clients', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'companyName' => 'Blamable Co',
'firstName' => 'A',
'phonePrimary' => '0102030405',
'email' => 'blamable@test.fr',
'categories' => ['/api/categories/'.$cat->getId()],
],
])->toArray();
self::assertResponseStatusCodeSame(201);
$id = (int) $created['id'];
$createdAtTs = new DateTimeImmutable((string) $created['createdAt'])->getTimestamp();
// 3. Modification par le manager (updatedBy = manager).
$manage = $this->authenticatedClient($manageCreds['username'], $manageCreds['password']);
$manage->request('PATCH', '/api/clients/'.$id, [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['companyName' => 'Blamable Renamed'],
]);
self::assertResponseStatusCodeSame(200);
// 4. Verification cote base (etat re-charge depuis la BDD).
$em = $this->getEm();
$em->clear();
$reloaded = $em->getRepository(ClientEntity::class)->find($id);
self::assertNotNull($reloaded);
self::assertSame('admin', $reloaded->getCreatedBy()?->getUserIdentifier(), 'createdBy doit rester l\'admin createur.');
self::assertSame(
$manageCreds['username'],
$reloaded->getUpdatedBy()?->getUserIdentifier(),
'updatedBy doit refleter le dernier modificateur.',
);
self::assertSame($createdAtTs, $reloaded->getCreatedAt()?->getTimestamp(), 'createdAt doit etre fige au POST.');
self::assertNotNull($reloaded->getUpdatedAt());
self::assertGreaterThanOrEqual($createdAtTs, $reloaded->getUpdatedAt()->getTimestamp());
}
/**
* Audit § 6.1 : la creation d'un RIB produit une ligne audit_log
* `commercial.ClientRib` / `create` dont le snapshot contient iban et bic
* (champs volontairement NON ignores).
*/
public function testRibCreateAuditIncludesIbanAndBic(): void
{
$admin = $this->createAdminClient();
$seed = $this->seedClient('Rib Audit Host');
$rib = $admin->request('POST', '/api/clients/'.$seed->getId().'/ribs', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'label' => 'Compte audite',
'bic' => self::VALID_BIC,
'iban' => self::VALID_IBAN,
],
])->toArray();
self::assertResponseStatusCodeSame(201);
$rows = $this->auditConnection->fetchAllAssociative(
'SELECT changes FROM audit_log '
.'WHERE entity_type = :type AND entity_id = :id AND action = :action '
.'ORDER BY performed_at DESC',
['type' => self::RIB_TYPE, 'id' => (string) $rib['id'], 'action' => 'create'],
);
self::assertGreaterThanOrEqual(1, count($rows), 'Un audit_log "create" doit etre genere pour le RIB.');
/** @var array<string, mixed> $changes */
$changes = json_decode((string) $rows[0]['changes'], true, flags: JSON_THROW_ON_ERROR);
self::assertArrayHasKey('iban', $changes, 'iban doit figurer dans le diff audite (pas d\'AuditIgnore).');
self::assertArrayHasKey('bic', $changes, 'bic doit figurer dans le diff audite (pas d\'AuditIgnore).');
self::assertSame(self::VALID_IBAN, $changes['iban']);
self::assertSame(self::VALID_BIC, $changes['bic']);
}
}
tests/Module/Commercial/Api/ClientExportControllerTest.php
+185
View File
@@ -0,0 +1,185 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use PhpOffice\PhpSpreadsheet\IOFactory;
/**
* Tests fonctionnels de l'export XLSX du repertoire clients (M1, § 4.6).
*
* Couvre : reponse 200 (Content-Type + Content-Disposition), exclusion des
* archives par defaut, respect des filtres ?search / ?categoryType, gating de
* la colonne SIREN selon commercial.clients.accounting.view, 403 sans
* commercial.clients.view, 401 anonyme.
*
* @internal
*/
final class ClientExportControllerTest extends AbstractCommercialApiTestCase
{
private const string XLSX_MIME = 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet';
private const string EXPORT_URL = '/api/clients/export.xlsx';
public function testExportReturnsXlsxResponseWithAttachmentFilename(): void
{
$client = $this->createAdminClient();
$this->seedClient('Export Alpha');
$response = $client->request('GET', self::EXPORT_URL);
self::assertResponseIsSuccessful();
$headers = $response->getHeaders(false);
self::assertStringContainsString(self::XLSX_MIME, $headers['content-type'][0] ?? '');
$disposition = $headers['content-disposition'][0] ?? '';
self::assertStringContainsString('attachment; filename="repertoire-clients-', $disposition);
self::assertMatchesRegularExpression(
'/filename="repertoire-clients-\d{8}\.xlsx"/',
$disposition,
);
// Le binaire est un XLSX relisible dont la 1re ligne porte les en-tetes.
$grid = $this->gridFromResponse($response->getContent());
$headers = $grid[0];
self::assertSame('Nom entreprise', $headers[0]);
self::assertContains('Catégories', $headers);
self::assertContains('Sites', $headers);
self::assertContains('Date de création', $headers);
}
public function testExportExcludesArchivedByDefault(): void
{
$client = $this->createAdminClient();
$this->seedClient('Active One');
$this->seedClient('Archived One', true);
$names = $this->companyNames($client->request('GET', self::EXPORT_URL)->getContent());
self::assertContains('ACTIVE ONE', $names);
self::assertNotContains('ARCHIVED ONE', $names);
}
public function testExportRespectsSearchFilter(): void
{
$client = $this->createAdminClient();
$this->seedClient('Searchable Alpha');
$this->seedClient('Other Beta');
$names = $this->companyNames(
$client->request('GET', self::EXPORT_URL.'?search=alpha')->getContent(),
);
self::assertContains('SEARCHABLE ALPHA', $names);
self::assertNotContains('OTHER BETA', $names);
}
public function testExportRespectsCategoryTypeFilter(): void
{
$client = $this->createAdminClient();
$this->seedClient('Distrib Co', false, 'DISTRIBUTEUR');
$this->seedClient('Secteur Co', false, 'SECTEUR');
$names = $this->companyNames(
$client->request('GET', self::EXPORT_URL.'?categoryType=DISTRIBUTEUR')->getContent(),
);
self::assertContains('DISTRIB CO', $names);
self::assertNotContains('SECTEUR CO', $names);
}
public function testSirenColumnPresentWithAccountingView(): void
{
// L'admin bypass le RBAC : il a donc accounting.view -> colonne SIREN.
$client = $this->createAdminClient();
$seed = $this->seedClient('Siren Co');
$em = $this->getEm();
$seed->setSiren('123456789');
$em->flush();
$grid = $this->gridFromResponse($client->request('GET', self::EXPORT_URL)->getContent());
self::assertContains('SIREN', $grid[0]);
self::assertStringContainsString('123456789', $this->flatten($grid));
}
public function testSirenColumnAbsentWithoutAccountingView(): void
{
// Seed via admin, puis relecture par un user qui n'a QUE clients.view.
$admin = $this->createAdminClient();
$seed = $this->seedClient('No Siren Co');
$em = $this->getEm();
$seed->setSiren('987654321');
$em->flush();
$creds = $this->createUserWithPermission('commercial.clients.view');
$viewer = $this->authenticatedClient($creds['username'], $creds['password']);
$grid = $this->gridFromResponse($viewer->request('GET', self::EXPORT_URL)->getContent());
self::assertNotContains('SIREN', $grid[0]);
self::assertStringNotContainsString('987654321', $this->flatten($grid));
}
public function testForbiddenWithoutClientsViewPermission(): void
{
$creds = $this->createUserWithPermission('core.users.view');
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$client->request('GET', self::EXPORT_URL);
self::assertResponseStatusCodeSame(403);
}
public function testUnauthorizedWhenAnonymous(): void
{
$client = self::createClient();
$client->request('GET', self::EXPORT_URL);
self::assertResponseStatusCodeSame(401);
}
/**
* Relit le binaire XLSX d'une reponse et renvoie la grille de cellules.
*
* @return array<int, array<int, mixed>>
*/
private function gridFromResponse(string $binary): array
{
$tmp = tempnam(sys_get_temp_dir(), 'xlsx_export_test_');
self::assertIsString($tmp);
file_put_contents($tmp, $binary);
try {
return IOFactory::load($tmp)->getActiveSheet()->toArray();
} finally {
@unlink($tmp);
}
}
/**
* Extrait la colonne « Nom entreprise » (1re colonne) des lignes de donnees.
*
* @return list<string>
*/
private function companyNames(string $binary): array
{
$grid = $this->gridFromResponse($binary);
$rows = array_slice($grid, 1); // saute l'en-tete
return array_values(array_map(static fn (array $row): string => (string) ($row[0] ?? ''), $rows));
}
/**
* Aplatit toute la grille en une chaine, pour les assertions de presence.
*
* @param array<int, array<int, mixed>> $grid
*/
private function flatten(array $grid): string
{
return implode('|', array_map(
static fn (array $row): string => implode('|', array_map(static fn ($cell): string => (string) $cell, $row)),
$grid,
));
}
}
tests/Module/Commercial/Api/ClientFormulaireMainTest.php
+84
View File
@@ -0,0 +1,84 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\Client as ClientEntity;
/**
* Tests fonctionnels du formulaire principal — combler les trous (ERP-60).
*
* RG-1.01 (prenom OU nom obligatoire) et RG-1.03 (distributor/broker exclusifs
* + type de categorie) sont DEJA couverts par ClientApiTest (ERP-55) : on ne les
* reduplique pas ici. Ce fichier ne couvre que RG-1.02 (telephone secondaire),
* non encore testee.
*
* @internal
*/
final class ClientFormulaireMainTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
/**
* RG-1.02 : le telephone secondaire est optionnel mais persiste (2 colonnes
* distinctes). Verifie aussi la normalisation chiffres-seuls (RG-1.20) sur
* la colonne secondaire.
*/
public function testPostPersistsSecondaryPhoneNormalized(): void
{
$client = $this->createAdminClient();
$cat = $this->createCategory('SECTEUR');
$data = $client->request('POST', '/api/clients', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'companyName' => 'Two Phones SARL',
'firstName' => 'A',
'phonePrimary' => '06.12.34.56.78',
'phoneSecondary' => '05 49 00 11 22',
'email' => 'twophones@test.fr',
'categories' => ['/api/categories/'.$cat->getId()],
],
])->toArray();
self::assertResponseStatusCodeSame(201);
self::assertSame('0612345678', $data['phonePrimary']);
self::assertSame('0549001122', $data['phoneSecondary']);
}
/**
* RG-1.02 : maximum 2 telephones — le modele n'expose que phonePrimary et
* phoneSecondary. Un eventuel 3e champ envoye par un appel API direct est
* ignore (aucune 3e colonne), il ne peut donc pas creer un troisieme numero.
*/
public function testThirdPhoneFieldIsIgnored(): void
{
$client = $this->createAdminClient();
$cat = $this->createCategory('SECTEUR');
$data = $client->request('POST', '/api/clients', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'companyName' => 'Third Phone SARL',
'firstName' => 'A',
'phonePrimary' => '0612345678',
'phoneSecondary' => '0549001122',
'phoneTertiary' => '0700000000',
'email' => 'thirdphone@test.fr',
'categories' => ['/api/categories/'.$cat->getId()],
],
])->toArray();
self::assertResponseStatusCodeSame(201);
// Le champ inconnu est ignore par le denormaliseur : il n'apparait pas
// dans la representation et n'a pas ete persiste.
self::assertArrayNotHasKey('phoneTertiary', $data);
// Confirmation cote base : seules les 2 colonnes telephone existent.
$persisted = $this->getEm()->getRepository(ClientEntity::class)->find($data['id']);
self::assertNotNull($persisted);
self::assertSame('0612345678', $persisted->getPhonePrimary());
self::assertSame('0549001122', $persisted->getPhoneSecondary());
}
}
tests/Module/Commercial/Api/ClientMigrationTest.php
+67
View File
@@ -0,0 +1,67 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
/**
* Tests de structure / migration M1 (ERP-60).
*
* Verifie la decision Q4 (29/05/2026) au niveau du schema Postgres :
* - l'unique index partiel fonctionnel uq_client_company_name_active existe
* (un seul, sur LOWER(company_name), partiel sur les actifs non archives /
* non supprimes) — seule unicite metier conservee (RG-1.16) ;
* - les anciens index uq_client_siren_active (RG-1.15) et uq_client_email_active
* (RG-1.17) ont ete supprimes / ne sont jamais crees.
*
* @internal
*/
final class ClientMigrationTest extends AbstractCommercialApiTestCase
{
public function testCompanyNameActivePartialIndexExistsExactlyOnce(): void
{
$rows = $this->clientIndexes();
$companyNameIndexes = array_filter(
$rows,
static fn (array $r): bool => 'uq_client_company_name_active' === $r['indexname'],
);
self::assertCount(
1,
$companyNameIndexes,
'Il doit exister exactement UN index uq_client_company_name_active.',
);
// Confirme la nature fonctionnelle (LOWER) + partielle (WHERE) de l'index.
// Postgres serialise l'expression sous la forme `lower((company_name)::text)`,
// d'ou des verifications de sous-chaines distinctes.
$def = strtolower((string) array_values($companyNameIndexes)[0]['indexdef']);
self::assertStringContainsString('unique', $def);
self::assertStringContainsString('lower', $def);
self::assertStringContainsString('company_name', $def);
self::assertStringContainsString('where', $def, 'L\'index doit etre partiel (clause WHERE sur les actifs).');
}
public function testNoSirenOrEmailUniqueIndex(): void
{
$names = array_map(static fn (array $r): string => $r['indexname'], $this->clientIndexes());
// RG-1.15 / RG-1.17 supprimees (Q4) : aucun index unique siren / email.
self::assertNotContains('uq_client_siren_active', $names);
self::assertNotContains('uq_client_email_active', $names);
}
/**
* @return list<array{indexname: string, indexdef: string}>
*/
private function clientIndexes(): array
{
self::bootKernel();
/** @var list<array{indexname: string, indexdef: string}> $rows */
return $this->getEm()->getConnection()->fetchAllAssociative(
"SELECT indexname, indexdef FROM pg_indexes WHERE schemaname = 'public' AND tablename = 'client'",
);
}
}
tests/Module/Commercial/Api/ClientPatchStrictTest.php
+52
View File
@@ -0,0 +1,52 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\Client as ClientEntity;
/**
* Test fonctionnel du mode strict PATCH multi-groupes (RG-1.28) — ERP-60.
*
* Le cas est deja couvert en unitaire (ClientProcessorTest) ; on en ajoute la
* preuve fonctionnelle HTTP, SANS dependre d'un role metier : un utilisateur
* portant `commercial.clients.manage` mais PAS `commercial.clients.accounting.manage`
* qui envoie un PATCH melant un champ principal (companyName) et un champ
* comptable (siren) recoit un 403 sur l'ENSEMBLE du payload — aucun champ n'est
* applique (pas de filtrage silencieux).
*
* ⚠ La matrice differenciee par role metier (Bureau / Compta / Commerciale) est
* DELEGUEE a ERP-74 (#493). Ici on n'utilise qu'un user mono-permission.
*
* @internal
*/
final class ClientPatchStrictTest extends AbstractCommercialApiTestCase
{
private const string MERGE = 'application/merge-patch+json';
public function testMixedGroupsPatchWithoutAccountingPermissionIsForbidden(): void
{
$seed = $this->seedClient('Strict Mix');
$credentials = $this->createUserWithPermission('commercial.clients.manage');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
'headers' => ['Content-Type' => self::MERGE],
'json' => [
'companyName' => 'Renamed Strict',
'siren' => '123456789',
],
]);
// RG-1.28 : 403 strict (le champ comptable siren exige accounting.manage).
self::assertResponseStatusCodeSame(403);
// Aucun champ applique : le companyName d'origine est intact.
$em = $this->getEm();
$em->clear();
$reloaded = $em->getRepository(ClientEntity::class)->find($seed->getId());
self::assertNotNull($reloaded);
self::assertSame('STRICT MIX', $reloaded->getCompanyName());
}
}
tests/Module/Commercial/Api/ClientSecurityTest.php
+57
View File
@@ -0,0 +1,57 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
/**
* Tests de securite GENERIQUE de /api/clients (ERP-60).
*
* Couvre les garde-fous non dependants des roles metier :
* - 401 si requete anonyme (firewall JWT) ;
* - 403 si l'utilisateur authentifie ne porte pas `commercial.clients.view`.
*
* ⚠ La matrice RBAC differenciee par role metier (bureau / compta / commerciale
* / usine) et le test fonctionnel RG-1.04 sont DELEGUES a ERP-74 (#493) : ils
* exigent les roles seedes apres le merge de la stack. NE PAS les ajouter ici.
*
* @internal
*/
final class ClientSecurityTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
public function testAnonymousGetCollectionReturns401(): void
{
$client = self::createClient();
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(401);
}
public function testAnonymousGetItemReturns401(): void
{
$seed = $this->seedClient('Anon Item');
$client = self::createClient();
$client->request('GET', '/api/clients/'.$seed->getId(), ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(401);
}
public function testForbiddenWithoutClientsViewPermission(): void
{
// User authentifie portant une permission SANS rapport avec les clients.
$seed = $this->seedClient('Forbidden Target');
$credentials = $this->createUserWithPermission('core.users.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
// Collection.
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(403);
// Detail.
$client->request('GET', '/api/clients/'.$seed->getId(), ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(403);
}
}
tests/Module/Commercial/Api/ClientSubResourceApiTest.php
+320
View File
@@ -0,0 +1,320 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\Client as ClientEntity;
use App\Module\Commercial\Domain\Entity\ClientContact;
use App\Module\Commercial\Domain\Entity\ClientRib;
use App\Module\Commercial\Domain\Entity\PaymentType;
use App\Module\Sites\Domain\Entity\Site;
/**
* Tests fonctionnels des sous-ressources Contacts / Adresses / RIB (ERP-57,
* spec § 4.5). Couvrent : CRUD via admin, normalisation serveur
* (RG-1.19/1.20/1.21), validations (Assert\Count sites RG-1.10, Assert\Iban/Bic),
* regles metier RG-1.13 (DELETE dernier RIB sous LCR -> 409) et RG-1.14 (DELETE
* dernier contact -> 409), plus le gating comptable (POST/PATCH/DELETE de
* client_ribs sans accounting.manage -> 403).
*
* @internal
*/
final class ClientSubResourceApiTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
private const string MERGE = 'application/merge-patch+json';
private const string VALID_IBAN = 'FR1420041010050500013M02606';
private const string VALID_BIC = 'BNPAFRPPXXX';
// === Contacts ===
public function testPostContactNormalizesFields(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Contact Host');
$data = $client->request('POST', '/api/clients/'.$seed->getId().'/contacts', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'firstName' => 'JEAN',
'lastName' => 'dupont',
'phonePrimary' => '06.12.34.56.78',
'email' => 'Jean.DUPONT@ACME.FR',
],
])->toArray();
self::assertResponseStatusCodeSame(201);
// RG-1.19 / 1.20 / 1.21
self::assertSame('Jean', $data['firstName']);
self::assertSame('Dupont', $data['lastName']);
self::assertSame('0612345678', $data['phonePrimary']);
self::assertSame('jean.dupont@acme.fr', $data['email']);
}
public function testPostContactWithoutNameReturns422(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Contact No Name');
$client->request('POST', '/api/clients/'.$seed->getId().'/contacts', [
'headers' => ['Content-Type' => self::LD],
'json' => ['jobTitle' => 'Directeur'],
]);
// RG-1.05
self::assertResponseStatusCodeSame(422);
}
public function testPatchContactNormalizes(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Contact Patch');
$contact = $this->seedContact($seed, 'Paul');
$data = $client->request('PATCH', '/api/client_contacts/'.$contact->getId(), [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['lastName' => 'martin'],
])->toArray();
self::assertResponseStatusCodeSame(200);
self::assertSame('Martin', $data['lastName']);
}
public function testDeleteContactWhenSeveralReturns204(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Contact Multi');
$this->seedContact($seed, 'Premier');
$second = $this->seedContact($seed, 'Second');
$client->request('DELETE', '/api/client_contacts/'.$second->getId());
self::assertResponseStatusCodeSame(204);
}
public function testDeleteLastContactReturns409(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Contact Solo');
$only = $this->seedContact($seed, 'Unique');
$client->request('DELETE', '/api/client_contacts/'.$only->getId());
// RG-1.14
self::assertResponseStatusCodeSame(409);
}
// === Adresses ===
public function testPostAddressNormalizesBillingEmail(): void
{
$this->skipIfSitesModuleDisabled();
$client = $this->createAdminClient();
$seed = $this->seedClient('Address Host');
$siteIri = $this->firstSiteIri();
$data = $client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'isBilling' => true,
'billingEmail' => 'Facturation@ACME.FR',
'postalCode' => '86100',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [$siteIri],
],
])->toArray();
self::assertResponseStatusCodeSame(201);
// RG-1.21
self::assertSame('facturation@acme.fr', $data['billingEmail']);
}
public function testPostAddressWithoutSiteReturns422(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Address No Site');
$client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'postalCode' => '86100',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [],
],
]);
// RG-1.10 (Assert\Count min 1)
self::assertResponseStatusCodeSame(422);
}
public function testPostAddressWithInvalidPostalCodeReturns422(): void
{
$this->skipIfSitesModuleDisabled();
$client = $this->createAdminClient();
$seed = $this->seedClient('Address Bad CP');
$siteIri = $this->firstSiteIri();
$client->request('POST', '/api/clients/'.$seed->getId().'/addresses', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'postalCode' => '123',
'city' => 'Châtellerault',
'street' => '1 rue du Test',
'sites' => [$siteIri],
],
]);
// RG-1.09 (Assert\Regex ^[0-9]{4,5}$)
self::assertResponseStatusCodeSame(422);
}
// === RIBs ===
public function testPostRibByAdminReturns201(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Rib Host');
$data = $client->request('POST', '/api/clients/'.$seed->getId().'/ribs', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'label' => 'Compte principal',
'bic' => self::VALID_BIC,
'iban' => self::VALID_IBAN,
],
])->toArray();
self::assertResponseStatusCodeSame(201);
self::assertSame('Compte principal', $data['label']);
}
public function testPostRibWithInvalidIbanReturns422(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Rib Bad Iban');
$client->request('POST', '/api/clients/'.$seed->getId().'/ribs', [
'headers' => ['Content-Type' => self::LD],
'json' => [
'label' => 'Compte invalide',
'bic' => self::VALID_BIC,
'iban' => 'INVALID-IBAN',
],
]);
// Assert\Iban
self::assertResponseStatusCodeSame(422);
}
public function testDeleteRibNonLcrReturns204(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Rib Non LCR');
$rib = $this->seedRib($seed);
$client->request('DELETE', '/api/client_ribs/'.$rib->getId());
self::assertResponseStatusCodeSame(204);
}
public function testDeleteLastRibUnderLcrReturns409(): void
{
$client = $this->createAdminClient();
$seed = $this->seedClient('Rib LCR Solo');
$this->setPaymentType($seed, 'LCR');
$rib = $this->seedRib($seed);
$client->request('DELETE', '/api/client_ribs/'.$rib->getId());
// RG-1.13
self::assertResponseStatusCodeSame(409);
}
public function testRibWriteWithoutAccountingManageReturns403(): void
{
// Un utilisateur portant seulement commercial.clients.manage (sans
// accounting.manage) ne peut ni creer, ni modifier, ni supprimer un RIB.
$seed = $this->seedClient('Rib Forbidden');
$rib = $this->seedRib($seed);
$credentials = $this->createUserWithPermission('commercial.clients.manage');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('POST', '/api/clients/'.$seed->getId().'/ribs', [
'headers' => ['Content-Type' => self::LD],
'json' => ['label' => 'X', 'bic' => self::VALID_BIC, 'iban' => self::VALID_IBAN],
]);
self::assertResponseStatusCodeSame(403);
$client->request('PATCH', '/api/client_ribs/'.$rib->getId(), [
'headers' => ['Content-Type' => self::MERGE],
'json' => ['label' => 'Y'],
]);
self::assertResponseStatusCodeSame(403);
$client->request('DELETE', '/api/client_ribs/'.$rib->getId());
self::assertResponseStatusCodeSame(403);
}
// === Helpers ===
/**
* Seede un ClientContact rattache a un client (sans passer par l'API).
*/
private function seedContact(ClientEntity $client, string $firstName): ClientContact
{
$em = $this->getEm();
$contact = new ClientContact();
$contact->setFirstName($firstName);
$contact->setClient($client);
$em->persist($contact);
$em->flush();
return $contact;
}
/**
* Seede un ClientRib valide rattache a un client (sans passer par l'API).
*/
private function seedRib(ClientEntity $client): ClientRib
{
$em = $this->getEm();
$rib = new ClientRib();
$rib->setLabel('Seed RIB');
$rib->setBic(self::VALID_BIC);
$rib->setIban(self::VALID_IBAN);
$rib->setClient($client);
$em->persist($rib);
$em->flush();
return $rib;
}
/**
* Affecte un type de reglement (par code) au client seede.
*/
private function setPaymentType(ClientEntity $client, string $code): void
{
$em = $this->getEm();
$type = $em->getRepository(PaymentType::class)->findOneBy(['code' => $code]);
self::assertNotNull($type, sprintf('PaymentType "%s" introuvable (fixtures).', $code));
$managed = $em->getRepository(ClientEntity::class)->find($client->getId());
$managed->setPaymentType($type);
$em->flush();
}
/**
* Retourne l'IRI du premier site seede (fixtures Sites). Skip en amont si le
* module Sites est desactive.
*/
private function firstSiteIri(): string
{
$site = $this->getEm()->getRepository(Site::class)->findOneBy([]);
self::assertNotNull($site, 'Aucun site seede : impossible de tester les adresses.');
return '/api/sites/'.$site->getId();
}
}
tests/Module/Commercial/Api/ClientUniquenessTest.php
+73
View File
@@ -0,0 +1,73 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\Client as ClientEntity;
/**
* Tests d'unicite — combler les trous (ERP-60).
*
* RG-1.16 (doublon de companyName parmi les actifs -> 409) est DEJA couvert par
* ClientApiTest::testPostDuplicateCompanyNameReturns409 (ERP-55). Ce fichier
* verifie l'envers de la decision Q4 (29/05/2026) : le SIREN (RG-1.15 supprimee)
* et l'email (RG-1.17 supprimee) NE SONT PLUS contraints uniques.
*
* @internal
*/
final class ClientUniquenessTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
/**
* RG-1.16 / RG-1.17 (Q4) : deux clients actifs peuvent partager le meme
* email principal — aucune contrainte d'unicite (un email peut servir
* plusieurs clients).
*/
public function testDuplicateEmailIsAllowed(): void
{
$client = $this->createAdminClient();
$cat = $this->createCategory('SECTEUR');
$iri = '/api/categories/'.$cat->getId();
$payload = static fn (string $name): array => [
'companyName' => $name,
'firstName' => 'A',
'phonePrimary' => '0102030405',
'email' => 'partage@test.fr',
'categories' => [$iri],
];
$client->request('POST', '/api/clients', ['headers' => ['Content-Type' => self::LD], 'json' => $payload('Email Share One')]);
self::assertResponseStatusCodeSame(201);
// Meme email, nom different -> doit passer (pas d'index unique email).
$client->request('POST', '/api/clients', ['headers' => ['Content-Type' => self::LD], 'json' => $payload('Email Share Two')]);
self::assertResponseStatusCodeSame(201);
}
/**
* RG-1.15 (Q4) : deux clients peuvent partager le meme SIREN (etablissements
* multiples). Le SIREN n'est pas ecrivable au POST (groupe accounting), on
* seede donc directement via l'ORM et on prouve que le flush ne leve aucune
* violation d'unicite.
*/
public function testDuplicateSirenIsAllowed(): void
{
// Boot kernel pour disposer de l'EM (pas d'appel HTTP necessaire ici).
self::bootKernel();
$em = $this->getEm();
$one = $this->seedClient('Siren Share One');
$two = $this->seedClient('Siren Share Two');
$one->setSiren('123456789');
$two->setSiren('123456789');
$em->flush();
// Aucune exception : preuve qu'il n'existe pas d'index unique sur siren.
self::assertSame('123456789', $em->getRepository(ClientEntity::class)->find($one->getId())->getSiren());
self::assertSame('123456789', $em->getRepository(ClientEntity::class)->find($two->getId())->getSiren());
}
}
tests/Module/Commercial/Api/ReferentialApiTest.php
+253
View File
@@ -0,0 +1,253 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\TvaMode;
use PHPUnit\Framework\Attributes\DataProvider;
/**
* Tests fonctionnels des 4 referentiels comptables lecture seule (ERP-56) :
* tva_mode, payment_delay, payment_type, bank. Cf. spec-back M1 § 4.7.
*
* Couvre les criteres d'acceptation du ticket :
* - les 4 GetCollection repondent 200 avec le seed (CommercialReferentialFixtures) ;
* - tri par defaut position ASC puis label ASC ;
* - POST / PATCH / DELETE -> 405 (aucune operation d'ecriture declaree) ;
* - user authentifie sans commercial.clients.view -> 403 ;
* - anonyme -> 401 ;
* - pagination serveur active (ERP-72) + echappatoire ?pagination=false.
*
* @internal
*/
final class ReferentialApiTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
/**
* Endpoint => codes attendus dans le seed (sous-ensemble verifie present).
*
* @var array<string, list<string>>
*/
private const SEED = [
'/api/tva_modes' => ['FRANCE_VENTES', 'EXPORT_VENTES', 'INTRACOM_VENTES'],
'/api/payment_delays' => ['J15', 'J30', 'A_RECEPTION'],
'/api/payment_types' => ['VIREMENT', 'LCR', 'NON_SOUMISE', 'CHEQUE'],
'/api/banks' => ['SG', 'CIC', 'CA'],
];
/**
* Purge les eventuelles lignes de test inserees dans tva_mode (tri label).
* Les codes du seed ne commencent jamais par TEST_, donc cette purge ne
* touche pas les referentiels metier.
*/
protected function tearDown(): void
{
$this->getEm()
->createQuery('DELETE FROM '.TvaMode::class.' t WHERE t.code LIKE :prefix')
->setParameter('prefix', 'TEST\_%')
->execute()
;
parent::tearDown();
}
/**
* Critere : chaque endpoint repond 200 et expose le seed (id, code, label,
* position) sous le groupe de lecture du referentiel.
*
* @param list<string> $expectedCodes
*/
#[DataProvider('endpointProvider')]
public function testCollectionReturns200WithSeed(string $endpoint, array $expectedCodes): void
{
$client = $this->createAdminClient();
$response = $client->request('GET', $endpoint.'?pagination=false', ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(200);
$members = $response->toArray()['member'];
$codes = array_map(static fn (array $m): string => $m['code'], $members);
foreach ($expectedCodes as $expected) {
self::assertContains($expected, $codes, $endpoint.' doit exposer le code seede '.$expected);
}
// Le DTO de lecture expose bien id / code / label / position.
$first = $members[0];
self::assertArrayHasKey('id', $first);
self::assertArrayHasKey('label', $first);
self::assertArrayHasKey('position', $first);
}
/**
* Critere : GET item repond 200 (recupere via un id reel de la collection).
*/
public function testGetItemReturns200(): void
{
$client = $this->createAdminClient();
$first = $client->request('GET', '/api/tva_modes?pagination=false', ['headers' => ['Accept' => self::LD]])
->toArray()['member'][0]
;
$client->request('GET', '/api/tva_modes/'.$first['id'], ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(200);
}
/**
* Critere : tri par defaut position ASC. Le seed tva_mode est ordonne
* FRANCE_VENTES (10) < EXPORT_VENTES (20) < INTRACOM_VENTES (30).
*/
public function testDefaultSortByPositionAsc(): void
{
$client = $this->createAdminClient();
$codes = array_map(
static fn (array $m): string => $m['code'],
$client->request('GET', '/api/tva_modes?pagination=false', ['headers' => ['Accept' => self::LD]])->toArray()['member'],
);
$expectedOrder = ['FRANCE_VENTES', 'EXPORT_VENTES', 'INTRACOM_VENTES'];
$filtered = array_values(array_intersect($codes, $expectedOrder));
self::assertSame(
$expectedOrder,
$filtered,
'Les modes de TVA doivent etre tries position ASC (§ 4.7).',
);
}
/**
* Critere : a position egale, tri label ASC (departage). On insere deux
* lignes de test partageant la meme position, labels volontairement dans le
* desordre alphabetique ; le tearDown les purge ensuite.
*/
public function testTieBreakSortByLabelAsc(): void
{
$em = $this->getEm();
foreach ([['TEST_TIE_Z', 'ZZZ Tie'], ['TEST_TIE_A', 'AAA Tie']] as [$code, $label]) {
$mode = new TvaMode();
$mode->setCode($code);
$mode->setLabel($label);
$mode->setPosition(9000);
$em->persist($mode);
}
$em->flush();
$client = $this->createAdminClient();
$codes = array_map(
static fn (array $m): string => $m['code'],
$client->request('GET', '/api/tva_modes?pagination=false', ['headers' => ['Accept' => self::LD]])->toArray()['member'],
);
$tie = array_values(array_intersect($codes, ['TEST_TIE_A', 'TEST_TIE_Z']));
self::assertSame(
['TEST_TIE_A', 'TEST_TIE_Z'],
$tie,
'A position egale, le tri secondaire doit etre label ASC (§ 4.7).',
);
}
/**
* Critere ERP-72 : la collection est paginee par defaut. Preuve : une page
* au-dela des donnees est vide (un provider non pagine ignorerait `page`).
* Avec ?pagination=false, le parametre `page` est ignore -> tout revient.
*/
public function testPaginationActiveAndClientToggle(): void
{
$client = $this->createAdminClient();
// Page 2 d'un referentiel tenant sur une page : vide -> pagination active.
$page2 = $client->request('GET', '/api/tva_modes?page=2', ['headers' => ['Accept' => self::LD]])->toArray();
self::assertArrayHasKey('totalItems', $page2);
self::assertSame([], $page2['member'], 'La page 2 doit etre vide : pagination serveur active.');
// ?pagination=false : `page` ignore, le seed complet est renvoye.
$all = $client->request('GET', '/api/tva_modes?pagination=false&page=2', ['headers' => ['Accept' => self::LD]])->toArray();
self::assertNotEmpty($all['member'], '?pagination=false doit desactiver la pagination (page ignoree).');
}
/**
* Critere : aucune operation d'ecriture n'est declaree -> POST sur la
* collection renvoie 405 Method Not Allowed sur les 4 referentiels.
*
* @param list<string> $expectedCodes
*/
#[DataProvider('endpointProvider')]
public function testPostReturns405(string $endpoint, array $expectedCodes): void
{
$client = $this->createAdminClient();
$client->request('POST', $endpoint, [
'headers' => ['Content-Type' => self::LD],
'json' => ['code' => 'X', 'label' => 'X', 'position' => 1],
]);
self::assertResponseStatusCodeSame(405);
}
/**
* Critere : PATCH et DELETE sur un item renvoient 405 (lecture seule).
*/
public function testPatchAndDeleteReturn405(): void
{
$client = $this->createAdminClient();
$first = $client->request('GET', '/api/tva_modes?pagination=false', ['headers' => ['Accept' => self::LD]])
->toArray()['member'][0]
;
$iri = '/api/tva_modes/'.$first['id'];
$client->request('PATCH', $iri, [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['label' => 'Renamed'],
]);
self::assertResponseStatusCodeSame(405);
$client->request('DELETE', $iri);
self::assertResponseStatusCodeSame(405);
}
/**
* Critere : un utilisateur authentifie sans la permission
* commercial.clients.view obtient 403 sur les 4 endpoints.
*
* @param list<string> $expectedCodes
*/
#[DataProvider('endpointProvider')]
public function testForbiddenWithoutPermission(string $endpoint, array $expectedCodes): void
{
// User jetable portant une permission SANS rapport (existe en base mais
// ne donne pas commercial.clients.view).
$creds = $this->createUserWithPermission('core.users.view');
$client = $this->authenticatedClient($creds['username'], $creds['password']);
$client->request('GET', $endpoint, ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(403);
}
/**
* Critere : un appel anonyme (non authentifie) obtient 401 sur les 4
* endpoints.
*
* @param list<string> $expectedCodes
*/
#[DataProvider('endpointProvider')]
public function testUnauthorizedWhenAnonymous(string $endpoint, array $expectedCodes): void
{
$client = self::createClient();
$client->request('GET', $endpoint, ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(401);
}
/**
* @return iterable<string, array{string, list<string>}>
*/
public static function endpointProvider(): iterable
{
foreach (self::SEED as $endpoint => $codes) {
yield $endpoint => [$endpoint, $codes];
}
}
}