MALIO-DEV/Starseed
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

test(commercial) : cover RG-1.01..1.29 except role-gated (M1)
Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Successful in 1m52s
Details
Pull Request — Quality gate / Frontend (lint + Vitest + build) (pull_request) Successful in 1m10s
Details

Browse Source
This commit is contained in:
Matthieu
2026-06-01 16:50:05 +02:00
parent bebaa009b9
commit 1c0ebceaf9
9 changed files with 750 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Module/Commercial/Api/ClientPatchStrictTest.php
+52
View File
@@ -0,0 +1,52 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
use App\Module\Commercial\Domain\Entity\Client as ClientEntity;
/**
* Test fonctionnel du mode strict PATCH multi-groupes (RG-1.28) — ERP-60.
*
* Le cas est deja couvert en unitaire (ClientProcessorTest) ; on en ajoute la
* preuve fonctionnelle HTTP, SANS dependre d'un role metier : un utilisateur
* portant `commercial.clients.manage` mais PAS `commercial.clients.accounting.manage`
* qui envoie un PATCH melant un champ principal (companyName) et un champ
* comptable (siren) recoit un 403 sur l'ENSEMBLE du payload — aucun champ n'est
* applique (pas de filtrage silencieux).
*
* ⚠ La matrice differenciee par role metier (Bureau / Compta / Commerciale) est
* DELEGUEE a ERP-74 (#493). Ici on n'utilise qu'un user mono-permission.
*
* @internal
*/
final class ClientPatchStrictTest extends AbstractCommercialApiTestCase
{
private const string MERGE = 'application/merge-patch+json';
public function testMixedGroupsPatchWithoutAccountingPermissionIsForbidden(): void
{
$seed = $this->seedClient('Strict Mix');
$credentials = $this->createUserWithPermission('commercial.clients.manage');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
'headers' => ['Content-Type' => self::MERGE],
'json' => [
'companyName' => 'Renamed Strict',
'siren' => '123456789',
],
]);
// RG-1.28 : 403 strict (le champ comptable siren exige accounting.manage).
self::assertResponseStatusCodeSame(403);
// Aucun champ applique : le companyName d'origine est intact.
$em = $this->getEm();
$em->clear();
$reloaded = $em->getRepository(ClientEntity::class)->find($seed->getId());
self::assertNotNull($reloaded);
self::assertSame('STRICT MIX', $reloaded->getCompanyName());
}
}