refactor(core) : RBAC #344 - polish review - narrow rbac read group + fail-fast processors

2026-04-15 14:28:02 +02:00
parent 3c7dc88fe7
commit 534bdbccdd
5 changed files with 54 additions and 14 deletions
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -43,7 +43,7 @@ use Symfony\Component\Serializer\Attribute\SerializedName;
            uriTemplate: '/users/{id}/rbac',
            // TODO ticket #345 : remplacer par is_granted('core.users.manage')
            security: "is_granted('ROLE_ADMIN')",
-            normalizationContext: ['groups' => ['user:list']],
+            normalizationContext: ['groups' => ['user:rbac:read']],
            denormalizationContext: ['groups' => ['user:rbac:write']],
            processor: UserRbacProcessor::class,
        ),
@@ -58,7 +58,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column]
-    #[Groups(['me:read', 'user:list'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:read'])]
    private ?int $id = null;

    #[ORM\Column(length: 180, unique: true)]
@@ -66,7 +66,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
    private ?string $username = null;

    #[ORM\Column(name: 'is_admin', options: ['default' => false])]
-    #[Groups(['me:read', 'user:list', 'user:rbac:write'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
    private bool $isAdmin = false;

    /**
@@ -81,7 +81,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     */
    #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
    #[ORM\JoinTable(name: 'user_role')]
-    #[Groups(['me:read', 'user:list', 'user:rbac:write'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
    // La propriete s'appelle `rbacRoles` cote PHP pour ne pas entrer en
    // collision avec UserInterface::getRoles() (qui renvoie list<string>) ;
    // on reexpose la cle JSON sous `roles` via SerializedName pour rester
@@ -99,7 +99,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     */
    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
    #[ORM\JoinTable(name: 'user_permission')]
-    #[Groups(['me:read', 'user:list', 'user:rbac:write'])]
+    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
    private Collection $directPermissions;

    #[ORM\Column]
@@ -152,6 +152,8 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     * la Collection peut ne pas etre hydratee. On se contente d'un calcul
     * base sur un scalaire.
     *
+     * @see getRbacRoles() pour la collection RBAC metier (exposee en JSON sous la cle "roles").
+     *
     * @return list<string>
     */
    public function getRoles(): array