fix(core) : RBAC review fixes - code readonly in edit, TOCTOU doc, canManage reactive, itemsPerPage 999

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 11:17:13 +02:00
parent d49c317c49
commit 793c58a4a8
5 changed files with 25 additions and 14 deletions
--- a/frontend/modules/core/components/RoleDrawer.vue
+++ b/frontend/modules/core/components/RoleDrawer.vue
@@ -19,8 +19,7 @@
                :label="t('admin.roles.form.code')"
                input-class="w-full"
                required
-                :readonly="isEditMode && role?.isSystem"
-                :hint="isEditMode && role?.isSystem ? t('admin.roles.delete.systemTooltip') : ''"
+                :readonly="isEditMode"
            />

            <MalioInputTextArea
@@ -121,7 +120,7 @@ const permissionsByModule = computed<PermissionModule[]>(() => {
 async function loadPermissions() {
    const data = await api.get<{ member: Permission[] }>(
        '/permissions',
-        { 'orphan': false, itemsPerPage: 200 },
+        { 'orphan': false, itemsPerPage: 999 },
        { toast: false },
    )
    allPermissions.value = data.member
@@ -183,19 +182,24 @@ function handleToggleAll(module: string, selected: boolean) {
 async function handleSave() {
    saving.value = true
    try {
-        const body = {
-            label: form.value.label,
-            code: form.value.code,
-            description: form.value.description || null,
-            permissions: Array.from(selectedPermissionIds.value).map(id => `/api/permissions/${id}`),
-        }
+        const permissions = Array.from(selectedPermissionIds.value).map(id => `/api/permissions/${id}`)

        if (isEditMode.value && props.role) {
-            await api.patch(`/roles/${props.role.id}`, body, {
+            // Le code est immuable apres creation (garde backend RoleProcessor)
+            await api.patch(`/roles/${props.role.id}`, {
+                label: form.value.label,
+                description: form.value.description || null,
+                permissions,
+            }, {
                toastSuccessMessage: t('admin.roles.toast.updated'),
            })
        } else {
-            await api.post('/roles', body, {
+            await api.post('/roles', {
+                label: form.value.label,
+                code: form.value.code,
+                description: form.value.description || null,
+                permissions,
+            }, {
                toastSuccessMessage: t('admin.roles.toast.created'),
            })
        }
--- a/frontend/modules/core/components/UserRbacDrawer.vue
+++ b/frontend/modules/core/components/UserRbacDrawer.vue
@@ -186,7 +186,7 @@ const effectivePermissions = computed<EffectivePermission[]>(() => {
 async function loadData() {
    const [rolesData, permsData] = await Promise.all([
        api.get<{ member: Role[] }>('/roles', {}, { toast: false }),
-        api.get<{ member: Permission[] }>('/permissions', { orphan: false, itemsPerPage: 200 }, { toast: false }),
+        api.get<{ member: Permission[] }>('/permissions', { orphan: false, itemsPerPage: 999 }, { toast: false }),
    ])
    allRoles.value = rolesData.member
    allPermissions.value = permsData.member