fix(commercial) : compare categories by value in guardManage (avoid false 403 on full-representation PATCH)

2026-06-01 23:00:51 +02:00
parent 49cf798fc9
commit 840fc3671e
2 changed files with 116 additions and 3 deletions
@@ -218,6 +218,60 @@ final class ClientRBACMatrixTest extends AbstractCommercialApiTestCase
        self::assertResponseStatusCodeSame(201);
    }

+    public function testComptaFullRepresentationPatchWithUnchangedCategoriesIsNotForbidden(): void
+    {
+        // FIX review MR #40 : un Compta (accounting.manage, PAS manage) faisant un
+        // PATCH representation complete de l'onglet Comptabilite et reincluant ses
+        // categories INCHANGEES ne doit PAS prendre de 403. guardManage compare
+        // desormais les categories par valeur (et non par simple presence) : seul
+        // l'onglet Comptabilite change ici -> 200.
+        $seed     = $this->seedClient('Compta Cat Unchanged');
+        $category = $seed->getCategories()->first();
+        self::assertNotFalse($category);
+        $catId  = $category->getId();
+        $client = $this->authAs('compta');
+
+        $client->request('PATCH', '/api/clients/'.$seed->getId(), [
+            'headers' => ['Content-Type' => self::MERGE],
+            'json'    => [
+                'siren'      => '123456789',
+                'categories' => ['/api/categories/'.$catId],
+            ],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+    }
+
+    public function testComptaChangingCategoriesIsForbidden(): void
+    {
+        // Non-regression : si le Compta change REELLEMENT l'ensemble des
+        // categories (sans manage) -> 403 via guardManage. La comparaison par
+        // valeur detecte bien le changement.
+        $seed   = $this->seedClient('Compta Cat Change');
+        $newCat = $this->createCategory('SECTEUR');
+        $client = $this->authAs('compta');
+
+        $client->request('PATCH', '/api/clients/'.$seed->getId(), [
+            'headers' => ['Content-Type' => self::MERGE],
+            'json'    => ['categories' => ['/api/categories/'.$newCat->getId()]],
+        ]);
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testBureauChangingCategoriesIsAllowed(): void
+    {
+        // Non-regression : un role porteur de `manage` (Bureau) peut changer les
+        // categories -> 200.
+        $seed   = $this->seedClient('Bureau Cat Change');
+        $newCat = $this->createCategory('SECTEUR');
+        $client = $this->authAs('bureau');
+
+        $client->request('PATCH', '/api/clients/'.$seed->getId(), [
+            'headers' => ['Content-Type' => self::MERGE],
+            'json'    => ['categories' => ['/api/categories/'.$newCat->getId()]],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+    }
+
    private function authAs(string $role): Client
    {
        return $this->authenticatedClient($role, self::PWD);