test(catalog) : M7 — tests RG-7.01→7.08 + contrat de sérialisation stockage (ERP-215)
This commit is contained in:
@@ -0,0 +1,90 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Module\Catalog\Api;
|
||||
|
||||
/**
|
||||
* RBAC du stockage (M7, ERP-210 — admin-only). Jumeau du ProductRBACMatrixTest.
|
||||
*
|
||||
* La matrice est volontairement tres restrictive : seul l'Admin porte
|
||||
* `catalog.storages.view` / `.manage`. Les 4 personas metier MALIO (Bureau, Compta,
|
||||
* Commerciale, Usine) n'ont AUCUNE permission stockage -> 403 partout. Un porteur de
|
||||
* `view` lit (200) mais ne peut pas creer (403). Anonyme -> 401.
|
||||
*
|
||||
* @internal
|
||||
*/
|
||||
final class StorageRBACMatrixTest extends AbstractStorageApiTestCase
|
||||
{
|
||||
/** Personas metier sans permission stockage (admin-only). */
|
||||
private const array PERSONAS = ['Bureau', 'Compta', 'Commerciale', 'Usine'];
|
||||
|
||||
public function testAdminHasFullAccess(): void
|
||||
{
|
||||
$client = $this->createAdminClient();
|
||||
|
||||
$client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
|
||||
self::assertResponseStatusCodeSame(200);
|
||||
|
||||
$client->request('POST', '/api/storages', [
|
||||
'headers' => ['Content-Type' => self::LD],
|
||||
'json' => $this->validStoragePayload(),
|
||||
]);
|
||||
self::assertResponseStatusCodeSame(201);
|
||||
}
|
||||
|
||||
public function testBusinessPersonasAreForbiddenEverywhere(): void
|
||||
{
|
||||
$storage = $this->seedStorageEntity();
|
||||
$id = (int) $storage->getId();
|
||||
|
||||
foreach (self::PERSONAS as $persona) {
|
||||
$client = $this->createPersonaClient($persona);
|
||||
|
||||
$client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
|
||||
self::assertResponseStatusCodeSame(403, $persona.' ne doit pas lister les stockages.');
|
||||
|
||||
$client->request('GET', '/api/storages/'.$id, ['headers' => ['Accept' => self::LD]]);
|
||||
self::assertResponseStatusCodeSame(403, $persona.' ne doit pas consulter un stockage.');
|
||||
|
||||
$client->request('POST', '/api/storages', [
|
||||
'headers' => ['Content-Type' => self::LD],
|
||||
'json' => $this->validStoragePayload(),
|
||||
]);
|
||||
self::assertResponseStatusCodeSame(403, $persona.' ne doit pas creer de stockage.');
|
||||
|
||||
$client->request('PATCH', '/api/storages/'.$id, [
|
||||
'headers' => ['Content-Type' => self::MERGE],
|
||||
'json' => ['numero' => 'X'],
|
||||
]);
|
||||
self::assertResponseStatusCodeSame(403, $persona.' ne doit pas modifier un stockage.');
|
||||
}
|
||||
}
|
||||
|
||||
public function testViewPermissionReadsButCannotManage(): void
|
||||
{
|
||||
$storage = $this->seedStorageEntity();
|
||||
$client = $this->authView();
|
||||
|
||||
$client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
|
||||
self::assertResponseStatusCodeSame(200);
|
||||
|
||||
$client->request('GET', '/api/storages/'.$storage->getId(), ['headers' => ['Accept' => self::LD]]);
|
||||
self::assertResponseStatusCodeSame(200);
|
||||
|
||||
// view sans manage : creation refusee au niveau securite (403).
|
||||
$client->request('POST', '/api/storages', [
|
||||
'headers' => ['Content-Type' => self::LD],
|
||||
'json' => $this->validStoragePayload(),
|
||||
]);
|
||||
self::assertResponseStatusCodeSame(403);
|
||||
}
|
||||
|
||||
public function testAnonymousIsUnauthorized(): void
|
||||
{
|
||||
$client = self::createClient();
|
||||
|
||||
$client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
|
||||
self::assertResponseStatusCodeSame(401);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user