RBAC - Système complet de permissions (Backend + Frontend) (#7)
Some checks failed
Auto Tag Develop / tag (push) Has been cancelled
Some checks failed
Auto Tag Develop / tag (push) Has been cancelled
## Résumé
Implémentation complète du système RBAC (Role-Based Access Control) pour Coltura.
### Backend
- Entités Permission et Role avec API Platform CRUD
- PermissionVoter : vérification des permissions effectives (rôles + directes), admin bypass
- Endpoints `PATCH /users/{id}/rbac` pour assigner rôles, permissions directes et isAdmin
- AdminHeadcountGuard : protection contre la suppression du dernier admin
- Commande `app:sync-permissions` pour synchroniser les permissions déclarées par les modules
- Filtrage sidebar par permission RBAC (`permission` key optionnelle dans sidebar.php)
- 115 tests PHPUnit (fonctionnels + unitaires)
### Frontend
- Composable `usePermissions()` avec `can()`, `canAny()`, `canAll()` et admin bypass
- Page `/admin/roles` : DataTable, création/édition via drawer, suppression avec confirmation
- Page `/admin/users` : DataTable, drawer RBAC avec rôles, permissions directes, résumé effectif
- PermissionGroup : checkboxes groupées par module avec "tout sélectionner"
- EffectivePermissions : résumé lecture seule avec badges source ("via Rôle X" / "Direct")
- Warning auto-édition, toggle isAdmin
- Tests Vitest pour usePermissions
### Permissions déclarées
- `core.users.view` — Voir les utilisateurs
- `core.users.manage` — Gérer les utilisateurs
- `core.roles.view` — Voir les rôles RBAC
- `core.roles.manage` — Gérer les rôles et permissions
- `GET /api/permissions` accessible à tout utilisateur authentifié (catalogue read-only)
## Tickets Lesstime
- ERP-23 (#343) — Entités Permission et Role
- ERP-24 (#344) — API CRUD Roles & Permissions
- ERP-25 (#345) — Voter Symfony + usePermissions
- ERP-26 (#346) — Interface Admin : Gestion des Rôles
- ERP-27 (#347) — Interface Admin : Permissions Utilisateur
## Test plan
- [ ] `make db-reset` puis vérifier les fixtures (admin/alice/bob, rôles système)
- [ ] Login admin : sidebar affiche Gestion des rôles + Utilisateurs
- [ ] Login alice : sidebar masque ces onglets (pas de permission)
- [ ] Page /admin/roles : CRUD rôles, permissions groupées, protection rôles système
- [ ] Page /admin/users : assignation rôles + permissions directes, résumé effectif
- [ ] Warning auto-édition quand admin modifie ses propres droits
- [ ] `make test` : 115 tests PHPUnit passent
- [ ] `cd frontend && npm run test` : tests Vitest passent
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Matthieu <mtholot19@gmail.com>
Co-authored-by: tristan <tristan@yuno.malio.fr>
Reviewed-on: MALIO-DEV/Coltura#7
Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
This commit was merged in pull request #7.
This commit is contained in:
259
frontend/modules/core/components/UserRbacDrawer.vue
Normal file
259
frontend/modules/core/components/UserRbacDrawer.vue
Normal file
@@ -0,0 +1,259 @@
|
||||
<template>
|
||||
<MalioDrawer
|
||||
:model-value="modelValue"
|
||||
:title="t('admin.users.drawer.title', { username: user?.username ?? '' })"
|
||||
drawer-class="w-full max-w-lg"
|
||||
@update:model-value="emit('update:modelValue', $event)"
|
||||
>
|
||||
<div class="flex flex-col gap-6 p-4">
|
||||
<!-- Avertissement auto-edition -->
|
||||
<div
|
||||
v-if="isSelfEdit"
|
||||
class="flex items-center gap-2 rounded-lg border border-yellow-300 bg-yellow-50 px-4 py-3 text-sm text-yellow-800"
|
||||
>
|
||||
<Icon name="mdi:alert-outline" class="size-5 shrink-0" />
|
||||
{{ t('admin.users.drawer.selfWarning') }}
|
||||
</div>
|
||||
|
||||
<!-- Toggle Administrateur -->
|
||||
<MalioCheckbox
|
||||
id="admin-toggle"
|
||||
:label="t('admin.users.drawer.adminToggle')"
|
||||
:model-value="form.isAdmin"
|
||||
label-class="font-semibold text-sm text-neutral-700"
|
||||
@update:model-value="form.isAdmin = $event"
|
||||
/>
|
||||
|
||||
<!-- Section Roles -->
|
||||
<div>
|
||||
<h4 class="mb-3 text-sm font-semibold text-neutral-700">
|
||||
{{ t('admin.users.drawer.rolesSection') }}
|
||||
</h4>
|
||||
<div class="flex flex-col gap-2">
|
||||
<MalioCheckbox
|
||||
v-for="role in allRoles"
|
||||
:key="role.id"
|
||||
:id="`role-${role.id}`"
|
||||
:label="role.label"
|
||||
:model-value="selectedRoleIds.has(role.id)"
|
||||
label-class="text-sm text-neutral-600"
|
||||
@update:model-value="(val: boolean) => toggleRole(role.id, val)"
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Section Permissions directes -->
|
||||
<div>
|
||||
<h4 class="mb-3 text-sm font-semibold text-neutral-700">
|
||||
{{ t('admin.users.drawer.directPermissionsSection') }}
|
||||
</h4>
|
||||
<div v-if="permissionsByModule.length === 0" class="text-sm text-neutral-400">
|
||||
{{ t('admin.roles.permissions.noPermissions') }}
|
||||
</div>
|
||||
<div class="flex flex-col gap-4">
|
||||
<PermissionGroup
|
||||
v-for="group in permissionsByModule"
|
||||
:key="group.module"
|
||||
:module="group.module"
|
||||
:module-label="group.module"
|
||||
:permissions="group.permissions"
|
||||
:selected-ids="selectedDirectPermissionIds"
|
||||
@toggle="handleTogglePermission"
|
||||
@toggle-all="handleToggleAll"
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Section Resume permissions effectives -->
|
||||
<div>
|
||||
<h4 class="mb-3 text-sm font-semibold text-neutral-700">
|
||||
{{ t('admin.users.drawer.summarySection') }}
|
||||
</h4>
|
||||
<EffectivePermissions :permissions="effectivePermissions" />
|
||||
</div>
|
||||
|
||||
<!-- Boutons -->
|
||||
<div class="flex justify-end gap-3 border-t border-neutral-200 pt-4">
|
||||
<MalioButton
|
||||
:label="t('common.cancel')"
|
||||
variant="tertiary"
|
||||
@click="emit('update:modelValue', false)"
|
||||
/>
|
||||
<MalioButton
|
||||
:label="t('common.save')"
|
||||
variant="primary"
|
||||
:disabled="saving"
|
||||
@click="handleSave"
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
</MalioDrawer>
|
||||
</template>
|
||||
|
||||
<script setup lang="ts">
|
||||
import type { Permission, Role, UserListItem, EffectivePermission } from '~/shared/types/rbac'
|
||||
|
||||
interface PermissionModule {
|
||||
module: string
|
||||
permissions: Permission[]
|
||||
}
|
||||
|
||||
const { t } = useI18n()
|
||||
const api = useApi()
|
||||
const auth = useAuthStore()
|
||||
|
||||
const props = defineProps<{
|
||||
modelValue: boolean
|
||||
user: UserListItem | null
|
||||
}>()
|
||||
|
||||
const emit = defineEmits<{
|
||||
'update:modelValue': [value: boolean]
|
||||
saved: []
|
||||
}>()
|
||||
|
||||
const saving = ref(false)
|
||||
const allRoles = ref<Role[]>([])
|
||||
const allPermissions = ref<Permission[]>([])
|
||||
|
||||
const form = ref({ isAdmin: false })
|
||||
const selectedRoleIds = ref(new Set<number>())
|
||||
const selectedDirectPermissionIds = ref(new Set<number>())
|
||||
|
||||
// Detecter l'auto-edition
|
||||
const isSelfEdit = computed(() => props.user?.id === auth.user?.id)
|
||||
|
||||
// Extraire un ID depuis une IRI API Platform
|
||||
function iriToId(iri: string): number {
|
||||
return Number(iri.split('/').pop())
|
||||
}
|
||||
|
||||
// Grouper les permissions par module (pour les checkboxes)
|
||||
const permissionsByModule = computed<PermissionModule[]>(() => {
|
||||
const groups = new Map<string, Permission[]>()
|
||||
for (const perm of allPermissions.value) {
|
||||
if (perm.orphan) continue
|
||||
const list = groups.get(perm.module) || []
|
||||
list.push(perm)
|
||||
groups.set(perm.module, list)
|
||||
}
|
||||
return Array.from(groups.entries())
|
||||
.map(([module, permissions]) => ({ module, permissions }))
|
||||
.sort((a, b) => a.module.localeCompare(b.module))
|
||||
})
|
||||
|
||||
// Calculer les permissions effectives avec leurs sources
|
||||
const effectivePermissions = computed<EffectivePermission[]>(() => {
|
||||
const permMap = new Map<number, Permission>()
|
||||
for (const p of allPermissions.value) {
|
||||
if (!p.orphan) permMap.set(p.id, p)
|
||||
}
|
||||
|
||||
// Construire la map permissionId -> sources[]
|
||||
const result = new Map<number, string[]>()
|
||||
|
||||
// Permissions heritees des roles
|
||||
for (const roleId of selectedRoleIds.value) {
|
||||
const role = allRoles.value.find(r => r.id === roleId)
|
||||
if (!role) continue
|
||||
for (const p of role.permissions) {
|
||||
const pid = typeof p === 'string' ? iriToId(p) : p.id
|
||||
const sources = result.get(pid) || []
|
||||
sources.push(t('admin.users.drawer.sourceRole', { role: role.label }))
|
||||
result.set(pid, sources)
|
||||
}
|
||||
}
|
||||
|
||||
// Permissions directes
|
||||
for (const pid of selectedDirectPermissionIds.value) {
|
||||
const sources = result.get(pid) || []
|
||||
sources.push(t('admin.users.drawer.sourceDirect'))
|
||||
result.set(pid, sources)
|
||||
}
|
||||
|
||||
// Construire la liste finale
|
||||
return Array.from(result.entries())
|
||||
.map(([pid, sources]) => {
|
||||
const perm = permMap.get(pid)
|
||||
if (!perm) return null
|
||||
return { code: perm.code, label: perm.label, module: perm.module, sources }
|
||||
})
|
||||
.filter((p): p is EffectivePermission => p !== null)
|
||||
.sort((a, b) => a.code.localeCompare(b.code))
|
||||
})
|
||||
|
||||
// Charger roles et permissions
|
||||
async function loadData() {
|
||||
const [rolesData, permsData] = await Promise.all([
|
||||
api.get<{ member: Role[] }>('/roles', {}, { toast: false }),
|
||||
api.get<{ member: Permission[] }>('/permissions', { orphan: false, itemsPerPage: 999 }, { toast: false }),
|
||||
])
|
||||
allRoles.value = rolesData.member
|
||||
allPermissions.value = permsData.member
|
||||
}
|
||||
|
||||
// Remplir le formulaire quand le user change
|
||||
watch(() => props.user, (user) => {
|
||||
if (user) {
|
||||
form.value.isAdmin = user.isAdmin
|
||||
selectedRoleIds.value = new Set(user.roles.map(iriToId))
|
||||
selectedDirectPermissionIds.value = new Set(user.directPermissions.map(iriToId))
|
||||
} else {
|
||||
form.value.isAdmin = false
|
||||
selectedRoleIds.value = new Set()
|
||||
selectedDirectPermissionIds.value = new Set()
|
||||
}
|
||||
}, { immediate: true })
|
||||
|
||||
// Charger les donnees quand le drawer s'ouvre
|
||||
watch(() => props.modelValue, (open) => {
|
||||
if (open) loadData()
|
||||
})
|
||||
|
||||
function toggleRole(id: number, selected: boolean) {
|
||||
const ids = new Set(selectedRoleIds.value)
|
||||
if (selected) ids.add(id)
|
||||
else ids.delete(id)
|
||||
selectedRoleIds.value = ids
|
||||
}
|
||||
|
||||
function handleTogglePermission(id: number, selected: boolean) {
|
||||
const ids = new Set(selectedDirectPermissionIds.value)
|
||||
if (selected) ids.add(id)
|
||||
else ids.delete(id)
|
||||
selectedDirectPermissionIds.value = ids
|
||||
}
|
||||
|
||||
function handleToggleAll(module: string, selected: boolean) {
|
||||
const ids = new Set(selectedDirectPermissionIds.value)
|
||||
const group = permissionsByModule.value.find(g => g.module === module)
|
||||
if (!group) return
|
||||
for (const perm of group.permissions) {
|
||||
if (selected) ids.add(perm.id)
|
||||
else ids.delete(perm.id)
|
||||
}
|
||||
selectedDirectPermissionIds.value = ids
|
||||
}
|
||||
|
||||
async function handleSave() {
|
||||
if (!props.user) return
|
||||
saving.value = true
|
||||
try {
|
||||
await api.patch(`/users/${props.user.id}/rbac`, {
|
||||
isAdmin: form.value.isAdmin,
|
||||
roles: Array.from(selectedRoleIds.value).map(id => `/api/roles/${id}`),
|
||||
directPermissions: Array.from(selectedDirectPermissionIds.value).map(id => `/api/permissions/${id}`),
|
||||
}, {
|
||||
toastSuccessMessage: t('admin.users.toast.updated'),
|
||||
})
|
||||
// Rafraichir les donnees du user courant si auto-edition
|
||||
if (isSelfEdit.value) {
|
||||
await auth.refreshUser()
|
||||
}
|
||||
emit('saved')
|
||||
emit('update:modelValue', false)
|
||||
} finally {
|
||||
saving.value = false
|
||||
}
|
||||
}
|
||||
</script>
|
||||
Reference in New Issue
Block a user