MALIO-DEV/Starseed
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

RBAC - Système complet de permissions (Backend + Frontend) (#7)
Some checks failed
Auto Tag Develop / tag (push) Has been cancelled
Details

Browse Source 
## Résumé

Implémentation complète du système RBAC (Role-Based Access Control) pour Coltura.

### Backend
- Entités Permission et Role avec API Platform CRUD
- PermissionVoter : vérification des permissions effectives (rôles + directes), admin bypass
- Endpoints `PATCH /users/{id}/rbac` pour assigner rôles, permissions directes et isAdmin
- AdminHeadcountGuard : protection contre la suppression du dernier admin
- Commande `app:sync-permissions` pour synchroniser les permissions déclarées par les modules
- Filtrage sidebar par permission RBAC (`permission` key optionnelle dans sidebar.php)
- 115 tests PHPUnit (fonctionnels + unitaires)

### Frontend
- Composable `usePermissions()` avec `can()`, `canAny()`, `canAll()` et admin bypass
- Page `/admin/roles` : DataTable, création/édition via drawer, suppression avec confirmation
- Page `/admin/users` : DataTable, drawer RBAC avec rôles, permissions directes, résumé effectif
- PermissionGroup : checkboxes groupées par module avec "tout sélectionner"
- EffectivePermissions : résumé lecture seule avec badges source ("via Rôle X" / "Direct")
- Warning auto-édition, toggle isAdmin
- Tests Vitest pour usePermissions

### Permissions déclarées
- `core.users.view` — Voir les utilisateurs
- `core.users.manage` — Gérer les utilisateurs
- `core.roles.view` — Voir les rôles RBAC
- `core.roles.manage` — Gérer les rôles et permissions
- `GET /api/permissions` accessible à tout utilisateur authentifié (catalogue read-only)

## Tickets Lesstime

- ERP-23 (#343) — Entités Permission et Role
- ERP-24 (#344) — API CRUD Roles & Permissions
- ERP-25 (#345) — Voter Symfony + usePermissions
- ERP-26 (#346) — Interface Admin : Gestion des Rôles
- ERP-27 (#347) — Interface Admin : Permissions Utilisateur

## Test plan

- [ ] `make db-reset` puis vérifier les fixtures (admin/alice/bob, rôles système)
- [ ] Login admin : sidebar affiche Gestion des rôles + Utilisateurs
- [ ] Login alice : sidebar masque ces onglets (pas de permission)
- [ ] Page /admin/roles : CRUD rôles, permissions groupées, protection rôles système
- [ ] Page /admin/users : assignation rôles + permissions directes, résumé effectif
- [ ] Warning auto-édition quand admin modifie ses propres droits
- [ ] `make test` : 115 tests PHPUnit passent
- [ ] `cd frontend && npm run test` : tests Vitest passent

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Matthieu <mtholot19@gmail.com>
Co-authored-by: tristan <tristan@yuno.malio.fr>
Reviewed-on: MALIO-DEV/Coltura#7
Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
This commit was merged in pull request #7.
This commit is contained in:
THOLOT DECHENE Matthieu
2026-04-17 12:34:38 +00:00
committed by Autin
parent b59d0f8a44
commit e8c2789435
65 changed files with 9985 additions and 386 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
tests/Module/Core/Api/AbstractApiTestCase.php Normal file
View File

@@ -0,0 +1,133 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Core\Api;
use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use ApiPlatform\Symfony\Bundle\Test\Client;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
/**
* Classe de base pour les tests fonctionnels API Platform du module Core.
*
* Mutualise :
* - `$alwaysBootKernel = true` : bascule le nouveau comportement API Platform 5
* et evite la deprecation emise a la creation du client de test.
* - `authenticatedClient()` : cree un client authentifie via `/login_check`
* (cookie BEARER HTTP-only pose par lexik_jwt_authentication).
* - `getEm()` : recupere l'EntityManager depuis le container courant.
* A rappeler apres chaque createClient() car le kernel est reboote.
* - `createUserWithPermission()` : cree un user non-admin jetable portant
* une permission specifique via un role custom. Utile pour prouver qu'un
* non-admin avec la permission obtient 200, et sans la permission 403.
*
* @internal
*/
abstract class AbstractApiTestCase extends ApiTestCase
{
// Bascule explicite sur le nouveau comportement API Platform 5 pour
// eviter la deprecation emise a la creation du client de test.
protected static ?bool $alwaysBootKernel = true;
/**
* Recupere l'EntityManager depuis le container courant. A utiliser a
* chaque appel : apres un createClient(), le kernel est reboote et tout
* EM precedemment capture est invalide.
*/
protected function getEm(): EntityManagerInterface
{
if (!self::$kernel) {
self::bootKernel();
}
return self::getContainer()->get('doctrine')->getManager();
}
/**
* Cree un client authentifie via /login_check. La configuration du projet
* pose le JWT dans un cookie HTTP-only `BEARER` (cf. lexik_jwt_authentication.yaml)
* et retire le token du body de reponse ; le client BrowserKit persiste
* automatiquement le cookie pour les requetes suivantes.
*/
protected function authenticatedClient(string $username, string $password): Client
{
$client = self::createClient();
$response = $client->request('POST', '/login_check', [
'headers' => ['Content-Type' => 'application/json'],
'json' => ['username' => $username, 'password' => $password],
]);
self::assertContains(
$response->getStatusCode(),
[200, 204],
'Login failed for '.$username.': '.$response->getStatusCode(),
);
return $client;
}
/**
* Cree un utilisateur non-admin portant une permission specifique via un
* role custom jetable. A utiliser dans les tests fonctionnels qui doivent
* prouver qu'un non-admin avec la permission requise obtient 200, et
* sans la permission obtient 403.
*
* Le user et le role sont persistes avec un suffixe aleatoire pour eviter
* les collisions inter-tests. Le password est "testpass".
*
* Prerequis : la permission identifiee par $permissionCode doit exister en
* base (seeder via `app:sync-permissions`). Si elle est introuvable, le test
* echoue immediatement avec un message explicite.
*
* @param string $permissionCode Le code de la permission (ex: "core.users.view")
*
* @return array{username: string, password: string} Les identifiants pour authenticatedClient()
*/
protected function createUserWithPermission(string $permissionCode): array
{
if (!self::$kernel) {
self::bootKernel();
}
$em = $this->getEm();
/** @var null|Permission $permission */
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => $permissionCode]);
self::assertNotNull(
$permission,
sprintf(
'Permission "%s" introuvable en base. Assurez-vous que `app:sync-permissions` a ete execute.',
$permissionCode,
),
);
$suffix = substr(bin2hex(random_bytes(4)), 0, 8);
$username = 'testuser_'.$suffix;
$password = 'testpass';
/** @var UserPasswordHasherInterface $hasher */
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
$role = new Role('test_'.$suffix, 'Test Role '.$suffix, false);
$role->addPermission($permission);
$em->persist($role);
$user = new User();
$user->setUsername($username);
$user->setIsAdmin(false);
$user->setPassword($hasher->hashPassword($user, $password));
$user->addRbacRole($role);
$em->persist($user);
$em->flush();
$em->clear();
return ['username' => $username, 'password' => $password];
}
}

169
tests/Module/Core/Api/MeApiTest.php Normal file
View File

@@ -0,0 +1,169 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Core\Api;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
/**
* Tests fonctionnels de l'endpoint GET /api/me.
*
* Verifie que la reponse inclut `isAdmin` et `effectivePermissions`
* dans le groupe de serialisation `me:read`.
*
* Strategie de donnees :
* - Les tests 1-3 s'appuient exclusivement sur les fixtures (admin/alice).
* - Le test 4 cree un user jetable prefixe `test_me_` + role + permission,
* purges en tearDown.
*
* @internal
*/
final class MeApiTest extends AbstractApiTestCase
{
private const TEST_USER_PREFIX = 'test_me_';
private const TEST_ROLE_PREFIX = 'test_me_';
private const TEST_PERMISSION_PREFIX = 'test.me.';
protected function tearDown(): void
{
$this->cleanupTestData();
parent::tearDown();
}
/**
* L'admin (isAdmin=true, role systeme sans permission explicite) doit
* obtenir un payload /me avec isAdmin=true et effectivePermissions=[].
*/
public function testMeEndpointReturnsIsAdminAndEffectivePermissionsForAdmin(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/me', [
'headers' => ['Accept' => 'application/ld+json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertSame('admin', $data['username'], 'Le champ username doit etre "admin".');
self::assertTrue($data['isAdmin'], 'isAdmin doit etre true pour l\'admin fixture.');
self::assertArrayHasKey('effectivePermissions', $data, 'effectivePermissions doit etre present dans le payload.');
self::assertIsArray($data['effectivePermissions'], 'effectivePermissions doit etre un tableau JSON.');
// Le role systeme admin n'a pas de permissions explicites : tableau vide attendu.
self::assertSame([], $data['effectivePermissions'], 'effectivePermissions doit etre [] pour l\'admin sans permissions explicites.');
}
/**
* Un utilisateur standard (isAdmin=false, role user sans permission) doit
* obtenir isAdmin=false et effectivePermissions=[].
*/
public function testMeEndpointReturnsEmptyPermissionsForStandardUser(): void
{
$client = $this->authenticatedClient('alice', 'alice');
$response = $client->request('GET', '/api/me', [
'headers' => ['Accept' => 'application/ld+json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertFalse($data['isAdmin'], 'isAdmin doit etre false pour alice.');
self::assertArrayHasKey('effectivePermissions', $data, 'effectivePermissions doit etre present dans le payload.');
self::assertSame([], $data['effectivePermissions'], 'effectivePermissions doit etre [] pour un user sans role avec permission.');
}
/**
* Une requete non authentifiee sur /api/me doit retourner 401.
*/
public function testMeEndpointRequiresAuthentication(): void
{
$client = self::createClient();
$client->request('GET', '/api/me', [
'headers' => ['Accept' => 'application/ld+json'],
]);
self::assertResponseStatusCodeSame(401);
}
/**
* Un user rattache a un role portant la permission `core.users.view` doit
* retrouver cette permission dans effectivePermissions, triee alphabetiquement.
*/
public function testMeEndpointReturnsEffectivePermissionsForUserWithRolePermissions(): void
{
// --- Preparation des donnees de test ---
self::bootKernel();
$em = $this->getEm();
$this->cleanupTestData();
/** @var UserPasswordHasherInterface $hasher */
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
$permission = new Permission('test.me.core.users.view', 'View users (test me)', 'core');
$em->persist($permission);
$role = new Role('test_me_viewer', 'Viewer (test me)', false);
$role->addPermission($permission);
$em->persist($role);
$user = new User();
$user->setUsername('test_me_viewer_user');
$user->setIsAdmin(false);
$user->setPassword($hasher->hashPassword($user, 'secret'));
$user->addRbacRole($role);
$em->persist($user);
$em->flush();
$em->clear();
// --- Appel API ---
$client = $this->authenticatedClient('test_me_viewer_user', 'secret');
$response = $client->request('GET', '/api/me', [
'headers' => ['Accept' => 'application/ld+json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertArrayHasKey('effectivePermissions', $data, 'effectivePermissions doit etre present dans le payload.');
self::assertContains(
'test.me.core.users.view',
$data['effectivePermissions'],
'effectivePermissions doit contenir le code de permission du role attribue.',
);
// Verifie le tri alphabetique (contrat spec section 9 ticket-343).
$sorted = $data['effectivePermissions'];
$copy = $sorted;
sort($copy);
self::assertSame($copy, $sorted, 'effectivePermissions doit etre trie alphabetiquement.');
}
/**
* Purge les entites de test creees par les methodes ci-dessus.
* Ordre : users d'abord (FK vers roles), puis roles, puis permissions.
*/
private function cleanupTestData(): void
{
$em = $this->getEm();
$em->createQuery(
'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
)->setParameter('prefix', self::TEST_USER_PREFIX.'%')->execute();
$em->createQuery(
'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
)->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
$em->createQuery(
'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
)->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
}
}

208
tests/Module/Core/Api/PermissionApiTest.php Normal file
View File

@@ -0,0 +1,208 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Core\Api;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
/**
* Tests fonctionnels de l'exposition API Platform de l'entite Permission.
*
* Strategie de donnees : on cree directement quelques instances de Permission
* via l'EntityManager au setUp (choix le plus simple et le plus rapide, pas
* besoin de booter la commande app:sync-permissions). Les fixtures de test
* sont prefixees par "test." pour ne pas collisionner avec d'eventuelles
* permissions reelles et sont nettoyees en tearDown.
*
* @internal
*/
final class PermissionApiTest extends AbstractApiTestCase
{
private const TEST_CODE_PREFIX = 'test.';
protected function setUp(): void
{
parent::setUp();
// On boote le kernel une fois pour pouvoir seeder les fixtures.
// ATTENTION : ne pas stocker l'EntityManager dans une propriete,
// chaque createClient() dans les tests rebootera le kernel et
// invalidera tout EM capture ici (cf. $alwaysBootKernel = true).
self::bootKernel();
$em = $this->getEm();
// Nettoyage defensif au cas ou un run precedent aurait laisse des restes.
$this->cleanupTestPermissions();
// Donnees de test : deux permissions "core" dont une orpheline,
// plus une permission d'un autre module pour verifier le filtre.
$p1 = new Permission('test.core.users.view', 'View users (test)', 'core');
$p2 = new Permission('test.core.users.manage', 'Manage users (test)', 'core');
$p3 = new Permission('test.commercial.clients.view', 'View clients (test)', 'commercial');
$p2->markOrphan();
$em->persist($p1);
$em->persist($p2);
$em->persist($p3);
$em->flush();
$em->clear();
}
protected function tearDown(): void
{
$this->cleanupTestPermissions();
parent::tearDown();
}
public function testGetCollectionAsAdminReturns200(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/permissions');
self::assertResponseIsSuccessful();
$data = $response->toArray();
// API Platform 4 emet du JSON-LD 1.1 avec un @context qui utilise un
// @vocab : les cles sortent donc non prefixees (`member`, `totalItems`)
// au lieu des anciennes `hydra:member` / `hydra:totalItems`.
self::assertArrayHasKey('member', $data);
self::assertGreaterThanOrEqual(3, $data['totalItems']);
}
public function testCollectionFilterByModule(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/permissions', [
'query' => ['module' => 'core'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
foreach ($data['member'] as $item) {
self::assertSame('core', $item['module']);
}
// Doit contenir au moins nos deux permissions core de test.
$codes = array_column($data['member'], 'code');
self::assertContains('test.core.users.view', $codes);
self::assertContains('test.core.users.manage', $codes);
self::assertNotContains('test.commercial.clients.view', $codes);
}
public function testCollectionFilterByOrphanTrue(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/permissions', [
'query' => ['orphan' => 'true'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
foreach ($data['member'] as $item) {
self::assertTrue($item['orphan']);
}
$codes = array_column($data['member'], 'code');
// La permission marquee orpheline dans setUp() doit remonter...
self::assertContains('test.core.users.manage', $codes);
// ...et celles non orphelines doivent etre exclues.
self::assertNotContains('test.core.users.view', $codes);
self::assertNotContains('test.commercial.clients.view', $codes);
}
public function testCollectionFilterByOrphanFalse(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/permissions', [
'query' => ['orphan' => 'false'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
foreach ($data['member'] as $item) {
self::assertFalse($item['orphan']);
}
$codes = array_column($data['member'], 'code');
self::assertContains('test.core.users.view', $codes);
self::assertNotContains('test.core.users.manage', $codes);
}
public function testGetItemAsAdminReturnsAllReadFields(): void
{
/** @var null|Permission $permission */
$permission = $this->getEm()->getRepository(Permission::class)
->findOneBy(['code' => 'test.core.users.view'])
;
self::assertNotNull($permission);
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/permissions/'.$permission->getId());
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertSame($permission->getId(), $data['id']);
self::assertSame('test.core.users.view', $data['code']);
self::assertSame('View users (test)', $data['label']);
self::assertSame('core', $data['module']);
self::assertFalse($data['orphan']);
}
public function testPostIsMethodNotAllowed(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$client->request('POST', '/api/permissions', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => ['code' => 'test.foo.bar.baz', 'label' => 'Foo', 'module' => 'foo'],
]);
self::assertResponseStatusCodeSame(405);
}
public function testUnauthenticatedReturns401(): void
{
$client = self::createClient();
$client->request('GET', '/api/permissions');
self::assertResponseStatusCodeSame(401);
}
public function testStandardUserCanListPermissions(): void
{
// Le catalogue de permissions est accessible a tout utilisateur authentifie.
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/permissions');
self::assertResponseIsSuccessful();
}
public function testStandardUserCanGetPermission(): void
{
$permission = $this->getEm()->getRepository(Permission::class)
->findOneBy(['code' => 'test.core.users.view'])
;
self::assertNotNull($permission);
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/permissions/'.$permission->getId());
self::assertResponseIsSuccessful();
}
private function cleanupTestPermissions(): void
{
$em = $this->getEm();
// Purge des users et roles jetables crees par createUserWithPermission().
$em->createQuery(
'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
)->setParameter('prefix', 'testuser_%')->execute();
$em->createQuery(
'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
)->setParameter('prefix', 'test_%')->execute();
$em->createQuery(
'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
)->setParameter('prefix', self::TEST_CODE_PREFIX.'%')->execute();
}
}

481
tests/Module/Core/Api/RoleApiTest.php Normal file
View File

@@ -0,0 +1,481 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Core\Api;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use App\Module\Core\Domain\Security\SystemRoles;
/**
* Tests fonctionnels de l'exposition API Platform de l'entite Role (CRUD nominal).
*
* Strategie :
* - Les roles systeme `admin` et `user` sont deja charges par les fixtures
* (cf. AppFixtures::ensureSystemRole). On ne les touche JAMAIS.
* - Les roles et permissions crees pour les tests ont le prefixe `test.` et
* sont purges en setUp + tearDown par DQL prefixe.
* - Les cas 403 sur role systeme et 400 sur modification de `code` sont
* reportes a la Task 3 (RoleProcessor) et ne sont PAS testes ici.
*
* @internal
*/
final class RoleApiTest extends AbstractApiTestCase
{
// Prefixe pour les roles de test : `test_` (underscore) parce que les
// codes de role doivent matcher `/^[a-z][a-z0-9_]*$/` (pas de point
// autorise, contrairement aux permissions).
private const TEST_ROLE_PREFIX = 'test_';
// Prefixe pour les permissions de test : `test.` (point) parce que les
// codes de permission doivent contenir au moins un `.` (convention
// module.resource.action validee dans le constructeur Permission).
private const TEST_PERMISSION_PREFIX = 'test.';
protected function setUp(): void
{
parent::setUp();
self::bootKernel();
$em = $this->getEm();
// Nettoyage defensif au cas ou un run precedent aurait laisse des restes.
$this->cleanupTestData();
// Permissions de test reutilisables (notamment pour le PATCH).
$p1 = new Permission('test.core.roles.view', 'View roles (test)', 'core');
$p2 = new Permission('test.core.roles.manage', 'Manage roles (test)', 'core');
$em->persist($p1);
$em->persist($p2);
// Role custom existant : utilise pour les GET / PATCH / DELETE.
$editor = new Role('test_editor', 'Editeur (test)', false, 'Role de test editeur');
$em->persist($editor);
// Deuxieme role custom : pour enrichir les collections.
$viewer = new Role('test_viewer', 'Visualisateur (test)', false);
$em->persist($viewer);
$em->flush();
$em->clear();
}
protected function tearDown(): void
{
$this->cleanupTestData();
parent::tearDown();
}
public function testPostCreatesCustomRoleAsAdmin(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
'code' => 'test_new_editor',
'label' => 'Nouvel editeur',
'description' => 'Role de test',
],
]);
self::assertResponseStatusCodeSame(201);
$data = $response->toArray();
self::assertSame('test_new_editor', $data['code']);
self::assertSame('Nouvel editeur', $data['label']);
self::assertFalse($data['isSystem']);
// Verification cote base : le role existe et isSystem = false.
$persisted = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_new_editor']);
self::assertNotNull($persisted);
self::assertFalse($persisted->isSystem());
}
public function testPostWithDuplicateCodeReturns422(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
// `admin` est un role systeme charge par les fixtures.
'code' => SystemRoles::ADMIN_CODE,
'label' => 'Tentative de doublon',
],
]);
self::assertResponseStatusCodeSame(422);
}
public function testPostWithInvalidCodeReturns422(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
// Majuscules interdites par la regex snake_case.
'code' => 'BadCode',
'label' => 'Code invalide',
],
]);
self::assertResponseStatusCodeSame(422);
}
public function testPostWithIsSystemTrueIgnoresItAndPersistsFalse(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
'code' => 'test_sneaky',
'label' => 'Tentative systeme',
'isSystem' => true,
],
]);
self::assertResponseStatusCodeSame(201);
$data = $response->toArray();
self::assertFalse($data['isSystem']);
$persisted = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_sneaky']);
self::assertNotNull($persisted);
self::assertFalse($persisted->isSystem());
}
public function testGetCollectionAsAdminReturnsRoles(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/roles');
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertArrayHasKey('member', $data);
// Au moins admin systeme + user systeme + test_editor + test_viewer.
self::assertGreaterThanOrEqual(4, $data['totalItems']);
$codes = array_column($data['member'], 'code');
self::assertContains('test_editor', $codes);
}
public function testGetCollectionFilterByIsSystemTrue(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/roles', [
'query' => ['isSystem' => 'true'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
foreach ($data['member'] as $item) {
self::assertTrue($item['isSystem']);
}
$codes = array_column($data['member'], 'code');
self::assertNotContains('test_editor', $codes);
self::assertNotContains('test_viewer', $codes);
}
public function testGetItemReturnsAllReadFields(): void
{
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
self::assertNotNull($role);
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/roles/'.$role->getId());
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertSame('test_editor', $data['code']);
self::assertSame('Editeur (test)', $data['label']);
self::assertSame('Role de test editeur', $data['description']);
self::assertFalse($data['isSystem']);
self::assertArrayHasKey('permissions', $data);
self::assertIsArray($data['permissions']);
}
public function testPatchCustomRoleUpdatesLabelAndAddsPermission(): void
{
$em = $this->getEm();
$role = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
self::assertNotNull($role);
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'test.core.roles.view']);
self::assertNotNull($permission);
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('PATCH', '/api/roles/'.$role->getId(), [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => [
'label' => 'Editeur modifie',
'permissions' => ['/api/permissions/'.$permission->getId()],
],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertSame('Editeur modifie', $data['label']);
self::assertCount(1, $data['permissions']);
// Verification cote base.
$em->clear();
/** @var Role $reloaded */
$reloaded = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
self::assertSame('Editeur modifie', $reloaded->getLabel());
self::assertCount(1, $reloaded->getPermissions());
}
public function testDeleteCustomRoleReturns204(): void
{
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_viewer']);
self::assertNotNull($role);
$id = $role->getId();
$client = $this->authenticatedClient('admin', 'admin');
$client->request('DELETE', '/api/roles/'.$id);
self::assertResponseStatusCodeSame(204);
$em = $this->getEm();
$em->clear();
self::assertNull($em->getRepository(Role::class)->find($id));
}
public function testDeleteCustomRoleAttachedToUserDoesNotDeleteUser(): void
{
// Scenario spec #344 sections 7 & 11 : supprimer un role custom rattache
// a un user doit laisser le user en base (la FK user_role est nettoyee
// par ON DELETE CASCADE, mais jamais le user lui-meme).
$em = $this->getEm();
// Creer un user de test dedie et lui rattacher le role custom `test_editor`.
$testUser = new User();
$testUser->setUsername('test_cascade_user');
// Le hashage du password est hors scope du test mais la colonne est NOT NULL.
$testUser->setPassword('not-hashed-ok-for-test');
/** @var Role $editor */
$editor = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
self::assertNotNull($editor);
$testUser->addRbacRole($editor);
$em->persist($testUser);
$em->flush();
$userId = $testUser->getId();
$editorId = $editor->getId();
$em->clear();
// DELETE du role editor via l'API.
$client = $this->authenticatedClient('admin', 'admin');
$client->request('DELETE', '/api/roles/'.$editorId);
self::assertResponseStatusCodeSame(204);
// Verification : l'user existe toujours et sa collection de roles est vide.
$em = $this->getEm();
/** @var null|User $refreshed */
$refreshed = $em->getRepository(User::class)->find($userId);
self::assertNotNull($refreshed, 'L\'user ne doit PAS etre supprime par le cascade.');
self::assertCount(0, $refreshed->getRbacRoles(), 'La relation user_role doit etre nettoyee par le cascade.');
// Cleanup explicite : cleanupTestData() ne purge pas les users.
$em->remove($refreshed);
$em->flush();
}
public function testDeleteSystemRoleReturns403(): void
{
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
self::assertNotNull($role);
$client = $this->authenticatedClient('admin', 'admin');
$client->request('DELETE', '/api/roles/'.$role->getId());
self::assertResponseStatusCodeSame(403);
// Le role systeme doit toujours exister.
$em = $this->getEm();
$em->clear();
self::assertNotNull($em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]));
}
public function testPatchSystemRoleLabelReturns200(): void
{
$em = $this->getEm();
$role = $em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
self::assertNotNull($role);
$originalLabel = $role->getLabel();
$roleId = $role->getId();
$client = $this->authenticatedClient('admin', 'admin');
try {
$response = $client->request('PATCH', '/api/roles/'.$roleId, [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['label' => 'Administrateur (modifie test)'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertSame('Administrateur (modifie test)', $data['label']);
self::assertSame(SystemRoles::ADMIN_CODE, $data['code']);
self::assertTrue($data['isSystem']);
} finally {
// Restauration defensive du label original pour ne pas polluer
// les tests suivants (les fixtures systeme sont partagees).
$em = $this->getEm();
/** @var null|Role $reloaded */
$reloaded = $em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
if (null !== $reloaded && $reloaded->getLabel() !== $originalLabel) {
$reloaded->setLabel($originalLabel);
$em->flush();
}
}
}
public function testPatchRoleCodeChangeReturns400(): void
{
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
self::assertNotNull($role);
$client = $this->authenticatedClient('admin', 'admin');
$client->request('PATCH', '/api/roles/'.$role->getId(), [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['code' => 'test_editor_renamed'],
]);
self::assertResponseStatusCodeSame(400);
// Verification cote base : le code d'origine n'a pas bouge.
$em = $this->getEm();
$em->clear();
self::assertNotNull($em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']));
self::assertNull($em->getRepository(Role::class)->findOneBy(['code' => 'test_editor_renamed']));
}
public function testUnauthenticatedGetCollectionReturns401(): void
{
$client = self::createClient();
$client->request('GET', '/api/roles');
self::assertResponseStatusCodeSame(401);
}
public function testNonAdminGetCollectionReturns403(): void
{
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/roles');
self::assertResponseStatusCodeSame(403);
}
// --- Tests voter RBAC : non-admin avec / sans permission ---
public function testListRolesAsUserWithViewPermissionReturns200(): void
{
// Un non-admin portant core.roles.view doit pouvoir lister les roles.
$credentials = $this->createUserWithPermission('core.roles.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('GET', '/api/roles');
self::assertResponseIsSuccessful();
}
public function testListRolesAsUserWithOnlyManagePermissionReturns403(): void
{
// Un user avec uniquement core.roles.manage ne peut PAS lister (list/get
// exige core.roles.view, cf. spec section 3 ticket-345).
$credentials = $this->createUserWithPermission('core.roles.manage');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('GET', '/api/roles');
self::assertResponseStatusCodeSame(403);
}
public function testListRolesAsStandardUserReturns403(): void
{
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/roles');
self::assertResponseStatusCodeSame(403);
}
public function testCreateRoleAsUserWithManagePermissionReturns201(): void
{
// Un non-admin portant core.roles.manage doit pouvoir creer un role.
$credentials = $this->createUserWithPermission('core.roles.manage');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$response = $client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
'code' => 'test_created_by_manager',
'label' => 'Role cree par manager (test)',
],
]);
self::assertResponseStatusCodeSame(201);
$data = $response->toArray();
self::assertSame('test_created_by_manager', $data['code']);
}
public function testCreateRoleAsUserWithOnlyViewPermissionReturns403(): void
{
// Un user avec core.roles.view uniquement ne peut pas creer (POST exige .manage).
$credentials = $this->createUserWithPermission('core.roles.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
'code' => 'test_shouldnotcreate',
'label' => 'Ne doit pas etre cree',
],
]);
self::assertResponseStatusCodeSame(403);
}
public function testCreateRoleAsStandardUserReturns403(): void
{
$client = $this->authenticatedClient('alice', 'alice');
$client->request('POST', '/api/roles', [
'headers' => ['Content-Type' => 'application/ld+json'],
'json' => [
'code' => 'test_shouldnotcreate_alice',
'label' => 'Ne doit pas etre cree',
],
]);
self::assertResponseStatusCodeSame(403);
}
/**
* Purge les donnees de test (roles et permissions prefixees `test.`).
* Ne touche JAMAIS aux roles systeme `admin` et `user` charges par les
* fixtures.
*/
private function cleanupTestData(): void
{
$em = $this->getEm();
// Le cascade FK de la migration #343 (ON DELETE CASCADE sur
// role_permission.role_id et permission_id) nettoie automatiquement
// role_permission lors du DELETE SQL emis par Doctrine, meme via DQL
// bulk delete : le cascade est applique au niveau FK par PostgreSQL,
// pas par l'Unit of Work Doctrine. Verifie par comptage avant/apres
// runs successifs de la suite (stable a la ligne de base systeme).
// Purge defensive des users de test crees par certains scenarios
// (ex: testDeleteCustomRoleAttachedToUserDoesNotDeleteUser). Doit etre
// fait AVANT la suppression des roles pour que le cascade FK ne soit
// pas sollicite en ordre inverse.
$em->createQuery(
'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
)->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
$em->createQuery(
'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
)->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
$em->createQuery(
'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
)->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
}
}

195
tests/Module/Core/Api/UserApiTest.php Normal file
View File

@@ -0,0 +1,195 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Core\Api;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
/**
* Tests fonctionnels de l'exposition API Platform de l'entite User.
*
* Strategie :
* - Les fixtures chargent 3 users : admin (is_admin=true), alice, bob.
* - Les tests de lecture s'appuient sur les fixtures sans les modifier.
* - Les tests de suppression et de guard "dernier admin" creent des users
* additionnels via EntityManager, purges en tearDown.
* - On ne supprime JAMAIS les users fixture (admin / alice / bob).
*
* @internal
*/
final class UserApiTest extends AbstractApiTestCase
{
private const TEST_USER_PREFIX = 'test_';
private const TEST_ROLE_PREFIX = 'test_';
protected function tearDown(): void
{
$this->cleanupTestData();
parent::tearDown();
}
// --- Tests lecture collection ---
public function testListUsersAsAdminReturns200(): void
{
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('GET', '/api/users');
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertArrayHasKey('member', $data);
// Au moins 3 users fixture.
self::assertGreaterThanOrEqual(3, $data['totalItems']);
}
public function testListUsersAsUserWithViewPermissionReturns200(): void
{
// Un non-admin portant core.users.view doit pouvoir lister les users.
$credentials = $this->createUserWithPermission('core.users.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('GET', '/api/users');
self::assertResponseIsSuccessful();
}
public function testListUsersAsStandardUserReturns403(): void
{
// alice n'a aucune permission RBAC : acces refuse.
$client = $this->authenticatedClient('alice', 'alice');
$client->request('GET', '/api/users');
self::assertResponseStatusCodeSame(403);
}
// --- Tests suppression ---
public function testDeleteNonAdminUserAsAdminReturns204(): void
{
// Confirme que la suppression d'un user non-admin fonctionne.
$em = $this->getEm();
/** @var UserPasswordHasherInterface $hasher */
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
$target = new User();
$target->setUsername('test_deletable_user');
$target->setIsAdmin(false);
$target->setPassword($hasher->hashPassword($target, 'secret'));
$em->persist($target);
$em->flush();
$targetId = $target->getId();
$em->clear();
$client = $this->authenticatedClient('admin', 'admin');
$client->request('DELETE', '/api/users/'.$targetId);
self::assertResponseStatusCodeSame(204);
// Verification cote base : le user n'existe plus.
$em = $this->getEm();
$em->clear();
self::assertNull($em->getRepository(User::class)->find($targetId));
}
public function testDeleteSecondAdminReturns204(): void
{
// Quand il y a 2 admins, supprimer le second est autorise (garde non declenchee).
$em = $this->getEm();
/** @var UserPasswordHasherInterface $hasher */
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
$secondAdmin = new User();
$secondAdmin->setUsername('test_second_admin');
$secondAdmin->setIsAdmin(true);
$secondAdmin->setPassword($hasher->hashPassword($secondAdmin, 'secret'));
$em->persist($secondAdmin);
$em->flush();
$secondAdminId = $secondAdmin->getId();
$em->clear();
// Auth en tant qu'admin fixture, supprime le second admin.
$client = $this->authenticatedClient('admin', 'admin');
$client->request('DELETE', '/api/users/'.$secondAdminId);
self::assertResponseStatusCodeSame(204);
$em = $this->getEm();
$em->clear();
self::assertNull($em->getRepository(User::class)->find($secondAdminId));
}
public function testDeleteLastAdminReturns400(): void
{
// Scenario "dernier admin global" : un seul admin existe (fixture admin).
// Il tente de se supprimer lui-meme -> garde activee -> 400.
$em = $this->getEm();
/** @var null|User $fixtureAdmin */
$fixtureAdmin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
self::assertNotNull($fixtureAdmin, 'L\'user admin fixture doit exister.');
$fixtureAdminId = $fixtureAdmin->getId();
// Garantit qu'il n'y a qu'un seul admin au moment du test :
// s'assure que test_second_admin n'existe pas (tearDown le purge, mais
// soyons defensifs si un test precedent n'a pas nettoye).
$em->createQuery(
'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix AND u.username != :admin'
)->setParameters(['prefix' => 'test_%', 'admin' => 'admin'])->execute();
// Auth en tant que l'admin fixture et tente l'auto-suppression.
$client = $this->authenticatedClient('admin', 'admin');
$response = $client->request('DELETE', '/api/users/'.$fixtureAdminId);
self::assertResponseStatusCodeSame(400);
// Verification cote base : l'admin fixture doit toujours exister.
$em = $this->getEm();
$em->clear();
self::assertNotNull(
$em->getRepository(User::class)->find($fixtureAdminId),
'Le dernier admin ne doit PAS etre supprime.',
);
}
public function testDeleteAsStandardUserReturns403(): void
{
$em = $this->getEm();
/** @var null|User $alice */
$alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
self::assertNotNull($alice);
/** @var null|User $bob */
$bob = $em->getRepository(User::class)->findOneBy(['username' => 'bob']);
self::assertNotNull($bob);
// alice sans permission ne peut pas supprimer bob.
$client = $this->authenticatedClient('alice', 'alice');
$client->request('DELETE', '/api/users/'.$bob->getId());
self::assertResponseStatusCodeSame(403);
}
/**
* Purge les entites de test creees par cette suite.
* Ne touche JAMAIS aux fixtures (admin / alice / bob).
*/
private function cleanupTestData(): void
{
$em = $this->getEm();
// Purge des users jetables crees par les tests (y compris testuser_ de createUserWithPermission).
$em->createQuery(
'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
)->setParameter('prefix', self::TEST_USER_PREFIX.'%')->execute();
// Purge des roles jetables crees par createUserWithPermission.
$em->createQuery(
'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
)->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
}
}

305
tests/Module/Core/Api/UserRbacApiTest.php Normal file
View File

@@ -0,0 +1,305 @@
<?php
declare(strict_types=1);
namespace App\Tests\Module\Core\Api;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
/**
* Tests fonctionnels de l'endpoint RBAC dedie `PATCH /api/users/{id}/rbac`.
*
* Strategie de donnees :
* - On cree des users, roles et permissions prefixes `test_` / `test.`
* en setUp et on les purge en tearDown.
* - On ne touche JAMAIS aux fixtures (admin / alice / bob). Les cas qui
* ont besoin d'un user standard authentifie s'appuient sur alice sans
* modification d'etat.
* - Les users de test incluent un admin dedie pour le cas d'auto-suicide,
* pour ne pas risquer de corrompre l'admin fixture.
*
* @internal
*/
final class UserRbacApiTest extends AbstractApiTestCase
{
private const TEST_USER_PREFIX = 'test_';
private const TEST_ROLE_PREFIX = 'test_';
private const TEST_PERMISSION_PREFIX = 'test.';
protected function setUp(): void
{
parent::setUp();
self::bootKernel();
$em = $this->getEm();
$this->cleanupTestData();
/** @var UserPasswordHasherInterface $hasher */
$hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
// User cible standard (non admin).
$target = new User();
$target->setUsername('test_target');
$target->setIsAdmin(false);
$target->setPassword($hasher->hashPassword($target, 'secret'));
$em->persist($target);
// User admin dedie pour le cas d'auto-suicide (pas l'admin fixture).
$selfAdmin = new User();
$selfAdmin->setUsername('test_self_admin');
$selfAdmin->setIsAdmin(true);
$selfAdmin->setPassword($hasher->hashPassword($selfAdmin, 'secret'));
$em->persist($selfAdmin);
// Role custom pour tester le remplacement de la collection roles.
$role = new Role('test_editor', 'Editeur (test)', false);
$em->persist($role);
// Permission custom pour tester directPermissions.
$permission = new Permission('test.core.users.view', 'View users (test)', 'core');
$em->persist($permission);
$em->flush();
$em->clear();
}
protected function tearDown(): void
{
$this->cleanupTestData();
parent::tearDown();
}
public function testPatchRbacPromotesUserToAdmin(): void
{
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$client = $this->authenticatedClient('admin', 'admin');
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => true],
]);
self::assertResponseIsSuccessful();
$em = $this->getEm();
$em->clear();
/** @var User $reloaded */
$reloaded = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertTrue($reloaded->isAdmin());
}
public function testPatchRbacReplacesRolesCollection(): void
{
$em = $this->getEm();
$target = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
$role = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
self::assertNotNull($target);
self::assertNotNull($role);
$client = $this->authenticatedClient('admin', 'admin');
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['roles' => ['/api/roles/'.$role->getId()]],
]);
self::assertResponseIsSuccessful();
$em = $this->getEm();
$em->clear();
/** @var User $reloaded */
$reloaded = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertCount(1, $reloaded->getRbacRoles());
self::assertSame('test_editor', $reloaded->getRbacRoles()->first()->getCode());
}
public function testPatchRbacReplacesDirectPermissionsCollection(): void
{
$em = $this->getEm();
$target = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'test.core.users.view']);
self::assertNotNull($target);
self::assertNotNull($permission);
$client = $this->authenticatedClient('admin', 'admin');
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['directPermissions' => ['/api/permissions/'.$permission->getId()]],
]);
self::assertResponseIsSuccessful();
$em = $this->getEm();
$em->clear();
/** @var User $reloaded */
$reloaded = $em->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertCount(1, $reloaded->getDirectPermissions());
self::assertSame('test.core.users.view', $reloaded->getDirectPermissions()->first()->getCode());
}
public function testPatchRbacAsStandardUserReturns403(): void
{
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$client = $this->authenticatedClient('alice', 'alice');
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => true],
]);
self::assertResponseStatusCodeSame(403);
}
public function testPatchRbacUnauthenticatedReturns401(): void
{
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$client = self::createClient();
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => true],
]);
self::assertResponseStatusCodeSame(401);
}
public function testPatchRbacIgnoresUsernameField(): void
{
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$targetId = $target->getId();
$client = $this->authenticatedClient('admin', 'admin');
$client->request('PATCH', '/api/users/'.$targetId.'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => [
'username' => 'test_target_renamed',
'isAdmin' => true,
],
]);
self::assertResponseIsSuccessful();
$em = $this->getEm();
$em->clear();
/** @var User $reloaded */
$reloaded = $em->getRepository(User::class)->find($targetId);
// `username` n'est pas dans `user:rbac:write` : ignore en denormalization.
self::assertSame('test_target', $reloaded->getUsername());
// `isAdmin` est bien applique.
self::assertTrue($reloaded->isAdmin());
}
public function testPatchProfileEndpointDoesNotModifyIsAdmin(): void
{
// Confirme la decision 0fc4e16 : `isAdmin` n'est plus dans `user:write`,
// donc `PATCH /api/users/{id}` sans `/rbac` ne peut plus promouvoir.
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$targetId = $target->getId();
self::assertFalse($target->isAdmin());
$client = $this->authenticatedClient('admin', 'admin');
$client->request('PATCH', '/api/users/'.$targetId, [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => true],
]);
// Peu importe le code : le champ ne doit tout simplement pas bouger.
$em = $this->getEm();
$em->clear();
/** @var User $reloaded */
$reloaded = $em->getRepository(User::class)->find($targetId);
self::assertFalse($reloaded->isAdmin());
}
// --- Tests voter RBAC : non-admin avec / sans permission ---
public function testPatchRbacAsUserWithManagePermissionReturns200(): void
{
// Un non-admin portant core.users.manage doit pouvoir appeler PATCH /rbac.
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$credentials = $this->createUserWithPermission('core.users.manage');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => false],
]);
self::assertResponseIsSuccessful();
}
public function testPatchRbacAsUserWithOnlyViewPermissionReturns403(): void
{
// Un user avec core.users.view uniquement ne peut pas ecrire via /rbac.
$target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
self::assertNotNull($target);
$credentials = $this->createUserWithPermission('core.users.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
$client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => true],
]);
self::assertResponseStatusCodeSame(403);
}
public function testPatchRbacSelfRemovingAdminReturns400(): void
{
// On utilise le user admin dedie (test_self_admin) pour ne pas
// corrompre l'admin fixture en cas de bug.
$em = $this->getEm();
$selfAdmin = $em->getRepository(User::class)->findOneBy(['username' => 'test_self_admin']);
self::assertNotNull($selfAdmin);
$selfAdminId = $selfAdmin->getId();
$client = $this->authenticatedClient('test_self_admin', 'secret');
$client->request('PATCH', '/api/users/'.$selfAdminId.'/rbac', [
'headers' => ['Content-Type' => 'application/merge-patch+json'],
'json' => ['isAdmin' => false],
]);
self::assertResponseStatusCodeSame(400);
$em = $this->getEm();
$em->clear();
/** @var User $reloaded */
$reloaded = $em->getRepository(User::class)->find($selfAdminId);
self::assertTrue($reloaded->isAdmin());
}
private function cleanupTestData(): void
{
$em = $this->getEm();
// Ordre important : delier les collections avant de supprimer les
// entites referencees pour que les FK cascade s'appliquent via le
// schema PostgreSQL.
$em->createQuery(
'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
)->setParameter('prefix', self::TEST_USER_PREFIX.'%')->execute();
$em->createQuery(
'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
)->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
$em->createQuery(
'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
)->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
}
}