refactor(frontend) : ERP-26 - migrate roles table to MalioDataTable component

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(frontend) : ERP-26 - fix Hydra response format (member not hydra:member) and IRI permissions
2026-04-16 09:32:54 +02:00 · 2026-04-16 09:30:49 +02:00 · 2026-04-16 09:21:50 +02:00 · 2026-04-16 09:20:10 +02:00 · 2026-04-16 09:18:07 +02:00 · 2026-04-16 09:16:08 +02:00
17 changed files with 142 additions and 608 deletions
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -8,8 +8,6 @@ declare(strict_types=1);
 * This file defines the sidebar sections displayed in the frontend.
 * Each item references the module that owns it via the `module` key.
 * Items whose module is not active (see config/modules.php) are filtered out.
 * Items may also declare a `permission` key (RBAC permission code) : the item
 * is hidden from users who do not hold that permission.
 *
 * This config is decoupled from the modules themselves: you can freely
 * move an item from one section to another without touching the module code.
@@ -35,18 +33,10 @@ return [
                'module' => 'core',
            ],
            [
-                'label'      => 'sidebar.core.roles',
+                'label'  => 'sidebar.core.roles',
-                'to'         => '/admin/roles',
+                'to'     => '/admin/roles',
-                'icon'       => 'mdi:shield-account-outline',
+                'icon'   => 'mdi:shield-account-outline',
-                'module'     => 'core',
+                'module' => 'core',
                'permission' => 'core.roles.view',
            ],
            [
                'label'      => 'sidebar.core.users',
                'to'         => '/admin/users',
                'icon'       => 'mdi:account-group-outline',
                'module'     => 'core',
                'permission' => 'core.users.view',
            ],
            [
                'label'  => 'sidebar.general.logout',
--- a/config/version.yaml
+++ b/config/version.yaml
@@ -1,2 +1,2 @@
 parameters:
-    app.version: '0.1.31'
+    app.version: '0.1.29'
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -24,8 +24,7 @@
            "suppliers": "Répertoire fournisseurs"
        },
        "core": {
-            "roles": "Gestion des rôles",
+            "roles": "Gestion des roles"
            "users": "Utilisateurs"
        }
    },
    "dashboard": {
@@ -63,62 +62,38 @@
    },
    "admin": {
        "roles": {
-            "title": "Gestion des rôles",
+            "title": "Gestion des roles",
-            "newRole": "Nouveau rôle",
+            "newRole": "Nouveau role",
-            "editRole": "Modifier le rôle",
+            "editRole": "Modifier le role",
-            "createRole": "Créer un rôle",
+            "createRole": "Creer un role",
-            "noRoles": "Aucun rôle configuré",
+            "noRoles": "Aucun role configure",
            "table": {
-                "label": "Libellé",
+                "label": "Libelle",
                "code": "Code",
                "permissions": "Permissions",
-                "system": "Système"
+                "system": "Systeme",
                "actions": "Actions"
            },
            "form": {
-                "label": "Libellé",
+                "label": "Libelle",
                "code": "Code",
                "description": "Description",
                "permissions": "Permissions"
            },
            "delete": {
-                "title": "Supprimer le rôle",
+                "title": "Supprimer le role",
-                "message": "Êtes-vous sûr de vouloir supprimer le rôle \"{label}\" ? Cette action est irréversible.",
+                "message": "Etes-vous sur de vouloir supprimer le role \"{label}\" ? Cette action est irreversible.",
-                "systemTooltip": "Rôle système non supprimable"
+                "systemTooltip": "Role systeme non supprimable"
            },
            "toast": {
-                "created": "Rôle créé avec succès",
+                "created": "Role cree avec succes",
-                "updated": "Rôle mis à jour avec succès",
+                "updated": "Role mis a jour avec succes",
-                "deleted": "Rôle supprimé avec succès"
+                "deleted": "Role supprime avec succes"
            },
            "permissions": {
                "selectAll": "Tout selectionner",
                "noPermissions": "Aucune permission disponible"
            }
        },
        "users": {
            "title": "Gestion des utilisateurs",
            "noUsers": "Aucun utilisateur",
            "table": {
                "username": "Nom d'utilisateur",
                "admin": "Administrateur",
                "roles": "Roles",
                "directPermissions": "Permissions directes"
            },
            "drawer": {
                "title": "Permissions de {username}",
                "selfWarning": "Vous modifiez vos propres droits",
                "adminToggle": "Administrateur (bypass total)",
                "rolesSection": "Rôles",
                "directPermissionsSection": "Permissions directes",
                "summarySection": "Résumé des permissions effectives",
                "noEffectivePermissions": "Aucune permission effective",
                "sourceRole": "via {role}",
                "sourceDirect": "Direct",
                "lastAdminWarning": "Impossible de retirer le statut administrateur du dernier admin"
            },
            "toast": {
                "updated": "Permissions mises à jour avec succès"
            }
        }
    }
 }
--- a/frontend/modules/core/components/EffectivePermissions.vue
+++ b/frontend/modules/core/components/EffectivePermissions.vue
@@ -1,68 +0,0 @@
 <template>
    <div>
        <div v-if="permissions.length === 0" class="text-sm text-neutral-400">
            {{ t('admin.users.drawer.noEffectivePermissions') }}
        </div>
        <div v-else class="divide-y divide-neutral-100 rounded-lg border border-neutral-200">
            <div
                v-for="perm in groupedPermissions"
                :key="perm.module"
                class="px-4 py-2"
            >
                <!-- En-tête du module -->
                <p class="text-xs font-semibold uppercase text-neutral-400 mb-1">
                    {{ perm.module }}
                </p>
                <div
                    v-for="item in perm.items"
                    :key="item.code"
                    class="flex items-center justify-between py-1"
                >
                    <span class="text-sm text-neutral-700">{{ item.label }}</span>
                    <div class="flex gap-1">
                        <span
                            v-for="source in item.sources"
                            :key="source"
                            :class="[
                                'inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium',
                                source === t('admin.users.drawer.sourceDirect')
                                    ? 'bg-green-100 text-green-800'
                                    : 'bg-blue-100 text-blue-800'
                            ]"
                        >
                            {{ source }}
                        </span>
                    </div>
                </div>
            </div>
        </div>
    </div>
 </template>
 <script setup lang="ts">
 import type { EffectivePermission } from '~/shared/types/rbac'
 const { t } = useI18n()
 const props = defineProps<{
    permissions: EffectivePermission[]
 }>()
 // Grouper par module pour l'affichage
 interface PermissionModuleGroup {
    module: string
    items: EffectivePermission[]
 }
 const groupedPermissions = computed<PermissionModuleGroup[]>(() => {
    const groups = new Map<string, EffectivePermission[]>()
    for (const perm of props.permissions) {
        const list = groups.get(perm.module) || []
        list.push(perm)
        groups.set(perm.module, list)
    }
    return Array.from(groups.entries())
        .map(([module, items]) => ({ module, items }))
        .sort((a, b) => a.module.localeCompare(b.module))
 })
 </script>
--- a/frontend/modules/core/components/PermissionGroup.vue
+++ b/frontend/modules/core/components/PermissionGroup.vue
@@ -30,7 +30,13 @@
 </template>
 <script setup lang="ts">
-import type { Permission } from '~/shared/types/rbac'
+interface Permission {
    id: number
    code: string
    label: string
    module: string
    orphan: boolean
 }
 const props = defineProps<{
    module: string
--- a/frontend/modules/core/components/RoleDeleteModal.vue
+++ b/frontend/modules/core/components/RoleDeleteModal.vue
@@ -22,8 +22,6 @@
                        <MalioButton
                            :label="t('common.delete')"
                            variant="danger"
                            icon-name="mdi:delete-outline"
                            icon-position="left"
                            :disabled="loading"
                            @click="confirm"
                        />
@@ -57,14 +55,6 @@ function cancel() {
 function confirm() {
    emit('confirm')
 }
 // Fermer la modale avec la touche Escape
 function onKeydown(e: KeyboardEvent) {
    if (e.key === 'Escape') cancel()
 }
 onMounted(() => document.addEventListener('keydown', onKeydown))
 onUnmounted(() => document.removeEventListener('keydown', onKeydown))
 </script>
 <style scoped>
--- a/frontend/modules/core/components/RoleDrawer.vue
+++ b/frontend/modules/core/components/RoleDrawer.vue
@@ -19,7 +19,8 @@
                :label="t('admin.roles.form.code')"
                input-class="w-full"
                required
-                :readonly="isEditMode"
+                :readonly="isEditMode && role?.isSystem"
                :hint="isEditMode && role?.isSystem ? t('admin.roles.delete.systemTooltip') : ''"
            />
            <MalioInputTextArea
@@ -53,18 +54,8 @@
            <!-- Boutons -->
            <div class="flex justify-end gap-3 border-t border-neutral-200 pt-4">
                <MalioButton
                    v-if="isEditMode"
                    :label="t('common.delete')"
                    variant="danger"
                    icon-name="mdi:delete-outline"
                    icon-position="left"
                    :disabled="role?.isSystem"
                    @click="emit('delete')"
                />
                <MalioButton
                    v-else
                    :label="t('common.cancel')"
-                    variant="tertiary"
+                    variant="secondary"
                    @click="emit('update:modelValue', false)"
                />
                <MalioButton
@@ -79,7 +70,22 @@
 </template>
 <script setup lang="ts">
-import type { Permission, Role } from '~/shared/types/rbac'
+interface Permission {
    id: number
    code: string
    label: string
    module: string
    orphan: boolean
 }
 interface Role {
    id: number
    code: string
    label: string
    description: string | null
    isSystem: boolean
    permissions: (Permission | string)[]
 }
 interface PermissionModule {
    module: string
@@ -97,7 +103,6 @@ const props = defineProps<{
 const emit = defineEmits<{
    'update:modelValue': [value: boolean]
    saved: []
    delete: []
 }>()
 const saving = ref(false)
@@ -131,7 +136,7 @@ const permissionsByModule = computed<PermissionModule[]>(() => {
 async function loadPermissions() {
    const data = await api.get<{ member: Permission[] }>(
        '/permissions',
-        { 'orphan': false, itemsPerPage: 999 },
+        { 'orphan': false, itemsPerPage: 200 },
        { toast: false },
    )
    allPermissions.value = data.member
@@ -193,24 +198,19 @@ function handleToggleAll(module: string, selected: boolean) {
 async function handleSave() {
    saving.value = true
    try {
-        const permissions = Array.from(selectedPermissionIds.value).map(id => `/api/permissions/${id}`)
+        const body = {
            label: form.value.label,
            code: form.value.code,
            description: form.value.description || null,
            permissions: Array.from(selectedPermissionIds.value).map(id => `/api/permissions/${id}`),
        }
        if (isEditMode.value && props.role) {
-            // Le code est immuable apres creation (garde backend RoleProcessor)
+            await api.patch(`/roles/${props.role.id}`, body, {
            await api.patch(`/roles/${props.role.id}`, {
                label: form.value.label,
                description: form.value.description || null,
                permissions,
            }, {
                toastSuccessMessage: t('admin.roles.toast.updated'),
            })
        } else {
-            await api.post('/roles', {
+            await api.post('/roles', body, {
                label: form.value.label,
                code: form.value.code,
                description: form.value.description || null,
                permissions,
            }, {
                toastSuccessMessage: t('admin.roles.toast.created'),
            })
        }
--- a/frontend/modules/core/components/UserRbacDrawer.vue
+++ b/frontend/modules/core/components/UserRbacDrawer.vue
@@ -1,259 +0,0 @@
 <template>
    <MalioDrawer
        :model-value="modelValue"
        :title="t('admin.users.drawer.title', { username: user?.username ?? '' })"
        drawer-class="w-full max-w-lg"
        @update:model-value="emit('update:modelValue', $event)"
    >
        <div class="flex flex-col gap-6 p-4">
            <!-- Avertissement auto-edition -->
            <div
                v-if="isSelfEdit"
                class="flex items-center gap-2 rounded-lg border border-yellow-300 bg-yellow-50 px-4 py-3 text-sm text-yellow-800"
            >
                <Icon name="mdi:alert-outline" class="size-5 shrink-0" />
                {{ t('admin.users.drawer.selfWarning') }}
            </div>
            <!-- Toggle Administrateur -->
            <MalioCheckbox
                id="admin-toggle"
                :label="t('admin.users.drawer.adminToggle')"
                :model-value="form.isAdmin"
                label-class="font-semibold text-sm text-neutral-700"
                @update:model-value="form.isAdmin = $event"
            />
            <!-- Section Roles -->
            <div>
                <h4 class="mb-3 text-sm font-semibold text-neutral-700">
                    {{ t('admin.users.drawer.rolesSection') }}
                </h4>
                <div class="flex flex-col gap-2">
                    <MalioCheckbox
                        v-for="role in allRoles"
                        :key="role.id"
                        :id="`role-${role.id}`"
                        :label="role.label"
                        :model-value="selectedRoleIds.has(role.id)"
                        label-class="text-sm text-neutral-600"
                        @update:model-value="(val: boolean) => toggleRole(role.id, val)"
                    />
                </div>
            </div>
            <!-- Section Permissions directes -->
            <div>
                <h4 class="mb-3 text-sm font-semibold text-neutral-700">
                    {{ t('admin.users.drawer.directPermissionsSection') }}
                </h4>
                <div v-if="permissionsByModule.length === 0" class="text-sm text-neutral-400">
                    {{ t('admin.roles.permissions.noPermissions') }}
                </div>
                <div class="flex flex-col gap-4">
                    <PermissionGroup
                        v-for="group in permissionsByModule"
                        :key="group.module"
                        :module="group.module"
                        :module-label="group.module"
                        :permissions="group.permissions"
                        :selected-ids="selectedDirectPermissionIds"
                        @toggle="handleTogglePermission"
                        @toggle-all="handleToggleAll"
                    />
                </div>
            </div>
            <!-- Section Resume permissions effectives -->
            <div>
                <h4 class="mb-3 text-sm font-semibold text-neutral-700">
                    {{ t('admin.users.drawer.summarySection') }}
                </h4>
                <EffectivePermissions :permissions="effectivePermissions" />
            </div>
            <!-- Boutons -->
            <div class="flex justify-end gap-3 border-t border-neutral-200 pt-4">
                <MalioButton
                    :label="t('common.cancel')"
                    variant="tertiary"
                    @click="emit('update:modelValue', false)"
                />
                <MalioButton
                    :label="t('common.save')"
                    variant="primary"
                    :disabled="saving"
                    @click="handleSave"
                />
            </div>
        </div>
    </MalioDrawer>
 </template>
 <script setup lang="ts">
 import type { Permission, Role, UserListItem, EffectivePermission } from '~/shared/types/rbac'
 interface PermissionModule {
    module: string
    permissions: Permission[]
 }
 const { t } = useI18n()
 const api = useApi()
 const auth = useAuthStore()
 const props = defineProps<{
    modelValue: boolean
    user: UserListItem | null
 }>()
 const emit = defineEmits<{
    'update:modelValue': [value: boolean]
    saved: []
 }>()
 const saving = ref(false)
 const allRoles = ref<Role[]>([])
 const allPermissions = ref<Permission[]>([])
 const form = ref({ isAdmin: false })
 const selectedRoleIds = ref(new Set<number>())
 const selectedDirectPermissionIds = ref(new Set<number>())
 // Detecter l'auto-edition
 const isSelfEdit = computed(() => props.user?.id === auth.user?.id)
 // Extraire un ID depuis une IRI API Platform
 function iriToId(iri: string): number {
    return Number(iri.split('/').pop())
 }
 // Grouper les permissions par module (pour les checkboxes)
 const permissionsByModule = computed<PermissionModule[]>(() => {
    const groups = new Map<string, Permission[]>()
    for (const perm of allPermissions.value) {
        if (perm.orphan) continue
        const list = groups.get(perm.module) || []
        list.push(perm)
        groups.set(perm.module, list)
    }
    return Array.from(groups.entries())
        .map(([module, permissions]) => ({ module, permissions }))
        .sort((a, b) => a.module.localeCompare(b.module))
 })
 // Calculer les permissions effectives avec leurs sources
 const effectivePermissions = computed<EffectivePermission[]>(() => {
    const permMap = new Map<number, Permission>()
    for (const p of allPermissions.value) {
        if (!p.orphan) permMap.set(p.id, p)
    }
    // Construire la map permissionId -> sources[]
    const result = new Map<number, string[]>()
    // Permissions heritees des roles
    for (const roleId of selectedRoleIds.value) {
        const role = allRoles.value.find(r => r.id === roleId)
        if (!role) continue
        for (const p of role.permissions) {
            const pid = typeof p === 'string' ? iriToId(p) : p.id
            const sources = result.get(pid) || []
            sources.push(t('admin.users.drawer.sourceRole', { role: role.label }))
            result.set(pid, sources)
        }
    }
    // Permissions directes
    for (const pid of selectedDirectPermissionIds.value) {
        const sources = result.get(pid) || []
        sources.push(t('admin.users.drawer.sourceDirect'))
        result.set(pid, sources)
    }
    // Construire la liste finale
    return Array.from(result.entries())
        .map(([pid, sources]) => {
            const perm = permMap.get(pid)
            if (!perm) return null
            return { code: perm.code, label: perm.label, module: perm.module, sources }
        })
        .filter((p): p is EffectivePermission => p !== null)
        .sort((a, b) => a.code.localeCompare(b.code))
 })
 // Charger roles et permissions
 async function loadData() {
    const [rolesData, permsData] = await Promise.all([
        api.get<{ member: Role[] }>('/roles', {}, { toast: false }),
        api.get<{ member: Permission[] }>('/permissions', { orphan: false, itemsPerPage: 999 }, { toast: false }),
    ])
    allRoles.value = rolesData.member
    allPermissions.value = permsData.member
 }
 // Remplir le formulaire quand le user change
 watch(() => props.user, (user) => {
    if (user) {
        form.value.isAdmin = user.isAdmin
        selectedRoleIds.value = new Set(user.roles.map(iriToId))
        selectedDirectPermissionIds.value = new Set(user.directPermissions.map(iriToId))
    } else {
        form.value.isAdmin = false
        selectedRoleIds.value = new Set()
        selectedDirectPermissionIds.value = new Set()
    }
 }, { immediate: true })
 // Charger les donnees quand le drawer s'ouvre
 watch(() => props.modelValue, (open) => {
    if (open) loadData()
 })
 function toggleRole(id: number, selected: boolean) {
    const ids = new Set(selectedRoleIds.value)
    if (selected) ids.add(id)
    else ids.delete(id)
    selectedRoleIds.value = ids
 }
 function handleTogglePermission(id: number, selected: boolean) {
    const ids = new Set(selectedDirectPermissionIds.value)
    if (selected) ids.add(id)
    else ids.delete(id)
    selectedDirectPermissionIds.value = ids
 }
 function handleToggleAll(module: string, selected: boolean) {
    const ids = new Set(selectedDirectPermissionIds.value)
    const group = permissionsByModule.value.find(g => g.module === module)
    if (!group) return
    for (const perm of group.permissions) {
        if (selected) ids.add(perm.id)
        else ids.delete(perm.id)
    }
    selectedDirectPermissionIds.value = ids
 }
 async function handleSave() {
    if (!props.user) return
    saving.value = true
    try {
        await api.patch(`/users/${props.user.id}/rbac`, {
            isAdmin: form.value.isAdmin,
            roles: Array.from(selectedRoleIds.value).map(id => `/api/roles/${id}`),
            directPermissions: Array.from(selectedDirectPermissionIds.value).map(id => `/api/permissions/${id}`),
        }, {
            toastSuccessMessage: t('admin.users.toast.updated'),
        })
        // Rafraichir les donnees du user courant si auto-edition
        if (isSelfEdit.value) {
            await auth.refreshUser()
        }
        emit('saved')
        emit('update:modelValue', false)
    } finally {
        saving.value = false
    }
 }
 </script>
--- a/frontend/modules/core/pages/admin/roles.vue
+++ b/frontend/modules/core/pages/admin/roles.vue
@@ -9,7 +9,6 @@
                v-if="can('core.roles.manage')"
                :label="t('admin.roles.newRole')"
                icon-name="mdi:plus"
                icon-position="left"
                @click="openCreateDrawer"
            />
        </div>
@@ -20,7 +19,7 @@
            :columns="columns"
            :items="roleItems"
            :total-items="roles.length"
-            :row-clickable="canManage"
+            :row-clickable="true"
            :empty-message="t('admin.roles.noRoles')"
            @row-click="onRowClick"
        >
@@ -38,6 +37,25 @@
                    {{ t('admin.roles.table.system') }}
                </span>
            </template>
            <template #cell-actions="{ item }">
                <div class="flex items-center justify-end gap-2" @click.stop>
                    <MalioButtonIcon
                        v-if="can('core.roles.manage')"
                        icon="mdi:pencil-outline"
                        :aria-label="t('common.edit')"
                        variant="ghost"
                        @click="openEditDrawer(getRoleById(item.id as number)!)"
                    />
                    <MalioButtonIcon
                        v-if="can('core.roles.manage')"
                        icon="mdi:delete-outline"
                        :aria-label="t('common.delete')"
                        variant="ghost"
                        :disabled="item.isSystem as boolean"
                        @click="confirmDelete(getRoleById(item.id as number)!)"
                    />
                </div>
            </template>
        </MalioDataTable>
        <!-- Drawer creation/edition -->
@@ -45,7 +63,6 @@
            v-model="drawerOpen"
            :role="selectedRole"
            @saved="onRoleSaved"
            @delete="onDeleteRequest"
        />
        <!-- Modale de suppression -->
@@ -59,12 +76,26 @@
 </template>
 <script setup lang="ts">
-import type { Role } from '~/shared/types/rbac'
+interface Permission {
    id: number
    code: string
    label: string
    module: string
    orphan: boolean
 }
 interface Role {
    id: number
    code: string
    label: string
    description: string | null
    isSystem: boolean
    permissions: (Permission | string)[]
 }
 const { t } = useI18n()
 const api = useApi()
 const { can } = usePermissions()
 const canManage = computed(() => can('core.roles.manage'))
 useHead({ title: t('admin.roles.title') })
@@ -76,6 +107,7 @@ const columns = [
    { key: 'code', label: t('admin.roles.table.code') },
    { key: 'permissions', label: t('admin.roles.table.permissions') },
    { key: 'system', label: t('admin.roles.table.system') },
    { key: 'actions', label: t('admin.roles.table.actions') },
 ]
 // Transformer les roles en items compatibles MalioDataTable
@@ -87,6 +119,7 @@ const roleItems = computed(() =>
        permissions: role.permissions.length,
        isSystem: role.isSystem,
        system: '', // colonne geree par le slot
        actions: '', // colonne geree par le slot
    }))
 )
@@ -129,9 +162,9 @@ function openEditDrawer(role: Role) {
    drawerOpen.value = true
 }
-function onDeleteRequest() {
+function confirmDelete(role: Role) {
-    if (!selectedRole.value || selectedRole.value.isSystem) return
+    if (role.isSystem) return
-    roleToDelete.value = selectedRole.value
+    roleToDelete.value = role
    deleteModalOpen.value = true
 }
@@ -144,7 +177,6 @@ async function handleDelete() {
        })
        deleteModalOpen.value = false
        roleToDelete.value = null
        drawerOpen.value = false
        await loadRoles()
    } finally {
        deleting.value = false
--- a/frontend/modules/core/pages/admin/users.vue
+++ b/frontend/modules/core/pages/admin/users.vue
@@ -1,107 +0,0 @@
 <template>
    <div>
        <!-- En-tete -->
        <div class="flex items-center justify-between">
            <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">
                {{ t('admin.users.title') }}
            </h1>
        </div>
        <!-- Table des utilisateurs -->
        <MalioDataTable
            class="mt-6"
            :columns="columns"
            :items="userItems"
            :total-items="users.length"
            :row-clickable="canManage"
            :empty-message="t('admin.users.noUsers')"
            @row-click="onRowClick"
        >
            <template #cell-admin="{ item }">
                <span
                    v-if="item.admin"
                    class="inline-flex items-center rounded-full bg-purple-100 px-2.5 py-0.5 text-xs font-medium text-purple-800"
                >
                    {{ t('admin.users.table.admin') }}
                </span>
            </template>
        </MalioDataTable>
        <!-- Drawer RBAC -->
        <UserRbacDrawer
            v-model="drawerOpen"
            :user="selectedUser"
            @saved="onUserSaved"
        />
    </div>
 </template>
 <script setup lang="ts">
 import type { UserListItem } from '~/shared/types/rbac'
 const { t } = useI18n()
 const api = useApi()
 const { can } = usePermissions()
 useHead({ title: t('admin.users.title') })
 const canManage = computed(() => can('core.users.manage'))
 const users = ref<UserListItem[]>([])
 const loading = ref(false)
 const drawerOpen = ref(false)
 const selectedUser = ref<UserListItem | null>(null)
 const columns = [
    { key: 'username', label: t('admin.users.table.username') },
    { key: 'admin', label: t('admin.users.table.admin') },
    { key: 'roles', label: t('admin.users.table.roles') },
    { key: 'directPermissions', label: t('admin.users.table.directPermissions') },
 ]
 const userItems = computed(() =>
    users.value.map(user => ({
        id: user.id,
        username: user.username,
        admin: user.isAdmin,
        roles: user.roles.length,
        directPermissions: user.directPermissions.length,
    }))
 )
 async function loadUsers() {
    loading.value = true
    try {
        const data = await api.get<{ member: UserListItem[] }>(
            '/users',
            {},
            { toast: false },
        )
        users.value = data.member
    } finally {
        loading.value = false
    }
 }
 function getUserById(id: number): UserListItem | undefined {
    return users.value.find(u => u.id === id)
 }
 function openDrawer(user: UserListItem) {
    selectedUser.value = user
    drawerOpen.value = true
 }
 function onRowClick(item: Record<string, unknown>) {
    const user = getUserById(item.id as number)
    if (user) openDrawer(user)
 }
 function onUserSaved() {
    loadUsers()
 }
 onMounted(() => {
    loadUsers()
 })
 </script>
--- a/frontend/shared/types/rbac.ts
+++ b/frontend/shared/types/rbac.ts
@@ -1,31 +0,0 @@
 export interface Permission {
    id: number
    code: string
    label: string
    module: string
    orphan: boolean
 }
 export interface Role {
    id: number
    code: string
    label: string
    description: string | null
    isSystem: boolean
    permissions: (Permission | string)[]
 }
 export interface UserListItem {
    id: number
    username: string
    isAdmin: boolean
    roles: string[]
    directPermissions: string[]
 }
 export interface EffectivePermission {
    code: string
    label: string
    module: string
    sources: string[]
 }
--- a/12
+++ b/12
@@ -38,7 +38,7 @@ restart: env-init
 	$(DOCKER_COMPOSE) down
 	CURRENT_UID=$(shell id -u) CURRENT_GID=$(shell id -g) $(DOCKER_COMPOSE) up -d
-install: copy-git-hook composer-install cache-clear node-use build-nuxtJS migration-migrate test-db-setup
+install: copy-git-hook composer-install cache-clear node-use build-nuxtJS migration-migrate
 # Supprime tout est réinstalle tout (Attention ça supprime la bdd aussi)
 reset: delete_built_dir remove_orphans build-without-cache start wait install
@@ -83,15 +83,6 @@ build-without-cache:
 migration-migrate:
 	$(SYMFONY_CONSOLE) doctrine:migrations:migrate --no-interaction
 # Cree et initialise la base de test utilisee par PHPUnit
 # (le suffixe "_test" est applique automatiquement par Doctrine en APP_ENV=test)
 # Ordre : fixtures -> sync-permissions, car fixtures:load purge la table permission
 test-db-setup:
 	$(SYMFONY_CONSOLE) doctrine:database:create --env=test --if-not-exists
 	$(SYMFONY_CONSOLE) doctrine:migrations:migrate --env=test --no-interaction
 	$(SYMFONY_CONSOLE) --env=test --no-interaction doctrine:fixtures:load
 	$(SYMFONY_CONSOLE) --env=test --no-interaction app:sync-permissions
 fixtures:
 	$(SYMFONY_CONSOLE) --no-interaction doctrine:fixtures:load
@@ -109,7 +100,6 @@ db-reset:
 	$(MAKE) migration-migrate
 	$(MAKE) fixtures
 	$(MAKE) sync-permissions
 	$(MAKE) test-db-setup
 # Restart la bdd
 db-restart:
--- a/src/Module/Core/CoreModule.php
+++ b/src/Module/Core/CoreModule.php
@@ -34,6 +34,7 @@ final class CoreModule
            ['code' => 'core.users.manage', 'label' => 'Gerer les utilisateurs (creer, editer, supprimer)'],
            ['code' => 'core.roles.view', 'label' => 'Voir les roles RBAC'],
            ['code' => 'core.roles.manage', 'label' => 'Gerer les roles et permissions'],
            ['code' => 'core.permissions.view', 'label' => 'Voir le catalogue des permissions'],
        ];
    }
 }
--- a/src/Module/Core/Domain/Entity/Permission.php
+++ b/src/Module/Core/Domain/Entity/Permission.php
@@ -19,11 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
    operations: [
        new GetCollection(
            normalizationContext: ['groups' => ['permission:read']],
-            security: "is_granted('ROLE_USER')",
+            security: "is_granted('core.permissions.view')",
        ),
        new Get(
            normalizationContext: ['groups' => ['permission:read']],
-            security: "is_granted('ROLE_USER')",
+            security: "is_granted('core.permissions.view')",
        ),
    ],
 )]
--- a/src/Module/Core/Domain/Security/AdminHeadcountGuard.php
+++ b/src/Module/Core/Domain/Security/AdminHeadcountGuard.php
@@ -53,13 +53,6 @@ final class AdminHeadcountGuard implements AdminHeadcountGuardInterface
     * La verification est volontairement conservative (<=1) pour couvrir
     * le cas defensif ou la base serait deja dans un etat incoherent (0 admin).
     *
     * TOCTOU accepte : la verification n'utilise pas de verrou pessimiste
     * (SELECT ... FOR UPDATE). Deux demotions concurrentes pourraient donc
     * passer le garde simultanement. Ce risque est accepte dans le contexte
     * PME/CRM ou les operations d'administration sont rares et mono-operateur.
     * Si la concurrence admin devient un enjeu, ajouter un verrou pessimiste
     * sur countAdmins() ou une contrainte CHECK en base.
     *
     * @throws LastAdminProtectionException si le nombre d'admins est inferieur ou egal a 1
     */
    private function checkAdminHeadcount(): void
--- a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
+++ b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
@@ -7,7 +7,6 @@ namespace App\Shared\Infrastructure\ApiPlatform\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
 use Symfony\Bundle\SecurityBundle\Security;
 /**
 * @implements ProviderInterface<object>
@@ -17,10 +16,10 @@ class SidebarProvider implements ProviderInterface
    /** @var list<string> */
    private readonly array $activeModuleIds;
-    /** @var list<array{label: string, icon: string, items: list<array{label: string, to: string, icon: string, module: string, permission?: string}>}> */
+    /** @var list<array{label: string, icon: string, items: list<array{label: string, to: string, icon: string, module: string}>}> */
    private readonly array $sidebarConfig;
-    public function __construct(private readonly Security $security)
+    public function __construct()
    {
        $configDir = dirname(__DIR__, 5).'/config';
@@ -59,18 +58,6 @@ class SidebarProvider implements ProviderInterface
                    continue;
                }
                // Filtrage par permission RBAC : si l'item declare une permission
                // requise et que l'utilisateur courant ne la possede pas, l'item
                // est masque et sa route ajoutee aux routes desactivees.
                $requiredPermission = $item['permission'] ?? null;
                if (null !== $requiredPermission && !$this->security->isGranted($requiredPermission)) {
                    if (isset($item['to'])) {
                        $disabledRoutes[] = $item['to'];
                    }
                    continue;
                }
                $items[] = [
                    'label' => $item['label'],
                    'to'    => $item['to'],
--- a/tests/Module/Core/Api/PermissionApiTest.php
+++ b/tests/Module/Core/Api/PermissionApiTest.php
@@ -166,16 +166,51 @@ final class PermissionApiTest extends AbstractApiTestCase
        self::assertResponseStatusCodeSame(401);
    }
-    public function testStandardUserCanListPermissions(): void
+    public function testNonAdminReturns403(): void
    {
        // Le catalogue de permissions est accessible a tout utilisateur authentifie.
        $client = $this->authenticatedClient('alice', 'alice');
        $client->request('GET', '/api/permissions');
        self::assertResponseStatusCodeSame(403);
    }
    // --- Tests voter RBAC : non-admin avec / sans permission ---
    public function testListPermissionsAsUserWithViewPermissionReturns200(): void
    {
        // Un non-admin portant core.permissions.view doit pouvoir lister.
        $credentials = $this->createUserWithPermission('core.permissions.view');
        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
        $client->request('GET', '/api/permissions');
        self::assertResponseIsSuccessful();
    }
-    public function testStandardUserCanGetPermission(): void
+    public function testListPermissionsAsStandardUserReturns403(): void
    {
        // alice n'a aucune permission RBAC : acces refuse.
        $client = $this->authenticatedClient('alice', 'alice');
        $client->request('GET', '/api/permissions');
        self::assertResponseStatusCodeSame(403);
    }
    public function testGetPermissionAsUserWithViewPermissionReturns200(): void
    {
        // Recupere l'id d'une permission existante pour construire l'URL GET item.
        $permission = $this->getEm()->getRepository(Permission::class)
            ->findOneBy(['code' => 'test.core.users.view'])
        ;
        self::assertNotNull($permission);
        $credentials = $this->createUserWithPermission('core.permissions.view');
        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
        $client->request('GET', '/api/permissions/'.$permission->getId());
        self::assertResponseIsSuccessful();
    }
    public function testGetPermissionAsStandardUserReturns403(): void
    {
        $permission = $this->getEm()->getRepository(Permission::class)
            ->findOneBy(['code' => 'test.core.users.view'])
@@ -185,7 +220,7 @@ final class PermissionApiTest extends AbstractApiTestCase
        $client = $this->authenticatedClient('alice', 'alice');
        $client->request('GET', '/api/permissions/'.$permission->getId());
-        self::assertResponseIsSuccessful();
+        self::assertResponseStatusCodeSame(403);
    }
    private function cleanupTestPermissions(): void
Author	SHA1	Message	Date
Matthieu	3fe44e4de2	refactor(frontend) : ERP-26 - migrate roles table to MalioDataTable component Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 09:32:54 +02:00
Matthieu	07d53cdf8c	fix(frontend) : ERP-26 - fix Hydra response format (member not hydra:member) and IRI permissions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 09:30:49 +02:00
Matthieu	6101bd85ce	build(frontend) : ERP-26 - bump @malio/layer-ui to ^1.3.0 (DataTable) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 09:21:50 +02:00
Matthieu	6e0c875bd7	feat(frontend) : ERP-26 - admin roles page with table, drawer, delete modal Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 09:20:10 +02:00
Matthieu	2cb5a7a0b0	feat(frontend) : ERP-26 - RoleDrawer component (create/edit with permissions) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 09:18:07 +02:00
Matthieu	84f91428bc	feat(frontend) : ERP-26 - RoleDeleteModal component Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 09:16:08 +02:00
Matthieu	44c73b6551	feat(frontend) : ERP-26 - PermissionGroup component	2026-04-16 09:10:58 +02:00
Matthieu	9117bc0a6c	feat(frontend) : ERP-26 - sidebar entry + i18n keys for admin roles	2026-04-16 09:08:51 +02:00
Matthieu	c1a620f593	build(core) : RBAC #345 - nuxt-test and test-all makefile targets	2026-04-15 17:19:35 +02:00
Matthieu	6cc576f000	test(frontend) : RBAC #345 - vitest setup + usePermissions unit tests	2026-04-15 17:15:27 +02:00
Matthieu	91b2ae0c65	build(core) : RBAC #345 - sync permissions in db-reset	2026-04-15 16:39:44 +02:00
Matthieu	45f40ed1b3	feat(frontend) : RBAC #345 - usePermissions composable Ajout de isAdmin et effectivePermissions dans UserData, creation du composable usePermissions() (can/canAny/canAll) avec bypass admin.	2026-04-15 16:38:15 +02:00
Matthieu	6df4316950	test(core) : RBAC #345 - functional coverage voter + last admin guard	2026-04-15 16:38:15 +02:00
Matthieu	d1e4402368	feat(core) : RBAC #345 - expose effectivePermissions via /api/me - Ajoute #[Groups(['me:read'])] sur getEffectivePermissions() dans User.php - Fixe la serialisation de isAdmin : le prefixe "is" etait strip par Symfony, expose desormais via le getter avec #[SerializedName('isAdmin')] + groups lecture, la propriete conserve uniquement le groupe d'ecriture user:rbac:write - Cree MeApiTest avec 4 tests fonctionnels (isAdmin admin, permissions vides user, 401 sans auth, effectivePermissions avec role portant une permission)	2026-04-15 16:10:11 +02:00
Matthieu	b05c10097f	refactor(core) : RBAC #345 - replace ROLE_ADMIN placeholders with RBAC codes	2026-04-15 16:02:57 +02:00
Matthieu	80b63cd7d7	feat(core) : RBAC #345 - UserRbacProcessor last admin guard	2026-04-15 16:00:34 +02:00
Matthieu	ba5eb804f2	feat(core) : RBAC #345 - UserProcessor DELETE guard Introduit AdminHeadcountGuardInterface pour permettre le mock en tests unitaires, puis cree UserProcessor qui protege DELETE /api/users/{id} contre la suppression du dernier administrateur via la garde domaine.	2026-04-15 15:57:19 +02:00
Matthieu	ab2f11d40d	feat(core) : RBAC #345 - PermissionVoter symfony	2026-04-15 15:51:23 +02:00
Matthieu	4325b1d8a0	feat(core) : RBAC #345 - AdminHeadcountGuard domain service	2026-04-15 15:45:55 +02:00
Matthieu	b7aa445cef	feat(core) : RBAC #345 - add core.roles.view permission	2026-04-15 15:42:42 +02:00
Matthieu	fd4ed25c63	docs(core) : RBAC #345 - spec voter + usePermissions	2026-04-15 15:28:51 +02:00
Matthieu	0ccbc70f27	fix(core) : RBAC #344 - ferme leak user list + test cascade delete role	2026-04-15 14:53:49 +02:00
Matthieu	534bdbccdd	refactor(core) : RBAC #344 - polish review - narrow rbac read group + fail-fast processors	2026-04-15 14:28:02 +02:00
Matthieu	3c7dc88fe7	feat(core) : RBAC #344 - UserRbacProcessor + endpoint /users/{id}/rbac Ajoute une operation Patch dediee `PATCH /api/users/{id}/rbac` (nom `user_rbac_patch`) qui accepte exclusivement les champs RBAC isAdmin, roles et directPermissions via le groupe user:rbac:write. L'endpoint est separe volontairement du Patch profil existant pour isoler la modification des droits de celle des donnees profil (decision `0fc4e16`). UserRbacProcessor delegue au PersistProcessor Doctrine decore et applique une garde auto-suicide : un admin ne peut pas retirer ses propres droits administrateur (compare l'etat entrant a l'etat UnitOfWork). La garde 'dernier admin' globale est reportee au ticket #345. La propriete Doctrine $roles est renommee $rbacRoles pour eviter la collision avec UserInterface::getRoles() (qui renvoie list<string>) lors de la normalization API Platform. La cle JSON reste `roles` grace a SerializedName, le contrat API est inchange. Tests : 6 unitaires (UserRbacProcessorTest) + 8 fonctionnels (UserRbacApiTest) couvrant promotion admin, remplacement des collections roles/directPermissions, 401/403, filtrage du groupe denormalization (`username` ignore), preservation de isAdmin sur le Patch profil, et garde auto-suicide.	2026-04-15 14:17:18 +02:00
Matthieu	168a47f2b8	refactor(test) : RBAC #344 - AbstractApiTestCase pour mutualiser auth JWT Extrait l'helper authenticatedClient(), $alwaysBootKernel et getEm() dans une classe de base commune aux tests fonctionnels API Platform du module Core. Supprime la duplication entre PermissionApiTest et RoleApiTest (flaggee en code review de la Task 2). Prepare le terrain pour le nouveau UserRbacApiTest introduit avec la Task 4.	2026-04-15 12:14:20 +02:00
Matthieu	87aa1d0b04	test(core) : RBAC #344 - renforce docblock setCode + assertion message exception	2026-04-15 12:05:26 +02:00
Matthieu	d527fbe2d1	feat(core) : RBAC #344 - RoleProcessor + gardes systeme et code immuable	2026-04-15 11:58:37 +02:00
Matthieu	efc12c8bdb	fix(test) : RBAC #344 - role test cleanup + SystemRoles constant + assertion seuil	2026-04-15 11:53:01 +02:00
Matthieu	7be0260b29	feat(core) : RBAC #344 - API Platform Role CRUD nominal + validators	2026-04-15 11:41:21 +02:00
Matthieu	f79f061131	fix(test) : RBAC #344 - corrige EM stale et ajoute cas orphan=true	2026-04-15 11:15:41 +02:00
Matthieu	fdb7aded82	feat(core) : RBAC #344 - API Platform Permission en lecture seule - Expose l'entite Permission via ApiResource (GetCollection + Get uniquement) - Serialisation limitee au groupe permission:read (id, code, label, module, orphan) - Securite temporaire is_granted('ROLE_ADMIN'), a remplacer par is_granted('core.permissions.view') au ticket #345 - Filtres : SearchFilter exact sur module, BooleanFilter sur orphan - Configure api_platform.mapping.paths pour que le compile pass AP decouvre les ApiResource/ApiFilter declares dans src/Module/Core/Domain/Entity - Ajoute symfony/browser-kit et symfony/http-client en dev pour les tests fonctionnels API Platform, plus KERNEL_CLASS dans phpunit.dist.xml - Tests fonctionnels PermissionApiTest : collection, get item, filtres module et orphan, 405 sur POST, 401 non authentifie, 403 non-admin	2026-04-15 11:03:22 +02:00
Matthieu	1cf550721b	docs(rbac) : spec ticket #344 - API CRUD roles & permissions	2026-04-15 10:31:10 +02:00
Matthieu	46fa7d17ae	chore(core) : merge RBAC ticket #343 + fix user:write sensibles (PR #2 ) Some checks failed Auto Tag Develop / tag (push) Has been cancelled Details	2026-04-15 10:30:59 +02:00
Matthieu	0fc4e1651b	fix(core) : retire user:write des champs RBAC sensibles du User isAdmin, roles et directPermissions ne doivent pas etre modifiables via PATCH /api/users/{id}. L exposition en ecriture sera traitee par un processor dedie dans le ticket #344 (spec section 2 OUT). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-15 08:15:43 +02:00
Matthieu	d8bda517f9	docs : ajoute note delegation Codex pour taches mecaniques	2026-04-15 08:12:17 +02:00
Matthieu	7ccc913862	docs : exception CLAUDE.md pour les migrations multi-namespace Documente le bug Doctrine Migrations 3.x (tri par FQCN au lieu de version timestamp avec plusieurs migrations_paths) et la regle provisoire : migrations d'init au namespace racine, namespace modulaire reserve aux migrations applicatives. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 17:25:26 +02:00
Matthieu	eb0b49a7ef	fix(core) : RBAC migration deplacee vers le namespace DoctrineMigrations racine Bug decouvert a l'execution de 'make db-reset' sur base vide : Doctrine Migrations 3.x avec plusieurs 'migrations_paths' execute les migrations dans l'ordre (namespace, version) et non (version, namespace). Le Version20260414150034 sous 'App\Module\Core\...' passait donc avant Version20260407095546 sous 'DoctrineMigrations', provoquant un "relation user does not exist". Deplacement du fichier vers 'migrations/' (namespace DoctrineMigrations). Le chemin modulaire reste configure pour les futurs modules, mais la migration RBAC d'initialisation vit a la racine pour que 'make db-reset' fonctionne en one-shot. Smoke test end-to-end valide : - db-reset + fixtures : admin (is_admin=t, role admin), alice/bob (is_admin=f, role user) - app:sync-permissions : 4 permissions Core ajoutees, idempotent au 2e run - User::getRoles() : ['ROLE_USER', 'ROLE_ADMIN'] pour admin, ['ROLE_USER'] pour alice/bob - User::getEffectivePermissions() : union triee des permissions via roles Ticket #343 - 7/7 : smoke test end-to-end OK. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 17:21:43 +02:00
Matthieu	0a496f34e0	fix(core) : RBAC Task 6 polish - descriptions des roles systeme coherentes ensureSystemRole() recopie desormais la description depuis la migration RBAC pour que les chemins prod (migration) et dev (fixtures) produisent un etat identique. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 17:15:23 +02:00
Matthieu	aafe08b6ad	feat(core) : RBAC Task 6 - fixtures et CreateUserCommand branches sur les roles systeme - AppFixtures : rattachement des users aux entites Role via RoleRepositoryInterface. Re-seed idempotent des roles systeme dans ensureSystemRole() pour compenser le purger Doctrine qui vide la table role avant load(), afin que "make db-reset && make fixtures" reste un workflow one-shot. - CreateUserCommand : flag --admin attache au role systeme admin + is_admin, sinon au role user. Gestion d'erreur explicite si les roles systeme sont absents (FAILURE + message pointant vers la migration). - CreateUserCommand devient final, descriptions traduites en francais. Ticket #343 - 6/7 : fixtures et command alignes sur le RBAC relationnel. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 17:12:09 +02:00
Matthieu	d68aa0456a	feat(core) : RBAC Task 5 - migration Doctrine RBAC + data-migration JSON roles - Nouvelles tables permission, role, role_permission, user_role, user_permission - Ajout user.is_admin (BOOLEAN, default false) - Seed des roles systeme admin et user via SQL brut (autonome, pas besoin de fixtures pour cette etape) - Migration des donnees : is_admin reflete ROLE_ADMIN du JSON roles, puis rattachement user_role selon admin/user - Drop user.roles en dernier (apres la migration de donnees) - down() recree la colonne roles et la rehydrate depuis is_admin Ticket #343 - 5/7 : persistance + migration donnees safe. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 17:02:26 +02:00
Matthieu	3b1f18b0e0	feat(core) : RBAC Task 4 - CoreModule::permissions() + SyncPermissionsCommand - CoreModule declare 4 permissions initiales (users.view/manage, roles.manage, permissions.view) - Nouvelle commande app:sync-permissions : * scan des Module::permissions() via config/modules.php validation stricte : cles [code, label], prefixe module, non-vides * upsert transactionnel non-destructif * revival des permissions orphelines qui reapparaissent * marquage orphan pour les permissions disparues du code * un seul flush() final (evite le flush-par-save de la repo save()) Ticket #343 - 4/7 : scanner et synchroniseur de permissions RBAC. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:56:50 +02:00
Matthieu	7aa32b1972	feat(core) : RBAC Task 3 - mutation User (isAdmin + roles RBAC + permissions directes) - Suppression de la colonne JSON roles (persiste jusqu'a la migration Task 5) - Ajout is_admin bool (seul levier de bypass RBAC via getRoles()) - Ajout ManyToMany User-Role (EAGER, table user_role) - Ajout ManyToMany User-Permission directes (EAGER, table user_permission) - getEffectivePermissions() : union dedupliquee triee, utilisee par le futur PermissionVoter (#345) - getRbacRoles() pour ne pas shadow getRoles() de UserInterface Symfony - Tests unitaires couvrant derivation getRoles, union, deduplication, tri Ticket #343 - 3/7 : migration du User vers le modele RBAC relationnel. Fetch EAGER documente : evite le lazy-load au refresh JWT. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:48:49 +02:00
Matthieu	3b34d00872	feat(core) : RBAC Task 2 - repositories Permission et Role - PermissionRepositoryInterface avec findByCode et findAllCodes (pour le sync command et le futur PermissionVoter) - RoleRepositoryInterface avec findByCode - Implementations Doctrine alignees sur DoctrineUserRepository - Alias DI dans config/services.yaml - Rebranchement de repositoryClass sur les entites Permission et Role Ticket #343 - 2/7 : couche persistence RBAC. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:40:44 +02:00
Matthieu	0fc0b57e37	refactor(core) : RBAC Task 1 - polish apres revue qualite - Permission : guards constructeur (code/label/module non vides, code avec point) - Permission::revive() reutilise updateMetadata() pour eviter la duplication - Suppression de SystemRolesTest (tautologique, ne capture aucun comportement) - Role::permissions : commentaire explicite sur la raison du fetch EAGER - Alignement des types de retour sur static (style User.php) - Nouveau test Role::addPermission avec permissions distinctes Ticket #343 - Task 1 polish (revue qualite). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:37:53 +02:00
Matthieu	f0ea9201f5	feat(core) : RBAC Task 1 - entites Permission et Role + domaine securite - Entite Permission avec methodes markOrphan/revive/updateMetadata - Entite Role avec addPermission/removePermission/ensureDeletable - Constantes SystemRoles (codes admin/user partages) - Exception SystemRoleDeletionException pour la garde de suppression - Tests unitaires couvrant le comportement domaine (pas de BDD) Ticket #343 - 1/7 : fondations RBAC (domaine pur, sans persistence). Les entites ne portent pas encore repositoryClass (ajoute en Task 2). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:30:15 +02:00
Matthieu	e3025bf2c9	docs(rbac) : plan et spec ticket #343 + conventions permissions - Spec detaillee des fondations RBAC backend (entites Role/Permission, sync command, migration, fixtures, tests) dans docs/rbac/ticket-343-spec.md - Ajout CLAUDE.md des regles projet : commentaires francais (PHP + TS/Vue) et convention de nommage des permissions module.resource[.sub].action Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:26:49 +02:00
`@@ -1,2 +1,2 @@`
	`parameters:`	`parameters:`
	`app.version: '0.1.31'`	`app.version: '0.1.29'`