Matthieu
2efdb8fec1
Ajoute CommercialModule::permissions() (5 codes commercial.clients.* : view, manage, accounting.view, accounting.manage, archive) — alignes sur les is_granted deja references par ERP-55 (Client ApiResource, ClientProcessor, ClientReadGroupContextBuilder). Synchronise les 3 sources RBAC (regle ABSOLUE n8) : item sidebar "Repertoire clients" (commercial.clients.view), persona user-full dans personas.ts et SeedE2ECommand.php, cle i18n sidebar.commercial.clients. Les roles metier Bureau/Compta/Commerciale/Usine sont seedes par ERP-74 : les 5 permissions sont mappees ici sur le seul persona technique user-full en attendant, sans creer de nouveau persona (regle n7).
143 lines
5.9 KiB
PHP
143 lines
5.9 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
/*
|
|
* Sidebar configuration.
|
|
*
|
|
* This file defines the sidebar sections displayed in the frontend.
|
|
*
|
|
* Each SECTION may declare :
|
|
* - `label` (required) : i18n key resolved by the frontend
|
|
* - `icon` (required) : MDI icon name
|
|
* - `items` (required) : list of items (see below)
|
|
* - `permission` (opt.) : RBAC permission code ; when set, the whole
|
|
* section (and every one of its items) is hidden
|
|
* from users who do not hold that permission.
|
|
* Use this for "umbrella" sections like
|
|
* Administration where you want to gate the
|
|
* entire group behind one coarse permission.
|
|
*
|
|
* Each ITEM may declare :
|
|
* - `label` (required) : i18n key
|
|
* - `to` (required) : Nuxt route
|
|
* - `icon` (required) : MDI icon name
|
|
* - `module` (required) : owner module ID ; item is hidden if the
|
|
* module is not listed in config/modules.php
|
|
* - `permission` (opt.) : RBAC permission code ; finer-grained gate
|
|
* applied in addition to the section-level one
|
|
*
|
|
* Precedence : section-level `permission` is evaluated first. If it fails,
|
|
* the whole section is skipped and every item's `to` is added to the
|
|
* `disabledRoutes` payload of /api/sidebar (so the front middleware can
|
|
* redirect any direct navigation). Individual items without their own
|
|
* permission are implicitly protected by the section-level one.
|
|
*
|
|
* This config is decoupled from the modules themselves: you can freely
|
|
* move an item from one section to another without touching the module code.
|
|
*/
|
|
|
|
return [
|
|
// Section "Administration" : regroupe toutes les pages de configuration
|
|
// applicative (RBAC, users, sites, audit log).
|
|
//
|
|
// CONVENTION : "etre admin" = detenir au moins une permission admin-scoped.
|
|
// En pratique, le groupe `core.*` represente l'administration applicative
|
|
// (users, roles, audit_log) ; les autres permissions admin-scoped proviennent
|
|
// des modules qui exposent leur propre page d'admin dans cette section
|
|
// (ex: `sites.view`). Un user qui n'a AUCUNE de ces permissions n'a pas
|
|
// acces a l'administration.
|
|
//
|
|
// Gate implicite : tous les items de cette section declarent une `permission`.
|
|
// Sans aucune permission correspondante, tous les items sont filtres, la
|
|
// section devient vide et est automatiquement masquee par SidebarProvider
|
|
// (cf. la boucle de filtrage : section vide => `continue`). Inutile donc
|
|
// d'ajouter un gate explicite au niveau section tant que chaque item porte
|
|
// sa propre permission.
|
|
//
|
|
// Pour imposer un gate explicite supplementaire (ex: "seuls les membres du
|
|
// groupe support voient l'administration, meme s'ils ont des permissions
|
|
// individuelles"), ajouter : 'permission' => 'core.admin.access'.
|
|
[
|
|
'label' => 'sidebar.administration.section',
|
|
'icon' => 'mdi:cog-outline',
|
|
'items' => [
|
|
[
|
|
'label' => 'sidebar.core.roles',
|
|
'to' => '/admin/roles',
|
|
'icon' => 'mdi:shield-account-outline',
|
|
'module' => 'core',
|
|
'permission' => 'core.roles.view',
|
|
],
|
|
[
|
|
'label' => 'sidebar.core.users',
|
|
'to' => '/admin/users',
|
|
'icon' => 'mdi:account-group-outline',
|
|
'module' => 'core',
|
|
'permission' => 'core.users.view',
|
|
],
|
|
[
|
|
'label' => 'sidebar.sites.admin',
|
|
'to' => '/admin/sites',
|
|
'icon' => 'mdi:domain',
|
|
'module' => 'sites',
|
|
'permission' => 'sites.view',
|
|
],
|
|
[
|
|
'label' => 'sidebar.catalog.categories',
|
|
'to' => '/admin/categories',
|
|
'icon' => 'mdi:tag-multiple-outline',
|
|
'module' => 'catalog',
|
|
'permission' => 'catalog.categories.view',
|
|
],
|
|
[
|
|
'label' => 'sidebar.core.audit_log',
|
|
'to' => '/admin/audit-log',
|
|
'icon' => 'mdi:clipboard-text-clock',
|
|
'module' => 'core',
|
|
'permission' => 'core.audit_log.view',
|
|
],
|
|
],
|
|
],
|
|
[
|
|
'label' => 'sidebar.commercial.section',
|
|
'icon' => 'mdi:account-arrow-left-outline',
|
|
'items' => [
|
|
[
|
|
'label' => 'sidebar.commercial.clients',
|
|
'to' => '/commercial/clients',
|
|
'icon' => 'mdi:account-group-outline',
|
|
'module' => 'commercial',
|
|
'permission' => 'commercial.clients.view',
|
|
],
|
|
[
|
|
'label' => 'sidebar.commercial.suppliers',
|
|
'to' => '/suppliers',
|
|
'icon' => 'mdi:account-arrow-left-outline',
|
|
'module' => 'commercial',
|
|
],
|
|
],
|
|
],
|
|
// Section "Mon compte" : espace personnel. Accessible a tout user authentifie
|
|
// (aucune permission RBAC requise, tous les items restent dans `core` pour
|
|
// rester toujours presents meme quand les modules metier sont desactives).
|
|
[
|
|
'label' => 'sidebar.account.section',
|
|
'icon' => 'mdi:account-circle-outline',
|
|
'items' => [
|
|
[
|
|
'label' => 'sidebar.account.dashboard',
|
|
'to' => '/',
|
|
'icon' => 'mdi:view-dashboard-outline',
|
|
'module' => 'core',
|
|
],
|
|
[
|
|
'label' => 'sidebar.account.logout',
|
|
'to' => '/logout',
|
|
'icon' => 'mdi:logout',
|
|
'module' => 'core',
|
|
],
|
|
],
|
|
],
|
|
];
|