matthieu
96ddd15c86
Auto Tag Develop / tag (push) Successful in 9s
## Contexte M1 · Ticket 1/3 (Backend) de la refonte contact. Le contact principal inline du `Client` (firstName, lastName, phonePrimary, phoneSecondary, email) faisait doublon avec la sous-entité `ClientContact` (onglet Contact). Il est supprimé : les contacts vivent désormais **uniquement** dans `client_contact`. RG-1.01 (firstName OU lastName sur Client) et RG-1.02 (max 2 téléphones sur Client) sont **supprimées** du Client — leur équivalent vit déjà sur `ClientContact` (RG-1.05 / RG-1.14). ## Changements - **Migration** `Version20260603120000` (namespace racine `DoctrineMigrations` — tri par timestamp, cf. AlphabeticalComparator) : **backfill** des clients sans contact vers `client_contact` (position 0) **avant** le `DROP` des 5 colonnes. `down()` best-effort documenté. - **Entité `Client`** : retrait des 5 propriétés + getters/setters + groupes de sérialisation. - **`ClientProcessor`** : `MAIN_FIELDS` / `changedBusinessFields()` / `normalize()` allégés ; `validateMainContact()` (RG-1.01) supprimée. - **Recherche répertoire (D1)** : sur `companyName` seul (les anciens critères lastName/email vivaient sur les colonnes supprimées). - **Export XLSX (D2)** : colonnes de contact retirées (Nom entreprise / Catégories / Sites / [SIREN] / Date). - **Fixtures** + **catalogue de commentaires SQL** (`ColumnCommentsCatalog`) alignés. - **Tests** fonctionnels et unitaires mis à jour. ## Décisions actées - **Migration** au namespace racine (et non modulaire Commercial) : une migration `App\Module\Commercial\…` trierait avant le `CREATE TABLE client` sur base fraîche → casse. Conforme à la règle ABSOLUE n°11. - **D1** = recherche `companyName` seul. **D2** = retrait des colonnes contact de l'export. ## Vérifications - ✅ `make db-reset && make migration-migrate` : migration rejouable sur base fraîche (backfill no-op si contacts déjà présents). - ✅ `make test` : 466 tests verts. - ✅ `make php-cs-fixer-allow-risky` : clean. - ✅ Contrat réel `GET /api/clients/{id}` : les 5 champs ont disparu de la racine, `contacts[]` porte l'info. --------- Co-authored-by: admin malio <malio@yuno.malio.fr> Co-authored-by: Matthieu <contact@malio.fr> Reviewed-on: #55 Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr> Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
343 lines
14 KiB
PHP
343 lines
14 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Module\Commercial\Api;
|
|
|
|
use ApiPlatform\Symfony\Bundle\Test\Client;
|
|
use App\Module\Core\Infrastructure\DataFixtures\RbacDemoFixtures;
|
|
use App\Module\Sites\Domain\Entity\Site;
|
|
use Symfony\Bundle\FrameworkBundle\Console\Application;
|
|
use Symfony\Component\Console\Input\ArrayInput;
|
|
use Symfony\Component\Console\Output\NullOutput;
|
|
|
|
/**
|
|
* Matrice RBAC complete du repertoire clients par role metier (spec-back M1
|
|
* § 2.7 + cahier ERP-74). Valide 200/403 par verbe et par onglet pour
|
|
* bureau / compta / commerciale / usine, plus le durcissement RG-1.04
|
|
* (Commerciale) au POST.
|
|
*
|
|
* Les comptes demo et la matrice sont seedes via la commande reelle
|
|
* `app:seed-rbac --with-demo-users` (le MEME chemin qu'en recette), idempotente.
|
|
* Pre-requis du run : `app:sync-permissions` a tourne (cf. make test-db-setup).
|
|
*
|
|
* @internal
|
|
*/
|
|
final class ClientRBACMatrixTest extends AbstractCommercialApiTestCase
|
|
{
|
|
private const string LD = 'application/ld+json';
|
|
private const string MERGE = 'application/merge-patch+json';
|
|
private const string PWD = RbacDemoFixtures::DEMO_PASSWORD;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
|
|
// Seed idempotent via la commande applicative (roles + matrice § 2.7 +
|
|
// comptes demo). Exerce aussi le chemin de code prod.
|
|
self::bootKernel();
|
|
$application = new Application(self::$kernel);
|
|
$application->setAutoExit(false);
|
|
$exit = $application->run(
|
|
new ArrayInput([
|
|
'command' => 'app:seed-rbac',
|
|
'--with-demo-users' => true,
|
|
'--password' => self::PWD,
|
|
]),
|
|
new NullOutput(),
|
|
);
|
|
self::assertSame(
|
|
0,
|
|
$exit,
|
|
'app:seed-rbac a echoue : les permissions commercial.clients.* sont-elles synchronisees (app:sync-permissions) ?',
|
|
);
|
|
|
|
// Liberer le kernel pour que authenticatedClient()/createClient() reparte propre.
|
|
self::ensureKernelShutdown();
|
|
}
|
|
|
|
public function testUsineIsForbiddenEverywhere(): void
|
|
{
|
|
$seed = $this->seedClient('Usine Target');
|
|
$client = $this->authAs('usine');
|
|
|
|
// Aucune permission : 403 sur tous les verbes.
|
|
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
$client->request('GET', '/api/clients/'.$seed->getId(), ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
$client->request('POST', '/api/clients', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Usine Post'),
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Renamed By Usine'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testBureauHasViewAndManageButNoAccountingNoArchive(): void
|
|
{
|
|
$seed = $this->seedClient('Bureau Target');
|
|
$cat = $this->createCategory('SECTEUR');
|
|
$client = $this->authAs('bureau');
|
|
|
|
// view
|
|
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// manage : creation OK
|
|
$client->request('POST', '/api/clients', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Bureau Created', $cat->getId()),
|
|
]);
|
|
self::assertResponseStatusCodeSame(201);
|
|
|
|
// manage : edition onglet principal OK
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Bureau Renamed'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// PAS accounting : edition onglet Comptabilite refusee
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['siren' => '123456789'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS archive : archivage refuse
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['isArchived' => true],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testComptaCanEditAccountingOnly(): void
|
|
{
|
|
$seed = $this->seedClient('Compta Target');
|
|
$client = $this->authAs('compta');
|
|
|
|
// view
|
|
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// PAS manage : creation refusee
|
|
$client->request('POST', '/api/clients', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Compta Post'),
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// accounting.manage : edition onglet Comptabilite OK
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['siren' => '123456789'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// PAS manage : edition onglet principal refusee (guardManage)
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Compta Renamed'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS manage : edition onglet Information refusee (guardManage)
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['description' => 'Une description'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS archive : archivage refuse
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['isArchived' => true],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testCommercialeHasViewAndManageButNoAccountingNoArchive(): void
|
|
{
|
|
$seed = $this->seedClient('Commerciale Target');
|
|
$client = $this->authAs('commerciale');
|
|
|
|
// view
|
|
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// manage : la creation passe la security d'operation (pas un 403 comme
|
|
// Compta) mais bute sur RG-1.04 (onglet Information incomplet) -> 422.
|
|
// C'est la preuve que Commerciale porte `manage` (sinon 403).
|
|
$client->request('POST', '/api/clients', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Commerciale Post'),
|
|
]);
|
|
self::assertResponseStatusCodeSame(422);
|
|
|
|
// PAS accounting : edition onglet Comptabilite refusee
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['siren' => '123456789'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS archive : archivage refuse
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['isArchived' => true],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testRG104CommercialePostIncompleteIs422AdminIs201(): void
|
|
{
|
|
$cat = $this->createCategory('SECTEUR');
|
|
|
|
// RG-1.04 durcie : Commerciale POST sans onglet Information complet -> 422.
|
|
$commerciale = $this->authAs('commerciale');
|
|
$commerciale->request('POST', '/api/clients', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('RG104 Commerciale', $cat->getId()),
|
|
]);
|
|
self::assertResponseStatusCodeSame(422);
|
|
|
|
// Meme payload par un Admin (non gate par RG-1.04) -> 201.
|
|
$admin = $this->createAdminClient();
|
|
$admin->request('POST', '/api/clients', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('RG104 Admin', $cat->getId()),
|
|
]);
|
|
self::assertResponseStatusCodeSame(201);
|
|
}
|
|
|
|
public function testComptaFullRepresentationPatchWithUnchangedCategoriesIsNotForbidden(): void
|
|
{
|
|
// FIX review MR #40 : un Compta (accounting.manage, PAS manage) faisant un
|
|
// PATCH representation complete de l'onglet Comptabilite et reincluant ses
|
|
// categories INCHANGEES ne doit PAS prendre de 403. guardManage compare
|
|
// desormais les categories par valeur (et non par simple presence) : seul
|
|
// l'onglet Comptabilite change ici -> 200.
|
|
$seed = $this->seedClient('Compta Cat Unchanged');
|
|
$category = $seed->getCategories()->first();
|
|
self::assertNotFalse($category);
|
|
$catId = $category->getId();
|
|
$client = $this->authAs('compta');
|
|
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => [
|
|
'siren' => '123456789',
|
|
'categories' => ['/api/categories/'.$catId],
|
|
],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
}
|
|
|
|
public function testComptaChangingCategoriesIsForbidden(): void
|
|
{
|
|
// Non-regression : si le Compta change REELLEMENT l'ensemble des
|
|
// categories (sans manage) -> 403 via guardManage. La comparaison par
|
|
// valeur detecte bien le changement.
|
|
$seed = $this->seedClient('Compta Cat Change');
|
|
$newCat = $this->createCategory('SECTEUR');
|
|
$client = $this->authAs('compta');
|
|
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['categories' => ['/api/categories/'.$newCat->getId()]],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testBureauChangingCategoriesIsAllowed(): void
|
|
{
|
|
// Non-regression : un role porteur de `manage` (Bureau) peut changer les
|
|
// categories -> 200.
|
|
$seed = $this->seedClient('Bureau Cat Change');
|
|
$newCat = $this->createCategory('SECTEUR');
|
|
$client = $this->authAs('bureau');
|
|
|
|
$client->request('PATCH', '/api/clients/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['categories' => ['/api/categories/'.$newCat->getId()]],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
}
|
|
|
|
public function testBusinessRolesCanReadCategoriesAndSitesReferentials(): void
|
|
{
|
|
// ERP-102 : /categories et /sites sont des referentiels TRANSVERSES.
|
|
// Tout role qui gere des clients (bureau / compta / commerciale) doit
|
|
// pouvoir les LISTER pour alimenter les selects de creation/filtre client,
|
|
// via la permission de lecture-referentiel dediee (catalog.categories.read_ref
|
|
// / sites.read_ref) attachee par la matrice § 2.7 — sans pour autant porter
|
|
// la permission d'administration `.view`. Usine, sans aucune permission,
|
|
// reste interdit.
|
|
// Le referentiel /sites est TRANSVERSE et COMPLET : le cloisonnement par
|
|
// site rattache (SiteCollectionScopedExtension) est neutralise par
|
|
// `sites.read_ref` (ERP-102). Les comptes demo ne sont rattaches qu'a un
|
|
// seul site (Chatellerault) alors que la base en compte plusieurs : on
|
|
// verifie donc que le role voit la TOTALITE du referentiel, pas son seul
|
|
// site rattache. Sans le bypass de scope, totalItems vaudrait 1.
|
|
$totalSites = $this->getEm()->getRepository(Site::class)->count([]);
|
|
self::assertGreaterThan(
|
|
1,
|
|
$totalSites,
|
|
'Pre-requis du test : la base doit contenir plusieurs sites pour distinguer scope et bypass.',
|
|
);
|
|
|
|
foreach (['bureau', 'compta', 'commerciale'] as $role) {
|
|
$client = $this->authAs($role);
|
|
|
|
$client->request('GET', '/api/categories', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200, sprintf('Le role %s doit pouvoir lister /categories', $role));
|
|
|
|
$response = $client->request('GET', '/api/sites', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200, sprintf('Le role %s doit pouvoir lister /sites', $role));
|
|
self::assertSame(
|
|
$totalSites,
|
|
$response->toArray()['totalItems'] ?? null,
|
|
sprintf('Le role %s doit voir tout le referentiel sites (%d), pas seulement son site rattache', $role, $totalSites),
|
|
);
|
|
}
|
|
|
|
// Usine : aucune permission -> reste a 403 sur les referentiels.
|
|
$usine = $this->authAs('usine');
|
|
$usine->request('GET', '/api/categories', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(403, 'Usine ne doit pas pouvoir lister /categories');
|
|
$usine->request('GET', '/api/sites', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(403, 'Usine ne doit pas pouvoir lister /sites');
|
|
}
|
|
|
|
private function authAs(string $role): Client
|
|
{
|
|
return $this->authenticatedClient($role, self::PWD);
|
|
}
|
|
|
|
/**
|
|
* Payload minimal valide de l'onglet principal (companyName + une categorie
|
|
* SECTEUR ; le contact inline a ete supprime). Si $categoryId est null, une
|
|
* categorie est creee a la volee.
|
|
*
|
|
* @return array<string, mixed>
|
|
*/
|
|
private function validMainPayload(string $companyName, ?int $categoryId = null): array
|
|
{
|
|
$categoryId ??= $this->createCategory('SECTEUR')->getId();
|
|
|
|
return [
|
|
'companyName' => $companyName,
|
|
'categories' => ['/api/categories/'.$categoryId],
|
|
];
|
|
}
|
|
}
|