<?php
declare(strict_types=1);
namespace App\Tests\Module\Catalog\Api;
/**
 * RBAC du stockage (M7, ERP-210 — admin-only). Jumeau du ProductRBACMatrixTest.
 *
 * La matrice est volontairement tres restrictive : seul l'Admin porte
 * `catalog.storages.view` / `.manage`. Les 4 personas metier MALIO (Bureau, Compta,
 * Commerciale, Usine) n'ont AUCUNE permission stockage -> 403 partout. Un porteur de
 * `view` seul lit (200) mais ne peut ni creer ni modifier (403). Anonyme -> 401.
 *
 * @internal
 */
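final class StorageRBACMatrixTest extends AbstractStorageApiTestCase
{
    /** Business personas that carry no storage permission at all (module is admin-only). */
    private const array PERSONAS = ['Bureau', 'Compta', 'Commerciale', 'Usine'];

    /**
     * The admin client can list storages (200) and create one (201).
     */
    public function testAdminHasFullAccess(): void
    {
        $client = $this->createAdminClient();

        $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(200);

        $client->request('POST', '/api/storages', [
            'headers' => ['Content-Type' => self::LD],
            'json' => $this->validStoragePayload(),
        ]);
        self::assertResponseStatusCodeSame(201);
    }

    /**
     * Every business persona is denied on list, item read, create and update.
     *
     * The expected code is 403 (authenticated but not authorised), not 401: each
     * persona client is logged in. The entity is seeded first so that the item
     * routes resolve and the denial comes from the security layer, not a 404.
     */
    public function testBusinessPersonasAreForbiddenEverywhere(): void
    {
        $storage = $this->seedStorageEntity();
        $id = (int) $storage->getId();

        foreach (self::PERSONAS as $persona) {
            $client = $this->createPersonaClient($persona);

            $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas lister les stockages.');

            $client->request('GET', '/api/storages/'.$id, ['headers' => ['Accept' => self::LD]]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas consulter un stockage.');

            $client->request('POST', '/api/storages', [
                'headers' => ['Content-Type' => self::LD],
                'json' => $this->validStoragePayload(),
            ]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas creer de stockage.');

            $client->request('PATCH', '/api/storages/'.$id, [
                'headers' => ['Content-Type' => self::MERGE],
                'json' => ['numero' => 'X'],
            ]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas modifier un stockage.');
        }
    }

    /**
     * A holder of `view` only can read the collection and an item (200) but is
     * refused on both write operations guarded by `manage`: create (POST) and
     * update (PATCH) must return 403.
     *
     * The PATCH case matters: a test that only checks POST would let a
     * misconfigured voter grant `view` holders edit rights unnoticed.
     */
    public function testViewPermissionReadsButCannotManage(): void
    {
        $storage = $this->seedStorageEntity();
        $id = (int) $storage->getId();
        $client = $this->authView();

        $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(200);

        $client->request('GET', '/api/storages/'.$id, ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(200);

        // view without manage: creation is refused at the security layer (403).
        $client->request('POST', '/api/storages', [
            'headers' => ['Content-Type' => self::LD],
            'json' => $this->validStoragePayload(),
        ]);
        self::assertResponseStatusCodeSame(403, 'view sans manage ne doit pas creer de stockage.');

        // view without manage: update is refused as well (403), same body shape as the persona test.
        $client->request('PATCH', '/api/storages/'.$id, [
            'headers' => ['Content-Type' => self::MERGE],
            'json' => ['numero' => 'X'],
        ]);
        self::assertResponseStatusCodeSame(403, 'view sans manage ne doit pas modifier un stockage.');
    }

    /**
     * An unauthenticated client gets 401 (not 403) on the collection route.
     */
    public function testAnonymousIsUnauthorized(): void
    {
        $client = self::createClient();

        $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(401);
    }
}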