matthieu
6f9bb68170
Auto Tag Develop / tag (push) Successful in 7s
## ERP-92 — Tests PHPUnit M2 fournisseurs (#521) Suite fonctionnelle M2 assertant sur le **corps JSON** (jamais les annotations), jumelle de la suite clients M1. ### Couverture - **Contrat de sérialisation** (`SupplierSerializationContractTest`) : 4 régressions M1 re-testées — RIB gaté **absent** pour la Commerciale, booléens `triageProvider`/`isArchived` présents, embed `categories[].code/name`, embed `sites[].name/postalCode` (objet, pas IRI) — + enveloppe AP4 (`member`/`totalItems`/`view`, archivés exclus) + suppression du contact inline. - **Matrice RBAC réelle** (`app:seed-rbac`, pas de mock) : bureau/compta/commerciale/usine 200/403, gating `accounting` par **omission de clé**, mode strict PATCH (RG-2.16). - **Matrice RG-2.03 → RG-2.17** (création, normalisation RG-2.12, catégorie FOURNISSEUR RG-2.10, unicité RG-2.11, archivage RG-2.14/2.15, RG-2.07/2.08 compta, sous-ressources RG-2.04/2.05/2.06/2.09). - **Anti N+1 liste** : nombre de requêtes constant entre 2 et 4 fournisseurs. **Audit** Supplier + RIB (`iban`/`bic` dans le diff). ### Fix de contrat (découvert par la DoD) Les référentiels comptables (`TvaMode`/`PaymentType`/`PaymentDelay`/`Bank`) ne portaient que `client:read:accounting` (M1) → sur un fournisseur ils sortaient en **IRI nu**. Ajout de `supplier:read:accounting` → objet `{id, code, label}` embarqué (additif, zéro impact M1). Sans ce fix, #95/#96 auraient été développés contre un contrat faux. ### Infra `makefile` : `test-db-setup` recrée l'index partiel `uq_supplier_company_name_active` (droppé par `schema:update` comme celui du client — oubli M2). ### DoD ✅ § 4.0.bis : réponses JSON **réelles** (liste + détail admin/commerciale) collées. Front #93→#96 peuvent démarrer. ### Vérifs - `make test` : **574 tests OK** (suite complète verte) - `make php-cs-fixer-allow-risky` : 0 correction --------- Co-authored-by: Matthieu <contact@malio.fr> Reviewed-on: #71 Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr> Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
304 lines
12 KiB
PHP
304 lines
12 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Module\Commercial\Api;
|
|
|
|
use ApiPlatform\Symfony\Bundle\Test\Client;
|
|
use App\Module\Core\Infrastructure\DataFixtures\RbacDemoFixtures;
|
|
use Symfony\Bundle\FrameworkBundle\Console\Application;
|
|
use Symfony\Component\Console\Input\ArrayInput;
|
|
use Symfony\Component\Console\Output\NullOutput;
|
|
|
|
/**
|
|
* Matrice RBAC complete du repertoire fournisseurs par role metier (spec-back M2
|
|
* § 2.9 + ERP-90). Valide 200/403 par verbe et par onglet pour
|
|
* bureau / compta / commerciale / usine, le gating des champs comptables en
|
|
* lecture (omission de cle) et le durcissement RG-2.03 (Commerciale) au POST/PATCH.
|
|
*
|
|
* Les comptes demo et la matrice sont seedes via la commande reelle
|
|
* `app:seed-rbac --with-demo-users` (le MEME chemin qu'en recette), idempotente —
|
|
* pas de mock de role. Jumeau de ClientRBACMatrixTest (M1).
|
|
*
|
|
* Matrice § 2.9 (ERP-90) — rappel :
|
|
* - bureau : suppliers.view + manage (ni accounting, ni archive)
|
|
* - compta : suppliers.view + accounting.view + accounting.manage (PAS manage)
|
|
* - commerciale : suppliers.view + manage (PAS accounting), durcie RG-2.03
|
|
* - usine : aucune permission (403 partout)
|
|
* - archive : admin seul (aucun role metier)
|
|
*
|
|
* @internal
|
|
*/
|
|
final class SupplierRBACMatrixTest extends AbstractSupplierApiTestCase
|
|
{
|
|
private const string PWD = RbacDemoFixtures::DEMO_PASSWORD;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
|
|
// Seed idempotent via la commande applicative (roles + matrice § 2.9 +
|
|
// comptes demo). Exerce aussi le chemin de code prod.
|
|
self::bootKernel();
|
|
$application = new Application(self::$kernel);
|
|
$application->setAutoExit(false);
|
|
$exit = $application->run(
|
|
new ArrayInput([
|
|
'command' => 'app:seed-rbac',
|
|
'--with-demo-users' => true,
|
|
'--password' => self::PWD,
|
|
]),
|
|
new NullOutput(),
|
|
);
|
|
self::assertSame(
|
|
0,
|
|
$exit,
|
|
'app:seed-rbac a echoue : les permissions commercial.suppliers.* sont-elles synchronisees (app:sync-permissions) ?',
|
|
);
|
|
|
|
self::ensureKernelShutdown();
|
|
}
|
|
|
|
public function testUsineIsForbiddenEverywhere(): void
|
|
{
|
|
$seed = $this->seedSupplier('Usine Target');
|
|
$client = $this->authAs('usine');
|
|
|
|
$client->request('GET', '/api/suppliers', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
$client->request('GET', '/api/suppliers/'.$seed->getId(), ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
$client->request('POST', '/api/suppliers', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Usine Post'),
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Renamed By Usine'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testBureauHasViewAndManageButNoAccountingNoArchive(): void
|
|
{
|
|
$seed = $this->seedSupplier('Bureau Target');
|
|
$cat = $this->supplierCategory('NEGOCIANT');
|
|
$client = $this->authAs('bureau');
|
|
|
|
// view
|
|
$client->request('GET', '/api/suppliers', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// manage : creation OK (bureau n'est pas gate par RG-2.03)
|
|
$client->request('POST', '/api/suppliers', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Bureau Created', $cat->getId()),
|
|
]);
|
|
self::assertResponseStatusCodeSame(201);
|
|
|
|
// manage : edition onglet principal OK
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Bureau Renamed'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// PAS accounting : edition onglet Comptabilite refusee
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['siren' => '123456789'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS archive : archivage refuse
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['isArchived' => true],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testBureauDetailHasNoAccountingFields(): void
|
|
{
|
|
// Bureau a view mais PAS accounting.view : les champs comptables sont
|
|
// ABSENTS du JSON (gating par omission, pas null).
|
|
$supplier = $this->seedCompleteSupplier('Bureau Gating Co');
|
|
$client = $this->authAs('bureau');
|
|
|
|
$data = $client->request('GET', '/api/suppliers/'.$supplier->getId(), ['headers' => ['Accept' => self::LD]])->toArray();
|
|
|
|
// Gating par omission sur l'ensemble des champs comptables (pas seulement
|
|
// siren/ribs) : une regression reintroduisant accountNumber/nTva/tvaMode/
|
|
// paymentType dans le groupe bureau serait sinon invisible.
|
|
self::assertArrayNotHasKey('siren', $data);
|
|
self::assertArrayNotHasKey('accountNumber', $data);
|
|
self::assertArrayNotHasKey('nTva', $data);
|
|
self::assertArrayNotHasKey('tvaMode', $data);
|
|
self::assertArrayNotHasKey('paymentType', $data);
|
|
self::assertArrayNotHasKey('ribs', $data);
|
|
}
|
|
|
|
public function testComptaCanEditAccountingOnly(): void
|
|
{
|
|
$seed = $this->seedSupplier('Compta Target');
|
|
$client = $this->authAs('compta');
|
|
|
|
// view
|
|
$client->request('GET', '/api/suppliers', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// PAS manage : creation refusee
|
|
$client->request('POST', '/api/suppliers', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Compta Post'),
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// accounting.manage : edition onglet Comptabilite OK
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['siren' => '123456789'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// PAS manage : edition onglet principal refusee (guardManage)
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Compta Renamed'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS manage : edition onglet Information refusee (guardManage)
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['description' => 'Une description'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS archive : archivage refuse
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['isArchived' => true],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testComptaDetailHasAccountingFields(): void
|
|
{
|
|
// Compta a accounting.view : siren + ribs presents dans le JSON.
|
|
$supplier = $this->seedCompleteSupplier('Compta View Co');
|
|
$client = $this->authAs('compta');
|
|
|
|
$data = $client->request('GET', '/api/suppliers/'.$supplier->getId(), ['headers' => ['Accept' => self::LD]])->toArray();
|
|
|
|
self::assertArrayHasKey('siren', $data);
|
|
self::assertSame('123456789', $data['siren']);
|
|
self::assertArrayHasKey('ribs', $data);
|
|
self::assertNotEmpty($data['ribs']);
|
|
}
|
|
|
|
public function testCommercialeHasViewAndManageButNoAccountingNoArchive(): void
|
|
{
|
|
$seed = $this->seedSupplier('Commerciale Target');
|
|
$client = $this->authAs('commerciale');
|
|
|
|
// view
|
|
$client->request('GET', '/api/suppliers', ['headers' => ['Accept' => self::LD]]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
|
|
// manage : la creation passe la security d'operation (pas un 403 comme
|
|
// Compta) mais bute sur RG-2.03 (onglet Information incomplet) -> 422.
|
|
$response = $client->request('POST', '/api/suppliers', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('Commerciale Post'),
|
|
]);
|
|
self::assertResponseStatusCodeSame(422);
|
|
// Le 422 doit bien etre celui de RG-2.03 (onglet Information) et non un
|
|
// 422 orthogonal : on exige une violation sur un champ de completude.
|
|
self::assertArrayHasKey('description', $this->violationsByPath($response->toArray(false)));
|
|
|
|
// PAS accounting : edition onglet Comptabilite refusee
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['siren' => '123456789'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// PAS archive : archivage refuse
|
|
$client->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['isArchived' => true],
|
|
]);
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
public function testCommercialeDetailHasNoAccountingFields(): void
|
|
{
|
|
$supplier = $this->seedCompleteSupplier('Commerciale Gating Co');
|
|
$client = $this->authAs('commerciale');
|
|
|
|
$data = $client->request('GET', '/api/suppliers/'.$supplier->getId(), ['headers' => ['Accept' => self::LD]])->toArray();
|
|
|
|
self::assertArrayNotHasKey('siren', $data);
|
|
self::assertArrayNotHasKey('accountNumber', $data);
|
|
self::assertArrayNotHasKey('nTva', $data);
|
|
self::assertArrayNotHasKey('tvaMode', $data);
|
|
self::assertArrayNotHasKey('paymentType', $data);
|
|
self::assertArrayNotHasKey('ribs', $data);
|
|
}
|
|
|
|
public function testRG203CommercialePostIncompleteIs422AdminIs201(): void
|
|
{
|
|
$cat = $this->supplierCategory('NEGOCIANT');
|
|
|
|
// RG-2.03 : Commerciale POST sans onglet Information complet -> 422.
|
|
$commerciale = $this->authAs('commerciale');
|
|
$response = $commerciale->request('POST', '/api/suppliers', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('RG203 Commerciale', $cat->getId()),
|
|
]);
|
|
self::assertResponseStatusCodeSame(422);
|
|
self::assertArrayHasKey('description', $this->violationsByPath($response->toArray(false)));
|
|
|
|
// Meme payload par un Admin (non gate par RG-2.03) -> 201.
|
|
$admin = $this->createAdminClient();
|
|
$admin->request('POST', '/api/suppliers', [
|
|
'headers' => ['Content-Type' => self::LD],
|
|
'json' => $this->validMainPayload('RG203 Admin', $cat->getId()),
|
|
]);
|
|
self::assertResponseStatusCodeSame(201);
|
|
}
|
|
|
|
public function testRG203CommercialePatchIncompleteIs422(): void
|
|
{
|
|
// RG-2.03 : tout PATCH par une Commerciale exige l'Information complete.
|
|
// Le fournisseur seede a une Information vide -> meme un PATCH du nom -> 422.
|
|
$seed = $this->seedSupplier('Commerciale Patch Incomplete');
|
|
$commerciale = $this->authAs('commerciale');
|
|
|
|
$response = $commerciale->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Commerciale Renamed'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(422);
|
|
self::assertArrayHasKey('description', $this->violationsByPath($response->toArray(false)));
|
|
|
|
// Le meme PATCH par un Admin passe (non gate par RG-2.03) -> 200.
|
|
$admin = $this->createAdminClient();
|
|
$admin->request('PATCH', '/api/suppliers/'.$seed->getId(), [
|
|
'headers' => ['Content-Type' => self::MERGE],
|
|
'json' => ['companyName' => 'Admin Renamed'],
|
|
]);
|
|
self::assertResponseStatusCodeSame(200);
|
|
}
|
|
|
|
private function authAs(string $role): Client
|
|
{
|
|
return $this->authenticatedClient($role, self::PWD);
|
|
}
|
|
}
|