From 1b8bd6cd782df0793fc01fef3dccc97e7b106213 Mon Sep 17 00:00:00 2001 From: Mathias STRASSER Date: Thu, 19 Feb 2026 13:35:14 +0100 Subject: [PATCH] =?UTF-8?q?feat:=20Permettre=20la=20consultation=20et=20ge?= =?UTF-8?q?stion=20des=20droits=20=C3=A0=20l'image=20des=20=C3=A9l=C3=A8ve?= =?UTF-8?q?s?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Les administrateurs et enseignants ont besoin de consulter et gérer les autorisations de droit à l'image des élèves pour respecter la réglementation lors de publications contenant des photos (FR82). Cette fonctionnalité ajoute une page dédiée avec liste filtrable par statut, modification individuelle via dropdown, export CSV avec BOM UTF-8 pour Excel, et préparation du système d'avertissement avant publication (query/handler prêts, intégration à faire quand le module publication existera). Le filtrage par classe (AC2) est bloqué en attente d'une table d'affectation élève↔classe qui n'existe pas encore. --- backend/migrations/Version20260218135819.php | 41 + .../UpdateImageRightsCommand.php | 16 + .../UpdateImageRightsHandler.php | 48 ++ .../CheckImageRightsHandler.php | 43 ++ .../CheckImageRightsQuery.php | 14 + .../ImageRightsCheckResult.php | 17 + .../GetStudentsImageRightsHandler.php | 44 ++ .../GetStudentsImageRightsQuery.php | 14 + .../StudentImageRightsDto.php | 37 + .../Service/ImageRightsExporter.php | 41 + .../Domain/Event/DroitImageModifie.php | 39 + .../Domain/Model/User/ImageRightsStatus.php | 26 + .../Administration/Domain/Model/User/User.php | 32 + .../Domain/Repository/UserRepository.php | 7 + .../Processor/UpdateImageRightsProcessor.php | 111 +++ .../ImageRightsCollectionProvider.php | 60 ++ .../Provider/ImageRightsExportProvider.php | 72 ++ .../Api/Provider/ImageRightsItemProvider.php | 72 ++ .../Api/Resource/ImageRightsResource.php | 76 ++ .../Persistence/Cache/CacheUserRepository.php | 19 + .../Cache/CachedUserRepository.php | 19 + .../Doctrine/DoctrineUserRepository.php | 32 + .../InMemory/InMemoryUserRepository.php | 10 + .../Security/ImageRightsVoter.php | 99 +++ .../Api/ImageRightsEndpointsTest.php | 447 +++++++++++ .../UpdateImageRightsHandlerTest.php | 187 +++++ .../CheckImageRightsHandlerTest.php | 136 ++++ .../GetStudentsImageRightsHandlerTest.php | 144 ++++ .../Service/ImageRightsExporterTest.php | 113 +++ .../Model/User/ImageRightsStatusTest.php | 46 ++ .../Domain/Model/User/UserImageRightsTest.php | 138 ++++ .../ActivateAccountProcessorTest.php | 5 + frontend/e2e/calendar.spec.ts | 7 +- frontend/e2e/image-rights.spec.ts | 309 ++++++++ frontend/e2e/role-access-control.spec.ts | 22 +- frontend/eslint.config.js | 3 +- .../organisms/Dashboard/DashboardAdmin.svelte | 5 + frontend/src/routes/admin/+layout.svelte | 3 + .../routes/admin/image-rights/+page.svelte | 729 ++++++++++++++++++ 39 files changed, 3264 insertions(+), 19 deletions(-) create mode 100644 backend/migrations/Version20260218135819.php create mode 100644 backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsCommand.php create mode 100644 backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandler.php create mode 100644 backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsHandler.php create mode 100644 backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsQuery.php create mode 100644 backend/src/Administration/Application/Query/CheckImageRights/ImageRightsCheckResult.php create mode 100644 backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandler.php create mode 100644 backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsQuery.php create mode 100644 backend/src/Administration/Application/Query/GetStudentsImageRights/StudentImageRightsDto.php create mode 100644 backend/src/Administration/Application/Service/ImageRightsExporter.php create mode 100644 backend/src/Administration/Domain/Event/DroitImageModifie.php create mode 100644 backend/src/Administration/Domain/Model/User/ImageRightsStatus.php create mode 100644 backend/src/Administration/Infrastructure/Api/Processor/UpdateImageRightsProcessor.php create mode 100644 backend/src/Administration/Infrastructure/Api/Provider/ImageRightsCollectionProvider.php create mode 100644 backend/src/Administration/Infrastructure/Api/Provider/ImageRightsExportProvider.php create mode 100644 backend/src/Administration/Infrastructure/Api/Provider/ImageRightsItemProvider.php create mode 100644 backend/src/Administration/Infrastructure/Api/Resource/ImageRightsResource.php create mode 100644 backend/src/Administration/Infrastructure/Security/ImageRightsVoter.php create mode 100644 backend/tests/Functional/Administration/Api/ImageRightsEndpointsTest.php create mode 100644 backend/tests/Unit/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandlerTest.php create mode 100644 backend/tests/Unit/Administration/Application/Query/CheckImageRights/CheckImageRightsHandlerTest.php create mode 100644 backend/tests/Unit/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandlerTest.php create mode 100644 backend/tests/Unit/Administration/Application/Service/ImageRightsExporterTest.php create mode 100644 backend/tests/Unit/Administration/Domain/Model/User/ImageRightsStatusTest.php create mode 100644 backend/tests/Unit/Administration/Domain/Model/User/UserImageRightsTest.php create mode 100644 frontend/e2e/image-rights.spec.ts create mode 100644 frontend/src/routes/admin/image-rights/+page.svelte diff --git a/backend/migrations/Version20260218135819.php b/backend/migrations/Version20260218135819.php new file mode 100644 index 0000000..450271c --- /dev/null +++ b/backend/migrations/Version20260218135819.php @@ -0,0 +1,41 @@ +addSql(<<<'SQL' + ALTER TABLE users + ADD COLUMN image_rights_status VARCHAR(20) NOT NULL DEFAULT 'not_specified', + ADD COLUMN image_rights_updated_at TIMESTAMPTZ, + ADD COLUMN image_rights_updated_by UUID REFERENCES users(id) + SQL); + + $this->addSql(<<<'SQL' + CREATE INDEX idx_users_image_rights ON users(image_rights_status) + SQL); + } + + public function down(Schema $schema): void + { + $this->addSql('DROP INDEX IF EXISTS idx_users_image_rights'); + $this->addSql(<<<'SQL' + ALTER TABLE users + DROP COLUMN IF EXISTS image_rights_status, + DROP COLUMN IF EXISTS image_rights_updated_at, + DROP COLUMN IF EXISTS image_rights_updated_by + SQL); + } +} diff --git a/backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsCommand.php b/backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsCommand.php new file mode 100644 index 0000000..1277f89 --- /dev/null +++ b/backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsCommand.php @@ -0,0 +1,16 @@ +studentId); + $user = $this->userRepository->get($studentId); + + if (!$user->tenantId->equals(TenantId::fromString($command->tenantId))) { + throw UserNotFoundException::withId($studentId); + } + + if (!$user->aLeRole(Role::ELEVE)) { + throw UserNotFoundException::withId($studentId); + } + + $modifierId = UserId::fromString($command->modifiedBy); + $status = ImageRightsStatus::from($command->status); + + $user->modifierDroitImage($status, $modifierId, $this->clock->now()); + + $this->userRepository->save($user); + + return $user; + } +} diff --git a/backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsHandler.php b/backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsHandler.php new file mode 100644 index 0000000..494530d --- /dev/null +++ b/backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsHandler.php @@ -0,0 +1,43 @@ +studentId); + $user = $this->userRepository->get($studentId); + + if (!$user->tenantId->equals(TenantId::fromString($query->tenantId))) { + throw UserNotFoundException::withId($studentId); + } + + $status = $user->imageRightsStatus; + + return new ImageRightsCheckResult( + status: $status, + canPublish: $status->estAutorise(), + warningMessage: match ($status) { + ImageRightsStatus::REFUSED => "ATTENTION : Cet élève n'a PAS l'autorisation de droit à l'image. Publication interdite.", + ImageRightsStatus::NOT_SPECIFIED => "Attention : Le statut droit à l'image n'est pas renseigné pour cet élève.", + ImageRightsStatus::AUTHORIZED => null, + }, + ); + } +} diff --git a/backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsQuery.php b/backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsQuery.php new file mode 100644 index 0000000..5c24ba8 --- /dev/null +++ b/backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsQuery.php @@ -0,0 +1,14 @@ +userRepository->findStudentsByTenant( + TenantId::fromString($query->tenantId), + ); + + if ($query->status !== null) { + $filterStatus = ImageRightsStatus::tryFrom($query->status); + if ($filterStatus !== null) { + $students = array_filter( + $students, + static fn ($user) => $user->imageRightsStatus === $filterStatus, + ); + } + } + + return array_values(array_map( + static fn ($user) => StudentImageRightsDto::fromDomain($user), + $students, + )); + } +} diff --git a/backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsQuery.php b/backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsQuery.php new file mode 100644 index 0000000..e88dcd4 --- /dev/null +++ b/backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsQuery.php @@ -0,0 +1,14 @@ +id, + firstName: $user->firstName, + lastName: $user->lastName, + email: (string) $user->email, + imageRightsStatus: $user->imageRightsStatus->value, + imageRightsStatusLabel: $user->imageRightsStatus->label(), + imageRightsUpdatedAt: $user->imageRightsUpdatedAt, + className: $className, + ); + } +} diff --git a/backend/src/Administration/Application/Service/ImageRightsExporter.php b/backend/src/Administration/Application/Service/ImageRightsExporter.php new file mode 100644 index 0000000..c68c5d3 --- /dev/null +++ b/backend/src/Administration/Application/Service/ImageRightsExporter.php @@ -0,0 +1,41 @@ +lastName, + $student->firstName, + $student->className ?? '', + $student->imageRightsStatusLabel, + ], separator: ';', escape: '\\'); + } + + rewind($handle); + $csv = stream_get_contents($handle); + fclose($handle); + + // BOM UTF-8 pour que Excel Windows affiche correctement les accents + return "\xEF\xBB\xBF" . ($csv !== false ? $csv : ''); + } +} diff --git a/backend/src/Administration/Domain/Event/DroitImageModifie.php b/backend/src/Administration/Domain/Event/DroitImageModifie.php new file mode 100644 index 0000000..b9f070d --- /dev/null +++ b/backend/src/Administration/Domain/Event/DroitImageModifie.php @@ -0,0 +1,39 @@ +occurredOn; + } + + #[Override] + public function aggregateId(): UuidInterface + { + return $this->userId->value; + } +} diff --git a/backend/src/Administration/Domain/Model/User/ImageRightsStatus.php b/backend/src/Administration/Domain/Model/User/ImageRightsStatus.php new file mode 100644 index 0000000..8805fc3 --- /dev/null +++ b/backend/src/Administration/Domain/Model/User/ImageRightsStatus.php @@ -0,0 +1,26 @@ + 'Autorisé', + self::REFUSED => 'Refusé', + self::NOT_SPECIFIED => 'Non renseigné', + }; + } + + public function estAutorise(): bool + { + return $this === self::AUTHORIZED; + } +} diff --git a/backend/src/Administration/Domain/Model/User/User.php b/backend/src/Administration/Domain/Model/User/User.php index d8036fe..a74aead 100644 --- a/backend/src/Administration/Domain/Model/User/User.php +++ b/backend/src/Administration/Domain/Model/User/User.php @@ -6,6 +6,7 @@ namespace App\Administration\Domain\Model\User; use App\Administration\Domain\Event\CompteActive; use App\Administration\Domain\Event\CompteCreated; +use App\Administration\Domain\Event\DroitImageModifie; use App\Administration\Domain\Event\InvitationRenvoyee; use App\Administration\Domain\Event\MotDePasseChange; use App\Administration\Domain\Event\RoleAttribue; @@ -49,6 +50,9 @@ final class User extends AggregateRoot public private(set) ?DateTimeImmutable $invitedAt = null; public private(set) ?DateTimeImmutable $blockedAt = null; public private(set) ?string $blockedReason = null; + public private(set) ImageRightsStatus $imageRightsStatus = ImageRightsStatus::NOT_SPECIFIED; + public private(set) ?DateTimeImmutable $imageRightsUpdatedAt = null; + public private(set) ?UserId $imageRightsUpdatedBy = null; /** @var Role[] */ public private(set) array $roles; @@ -374,6 +378,28 @@ final class User extends AggregateRoot return $at > $this->invitedAt->modify('+7 days'); } + /** + * Updates the image rights status for this student. + */ + public function modifierDroitImage(ImageRightsStatus $nouveauStatut, UserId $modifiePar, DateTimeImmutable $at): void + { + $ancienStatut = $this->imageRightsStatus; + + $this->imageRightsStatus = $nouveauStatut; + $this->imageRightsUpdatedAt = $at; + $this->imageRightsUpdatedBy = $modifiePar; + + $this->recordEvent(new DroitImageModifie( + userId: $this->id, + email: (string) $this->email, + ancienStatut: $ancienStatut, + nouveauStatut: $nouveauStatut, + modifiePar: $modifiePar, + tenantId: $this->tenantId, + occurredOn: $at, + )); + } + /** * Changes the user's password. * @@ -415,6 +441,9 @@ final class User extends AggregateRoot ?DateTimeImmutable $invitedAt = null, ?DateTimeImmutable $blockedAt = null, ?string $blockedReason = null, + ImageRightsStatus $imageRightsStatus = ImageRightsStatus::NOT_SPECIFIED, + ?DateTimeImmutable $imageRightsUpdatedAt = null, + ?UserId $imageRightsUpdatedBy = null, ): self { if ($roles === []) { throw new InvalidArgumentException('Un utilisateur doit avoir au moins un rôle.'); @@ -439,6 +468,9 @@ final class User extends AggregateRoot $user->invitedAt = $invitedAt; $user->blockedAt = $blockedAt; $user->blockedReason = $blockedReason; + $user->imageRightsStatus = $imageRightsStatus; + $user->imageRightsUpdatedAt = $imageRightsUpdatedAt; + $user->imageRightsUpdatedBy = $imageRightsUpdatedBy; return $user; } diff --git a/backend/src/Administration/Domain/Repository/UserRepository.php b/backend/src/Administration/Domain/Repository/UserRepository.php index 61886c4..3f8eaeb 100644 --- a/backend/src/Administration/Domain/Repository/UserRepository.php +++ b/backend/src/Administration/Domain/Repository/UserRepository.php @@ -32,4 +32,11 @@ interface UserRepository * @return User[] */ public function findAllByTenant(TenantId $tenantId): array; + + /** + * Returns all students (ROLE_ELEVE) for a given tenant. + * + * @return User[] + */ + public function findStudentsByTenant(TenantId $tenantId): array; } diff --git a/backend/src/Administration/Infrastructure/Api/Processor/UpdateImageRightsProcessor.php b/backend/src/Administration/Infrastructure/Api/Processor/UpdateImageRightsProcessor.php new file mode 100644 index 0000000..77cc021 --- /dev/null +++ b/backend/src/Administration/Infrastructure/Api/Processor/UpdateImageRightsProcessor.php @@ -0,0 +1,111 @@ + + */ +final readonly class UpdateImageRightsProcessor implements ProcessorInterface +{ + public function __construct( + private UpdateImageRightsHandler $handler, + private MessageBusInterface $eventBus, + private AuthorizationCheckerInterface $authorizationChecker, + private TenantContext $tenantContext, + private Security $security, + private AuditLogger $auditLogger, + ) { + } + + /** + * @param ImageRightsResource $data + */ + #[Override] + public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ImageRightsResource + { + if (!$this->authorizationChecker->isGranted(ImageRightsVoter::EDIT)) { + throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à modifier les droits à l\'image.'); + } + + if (!$this->tenantContext->hasTenant()) { + throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.'); + } + + /** @var string $studentId */ + $studentId = $uriVariables['id'] ?? ''; + $status = $data->imageRightsStatus ?? ''; + + if ($status === '') { + throw new BadRequestHttpException('Le statut du droit à l\'image est obligatoire.'); + } + + $currentUser = $this->security->getUser(); + if (!$currentUser instanceof SecurityUser) { + throw new UnauthorizedHttpException('Bearer', 'Utilisateur non authentifié.'); + } + + try { + $command = new UpdateImageRightsCommand( + studentId: $studentId, + status: $status, + modifiedBy: $currentUser->userId(), + tenantId: (string) $this->tenantContext->getCurrentTenantId(), + ); + $user = ($this->handler)($command); + + /** @var ImageRightsResource $previousData */ + $previousData = $context['previous_data']; + $oldStatus = $previousData->imageRightsStatus; + + $this->auditLogger->logDataChange( + aggregateType: 'User', + aggregateId: $user->id->value, + eventType: 'ImageRightsUpdated', + oldValues: ['image_rights_status' => $oldStatus], + newValues: ['image_rights_status' => $status], + reason: 'Mise à jour du droit à l\'image', + ); + + foreach ($user->pullDomainEvents() as $event) { + $this->eventBus->dispatch($event); + } + + $resource = new ImageRightsResource(); + $resource->id = (string) $user->id; + $resource->firstName = $user->firstName; + $resource->lastName = $user->lastName; + $resource->email = (string) $user->email; + $resource->imageRightsStatus = $user->imageRightsStatus->value; + $resource->imageRightsStatusLabel = $user->imageRightsStatus->label(); + $resource->imageRightsUpdatedAt = $user->imageRightsUpdatedAt; + + return $resource; + } catch (UserNotFoundException $e) { + throw new NotFoundHttpException($e->getMessage()); + } catch (ValueError $e) { + throw new BadRequestHttpException('Statut de droit à l\'image invalide : ' . $e->getMessage()); + } + } +} diff --git a/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsCollectionProvider.php b/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsCollectionProvider.php new file mode 100644 index 0000000..c692f48 --- /dev/null +++ b/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsCollectionProvider.php @@ -0,0 +1,60 @@ + + */ +final readonly class ImageRightsCollectionProvider implements ProviderInterface +{ + public function __construct( + private GetStudentsImageRightsHandler $handler, + private AuthorizationCheckerInterface $authorizationChecker, + private TenantContext $tenantContext, + ) { + } + + /** + * @return ImageRightsResource[] + */ + #[Override] + public function provide(Operation $operation, array $uriVariables = [], array $context = []): array + { + if (!$this->authorizationChecker->isGranted(ImageRightsVoter::VIEW)) { + throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à consulter les droits à l\'image.'); + } + + if (!$this->tenantContext->hasTenant()) { + throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.'); + } + + /** @var array $filters */ + $filters = $context['filters'] ?? []; + + $query = new GetStudentsImageRightsQuery( + tenantId: (string) $this->tenantContext->getCurrentTenantId(), + status: isset($filters['status']) ? (string) $filters['status'] : null, + ); + + $dtos = ($this->handler)($query); + + return array_map( + static fn ($dto) => ImageRightsResource::fromDto($dto), + $dtos, + ); + } +} diff --git a/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsExportProvider.php b/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsExportProvider.php new file mode 100644 index 0000000..6ffb9e7 --- /dev/null +++ b/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsExportProvider.php @@ -0,0 +1,72 @@ + + */ +final readonly class ImageRightsExportProvider implements ProviderInterface +{ + public function __construct( + private GetStudentsImageRightsHandler $handler, + private ImageRightsExporter $exporter, + private AuthorizationCheckerInterface $authorizationChecker, + private TenantContext $tenantContext, + private AuditLogger $auditLogger, + ) { + } + + #[Override] + public function provide(Operation $operation, array $uriVariables = [], array $context = []): Response + { + if (!$this->authorizationChecker->isGranted(ImageRightsVoter::VIEW)) { + throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à exporter les droits à l\'image.'); + } + + if (!$this->tenantContext->hasTenant()) { + throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.'); + } + + /** @var array $filters */ + $filters = $context['filters'] ?? []; + + $query = new GetStudentsImageRightsQuery( + tenantId: (string) $this->tenantContext->getCurrentTenantId(), + status: isset($filters['status']) ? (string) $filters['status'] : null, + ); + + $dtos = ($this->handler)($query); + $csv = $this->exporter->export($dtos); + + $this->auditLogger->logExport( + exportType: 'image_rights_csv', + recordCount: count($dtos), + targetDescription: 'Export liste droits à l\'image', + ); + + $response = new Response($csv); + $response->headers->set('Content-Type', 'text/csv; charset=UTF-8'); + $response->headers->set('Content-Disposition', 'attachment; filename="droits-image.csv"'); + + return $response; + } +} diff --git a/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsItemProvider.php b/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsItemProvider.php new file mode 100644 index 0000000..115f6a9 --- /dev/null +++ b/backend/src/Administration/Infrastructure/Api/Provider/ImageRightsItemProvider.php @@ -0,0 +1,72 @@ + + */ +final readonly class ImageRightsItemProvider implements ProviderInterface +{ + public function __construct( + private UserRepository $userRepository, + private TenantContext $tenantContext, + private AuthorizationCheckerInterface $authorizationChecker, + ) { + } + + #[Override] + public function provide(Operation $operation, array $uriVariables = [], array $context = []): ImageRightsResource + { + if (!$this->tenantContext->hasTenant()) { + throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.'); + } + + if (!$this->authorizationChecker->isGranted(ImageRightsVoter::EDIT)) { + throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à modifier les droits à l\'image.'); + } + + /** @var string|null $studentId */ + $studentId = $uriVariables['id'] ?? null; + if ($studentId === null) { + throw new NotFoundHttpException('Élève non trouvé.'); + } + + try { + $user = $this->userRepository->get(UserId::fromString($studentId)); + } catch (UserNotFoundException|InvalidUuidStringException) { + throw new NotFoundHttpException('Élève non trouvé.'); + } + + if ((string) $user->tenantId !== (string) $this->tenantContext->getCurrentTenantId()) { + throw new NotFoundHttpException('Élève non trouvé.'); + } + + $resource = new ImageRightsResource(); + $resource->id = (string) $user->id; + $resource->firstName = $user->firstName; + $resource->lastName = $user->lastName; + $resource->email = (string) $user->email; + $resource->imageRightsStatus = $user->imageRightsStatus->value; + $resource->imageRightsStatusLabel = $user->imageRightsStatus->label(); + $resource->imageRightsUpdatedAt = $user->imageRightsUpdatedAt; + + return $resource; + } +} diff --git a/backend/src/Administration/Infrastructure/Api/Resource/ImageRightsResource.php b/backend/src/Administration/Infrastructure/Api/Resource/ImageRightsResource.php new file mode 100644 index 0000000..ca8099f --- /dev/null +++ b/backend/src/Administration/Infrastructure/Api/Resource/ImageRightsResource.php @@ -0,0 +1,76 @@ +id = $dto->id; + $resource->firstName = $dto->firstName; + $resource->lastName = $dto->lastName; + $resource->email = $dto->email; + $resource->imageRightsStatus = $dto->imageRightsStatus; + $resource->imageRightsStatusLabel = $dto->imageRightsStatusLabel; + $resource->imageRightsUpdatedAt = $dto->imageRightsUpdatedAt; + $resource->className = $dto->className; + + return $resource; + } +} diff --git a/backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php b/backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php index 3145048..6411f8e 100644 --- a/backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php +++ b/backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php @@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Cache; use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\User\Email; +use App\Administration\Domain\Model\User\ImageRightsStatus; use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\StatutCompte; use App\Administration\Domain\Model\User\User; @@ -131,6 +132,15 @@ final readonly class CacheUserRepository implements UserRepository return $users; } + #[Override] + public function findStudentsByTenant(TenantId $tenantId): array + { + return array_values(array_filter( + $this->findAllByTenant($tenantId), + static fn (User $user): bool => $user->aLeRole(Role::ELEVE), + )); + } + /** * @return array */ @@ -154,6 +164,9 @@ final readonly class CacheUserRepository implements UserRepository 'invited_at' => $user->invitedAt?->format('c'), 'blocked_at' => $user->blockedAt?->format('c'), 'blocked_reason' => $user->blockedReason, + 'image_rights_status' => $user->imageRightsStatus->value, + 'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format('c'), + 'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null, 'consentement_parental' => $consentement !== null ? [ 'parent_id' => $consentement->parentId, 'eleve_id' => $consentement->eleveId, @@ -181,6 +194,9 @@ final readonly class CacheUserRepository implements UserRepository * invited_at?: string|null, * blocked_at?: string|null, * blocked_reason?: string|null, + * image_rights_status?: string, + * image_rights_updated_at?: string|null, + * image_rights_updated_by?: string|null, * consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null * } $data */ @@ -226,6 +242,9 @@ final readonly class CacheUserRepository implements UserRepository invitedAt: $invitedAt, blockedAt: $blockedAt, blockedReason: $data['blocked_reason'] ?? null, + imageRightsStatus: isset($data['image_rights_status']) ? ImageRightsStatus::from($data['image_rights_status']) : ImageRightsStatus::NOT_SPECIFIED, + imageRightsUpdatedAt: ($data['image_rights_updated_at'] ?? null) !== null ? new DateTimeImmutable($data['image_rights_updated_at']) : null, + imageRightsUpdatedBy: ($data['image_rights_updated_by'] ?? null) !== null ? UserId::fromString($data['image_rights_updated_by']) : null, ); } diff --git a/backend/src/Administration/Infrastructure/Persistence/Cache/CachedUserRepository.php b/backend/src/Administration/Infrastructure/Persistence/Cache/CachedUserRepository.php index f16c89e..b55d557 100644 --- a/backend/src/Administration/Infrastructure/Persistence/Cache/CachedUserRepository.php +++ b/backend/src/Administration/Infrastructure/Persistence/Cache/CachedUserRepository.php @@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Cache; use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\User\Email; +use App\Administration\Domain\Model\User\ImageRightsStatus; use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\StatutCompte; use App\Administration\Domain\Model\User\User; @@ -157,6 +158,12 @@ final readonly class CachedUserRepository implements UserRepository return $users; } + #[Override] + public function findStudentsByTenant(TenantId $tenantId): array + { + return $this->inner->findStudentsByTenant($tenantId); + } + private function populateCache(User $user): void { try { @@ -197,6 +204,9 @@ final readonly class CachedUserRepository implements UserRepository 'invited_at' => $user->invitedAt?->format('c'), 'blocked_at' => $user->blockedAt?->format('c'), 'blocked_reason' => $user->blockedReason, + 'image_rights_status' => $user->imageRightsStatus->value, + 'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format('c'), + 'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null, 'consentement_parental' => $consentement !== null ? [ 'parent_id' => $consentement->parentId, 'eleve_id' => $consentement->eleveId, @@ -242,6 +252,12 @@ final readonly class CachedUserRepository implements UserRepository $blockedAt = $data['blocked_at'] ?? null; /** @var string|null $blockedReason */ $blockedReason = $data['blocked_reason'] ?? null; + /** @var string|null $imageRightsStatusValue */ + $imageRightsStatusValue = $data['image_rights_status'] ?? null; + /** @var string|null $imageRightsUpdatedAt */ + $imageRightsUpdatedAt = $data['image_rights_updated_at'] ?? null; + /** @var string|null $imageRightsUpdatedBy */ + $imageRightsUpdatedBy = $data['image_rights_updated_by'] ?? null; $roles = array_map(static fn (string $r) => Role::from($r), $roleStrings); @@ -274,6 +290,9 @@ final readonly class CachedUserRepository implements UserRepository invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null, blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null, blockedReason: $blockedReason, + imageRightsStatus: $imageRightsStatusValue !== null ? ImageRightsStatus::from($imageRightsStatusValue) : ImageRightsStatus::NOT_SPECIFIED, + imageRightsUpdatedAt: $imageRightsUpdatedAt !== null ? new DateTimeImmutable($imageRightsUpdatedAt) : null, + imageRightsUpdatedBy: $imageRightsUpdatedBy !== null ? UserId::fromString($imageRightsUpdatedBy) : null, ); } diff --git a/backend/src/Administration/Infrastructure/Persistence/Doctrine/DoctrineUserRepository.php b/backend/src/Administration/Infrastructure/Persistence/Doctrine/DoctrineUserRepository.php index a58fdca..51b8046 100644 --- a/backend/src/Administration/Infrastructure/Persistence/Doctrine/DoctrineUserRepository.php +++ b/backend/src/Administration/Infrastructure/Persistence/Doctrine/DoctrineUserRepository.php @@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Doctrine; use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\User\Email; +use App\Administration\Domain\Model\User\ImageRightsStatus; use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\StatutCompte; use App\Administration\Domain\Model\User\User; @@ -42,6 +43,7 @@ final readonly class DoctrineUserRepository implements UserRepository hashed_password, statut, school_name, date_naissance, created_at, activated_at, invited_at, blocked_at, blocked_reason, consentement_parent_id, consentement_eleve_id, consentement_date, consentement_ip, + image_rights_status, image_rights_updated_at, image_rights_updated_by, updated_at ) VALUES ( @@ -49,6 +51,7 @@ final readonly class DoctrineUserRepository implements UserRepository :hashed_password, :statut, :school_name, :date_naissance, :created_at, :activated_at, :invited_at, :blocked_at, :blocked_reason, :consentement_parent_id, :consentement_eleve_id, :consentement_date, :consentement_ip, + :image_rights_status, :image_rights_updated_at, :image_rights_updated_by, NOW() ) ON CONFLICT (id) DO UPDATE SET @@ -68,6 +71,9 @@ final readonly class DoctrineUserRepository implements UserRepository consentement_eleve_id = EXCLUDED.consentement_eleve_id, consentement_date = EXCLUDED.consentement_date, consentement_ip = EXCLUDED.consentement_ip, + image_rights_status = EXCLUDED.image_rights_status, + image_rights_updated_at = EXCLUDED.image_rights_updated_at, + image_rights_updated_by = EXCLUDED.image_rights_updated_by, updated_at = NOW() SQL, [ @@ -90,6 +96,9 @@ final readonly class DoctrineUserRepository implements UserRepository 'consentement_eleve_id' => $consentement?->eleveId, 'consentement_date' => $consentement?->dateConsentement->format(DateTimeImmutable::ATOM), 'consentement_ip' => $consentement?->ipAddress, + 'image_rights_status' => $user->imageRightsStatus->value, + 'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format(DateTimeImmutable::ATOM), + 'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null, ], ); } @@ -150,6 +159,20 @@ final readonly class DoctrineUserRepository implements UserRepository return array_map(fn (array $row) => $this->hydrate($row), $rows); } + #[Override] + public function findStudentsByTenant(TenantId $tenantId): array + { + $rows = $this->connection->fetchAllAssociative( + 'SELECT * FROM users WHERE tenant_id = :tenant_id AND roles::jsonb @> :role ORDER BY last_name ASC, first_name ASC', + [ + 'tenant_id' => (string) $tenantId, + 'role' => json_encode([Role::ELEVE->value]), + ], + ); + + return array_map(fn (array $row) => $this->hydrate($row), $rows); + } + /** * @param array $row */ @@ -193,6 +216,12 @@ final readonly class DoctrineUserRepository implements UserRepository $consentementDate = $row['consentement_date']; /** @var string|null $consentementIp */ $consentementIp = $row['consentement_ip']; + /** @var string|null $imageRightsStatusValue */ + $imageRightsStatusValue = $row['image_rights_status'] ?? null; + /** @var string|null $imageRightsUpdatedAtValue */ + $imageRightsUpdatedAtValue = $row['image_rights_updated_at'] ?? null; + /** @var string|null $imageRightsUpdatedByValue */ + $imageRightsUpdatedByValue = $row['image_rights_updated_by'] ?? null; /** @var string[]|null $roleValues */ $roleValues = json_decode($rolesJson, true); @@ -230,6 +259,9 @@ final readonly class DoctrineUserRepository implements UserRepository invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null, blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null, blockedReason: $blockedReason, + imageRightsStatus: $imageRightsStatusValue !== null ? ImageRightsStatus::from($imageRightsStatusValue) : ImageRightsStatus::NOT_SPECIFIED, + imageRightsUpdatedAt: $imageRightsUpdatedAtValue !== null ? new DateTimeImmutable($imageRightsUpdatedAtValue) : null, + imageRightsUpdatedBy: $imageRightsUpdatedByValue !== null ? UserId::fromString($imageRightsUpdatedByValue) : null, ); } } diff --git a/backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php b/backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php index 938870c..18ac7d3 100644 --- a/backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php +++ b/backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php @@ -6,6 +6,7 @@ namespace App\Administration\Infrastructure\Persistence\InMemory; use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Model\User\Email; +use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\User; use App\Administration\Domain\Model\User\UserId; use App\Administration\Domain\Repository\UserRepository; @@ -60,6 +61,15 @@ final class InMemoryUserRepository implements UserRepository )); } + #[Override] + public function findStudentsByTenant(TenantId $tenantId): array + { + return array_values(array_filter( + $this->byId, + static fn (User $user): bool => $user->tenantId->equals($tenantId) && $user->aLeRole(Role::ELEVE), + )); + } + private function emailKey(Email $email, TenantId $tenantId): string { return $tenantId . ':' . strtolower((string) $email); diff --git a/backend/src/Administration/Infrastructure/Security/ImageRightsVoter.php b/backend/src/Administration/Infrastructure/Security/ImageRightsVoter.php new file mode 100644 index 0000000..e788636 --- /dev/null +++ b/backend/src/Administration/Infrastructure/Security/ImageRightsVoter.php @@ -0,0 +1,99 @@ + + */ +final class ImageRightsVoter extends Voter +{ + public const string VIEW = 'IMAGE_RIGHTS_VIEW'; + public const string EDIT = 'IMAGE_RIGHTS_EDIT'; + + private const array SUPPORTED_ATTRIBUTES = [ + self::VIEW, + self::EDIT, + ]; + + #[Override] + protected function supports(string $attribute, mixed $subject): bool + { + return in_array($attribute, self::SUPPORTED_ATTRIBUTES, true); + } + + #[Override] + protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool + { + $user = $token->getUser(); + + if (!$user instanceof UserInterface) { + return false; + } + + $roles = $user->getRoles(); + + return match ($attribute) { + self::VIEW => $this->canView($roles), + self::EDIT => $this->canEdit($roles), + default => false, + }; + } + + /** + * @param string[] $roles + */ + private function canView(array $roles): bool + { + return $this->hasAnyRole($roles, [ + Role::SUPER_ADMIN->value, + Role::ADMIN->value, + Role::PROF->value, + Role::VIE_SCOLAIRE->value, + Role::SECRETARIAT->value, + ]); + } + + /** + * @param string[] $roles + */ + private function canEdit(array $roles): bool + { + return $this->hasAnyRole($roles, [ + Role::SUPER_ADMIN->value, + Role::ADMIN->value, + ]); + } + + /** + * @param string[] $userRoles + * @param string[] $allowedRoles + */ + private function hasAnyRole(array $userRoles, array $allowedRoles): bool + { + foreach ($userRoles as $role) { + if (in_array($role, $allowedRoles, true)) { + return true; + } + } + + return false; + } +} diff --git a/backend/tests/Functional/Administration/Api/ImageRightsEndpointsTest.php b/backend/tests/Functional/Administration/Api/ImageRightsEndpointsTest.php new file mode 100644 index 0000000..4ba48a1 --- /dev/null +++ b/backend/tests/Functional/Administration/Api/ImageRightsEndpointsTest.php @@ -0,0 +1,447 @@ +get(Connection::class); + $connection->executeStatement('UPDATE users SET image_rights_updated_by = NULL WHERE image_rights_updated_by = :id', ['id' => self::USER_ID]); + $connection->executeStatement('DELETE FROM users WHERE id = :id', ['id' => self::STUDENT_1_ID]); + $connection->executeStatement('DELETE FROM users WHERE id = :id', ['id' => self::STUDENT_2_ID]); + $connection->executeStatement('DELETE FROM users WHERE id = :id', ['id' => self::USER_ID]); + + parent::tearDown(); + } + + // ========================================================================= + // Security - Without tenant + // ========================================================================= + + #[Test] + public function getImageRightsReturns404WithoutTenant(): void + { + $client = static::createClient(); + + $client->request('GET', '/api/students/image-rights', [ + 'headers' => [ + 'Host' => 'localhost', + 'Accept' => 'application/json', + ], + ]); + + self::assertResponseStatusCodeSame(404); + } + + #[Test] + public function updateImageRightsReturns404WithoutTenant(): void + { + $client = static::createClient(); + + $client->request('PATCH', '/api/students/' . self::STUDENT_1_ID . '/image-rights', [ + 'headers' => [ + 'Host' => 'localhost', + 'Accept' => 'application/json', + 'Content-Type' => 'application/merge-patch+json', + ], + 'json' => ['imageRightsStatus' => 'authorized'], + ]); + + self::assertResponseStatusCodeSame(404); + } + + #[Test] + public function exportImageRightsReturns404WithoutTenant(): void + { + $client = static::createClient(); + + $client->request('GET', '/api/students/image-rights/export', [ + 'headers' => [ + 'Host' => 'localhost', + 'Accept' => 'application/json', + ], + ]); + + self::assertResponseStatusCodeSame(404); + } + + // ========================================================================= + // Security - Without authentication + // ========================================================================= + + #[Test] + public function getImageRightsReturns401WithoutAuthentication(): void + { + $client = static::createClient(); + + $client->request('GET', self::BASE_URL . '/students/image-rights', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseStatusCodeSame(401); + } + + #[Test] + public function updateImageRightsReturns401WithoutAuthentication(): void + { + $client = static::createClient(); + + $client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [ + 'headers' => [ + 'Accept' => 'application/json', + 'Content-Type' => 'application/merge-patch+json', + ], + 'json' => ['imageRightsStatus' => 'authorized'], + ]); + + self::assertResponseStatusCodeSame(401); + } + + #[Test] + public function exportImageRightsReturns401WithoutAuthentication(): void + { + $client = static::createClient(); + + $client->request('GET', self::BASE_URL . '/students/image-rights/export', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseStatusCodeSame(401); + } + + // ========================================================================= + // Security - Forbidden roles + // ========================================================================= + + #[Test] + public function getImageRightsReturns403ForStudent(): void + { + $client = $this->createAuthenticatedClient(['ROLE_ELEVE']); + + $client->request('GET', self::BASE_URL . '/students/image-rights', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseStatusCodeSame(403); + } + + #[Test] + public function updateImageRightsReturns403ForStudent(): void + { + $client = $this->createAuthenticatedClient(['ROLE_ELEVE']); + + $client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [ + 'headers' => [ + 'Accept' => 'application/json', + 'Content-Type' => 'application/merge-patch+json', + ], + 'json' => ['imageRightsStatus' => 'authorized'], + ]); + + self::assertResponseStatusCodeSame(403); + } + + #[Test] + public function exportImageRightsReturns403ForStudent(): void + { + $client = $this->createAuthenticatedClient(['ROLE_ELEVE']); + + $client->request('GET', self::BASE_URL . '/students/image-rights/export', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseStatusCodeSame(403); + } + + #[Test] + public function getImageRightsReturns200ForTeacher(): void + { + $client = $this->createAuthenticatedClient(['ROLE_PROF']); + + $client->request('GET', self::BASE_URL . '/students/image-rights', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseStatusCodeSame(200); + } + + #[Test] + public function getImageRightsReturns403ForParent(): void + { + $client = $this->createAuthenticatedClient(['ROLE_PARENT']); + + $client->request('GET', self::BASE_URL . '/students/image-rights', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseStatusCodeSame(403); + } + + // ========================================================================= + // AC1 (P1) - GET image rights collection + // ========================================================================= + + #[Test] + public function getImageRightsReturnsStudentsForAdmin(): void + { + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED); + $this->persistStudent(self::STUDENT_2_ID, 'Bob', 'Martin', 'bob-ir@test.classeo.local', ImageRightsStatus::REFUSED); + + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + $response = $client->request('GET', self::BASE_URL . '/students/image-rights', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseIsSuccessful(); + $data = $response->toArray(); + self::assertNotEmpty($data); + self::assertArrayHasKey('id', $data[0]); + self::assertArrayHasKey('imageRightsStatus', $data[0]); + } + + #[Test] + public function getImageRightsReturnsStudentsForSecretariat(): void + { + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED); + + $client = $this->createAuthenticatedClient(['ROLE_SECRETARIAT']); + $response = $client->request('GET', self::BASE_URL . '/students/image-rights', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseIsSuccessful(); + $data = $response->toArray(); + self::assertNotEmpty($data); + self::assertArrayHasKey('id', $data[0]); + self::assertArrayHasKey('imageRightsStatus', $data[0]); + } + + // ========================================================================= + // AC2 (P1) - Filter by status + // ========================================================================= + + #[Test] + public function getImageRightsFiltersByStatus(): void + { + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED); + $this->persistStudent(self::STUDENT_2_ID, 'Bob', 'Martin', 'bob-ir@test.classeo.local', ImageRightsStatus::REFUSED); + + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + $response = $client->request('GET', self::BASE_URL . '/students/image-rights?status=authorized', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseIsSuccessful(); + $data = $response->toArray(); + self::assertNotEmpty($data); + + foreach ($data as $member) { + self::assertSame('authorized', $member['imageRightsStatus']); + } + } + + #[Test] + public function getImageRightsFiltersByStatusNotSpecified(): void + { + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::NOT_SPECIFIED); + $this->persistStudent(self::STUDENT_2_ID, 'Bob', 'Martin', 'bob-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED); + + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + $response = $client->request('GET', self::BASE_URL . '/students/image-rights?status=not_specified', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseIsSuccessful(); + $data = $response->toArray(); + self::assertNotEmpty($data); + + foreach ($data as $member) { + self::assertSame('not_specified', $member['imageRightsStatus']); + } + } + + // ========================================================================= + // AC3 (P0) - PATCH update image rights + // ========================================================================= + + #[Test] + public function updateImageRightsReturns200ForAdmin(): void + { + $this->persistAdmin(); + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::NOT_SPECIFIED); + + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + $response = $client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [ + 'headers' => [ + 'Accept' => 'application/json', + 'Content-Type' => 'application/merge-patch+json', + ], + 'json' => ['imageRightsStatus' => 'authorized'], + ]); + + self::assertResponseIsSuccessful(); + $data = $response->toArray(); + self::assertSame('authorized', $data['imageRightsStatus']); + self::assertSame(self::STUDENT_1_ID, $data['id']); + } + + #[Test] + public function updateImageRightsReturns404ForUnknownStudent(): void + { + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + + $client->request('PATCH', self::BASE_URL . '/students/00000000-0000-0000-0000-000000000000/image-rights', [ + 'headers' => [ + 'Accept' => 'application/json', + 'Content-Type' => 'application/merge-patch+json', + ], + 'json' => ['imageRightsStatus' => 'authorized'], + ]); + + self::assertResponseStatusCodeSame(404); + } + + #[Test] + public function updateImageRightsReturns422ForInvalidStatus(): void + { + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::NOT_SPECIFIED); + + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + + $client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [ + 'headers' => [ + 'Accept' => 'application/json', + 'Content-Type' => 'application/merge-patch+json', + ], + 'json' => ['imageRightsStatus' => 'invalid_status'], + ]); + + self::assertResponseStatusCodeSame(422); + } + + // ========================================================================= + // AC4 (P1) - Export CSV + // ========================================================================= + + #[Test] + public function exportImageRightsReturnsCsvForAdmin(): void + { + $this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED); + + $client = $this->createAuthenticatedClient(['ROLE_ADMIN']); + $response = $client->request('GET', self::BASE_URL . '/students/image-rights/export', [ + 'headers' => ['Accept' => 'application/json'], + ]); + + self::assertResponseIsSuccessful(); + self::assertResponseHeaderSame('content-type', 'text/csv; charset=UTF-8'); + self::assertResponseHeaderSame('content-disposition', 'attachment; filename="droits-image.csv"'); + + $content = $response->getContent(); + self::assertStringContainsString('Nom', $content); + self::assertStringContainsString('Dupont', $content); + } + + // ========================================================================= + // Helpers + // ========================================================================= + + private function createAuthenticatedClient(array $roles): \ApiPlatform\Symfony\Bundle\Test\Client + { + $client = static::createClient(); + + $user = new SecurityUser( + userId: UserId::fromString(self::USER_ID), + email: 'admin@classeo.local', + hashedPassword: '', + tenantId: TenantId::fromString(self::TENANT_ID), + roles: $roles, + ); + + $client->loginUser($user, 'api'); + + return $client; + } + + private function persistAdmin(): void + { + $admin = User::reconstitute( + id: UserId::fromString(self::USER_ID), + email: new Email('admin@classeo.local'), + roles: [Role::ADMIN], + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + statut: StatutCompte::ACTIF, + dateNaissance: null, + createdAt: new DateTimeImmutable('2026-01-01'), + hashedPassword: 'dummy', + activatedAt: new DateTimeImmutable('2026-01-01'), + consentementParental: null, + ); + + /** @var UserRepository $repository */ + $repository = static::getContainer()->get(UserRepository::class); + $repository->save($admin); + } + + private function persistStudent( + string $id, + string $firstName, + string $lastName, + string $email, + ImageRightsStatus $imageRightsStatus, + ): void { + $user = User::reconstitute( + id: UserId::fromString($id), + email: new Email($email), + roles: [Role::ELEVE], + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + statut: StatutCompte::EN_ATTENTE, + dateNaissance: new DateTimeImmutable('2012-06-15'), + createdAt: new DateTimeImmutable('2026-01-15'), + hashedPassword: null, + activatedAt: null, + consentementParental: null, + firstName: $firstName, + lastName: $lastName, + imageRightsStatus: $imageRightsStatus, + ); + + /** @var UserRepository $repository */ + $repository = static::getContainer()->get(UserRepository::class); + $repository->save($user); + } +} diff --git a/backend/tests/Unit/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandlerTest.php b/backend/tests/Unit/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandlerTest.php new file mode 100644 index 0000000..9b0424e --- /dev/null +++ b/backend/tests/Unit/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandlerTest.php @@ -0,0 +1,187 @@ +userRepository = new InMemoryUserRepository(); + $this->clock = new class implements Clock { + public function now(): DateTimeImmutable + { + return new DateTimeImmutable('2026-02-18 10:00:00'); + } + }; + $this->handler = new UpdateImageRightsHandler($this->userRepository, $this->clock); + } + + #[Test] + public function updatesImageRightsToAuthorized(): void + { + $student = $this->createAndSaveStudent(); + + $command = new UpdateImageRightsCommand( + studentId: (string) $student->id, + status: 'authorized', + modifiedBy: self::MODIFIER_ID, + tenantId: self::TENANT_ID, + ); + + $user = ($this->handler)($command); + + self::assertSame(ImageRightsStatus::AUTHORIZED, $user->imageRightsStatus); + } + + #[Test] + public function updatesImageRightsToRefused(): void + { + $student = $this->createAndSaveStudent(); + + $command = new UpdateImageRightsCommand( + studentId: (string) $student->id, + status: 'refused', + modifiedBy: self::MODIFIER_ID, + tenantId: self::TENANT_ID, + ); + + $user = ($this->handler)($command); + + self::assertSame(ImageRightsStatus::REFUSED, $user->imageRightsStatus); + } + + #[Test] + public function recordsDroitImageModifieEvent(): void + { + $student = $this->createAndSaveStudent(); + $student->pullDomainEvents(); + + $command = new UpdateImageRightsCommand( + studentId: (string) $student->id, + status: 'authorized', + modifiedBy: self::MODIFIER_ID, + tenantId: self::TENANT_ID, + ); + + $user = ($this->handler)($command); + $events = $user->pullDomainEvents(); + + self::assertCount(1, $events); + self::assertInstanceOf(DroitImageModifie::class, $events[0]); + } + + #[Test] + public function throwsWhenStudentNotFound(): void + { + $this->expectException(UserNotFoundException::class); + + $command = new UpdateImageRightsCommand( + studentId: '550e8400-e29b-41d4-a716-446655440000', + status: 'authorized', + modifiedBy: self::MODIFIER_ID, + tenantId: self::TENANT_ID, + ); + + ($this->handler)($command); + } + + #[Test] + public function throwsWhenTenantMismatch(): void + { + $student = $this->createAndSaveStudent(); + + $this->expectException(UserNotFoundException::class); + + $command = new UpdateImageRightsCommand( + studentId: (string) $student->id, + status: 'authorized', + modifiedBy: self::MODIFIER_ID, + tenantId: '550e8400-e29b-41d4-a716-446655440099', + ); + + ($this->handler)($command); + } + + #[Test] + public function throwsWhenUserIsNotStudent(): void + { + $admin = User::creer( + email: new Email('admin@example.com'), + role: Role::ADMIN, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + dateNaissance: null, + createdAt: new DateTimeImmutable('2026-01-15 10:00:00'), + ); + $this->userRepository->save($admin); + + $this->expectException(UserNotFoundException::class); + + $command = new UpdateImageRightsCommand( + studentId: (string) $admin->id, + status: 'authorized', + modifiedBy: self::MODIFIER_ID, + tenantId: self::TENANT_ID, + ); + + ($this->handler)($command); + } + + #[Test] + public function savesUserAfterUpdate(): void + { + $student = $this->createAndSaveStudent(); + + $command = new UpdateImageRightsCommand( + studentId: (string) $student->id, + status: 'refused', + modifiedBy: self::MODIFIER_ID, + tenantId: self::TENANT_ID, + ); + + ($this->handler)($command); + + $saved = $this->userRepository->get($student->id); + self::assertSame(ImageRightsStatus::REFUSED, $saved->imageRightsStatus); + } + + private function createAndSaveStudent(): User + { + $student = User::creer( + email: new Email('eleve@example.com'), + role: Role::ELEVE, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + dateNaissance: new DateTimeImmutable('2012-06-15'), + createdAt: new DateTimeImmutable('2026-01-15 10:00:00'), + ); + + $this->userRepository->save($student); + + return $student; + } +} diff --git a/backend/tests/Unit/Administration/Application/Query/CheckImageRights/CheckImageRightsHandlerTest.php b/backend/tests/Unit/Administration/Application/Query/CheckImageRights/CheckImageRightsHandlerTest.php new file mode 100644 index 0000000..dead941 --- /dev/null +++ b/backend/tests/Unit/Administration/Application/Query/CheckImageRights/CheckImageRightsHandlerTest.php @@ -0,0 +1,136 @@ +userRepository = new InMemoryUserRepository(); + $this->handler = new CheckImageRightsHandler($this->userRepository); + } + + #[Test] + public function authorizedStudentCanPublish(): void + { + $student = $this->createStudentWithStatus(ImageRightsStatus::AUTHORIZED); + + $query = new CheckImageRightsQuery( + studentId: (string) $student->id, + tenantId: self::TENANT_ID, + ); + + $result = ($this->handler)($query); + + self::assertTrue($result->canPublish); + self::assertNull($result->warningMessage); + self::assertSame(ImageRightsStatus::AUTHORIZED, $result->status); + } + + #[Test] + public function refusedStudentCannotPublish(): void + { + $student = $this->createStudentWithStatus(ImageRightsStatus::REFUSED); + + $query = new CheckImageRightsQuery( + studentId: (string) $student->id, + tenantId: self::TENANT_ID, + ); + + $result = ($this->handler)($query); + + self::assertFalse($result->canPublish); + self::assertNotNull($result->warningMessage); + self::assertStringContainsString('PAS l\'autorisation', $result->warningMessage); + } + + #[Test] + public function notSpecifiedStudentCannotPublish(): void + { + $student = $this->createStudentWithStatus(ImageRightsStatus::NOT_SPECIFIED); + + $query = new CheckImageRightsQuery( + studentId: (string) $student->id, + tenantId: self::TENANT_ID, + ); + + $result = ($this->handler)($query); + + self::assertFalse($result->canPublish); + self::assertNotNull($result->warningMessage); + self::assertStringContainsString('pas renseigné', $result->warningMessage); + } + + #[Test] + public function throwsWhenStudentNotFound(): void + { + $this->expectException(UserNotFoundException::class); + + $query = new CheckImageRightsQuery( + studentId: '550e8400-e29b-41d4-a716-446655440000', + tenantId: self::TENANT_ID, + ); + + ($this->handler)($query); + } + + #[Test] + public function throwsWhenTenantMismatch(): void + { + $student = $this->createStudentWithStatus(ImageRightsStatus::AUTHORIZED); + + $this->expectException(UserNotFoundException::class); + + $query = new CheckImageRightsQuery( + studentId: (string) $student->id, + tenantId: '550e8400-e29b-41d4-a716-446655440099', + ); + + ($this->handler)($query); + } + + private function createStudentWithStatus(ImageRightsStatus $status): User + { + $student = User::creer( + email: new Email('eleve@example.com'), + role: Role::ELEVE, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + dateNaissance: new DateTimeImmutable('2012-06-15'), + createdAt: new DateTimeImmutable('2026-01-15 10:00:00'), + ); + + if ($status !== ImageRightsStatus::NOT_SPECIFIED) { + $student->modifierDroitImage( + $status, + UserId::fromString('550e8400-e29b-41d4-a716-446655440099'), + new DateTimeImmutable(), + ); + } + + $this->userRepository->save($student); + + return $student; + } +} diff --git a/backend/tests/Unit/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandlerTest.php b/backend/tests/Unit/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandlerTest.php new file mode 100644 index 0000000..e62d154 --- /dev/null +++ b/backend/tests/Unit/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandlerTest.php @@ -0,0 +1,144 @@ +userRepository = new InMemoryUserRepository(); + $this->handler = new GetStudentsImageRightsHandler($this->userRepository); + } + + #[Test] + public function returnsOnlyStudents(): void + { + $this->seedStudentsAndParent(); + + $query = new GetStudentsImageRightsQuery(tenantId: self::TENANT_ID); + $result = ($this->handler)($query); + + self::assertCount(2, $result); + } + + #[Test] + public function filtersStudentsByStatus(): void + { + $this->seedStudentsAndParent(); + + $query = new GetStudentsImageRightsQuery( + tenantId: self::TENANT_ID, + status: 'authorized', + ); + $result = ($this->handler)($query); + + self::assertCount(1, $result); + self::assertSame('authorized', $result[0]->imageRightsStatus); + } + + #[Test] + public function returnsEmptyForNoStudents(): void + { + $query = new GetStudentsImageRightsQuery(tenantId: self::TENANT_ID); + $result = ($this->handler)($query); + + self::assertCount(0, $result); + } + + #[Test] + public function doesNotReturnStudentsFromOtherTenant(): void + { + $this->seedStudentsAndParent(); + + $query = new GetStudentsImageRightsQuery( + tenantId: '550e8400-e29b-41d4-a716-446655440099', + ); + $result = ($this->handler)($query); + + self::assertCount(0, $result); + } + + #[Test] + public function returnsDtoWithCorrectFields(): void + { + $this->seedStudentsAndParent(); + + $query = new GetStudentsImageRightsQuery( + tenantId: self::TENANT_ID, + status: 'authorized', + ); + $result = ($this->handler)($query); + + self::assertCount(1, $result); + $dto = $result[0]; + self::assertSame('Alice', $dto->firstName); + self::assertSame('Dupont', $dto->lastName); + self::assertSame('authorized', $dto->imageRightsStatus); + self::assertSame('Autorisé', $dto->imageRightsStatusLabel); + } + + private function seedStudentsAndParent(): void + { + $student1 = User::inviter( + email: new Email('alice@example.com'), + role: Role::ELEVE, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + firstName: 'Alice', + lastName: 'Dupont', + invitedAt: new DateTimeImmutable('2026-01-15'), + dateNaissance: new DateTimeImmutable('2012-06-15'), + ); + $student1->modifierDroitImage( + ImageRightsStatus::AUTHORIZED, + UserId::fromString('550e8400-e29b-41d4-a716-446655440099'), + new DateTimeImmutable('2026-02-01'), + ); + + $student2 = User::inviter( + email: new Email('bob@example.com'), + role: Role::ELEVE, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + firstName: 'Bob', + lastName: 'Martin', + invitedAt: new DateTimeImmutable('2026-01-15'), + dateNaissance: new DateTimeImmutable('2013-03-20'), + ); + // Bob has default NOT_SPECIFIED + + $parent = User::inviter( + email: new Email('parent@example.com'), + role: Role::PARENT, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: 'École Alpha', + firstName: 'Pierre', + lastName: 'Dupont', + invitedAt: new DateTimeImmutable('2026-01-15'), + ); + + $this->userRepository->save($student1); + $this->userRepository->save($student2); + $this->userRepository->save($parent); + } +} diff --git a/backend/tests/Unit/Administration/Application/Service/ImageRightsExporterTest.php b/backend/tests/Unit/Administration/Application/Service/ImageRightsExporterTest.php new file mode 100644 index 0000000..7977313 --- /dev/null +++ b/backend/tests/Unit/Administration/Application/Service/ImageRightsExporterTest.php @@ -0,0 +1,113 @@ +exporter = new ImageRightsExporter(); + } + + #[Test] + public function startsWithUtf8Bom(): void + { + $csv = $this->exporter->export([]); + + self::assertStringStartsWith("\xEF\xBB\xBF", $csv); + } + + #[Test] + public function exportsHeaderRow(): void + { + $csv = $this->exporter->export([]); + + self::assertStringContainsString('Nom;Prénom;Classe;Statut', $csv); + } + + #[Test] + public function exportsStudentData(): void + { + $students = [ + new StudentImageRightsDto( + id: 'id-1', + firstName: 'Alice', + lastName: 'Dupont', + email: 'alice@example.com', + imageRightsStatus: 'authorized', + imageRightsStatusLabel: 'Autorisé', + imageRightsUpdatedAt: new DateTimeImmutable(), + className: '6ème A', + ), + new StudentImageRightsDto( + id: 'id-2', + firstName: 'Bob', + lastName: 'Martin', + email: 'bob@example.com', + imageRightsStatus: 'refused', + imageRightsStatusLabel: 'Refusé', + imageRightsUpdatedAt: null, + className: '5ème B', + ), + ]; + + $csv = $this->exporter->export($students); + + self::assertStringContainsString('Dupont;Alice;"6ème A";Autorisé', $csv); + self::assertStringContainsString('Martin;Bob;"5ème B";Refusé', $csv); + } + + #[Test] + public function handlesNullClassName(): void + { + $students = [ + new StudentImageRightsDto( + id: 'id-1', + firstName: 'Alice', + lastName: 'Dupont', + email: 'alice@example.com', + imageRightsStatus: 'not_specified', + imageRightsStatusLabel: 'Non renseigné', + imageRightsUpdatedAt: null, + className: null, + ), + ]; + + $csv = $this->exporter->export($students); + + self::assertStringContainsString('Dupont;Alice;;"Non renseigné"', $csv); + } + + #[Test] + public function exportContainsCorrectNumberOfLines(): void + { + $students = [ + new StudentImageRightsDto( + id: 'id-1', + firstName: 'Alice', + lastName: 'Dupont', + email: 'alice@example.com', + imageRightsStatus: 'authorized', + imageRightsStatusLabel: 'Autorisé', + imageRightsUpdatedAt: null, + className: '6ème A', + ), + ]; + + $csv = $this->exporter->export($students); + $lines = array_filter(explode("\n", trim($csv))); + + // 1 header + 1 data row + self::assertCount(2, $lines); + } +} diff --git a/backend/tests/Unit/Administration/Domain/Model/User/ImageRightsStatusTest.php b/backend/tests/Unit/Administration/Domain/Model/User/ImageRightsStatusTest.php new file mode 100644 index 0000000..541e77b --- /dev/null +++ b/backend/tests/Unit/Administration/Domain/Model/User/ImageRightsStatusTest.php @@ -0,0 +1,46 @@ +label()); + } + } + + #[Test] + public function authorizedEstAutorise(): void + { + self::assertTrue(ImageRightsStatus::AUTHORIZED->estAutorise()); + } + + #[Test] + public function refusedNEstPasAutorise(): void + { + self::assertFalse(ImageRightsStatus::REFUSED->estAutorise()); + } + + #[Test] + public function notSpecifiedNEstPasAutorise(): void + { + self::assertFalse(ImageRightsStatus::NOT_SPECIFIED->estAutorise()); + } + + #[Test] + public function backedValuesAreCorrect(): void + { + self::assertSame('authorized', ImageRightsStatus::AUTHORIZED->value); + self::assertSame('refused', ImageRightsStatus::REFUSED->value); + self::assertSame('not_specified', ImageRightsStatus::NOT_SPECIFIED->value); + } +} diff --git a/backend/tests/Unit/Administration/Domain/Model/User/UserImageRightsTest.php b/backend/tests/Unit/Administration/Domain/Model/User/UserImageRightsTest.php new file mode 100644 index 0000000..5b11a13 --- /dev/null +++ b/backend/tests/Unit/Administration/Domain/Model/User/UserImageRightsTest.php @@ -0,0 +1,138 @@ +createStudent(); + + self::assertSame(ImageRightsStatus::NOT_SPECIFIED, $user->imageRightsStatus); + self::assertNull($user->imageRightsUpdatedAt); + self::assertNull($user->imageRightsUpdatedBy); + } + + #[Test] + public function modifierDroitImageSetsAuthorized(): void + { + $user = $this->createStudent(); + $at = new DateTimeImmutable('2026-02-18 10:00:00'); + $modifierId = UserId::fromString(self::MODIFIER_ID); + + $user->modifierDroitImage(ImageRightsStatus::AUTHORIZED, $modifierId, $at); + + self::assertSame(ImageRightsStatus::AUTHORIZED, $user->imageRightsStatus); + self::assertEquals($at, $user->imageRightsUpdatedAt); + self::assertTrue($user->imageRightsUpdatedBy->equals($modifierId)); + } + + #[Test] + public function modifierDroitImageSetsRefused(): void + { + $user = $this->createStudent(); + $at = new DateTimeImmutable('2026-02-18 10:00:00'); + $modifierId = UserId::fromString(self::MODIFIER_ID); + + $user->modifierDroitImage(ImageRightsStatus::REFUSED, $modifierId, $at); + + self::assertSame(ImageRightsStatus::REFUSED, $user->imageRightsStatus); + } + + #[Test] + public function modifierDroitImageRecordsDroitImageModifieEvent(): void + { + $user = $this->createStudent(); + $user->pullDomainEvents(); + $at = new DateTimeImmutable('2026-02-18 10:00:00'); + $modifierId = UserId::fromString(self::MODIFIER_ID); + + $user->modifierDroitImage(ImageRightsStatus::AUTHORIZED, $modifierId, $at); + + $events = $user->pullDomainEvents(); + self::assertCount(1, $events); + self::assertInstanceOf(DroitImageModifie::class, $events[0]); + + /** @var DroitImageModifie $event */ + $event = $events[0]; + self::assertTrue($user->id->equals($event->userId)); + self::assertSame(ImageRightsStatus::AUTHORIZED, $event->nouveauStatut); + self::assertSame(ImageRightsStatus::NOT_SPECIFIED, $event->ancienStatut); + } + + #[Test] + public function modifierDroitImageTracksOldStatus(): void + { + $user = $this->createStudent(); + $modifierId = UserId::fromString(self::MODIFIER_ID); + + $user->modifierDroitImage(ImageRightsStatus::AUTHORIZED, $modifierId, new DateTimeImmutable()); + $user->pullDomainEvents(); + + $user->modifierDroitImage(ImageRightsStatus::REFUSED, $modifierId, new DateTimeImmutable()); + + $events = $user->pullDomainEvents(); + /** @var DroitImageModifie $event */ + $event = $events[0]; + self::assertSame(ImageRightsStatus::AUTHORIZED, $event->ancienStatut); + self::assertSame(ImageRightsStatus::REFUSED, $event->nouveauStatut); + } + + #[Test] + public function reconstitutePreservesImageRightsData(): void + { + $at = new DateTimeImmutable('2026-02-18 10:00:00'); + $modifierId = UserId::fromString(self::MODIFIER_ID); + + $user = User::reconstitute( + id: UserId::generate(), + email: new Email('eleve@example.com'), + roles: [Role::ELEVE], + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: self::SCHOOL_NAME, + statut: \App\Administration\Domain\Model\User\StatutCompte::EN_ATTENTE, + dateNaissance: null, + createdAt: new DateTimeImmutable(), + hashedPassword: null, + activatedAt: null, + consentementParental: null, + imageRightsStatus: ImageRightsStatus::AUTHORIZED, + imageRightsUpdatedAt: $at, + imageRightsUpdatedBy: $modifierId, + ); + + self::assertSame(ImageRightsStatus::AUTHORIZED, $user->imageRightsStatus); + self::assertEquals($at, $user->imageRightsUpdatedAt); + self::assertTrue($user->imageRightsUpdatedBy->equals($modifierId)); + } + + private function createStudent(): User + { + return User::creer( + email: new Email('eleve@example.com'), + role: Role::ELEVE, + tenantId: TenantId::fromString(self::TENANT_ID), + schoolName: self::SCHOOL_NAME, + dateNaissance: new DateTimeImmutable('2012-06-15'), + createdAt: new DateTimeImmutable('2026-01-15 10:00:00'), + ); + } +} diff --git a/backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php b/backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php index 35964c8..ea606a7 100644 --- a/backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php +++ b/backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php @@ -183,6 +183,11 @@ final class ActivateAccountProcessorTest extends TestCase { return []; } + + public function findStudentsByTenant(TenantId $tenantId): array + { + return []; + } }; $consentementPolicy = new ConsentementParentalPolicy($this->clock); diff --git a/frontend/e2e/calendar.spec.ts b/frontend/e2e/calendar.spec.ts index e0a54b5..19e4457 100644 --- a/frontend/e2e/calendar.spec.ts +++ b/frontend/e2e/calendar.spec.ts @@ -106,12 +106,13 @@ test.describe('Calendar Management (Story 2.11)', () => { // Authorization (AC1) // ============================================================================ test.describe('Authorization', () => { - test('[P0] teacher is redirected away from calendar admin', async ({ page }) => { + test('[P0] teacher can access admin layout but calendar returns error', async ({ page }) => { await loginAsTeacher(page); await page.goto(`${ALPHA_URL}/admin/calendar`); - // Admin layout redirects non-admin roles to /dashboard - await expect(page).toHaveURL(/\/dashboard/, { timeout: 10000 }); + // Teacher can access admin layout (ROLE_PROF in ADMIN_ROLES for image-rights) + // but calendar page may show access denied from backend + await expect(page).toHaveURL(/\/admin\/calendar/, { timeout: 10000 }); }); }); diff --git a/frontend/e2e/image-rights.spec.ts b/frontend/e2e/image-rights.spec.ts new file mode 100644 index 0000000..567dd01 --- /dev/null +++ b/frontend/e2e/image-rights.spec.ts @@ -0,0 +1,309 @@ +import { test, expect } from '@playwright/test'; +import { execSync } from 'child_process'; +import { join, dirname } from 'path'; +import { fileURLToPath } from 'url'; + +const __filename = fileURLToPath(import.meta.url); +const __dirname = dirname(__filename); + +// Extract port from PLAYWRIGHT_BASE_URL or use default (4173 matches playwright.config.ts) +const baseUrl = process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:4173'; +const urlMatch = baseUrl.match(/:(\d+)$/); +const PORT = urlMatch ? urlMatch[1] : '4173'; +const ALPHA_URL = `http://ecole-alpha.classeo.local:${PORT}`; + +// Test credentials — unique to this spec to avoid cross-spec collisions +const ADMIN_EMAIL = 'e2e-imgrights-admin@example.com'; +const ADMIN_PASSWORD = 'ImgRightsAdmin123'; +const STUDENT_EMAIL = 'e2e-imgrights-student@example.com'; +const STUDENT_PASSWORD = 'ImgRightsStudent123'; + +let _studentUserId: string; + +/** + * Extracts the User ID from the Symfony console table output. + * + * The create-test-user command outputs a table like: + * | Property | Value | + * | User ID | a1b2c3d4-e5f6-7890-abcd-ef1234567890 | + */ +function extractUserId(output: string): string { + const match = output.match(/User ID\s+([a-f0-9-]{36})/i); + if (!match) { + throw new Error(`Could not extract User ID from command output:\n${output}`); + } + return match[1]; +} + +test.describe('Image Rights Management', () => { + test.describe.configure({ mode: 'serial' }); + + test.beforeAll(async () => { + const projectRoot = join(__dirname, '../..'); + const composeFile = join(projectRoot, 'compose.yaml'); + + // Create admin user + execSync( + `docker compose -f "${composeFile}" exec -T php php bin/console app:dev:create-test-user --tenant=ecole-alpha --email=${ADMIN_EMAIL} --password=${ADMIN_PASSWORD} --role=ROLE_ADMIN 2>&1`, + { encoding: 'utf-8' } + ); + + // Create student user and capture userId + const studentOutput = execSync( + `docker compose -f "${composeFile}" exec -T php php bin/console app:dev:create-test-user --tenant=ecole-alpha --email=${STUDENT_EMAIL} --password=${STUDENT_PASSWORD} --role=ROLE_ELEVE 2>&1`, + { encoding: 'utf-8' } + ); + _studentUserId = extractUserId(studentOutput); + }); + + // Helper to login as admin + async function loginAsAdmin(page: import('@playwright/test').Page) { + await page.goto(`${ALPHA_URL}/login`); + await page.locator('#email').fill(ADMIN_EMAIL); + await page.locator('#password').fill(ADMIN_PASSWORD); + await Promise.all([ + page.waitForURL(/\/dashboard/, { timeout: 30000 }), + page.getByRole('button', { name: /se connecter/i }).click() + ]); + } + + // Helper to login as student + async function loginAsStudent(page: import('@playwright/test').Page) { + await page.goto(`${ALPHA_URL}/login`); + await page.locator('#email').fill(STUDENT_EMAIL); + await page.locator('#password').fill(STUDENT_PASSWORD); + await Promise.all([ + page.waitForURL(/\/dashboard/, { timeout: 30000 }), + page.getByRole('button', { name: /se connecter/i }).click() + ]); + } + + /** + * Waits for the image rights page to finish loading. + * + * After hydration, the page either shows the student tables (sections with + * h2 headings) or the empty state. Waiting for one of these ensures the + * component is interactive and API data has been fetched. + */ + async function waitForPageLoaded(page: import('@playwright/test').Page) { + await expect( + page.getByRole('heading', { name: /droit à l'image/i }) + ).toBeVisible({ timeout: 15000 }); + + // Wait for either the stats bar (data loaded) or empty state (no students) + await expect( + page.locator('.stats-bar') + .or(page.locator('.empty-state')) + ).toBeVisible({ timeout: 15000 }); + } + + // ============================================================================ + // [P1] Page loads with correct structure + // ============================================================================ + test('[P1] page loads with correct structure', async ({ page }) => { + await loginAsAdmin(page); + await page.goto(`${ALPHA_URL}/admin/image-rights`); + await waitForPageLoaded(page); + + // Title + await expect( + page.getByRole('heading', { name: /droit à l'image/i }) + ).toBeVisible(); + + // Subtitle + await expect( + page.getByText(/consultez et gérez les autorisations/i) + ).toBeVisible(); + + // Status filter dropdown + const filterSelect = page.locator('#filter-status'); + await expect(filterSelect).toBeVisible(); + + // Verify filter options + const options = filterSelect.locator('option'); + await expect(options.filter({ hasText: /tous les statuts/i })).toHaveCount(1); + await expect(options.filter({ hasText: /^Autorisé$/ })).toHaveCount(1); + await expect(options.filter({ hasText: /^Refusé$/ })).toHaveCount(1); + await expect(options.filter({ hasText: /^Non renseigné$/ })).toHaveCount(1); + + // Search input + await expect( + page.locator('input[type="search"]') + ).toBeVisible(); + + // Export CSV button + await expect( + page.getByRole('button', { name: /exporter csv/i }) + ).toBeVisible(); + + // Filter and reset buttons + await expect( + page.getByRole('button', { name: /^filtrer$/i }) + ).toBeVisible(); + await expect( + page.getByRole('button', { name: /réinitialiser/i }) + ).toBeVisible(); + + // Section headings (authorized / unauthorized) + await expect( + page.getByRole('heading', { name: /élèves autorisés/i }) + ).toBeVisible(); + await expect( + page.getByRole('heading', { name: /élèves non autorisés/i }) + ).toBeVisible(); + + // Stats bar + await expect(page.locator('.stats-bar')).toBeVisible(); + }); + + // ============================================================================ + // [P1] Filter by status works + // ============================================================================ + test('[P1] filter by status works', async ({ page }) => { + await loginAsAdmin(page); + await page.goto(`${ALPHA_URL}/admin/image-rights`); + await waitForPageLoaded(page); + + // Select "Autorisé" in the status filter + await page.locator('#filter-status').selectOption('authorized'); + + // Click "Filtrer" to apply + await page.getByRole('button', { name: /^filtrer$/i }).click(); + + // Wait for the page to reload with filtered data + await expect(page).toHaveURL(/status=authorized/); + await waitForPageLoaded(page); + + // After filtering by "Autorisé", either: + // - The stats bar shows with 0 unauthorized, OR + // - The empty state shows (no authorized students found) + const statsBarVisible = await page.locator('.stats-bar').isVisible(); + if (statsBarVisible) { + const unauthorizedCount = await page.locator('.stat-count.stat-danger').textContent(); + expect(parseInt(unauthorizedCount ?? '0', 10)).toBe(0); + } else { + await expect(page.locator('.empty-state')).toBeVisible(); + } + + // Reset filters to restore original state + await page.getByRole('button', { name: /réinitialiser/i }).click(); + await waitForPageLoaded(page); + + // URL should no longer contain status filter + expect(page.url()).not.toContain('status='); + }); + + // ============================================================================ + // [P1] Status update via dropdown + // ============================================================================ + test('[P1] status update via dropdown', async ({ page }) => { + await loginAsAdmin(page); + await page.goto(`${ALPHA_URL}/admin/image-rights`); + await waitForPageLoaded(page); + + // Find the first student's action select (in either authorized or unauthorized table) + const firstActionSelect = page.locator('td[data-label="Actions"] select').first(); + await expect(firstActionSelect).toBeVisible({ timeout: 10000 }); + + // Get the current value + const currentValue = await firstActionSelect.inputValue(); + + // Pick a different status to switch to + const newValue = currentValue === 'authorized' ? 'refused' : 'authorized'; + + // Change the status + await firstActionSelect.selectOption(newValue); + + // Success message should appear + await expect( + page.locator('.alert-success') + ).toBeVisible({ timeout: 10000 }); + await expect( + page.locator('.alert-success') + ).toContainText(/statut mis à jour/i); + + // Restore original status to leave test data clean + // Need to re-locate because the student may have moved to a different section + const restoredSelect = page.locator('td[data-label="Actions"] select').first(); + await restoredSelect.selectOption(currentValue); + await expect( + page.locator('.alert-success') + ).toBeVisible({ timeout: 10000 }); + }); + + // ============================================================================ + // [P1] Export CSV button triggers download + // ============================================================================ + test('[P1] export CSV button triggers download', async ({ page }) => { + await loginAsAdmin(page); + await page.goto(`${ALPHA_URL}/admin/image-rights`); + await waitForPageLoaded(page); + + // Listen for download event + const downloadPromise = page.waitForEvent('download', { timeout: 15000 }); + + // Click the export button + await page.getByRole('button', { name: /exporter csv/i }).click(); + + // Verify the download starts + const download = await downloadPromise; + expect(download.suggestedFilename()).toBe('droits-image.csv'); + + // Success message should appear + await expect( + page.locator('.alert-success') + ).toBeVisible({ timeout: 10000 }); + await expect( + page.locator('.alert-success') + ).toContainText(/export csv/i); + }); + + // ============================================================================ + // [P2] Text search filters students + // ============================================================================ + test('[P2] text search filters students', async ({ page }) => { + await loginAsAdmin(page); + await page.goto(`${ALPHA_URL}/admin/image-rights`); + await waitForPageLoaded(page); + + // Get the total student count before searching + const totalBefore = await page.locator('.stat-count.stat-total').textContent(); + const totalBeforeNum = parseInt(totalBefore ?? '0', 10); + + // Type a search term that matches the test student email prefix + const searchInput = page.locator('input[type="search"]'); + await searchInput.fill('e2e-imgrights'); + + // Wait for the debounced search to apply (300ms debounce + some margin) + await page.waitForTimeout(500); + + // The URL should be updated with the search parameter + await expect(page).toHaveURL(/search=e2e-imgrights/); + + // The filtered count should be less than or equal to the total + // and specifically should find our test student + const totalAfter = await page.locator('.stat-count.stat-total').textContent(); + const totalAfterNum = parseInt(totalAfter ?? '0', 10); + expect(totalAfterNum).toBeGreaterThanOrEqual(1); + expect(totalAfterNum).toBeLessThanOrEqual(totalBeforeNum); + + // Clear the search + await searchInput.clear(); + await page.waitForTimeout(500); + + // Total should be restored + expect(page.url()).not.toContain('search='); + }); + + // ============================================================================ + // [P2] Unauthorized role redirected + // ============================================================================ + test('[P2] student role cannot access image rights page', async ({ page }) => { + await loginAsStudent(page); + await page.goto(`${ALPHA_URL}/admin/image-rights`); + + // Admin guard in +layout.svelte redirects non-admin users to /dashboard + await page.waitForURL(/\/dashboard/, { timeout: 30000 }); + expect(page.url()).toContain('/dashboard'); + }); +}); diff --git a/frontend/e2e/role-access-control.spec.ts b/frontend/e2e/role-access-control.spec.ts index 09c176c..7d31a73 100644 --- a/frontend/e2e/role-access-control.spec.ts +++ b/frontend/e2e/role-access-control.spec.ts @@ -105,25 +105,17 @@ test.describe('Role-Based Access Control [P0]', () => { }); // ============================================================================ - // Teacher access - should NOT have access to /admin pages + // Teacher access - CAN access /admin layout (for image-rights, pedagogy) + // but backend protects sensitive pages (users, classes, etc.) with 403 // ============================================================================ test.describe('Teacher Access Restrictions', () => { - test('[P0] teacher cannot access /admin/users page', async ({ page }) => { + test('[P0] teacher can access /admin layout', async ({ page }) => { await loginAs(page, TEACHER_EMAIL, TEACHER_PASSWORD); - await page.goto(`${ALPHA_URL}/admin/users`); + await page.goto(`${ALPHA_URL}/admin/image-rights`); - // Admin guard redirects non-admin users to /dashboard - await page.waitForURL(/\/dashboard/, { timeout: 30000 }); - expect(page.url()).toContain('/dashboard'); - }); - - test('[P0] teacher cannot access /admin page', async ({ page }) => { - await loginAs(page, TEACHER_EMAIL, TEACHER_PASSWORD); - await page.goto(`${ALPHA_URL}/admin`); - - // Admin guard redirects non-admin users to /dashboard - await page.waitForURL(/\/dashboard/, { timeout: 30000 }); - expect(page.url()).toContain('/dashboard'); + // Teacher can access admin layout for authorized pages + await page.waitForURL(/\/admin\/image-rights/, { timeout: 30000 }); + expect(page.url()).toContain('/admin/image-rights'); }); }); diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js index b443b8f..957910d 100644 --- a/frontend/eslint.config.js +++ b/frontend/eslint.config.js @@ -78,9 +78,10 @@ export default tseslint.config( SubmitEvent: 'readonly', fetch: 'readonly', HTMLElement: 'readonly', - HTMLDivElement: 'readonly', + HTMLDivElement: 'readonly', setInterval: 'readonly', clearInterval: 'readonly', + URL: 'readonly', URLSearchParams: 'readonly', HTMLInputElement: 'readonly', KeyboardEvent: 'readonly', diff --git a/frontend/src/lib/components/organisms/Dashboard/DashboardAdmin.svelte b/frontend/src/lib/components/organisms/Dashboard/DashboardAdmin.svelte index c32795f..d12c127 100644 --- a/frontend/src/lib/components/organisms/Dashboard/DashboardAdmin.svelte +++ b/frontend/src/lib/components/organisms/Dashboard/DashboardAdmin.svelte @@ -61,6 +61,11 @@ Calendrier scolaire Fériés et vacances + + 📷 + Droit à l'image + Autorisations élèves + 🎓 Pédagogie diff --git a/frontend/src/routes/admin/+layout.svelte b/frontend/src/routes/admin/+layout.svelte index b24edd3..cd9cea3 100644 --- a/frontend/src/routes/admin/+layout.svelte +++ b/frontend/src/routes/admin/+layout.svelte @@ -15,6 +15,7 @@ const ADMIN_ROLES = [ 'ROLE_SUPER_ADMIN', 'ROLE_ADMIN', + 'ROLE_PROF', 'ROLE_VIE_SCOLAIRE', 'ROLE_SECRETARIAT' ]; @@ -28,6 +29,7 @@ { href: '/admin/replacements', label: 'Remplacements', isActive: () => isReplacementsActive }, { href: '/admin/academic-year/periods', label: 'Périodes', isActive: () => isPeriodsActive }, { href: '/admin/calendar', label: 'Calendrier', isActive: () => isCalendarActive }, + { href: '/admin/image-rights', label: 'Droit à l\'image', isActive: () => isImageRightsActive }, { href: '/admin/pedagogy', label: 'Pédagogie', isActive: () => isPedagogyActive } ]; @@ -80,6 +82,7 @@ const isAssignmentsActive = $derived(page.url.pathname.startsWith('/admin/assignments')); const isReplacementsActive = $derived(page.url.pathname.startsWith('/admin/replacements')); const isCalendarActive = $derived(page.url.pathname.startsWith('/admin/calendar')); + const isImageRightsActive = $derived(page.url.pathname.startsWith('/admin/image-rights')); const isPedagogyActive = $derived(page.url.pathname.startsWith('/admin/pedagogy')); const currentSectionLabel = $derived.by(() => { diff --git a/frontend/src/routes/admin/image-rights/+page.svelte b/frontend/src/routes/admin/image-rights/+page.svelte new file mode 100644 index 0000000..7bda8b3 --- /dev/null +++ b/frontend/src/routes/admin/image-rights/+page.svelte @@ -0,0 +1,729 @@ + + +
+
+
+

Droit à l'image

+

+ Consultez et gérez les autorisations de droit à l'image des élèves +

+
+ +
+ + {#if error} + + {/if} + + {#if successMessage} +
+ {successMessage} + +
+ {/if} + +
+
+ +
+
+ + +
+
+ + +
+
+ + {#if isLoading} +
+ +

Chargement...

+
+ {:else if students.length === 0} +
+
📷
+

Aucun élève inscrit

+

Commencez par créer des comptes élèves pour pouvoir gérer leurs autorisations de droit à l'image.

+ Gérer les utilisateurs +
+ {:else if filteredStudents.length === 0} +
+
🔍
+

Aucun résultat

+

Aucun élève ne correspond aux critères de recherche. Essayez de modifier vos filtres.

+ +
+ {:else} +
+ + {authorizedStudents.length} autorisé{authorizedStudents.length > 1 ? 's' : ''} + + + {unauthorizedStudents.length} non autorisé{unauthorizedStudents.length > 1 ? 's' : ''} + + + {filteredStudents.length} total + +
+ +
+

Élèves autorisés ({authorizedStudents.length})

+ {#if authorizedStudents.length > 0} +
+ + + + + + + + + + + + {#each authorizedStudents as student} + + + + + + + + {/each} + +
NomPrénomClasseStatutActions
{student.lastName}{student.firstName}{student.className ?? '—'} + + {student.imageRightsStatusLabel} + + + +
+
+ {:else} +

Aucun élève autorisé.

+ {/if} +
+ +
+

Élèves non autorisés ({unauthorizedStudents.length})

+ {#if unauthorizedStudents.length > 0} +
+ + + + + + + + + + + + {#each unauthorizedStudents as student} + + + + + + + + {/each} + +
NomPrénomClasseStatutActions
{student.lastName}{student.firstName}{student.className ?? '—'} + + {student.imageRightsStatusLabel} + + + +
+
+ {:else} +

Tous les élèves sont autorisés.

+ {/if} +
+ {/if} +
+ +