feat: Permettre la consultation et gestion des droits à l'image des élèves
Les administrateurs et enseignants ont besoin de consulter et gérer les autorisations de droit à l'image des élèves pour respecter la réglementation lors de publications contenant des photos (FR82). Cette fonctionnalité ajoute une page dédiée avec liste filtrable par statut, modification individuelle via dropdown, export CSV avec BOM UTF-8 pour Excel, et préparation du système d'avertissement avant publication (query/handler prêts, intégration à faire quand le module publication existera). Le filtrage par classe (AC2) est bloqué en attente d'une table d'affectation élève↔classe qui n'existe pas encore.
This commit is contained in:
@@ -0,0 +1,111 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Administration\Infrastructure\Api\Processor;
|
||||
|
||||
use ApiPlatform\Metadata\Operation;
|
||||
use ApiPlatform\State\ProcessorInterface;
|
||||
use App\Administration\Application\Command\UpdateImageRights\UpdateImageRightsCommand;
|
||||
use App\Administration\Application\Command\UpdateImageRights\UpdateImageRightsHandler;
|
||||
use App\Administration\Domain\Exception\UserNotFoundException;
|
||||
use App\Administration\Infrastructure\Api\Resource\ImageRightsResource;
|
||||
use App\Administration\Infrastructure\Security\ImageRightsVoter;
|
||||
use App\Administration\Infrastructure\Security\SecurityUser;
|
||||
use App\Shared\Application\Port\AuditLogger;
|
||||
use App\Shared\Infrastructure\Tenant\TenantContext;
|
||||
use Override;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
|
||||
use Symfony\Component\Messenger\MessageBusInterface;
|
||||
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
|
||||
use ValueError;
|
||||
|
||||
/**
|
||||
* @implements ProcessorInterface<ImageRightsResource, ImageRightsResource>
|
||||
*/
|
||||
final readonly class UpdateImageRightsProcessor implements ProcessorInterface
|
||||
{
|
||||
public function __construct(
|
||||
private UpdateImageRightsHandler $handler,
|
||||
private MessageBusInterface $eventBus,
|
||||
private AuthorizationCheckerInterface $authorizationChecker,
|
||||
private TenantContext $tenantContext,
|
||||
private Security $security,
|
||||
private AuditLogger $auditLogger,
|
||||
) {
|
||||
}
|
||||
|
||||
/**
|
||||
* @param ImageRightsResource $data
|
||||
*/
|
||||
#[Override]
|
||||
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ImageRightsResource
|
||||
{
|
||||
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::EDIT)) {
|
||||
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à modifier les droits à l\'image.');
|
||||
}
|
||||
|
||||
if (!$this->tenantContext->hasTenant()) {
|
||||
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
|
||||
}
|
||||
|
||||
/** @var string $studentId */
|
||||
$studentId = $uriVariables['id'] ?? '';
|
||||
$status = $data->imageRightsStatus ?? '';
|
||||
|
||||
if ($status === '') {
|
||||
throw new BadRequestHttpException('Le statut du droit à l\'image est obligatoire.');
|
||||
}
|
||||
|
||||
$currentUser = $this->security->getUser();
|
||||
if (!$currentUser instanceof SecurityUser) {
|
||||
throw new UnauthorizedHttpException('Bearer', 'Utilisateur non authentifié.');
|
||||
}
|
||||
|
||||
try {
|
||||
$command = new UpdateImageRightsCommand(
|
||||
studentId: $studentId,
|
||||
status: $status,
|
||||
modifiedBy: $currentUser->userId(),
|
||||
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
|
||||
);
|
||||
$user = ($this->handler)($command);
|
||||
|
||||
/** @var ImageRightsResource $previousData */
|
||||
$previousData = $context['previous_data'];
|
||||
$oldStatus = $previousData->imageRightsStatus;
|
||||
|
||||
$this->auditLogger->logDataChange(
|
||||
aggregateType: 'User',
|
||||
aggregateId: $user->id->value,
|
||||
eventType: 'ImageRightsUpdated',
|
||||
oldValues: ['image_rights_status' => $oldStatus],
|
||||
newValues: ['image_rights_status' => $status],
|
||||
reason: 'Mise à jour du droit à l\'image',
|
||||
);
|
||||
|
||||
foreach ($user->pullDomainEvents() as $event) {
|
||||
$this->eventBus->dispatch($event);
|
||||
}
|
||||
|
||||
$resource = new ImageRightsResource();
|
||||
$resource->id = (string) $user->id;
|
||||
$resource->firstName = $user->firstName;
|
||||
$resource->lastName = $user->lastName;
|
||||
$resource->email = (string) $user->email;
|
||||
$resource->imageRightsStatus = $user->imageRightsStatus->value;
|
||||
$resource->imageRightsStatusLabel = $user->imageRightsStatus->label();
|
||||
$resource->imageRightsUpdatedAt = $user->imageRightsUpdatedAt;
|
||||
|
||||
return $resource;
|
||||
} catch (UserNotFoundException $e) {
|
||||
throw new NotFoundHttpException($e->getMessage());
|
||||
} catch (ValueError $e) {
|
||||
throw new BadRequestHttpException('Statut de droit à l\'image invalide : ' . $e->getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,60 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Administration\Infrastructure\Api\Provider;
|
||||
|
||||
use ApiPlatform\Metadata\Operation;
|
||||
use ApiPlatform\State\ProviderInterface;
|
||||
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsHandler;
|
||||
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsQuery;
|
||||
use App\Administration\Infrastructure\Api\Resource\ImageRightsResource;
|
||||
use App\Administration\Infrastructure\Security\ImageRightsVoter;
|
||||
use App\Shared\Infrastructure\Tenant\TenantContext;
|
||||
use Override;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
|
||||
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
|
||||
|
||||
/**
|
||||
* @implements ProviderInterface<ImageRightsResource>
|
||||
*/
|
||||
final readonly class ImageRightsCollectionProvider implements ProviderInterface
|
||||
{
|
||||
public function __construct(
|
||||
private GetStudentsImageRightsHandler $handler,
|
||||
private AuthorizationCheckerInterface $authorizationChecker,
|
||||
private TenantContext $tenantContext,
|
||||
) {
|
||||
}
|
||||
|
||||
/**
|
||||
* @return ImageRightsResource[]
|
||||
*/
|
||||
#[Override]
|
||||
public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
|
||||
{
|
||||
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::VIEW)) {
|
||||
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à consulter les droits à l\'image.');
|
||||
}
|
||||
|
||||
if (!$this->tenantContext->hasTenant()) {
|
||||
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
|
||||
}
|
||||
|
||||
/** @var array<string, string> $filters */
|
||||
$filters = $context['filters'] ?? [];
|
||||
|
||||
$query = new GetStudentsImageRightsQuery(
|
||||
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
|
||||
status: isset($filters['status']) ? (string) $filters['status'] : null,
|
||||
);
|
||||
|
||||
$dtos = ($this->handler)($query);
|
||||
|
||||
return array_map(
|
||||
static fn ($dto) => ImageRightsResource::fromDto($dto),
|
||||
$dtos,
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,72 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Administration\Infrastructure\Api\Provider;
|
||||
|
||||
use ApiPlatform\Metadata\Operation;
|
||||
use ApiPlatform\State\ProviderInterface;
|
||||
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsHandler;
|
||||
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsQuery;
|
||||
use App\Administration\Application\Service\ImageRightsExporter;
|
||||
use App\Administration\Infrastructure\Security\ImageRightsVoter;
|
||||
use App\Shared\Application\Port\AuditLogger;
|
||||
use App\Shared\Infrastructure\Tenant\TenantContext;
|
||||
|
||||
use function count;
|
||||
|
||||
use Override;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
|
||||
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
|
||||
|
||||
/**
|
||||
* @implements ProviderInterface<Response>
|
||||
*/
|
||||
final readonly class ImageRightsExportProvider implements ProviderInterface
|
||||
{
|
||||
public function __construct(
|
||||
private GetStudentsImageRightsHandler $handler,
|
||||
private ImageRightsExporter $exporter,
|
||||
private AuthorizationCheckerInterface $authorizationChecker,
|
||||
private TenantContext $tenantContext,
|
||||
private AuditLogger $auditLogger,
|
||||
) {
|
||||
}
|
||||
|
||||
#[Override]
|
||||
public function provide(Operation $operation, array $uriVariables = [], array $context = []): Response
|
||||
{
|
||||
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::VIEW)) {
|
||||
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à exporter les droits à l\'image.');
|
||||
}
|
||||
|
||||
if (!$this->tenantContext->hasTenant()) {
|
||||
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
|
||||
}
|
||||
|
||||
/** @var array<string, string> $filters */
|
||||
$filters = $context['filters'] ?? [];
|
||||
|
||||
$query = new GetStudentsImageRightsQuery(
|
||||
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
|
||||
status: isset($filters['status']) ? (string) $filters['status'] : null,
|
||||
);
|
||||
|
||||
$dtos = ($this->handler)($query);
|
||||
$csv = $this->exporter->export($dtos);
|
||||
|
||||
$this->auditLogger->logExport(
|
||||
exportType: 'image_rights_csv',
|
||||
recordCount: count($dtos),
|
||||
targetDescription: 'Export liste droits à l\'image',
|
||||
);
|
||||
|
||||
$response = new Response($csv);
|
||||
$response->headers->set('Content-Type', 'text/csv; charset=UTF-8');
|
||||
$response->headers->set('Content-Disposition', 'attachment; filename="droits-image.csv"');
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,72 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Administration\Infrastructure\Api\Provider;
|
||||
|
||||
use ApiPlatform\Metadata\Operation;
|
||||
use ApiPlatform\State\ProviderInterface;
|
||||
use App\Administration\Domain\Exception\UserNotFoundException;
|
||||
use App\Administration\Domain\Model\User\UserId;
|
||||
use App\Administration\Domain\Repository\UserRepository;
|
||||
use App\Administration\Infrastructure\Api\Resource\ImageRightsResource;
|
||||
use App\Administration\Infrastructure\Security\ImageRightsVoter;
|
||||
use App\Shared\Infrastructure\Tenant\TenantContext;
|
||||
use Override;
|
||||
use Ramsey\Uuid\Exception\InvalidUuidStringException;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
|
||||
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
|
||||
|
||||
/**
|
||||
* @implements ProviderInterface<ImageRightsResource>
|
||||
*/
|
||||
final readonly class ImageRightsItemProvider implements ProviderInterface
|
||||
{
|
||||
public function __construct(
|
||||
private UserRepository $userRepository,
|
||||
private TenantContext $tenantContext,
|
||||
private AuthorizationCheckerInterface $authorizationChecker,
|
||||
) {
|
||||
}
|
||||
|
||||
#[Override]
|
||||
public function provide(Operation $operation, array $uriVariables = [], array $context = []): ImageRightsResource
|
||||
{
|
||||
if (!$this->tenantContext->hasTenant()) {
|
||||
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
|
||||
}
|
||||
|
||||
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::EDIT)) {
|
||||
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à modifier les droits à l\'image.');
|
||||
}
|
||||
|
||||
/** @var string|null $studentId */
|
||||
$studentId = $uriVariables['id'] ?? null;
|
||||
if ($studentId === null) {
|
||||
throw new NotFoundHttpException('Élève non trouvé.');
|
||||
}
|
||||
|
||||
try {
|
||||
$user = $this->userRepository->get(UserId::fromString($studentId));
|
||||
} catch (UserNotFoundException|InvalidUuidStringException) {
|
||||
throw new NotFoundHttpException('Élève non trouvé.');
|
||||
}
|
||||
|
||||
if ((string) $user->tenantId !== (string) $this->tenantContext->getCurrentTenantId()) {
|
||||
throw new NotFoundHttpException('Élève non trouvé.');
|
||||
}
|
||||
|
||||
$resource = new ImageRightsResource();
|
||||
$resource->id = (string) $user->id;
|
||||
$resource->firstName = $user->firstName;
|
||||
$resource->lastName = $user->lastName;
|
||||
$resource->email = (string) $user->email;
|
||||
$resource->imageRightsStatus = $user->imageRightsStatus->value;
|
||||
$resource->imageRightsStatusLabel = $user->imageRightsStatus->label();
|
||||
$resource->imageRightsUpdatedAt = $user->imageRightsUpdatedAt;
|
||||
|
||||
return $resource;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,76 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Administration\Infrastructure\Api\Resource;
|
||||
|
||||
use ApiPlatform\Metadata\ApiProperty;
|
||||
use ApiPlatform\Metadata\ApiResource;
|
||||
use ApiPlatform\Metadata\Get;
|
||||
use ApiPlatform\Metadata\GetCollection;
|
||||
use ApiPlatform\Metadata\Patch;
|
||||
use App\Administration\Application\Query\GetStudentsImageRights\StudentImageRightsDto;
|
||||
use App\Administration\Infrastructure\Api\Processor\UpdateImageRightsProcessor;
|
||||
use App\Administration\Infrastructure\Api\Provider\ImageRightsCollectionProvider;
|
||||
use App\Administration\Infrastructure\Api\Provider\ImageRightsExportProvider;
|
||||
use App\Administration\Infrastructure\Api\Provider\ImageRightsItemProvider;
|
||||
use DateTimeImmutable;
|
||||
use Symfony\Component\Validator\Constraints as Assert;
|
||||
|
||||
#[ApiResource(
|
||||
shortName: 'ImageRights',
|
||||
operations: [
|
||||
new GetCollection(
|
||||
uriTemplate: '/students/image-rights',
|
||||
provider: ImageRightsCollectionProvider::class,
|
||||
name: 'get_students_image_rights',
|
||||
),
|
||||
new Get(
|
||||
uriTemplate: '/students/image-rights/export',
|
||||
provider: ImageRightsExportProvider::class,
|
||||
name: 'export_students_image_rights',
|
||||
),
|
||||
new Patch(
|
||||
uriTemplate: '/students/{id}/image-rights',
|
||||
provider: ImageRightsItemProvider::class,
|
||||
processor: UpdateImageRightsProcessor::class,
|
||||
name: 'update_student_image_rights',
|
||||
),
|
||||
],
|
||||
)]
|
||||
final class ImageRightsResource
|
||||
{
|
||||
#[ApiProperty(identifier: true)]
|
||||
public ?string $id = null;
|
||||
|
||||
public ?string $firstName = null;
|
||||
|
||||
public ?string $lastName = null;
|
||||
|
||||
public ?string $email = null;
|
||||
|
||||
#[Assert\NotBlank(message: 'Le statut est requis.')]
|
||||
#[Assert\Choice(choices: ['authorized', 'refused', 'not_specified'], message: 'Statut invalide.')]
|
||||
public ?string $imageRightsStatus = null;
|
||||
|
||||
public ?string $imageRightsStatusLabel = null;
|
||||
|
||||
public ?DateTimeImmutable $imageRightsUpdatedAt = null;
|
||||
|
||||
public ?string $className = null;
|
||||
|
||||
public static function fromDto(StudentImageRightsDto $dto): self
|
||||
{
|
||||
$resource = new self();
|
||||
$resource->id = $dto->id;
|
||||
$resource->firstName = $dto->firstName;
|
||||
$resource->lastName = $dto->lastName;
|
||||
$resource->email = $dto->email;
|
||||
$resource->imageRightsStatus = $dto->imageRightsStatus;
|
||||
$resource->imageRightsStatusLabel = $dto->imageRightsStatusLabel;
|
||||
$resource->imageRightsUpdatedAt = $dto->imageRightsUpdatedAt;
|
||||
$resource->className = $dto->className;
|
||||
|
||||
return $resource;
|
||||
}
|
||||
}
|
||||
@@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Cache;
|
||||
use App\Administration\Domain\Exception\UserNotFoundException;
|
||||
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
|
||||
use App\Administration\Domain\Model\User\Email;
|
||||
use App\Administration\Domain\Model\User\ImageRightsStatus;
|
||||
use App\Administration\Domain\Model\User\Role;
|
||||
use App\Administration\Domain\Model\User\StatutCompte;
|
||||
use App\Administration\Domain\Model\User\User;
|
||||
@@ -131,6 +132,15 @@ final readonly class CacheUserRepository implements UserRepository
|
||||
return $users;
|
||||
}
|
||||
|
||||
#[Override]
|
||||
public function findStudentsByTenant(TenantId $tenantId): array
|
||||
{
|
||||
return array_values(array_filter(
|
||||
$this->findAllByTenant($tenantId),
|
||||
static fn (User $user): bool => $user->aLeRole(Role::ELEVE),
|
||||
));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
@@ -154,6 +164,9 @@ final readonly class CacheUserRepository implements UserRepository
|
||||
'invited_at' => $user->invitedAt?->format('c'),
|
||||
'blocked_at' => $user->blockedAt?->format('c'),
|
||||
'blocked_reason' => $user->blockedReason,
|
||||
'image_rights_status' => $user->imageRightsStatus->value,
|
||||
'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format('c'),
|
||||
'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null,
|
||||
'consentement_parental' => $consentement !== null ? [
|
||||
'parent_id' => $consentement->parentId,
|
||||
'eleve_id' => $consentement->eleveId,
|
||||
@@ -181,6 +194,9 @@ final readonly class CacheUserRepository implements UserRepository
|
||||
* invited_at?: string|null,
|
||||
* blocked_at?: string|null,
|
||||
* blocked_reason?: string|null,
|
||||
* image_rights_status?: string,
|
||||
* image_rights_updated_at?: string|null,
|
||||
* image_rights_updated_by?: string|null,
|
||||
* consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null
|
||||
* } $data
|
||||
*/
|
||||
@@ -226,6 +242,9 @@ final readonly class CacheUserRepository implements UserRepository
|
||||
invitedAt: $invitedAt,
|
||||
blockedAt: $blockedAt,
|
||||
blockedReason: $data['blocked_reason'] ?? null,
|
||||
imageRightsStatus: isset($data['image_rights_status']) ? ImageRightsStatus::from($data['image_rights_status']) : ImageRightsStatus::NOT_SPECIFIED,
|
||||
imageRightsUpdatedAt: ($data['image_rights_updated_at'] ?? null) !== null ? new DateTimeImmutable($data['image_rights_updated_at']) : null,
|
||||
imageRightsUpdatedBy: ($data['image_rights_updated_by'] ?? null) !== null ? UserId::fromString($data['image_rights_updated_by']) : null,
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Cache;
|
||||
use App\Administration\Domain\Exception\UserNotFoundException;
|
||||
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
|
||||
use App\Administration\Domain\Model\User\Email;
|
||||
use App\Administration\Domain\Model\User\ImageRightsStatus;
|
||||
use App\Administration\Domain\Model\User\Role;
|
||||
use App\Administration\Domain\Model\User\StatutCompte;
|
||||
use App\Administration\Domain\Model\User\User;
|
||||
@@ -157,6 +158,12 @@ final readonly class CachedUserRepository implements UserRepository
|
||||
return $users;
|
||||
}
|
||||
|
||||
#[Override]
|
||||
public function findStudentsByTenant(TenantId $tenantId): array
|
||||
{
|
||||
return $this->inner->findStudentsByTenant($tenantId);
|
||||
}
|
||||
|
||||
private function populateCache(User $user): void
|
||||
{
|
||||
try {
|
||||
@@ -197,6 +204,9 @@ final readonly class CachedUserRepository implements UserRepository
|
||||
'invited_at' => $user->invitedAt?->format('c'),
|
||||
'blocked_at' => $user->blockedAt?->format('c'),
|
||||
'blocked_reason' => $user->blockedReason,
|
||||
'image_rights_status' => $user->imageRightsStatus->value,
|
||||
'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format('c'),
|
||||
'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null,
|
||||
'consentement_parental' => $consentement !== null ? [
|
||||
'parent_id' => $consentement->parentId,
|
||||
'eleve_id' => $consentement->eleveId,
|
||||
@@ -242,6 +252,12 @@ final readonly class CachedUserRepository implements UserRepository
|
||||
$blockedAt = $data['blocked_at'] ?? null;
|
||||
/** @var string|null $blockedReason */
|
||||
$blockedReason = $data['blocked_reason'] ?? null;
|
||||
/** @var string|null $imageRightsStatusValue */
|
||||
$imageRightsStatusValue = $data['image_rights_status'] ?? null;
|
||||
/** @var string|null $imageRightsUpdatedAt */
|
||||
$imageRightsUpdatedAt = $data['image_rights_updated_at'] ?? null;
|
||||
/** @var string|null $imageRightsUpdatedBy */
|
||||
$imageRightsUpdatedBy = $data['image_rights_updated_by'] ?? null;
|
||||
|
||||
$roles = array_map(static fn (string $r) => Role::from($r), $roleStrings);
|
||||
|
||||
@@ -274,6 +290,9 @@ final readonly class CachedUserRepository implements UserRepository
|
||||
invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null,
|
||||
blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null,
|
||||
blockedReason: $blockedReason,
|
||||
imageRightsStatus: $imageRightsStatusValue !== null ? ImageRightsStatus::from($imageRightsStatusValue) : ImageRightsStatus::NOT_SPECIFIED,
|
||||
imageRightsUpdatedAt: $imageRightsUpdatedAt !== null ? new DateTimeImmutable($imageRightsUpdatedAt) : null,
|
||||
imageRightsUpdatedBy: $imageRightsUpdatedBy !== null ? UserId::fromString($imageRightsUpdatedBy) : null,
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Doctrine;
|
||||
use App\Administration\Domain\Exception\UserNotFoundException;
|
||||
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
|
||||
use App\Administration\Domain\Model\User\Email;
|
||||
use App\Administration\Domain\Model\User\ImageRightsStatus;
|
||||
use App\Administration\Domain\Model\User\Role;
|
||||
use App\Administration\Domain\Model\User\StatutCompte;
|
||||
use App\Administration\Domain\Model\User\User;
|
||||
@@ -42,6 +43,7 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
hashed_password, statut, school_name, date_naissance,
|
||||
created_at, activated_at, invited_at, blocked_at, blocked_reason,
|
||||
consentement_parent_id, consentement_eleve_id, consentement_date, consentement_ip,
|
||||
image_rights_status, image_rights_updated_at, image_rights_updated_by,
|
||||
updated_at
|
||||
)
|
||||
VALUES (
|
||||
@@ -49,6 +51,7 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
:hashed_password, :statut, :school_name, :date_naissance,
|
||||
:created_at, :activated_at, :invited_at, :blocked_at, :blocked_reason,
|
||||
:consentement_parent_id, :consentement_eleve_id, :consentement_date, :consentement_ip,
|
||||
:image_rights_status, :image_rights_updated_at, :image_rights_updated_by,
|
||||
NOW()
|
||||
)
|
||||
ON CONFLICT (id) DO UPDATE SET
|
||||
@@ -68,6 +71,9 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
consentement_eleve_id = EXCLUDED.consentement_eleve_id,
|
||||
consentement_date = EXCLUDED.consentement_date,
|
||||
consentement_ip = EXCLUDED.consentement_ip,
|
||||
image_rights_status = EXCLUDED.image_rights_status,
|
||||
image_rights_updated_at = EXCLUDED.image_rights_updated_at,
|
||||
image_rights_updated_by = EXCLUDED.image_rights_updated_by,
|
||||
updated_at = NOW()
|
||||
SQL,
|
||||
[
|
||||
@@ -90,6 +96,9 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
'consentement_eleve_id' => $consentement?->eleveId,
|
||||
'consentement_date' => $consentement?->dateConsentement->format(DateTimeImmutable::ATOM),
|
||||
'consentement_ip' => $consentement?->ipAddress,
|
||||
'image_rights_status' => $user->imageRightsStatus->value,
|
||||
'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format(DateTimeImmutable::ATOM),
|
||||
'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null,
|
||||
],
|
||||
);
|
||||
}
|
||||
@@ -150,6 +159,20 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
return array_map(fn (array $row) => $this->hydrate($row), $rows);
|
||||
}
|
||||
|
||||
#[Override]
|
||||
public function findStudentsByTenant(TenantId $tenantId): array
|
||||
{
|
||||
$rows = $this->connection->fetchAllAssociative(
|
||||
'SELECT * FROM users WHERE tenant_id = :tenant_id AND roles::jsonb @> :role ORDER BY last_name ASC, first_name ASC',
|
||||
[
|
||||
'tenant_id' => (string) $tenantId,
|
||||
'role' => json_encode([Role::ELEVE->value]),
|
||||
],
|
||||
);
|
||||
|
||||
return array_map(fn (array $row) => $this->hydrate($row), $rows);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $row
|
||||
*/
|
||||
@@ -193,6 +216,12 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
$consentementDate = $row['consentement_date'];
|
||||
/** @var string|null $consentementIp */
|
||||
$consentementIp = $row['consentement_ip'];
|
||||
/** @var string|null $imageRightsStatusValue */
|
||||
$imageRightsStatusValue = $row['image_rights_status'] ?? null;
|
||||
/** @var string|null $imageRightsUpdatedAtValue */
|
||||
$imageRightsUpdatedAtValue = $row['image_rights_updated_at'] ?? null;
|
||||
/** @var string|null $imageRightsUpdatedByValue */
|
||||
$imageRightsUpdatedByValue = $row['image_rights_updated_by'] ?? null;
|
||||
|
||||
/** @var string[]|null $roleValues */
|
||||
$roleValues = json_decode($rolesJson, true);
|
||||
@@ -230,6 +259,9 @@ final readonly class DoctrineUserRepository implements UserRepository
|
||||
invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null,
|
||||
blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null,
|
||||
blockedReason: $blockedReason,
|
||||
imageRightsStatus: $imageRightsStatusValue !== null ? ImageRightsStatus::from($imageRightsStatusValue) : ImageRightsStatus::NOT_SPECIFIED,
|
||||
imageRightsUpdatedAt: $imageRightsUpdatedAtValue !== null ? new DateTimeImmutable($imageRightsUpdatedAtValue) : null,
|
||||
imageRightsUpdatedBy: $imageRightsUpdatedByValue !== null ? UserId::fromString($imageRightsUpdatedByValue) : null,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ namespace App\Administration\Infrastructure\Persistence\InMemory;
|
||||
|
||||
use App\Administration\Domain\Exception\UserNotFoundException;
|
||||
use App\Administration\Domain\Model\User\Email;
|
||||
use App\Administration\Domain\Model\User\Role;
|
||||
use App\Administration\Domain\Model\User\User;
|
||||
use App\Administration\Domain\Model\User\UserId;
|
||||
use App\Administration\Domain\Repository\UserRepository;
|
||||
@@ -60,6 +61,15 @@ final class InMemoryUserRepository implements UserRepository
|
||||
));
|
||||
}
|
||||
|
||||
#[Override]
|
||||
public function findStudentsByTenant(TenantId $tenantId): array
|
||||
{
|
||||
return array_values(array_filter(
|
||||
$this->byId,
|
||||
static fn (User $user): bool => $user->tenantId->equals($tenantId) && $user->aLeRole(Role::ELEVE),
|
||||
));
|
||||
}
|
||||
|
||||
private function emailKey(Email $email, TenantId $tenantId): string
|
||||
{
|
||||
return $tenantId . ':' . strtolower((string) $email);
|
||||
|
||||
@@ -0,0 +1,99 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Administration\Infrastructure\Security;
|
||||
|
||||
use App\Administration\Domain\Model\User\Role;
|
||||
|
||||
use function in_array;
|
||||
|
||||
use Override;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
|
||||
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
|
||||
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
|
||||
use Symfony\Component\Security\Core\User\UserInterface;
|
||||
|
||||
/**
|
||||
* Voter pour les autorisations sur les droits à l'image.
|
||||
*
|
||||
* Règles d'accès :
|
||||
* - ADMIN et SUPER_ADMIN : accès complet (lecture + modification)
|
||||
* - PROF, VIE_SCOLAIRE, SECRETARIAT : lecture seule
|
||||
*
|
||||
* @extends Voter<string, null>
|
||||
*/
|
||||
final class ImageRightsVoter extends Voter
|
||||
{
|
||||
public const string VIEW = 'IMAGE_RIGHTS_VIEW';
|
||||
public const string EDIT = 'IMAGE_RIGHTS_EDIT';
|
||||
|
||||
private const array SUPPORTED_ATTRIBUTES = [
|
||||
self::VIEW,
|
||||
self::EDIT,
|
||||
];
|
||||
|
||||
#[Override]
|
||||
protected function supports(string $attribute, mixed $subject): bool
|
||||
{
|
||||
return in_array($attribute, self::SUPPORTED_ATTRIBUTES, true);
|
||||
}
|
||||
|
||||
#[Override]
|
||||
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
|
||||
{
|
||||
$user = $token->getUser();
|
||||
|
||||
if (!$user instanceof UserInterface) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$roles = $user->getRoles();
|
||||
|
||||
return match ($attribute) {
|
||||
self::VIEW => $this->canView($roles),
|
||||
self::EDIT => $this->canEdit($roles),
|
||||
default => false,
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string[] $roles
|
||||
*/
|
||||
private function canView(array $roles): bool
|
||||
{
|
||||
return $this->hasAnyRole($roles, [
|
||||
Role::SUPER_ADMIN->value,
|
||||
Role::ADMIN->value,
|
||||
Role::PROF->value,
|
||||
Role::VIE_SCOLAIRE->value,
|
||||
Role::SECRETARIAT->value,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string[] $roles
|
||||
*/
|
||||
private function canEdit(array $roles): bool
|
||||
{
|
||||
return $this->hasAnyRole($roles, [
|
||||
Role::SUPER_ADMIN->value,
|
||||
Role::ADMIN->value,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string[] $userRoles
|
||||
* @param string[] $allowedRoles
|
||||
*/
|
||||
private function hasAnyRole(array $userRoles, array $allowedRoles): bool
|
||||
{
|
||||
foreach ($userRoles as $role) {
|
||||
if (in_array($role, $allowedRoles, true)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user