Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Permettre la consultation et gestion des droits à l'image des élèves

Browse Source 
Les administrateurs et enseignants ont besoin de consulter et gérer
les autorisations de droit à l'image des élèves pour respecter
la réglementation lors de publications contenant des photos (FR82).

Cette fonctionnalité ajoute une page dédiée avec liste filtrable
par statut, modification individuelle via dropdown, export CSV
avec BOM UTF-8 pour Excel, et préparation du système d'avertissement
avant publication (query/handler prêts, intégration à faire quand
le module publication existera).

Le filtrage par classe (AC2) est bloqué en attente d'une table
d'affectation élève↔classe qui n'existe pas encore.
This commit is contained in:
Mathias STRASSER
2026-02-19 13:35:14 +01:00
parent 67734e4de3
commit 1b8bd6cd78
39 changed files with 3264 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
backend/migrations/Version20260218135819.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
declare(strict_types=1);
namespace DoctrineMigrations;
use Doctrine\DBAL\Schema\Schema;
use Doctrine\Migrations\AbstractMigration;
final class Version20260218135819 extends AbstractMigration
{
public function getDescription(): string
{
return 'Add image rights columns to users table';
}
public function up(Schema $schema): void
{
$this->addSql(<<<'SQL'
ALTER TABLE users
ADD COLUMN image_rights_status VARCHAR(20) NOT NULL DEFAULT 'not_specified',
ADD COLUMN image_rights_updated_at TIMESTAMPTZ,
ADD COLUMN image_rights_updated_by UUID REFERENCES users(id)
SQL);
$this->addSql(<<<'SQL'
CREATE INDEX idx_users_image_rights ON users(image_rights_status)
SQL);
}
public function down(Schema $schema): void
{
$this->addSql('DROP INDEX IF EXISTS idx_users_image_rights');
$this->addSql(<<<'SQL'
ALTER TABLE users
DROP COLUMN IF EXISTS image_rights_status,
DROP COLUMN IF EXISTS image_rights_updated_at,
DROP COLUMN IF EXISTS image_rights_updated_by
SQL);
}
}

16
backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsCommand.php Normal file
View File

@@ -0,0 +1,16 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UpdateImageRights;
final readonly class UpdateImageRightsCommand
{
public function __construct(
public string $studentId,
public string $status,
public string $modifiedBy,
public string $tenantId,
) {
}
}

48
backend/src/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandler.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UpdateImageRights;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class UpdateImageRightsHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(UpdateImageRightsCommand $command): User
{
$studentId = UserId::fromString($command->studentId);
$user = $this->userRepository->get($studentId);
if (!$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($studentId);
}
if (!$user->aLeRole(Role::ELEVE)) {
throw UserNotFoundException::withId($studentId);
}
$modifierId = UserId::fromString($command->modifiedBy);
$status = ImageRightsStatus::from($command->status);
$user->modifierDroitImage($status, $modifierId, $this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

43
backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsHandler.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\CheckImageRights;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'query.bus')]
final readonly class CheckImageRightsHandler
{
public function __construct(
private UserRepository $userRepository,
) {
}
public function __invoke(CheckImageRightsQuery $query): ImageRightsCheckResult
{
$studentId = UserId::fromString($query->studentId);
$user = $this->userRepository->get($studentId);
if (!$user->tenantId->equals(TenantId::fromString($query->tenantId))) {
throw UserNotFoundException::withId($studentId);
}
$status = $user->imageRightsStatus;
return new ImageRightsCheckResult(
status: $status,
canPublish: $status->estAutorise(),
warningMessage: match ($status) {
ImageRightsStatus::REFUSED => "ATTENTION : Cet élève n'a PAS l'autorisation de droit à l'image. Publication interdite.",
ImageRightsStatus::NOT_SPECIFIED => "Attention : Le statut droit à l'image n'est pas renseigné pour cet élève.",
ImageRightsStatus::AUTHORIZED => null,
},
);
}
}

14
backend/src/Administration/Application/Query/CheckImageRights/CheckImageRightsQuery.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\CheckImageRights;
final readonly class CheckImageRightsQuery
{
public function __construct(
public string $studentId,
public string $tenantId,
) {
}
}

17
backend/src/Administration/Application/Query/CheckImageRights/ImageRightsCheckResult.php Normal file
View File

@@ -0,0 +1,17 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\CheckImageRights;
use App\Administration\Domain\Model\User\ImageRightsStatus;
final readonly class ImageRightsCheckResult
{
public function __construct(
public ImageRightsStatus $status,
public bool $canPublish,
public ?string $warningMessage,
) {
}
}

44
backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandler.php Normal file
View File

@@ -0,0 +1,44 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetStudentsImageRights;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'query.bus')]
final readonly class GetStudentsImageRightsHandler
{
public function __construct(
private UserRepository $userRepository,
) {
}
/**
* @return StudentImageRightsDto[]
*/
public function __invoke(GetStudentsImageRightsQuery $query): array
{
$students = $this->userRepository->findStudentsByTenant(
TenantId::fromString($query->tenantId),
);
if ($query->status !== null) {
$filterStatus = ImageRightsStatus::tryFrom($query->status);
if ($filterStatus !== null) {
$students = array_filter(
$students,
static fn ($user) => $user->imageRightsStatus === $filterStatus,
);
}
}
return array_values(array_map(
static fn ($user) => StudentImageRightsDto::fromDomain($user),
$students,
));
}
}

14
backend/src/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsQuery.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetStudentsImageRights;
final readonly class GetStudentsImageRightsQuery
{
public function __construct(
public string $tenantId,
public ?string $status = null,
) {
}
}

37
backend/src/Administration/Application/Query/GetStudentsImageRights/StudentImageRightsDto.php Normal file
View File

@@ -0,0 +1,37 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetStudentsImageRights;
use App\Administration\Domain\Model\User\User;
use DateTimeImmutable;
final readonly class StudentImageRightsDto
{
public function __construct(
public string $id,
public string $firstName,
public string $lastName,
public string $email,
public string $imageRightsStatus,
public string $imageRightsStatusLabel,
public ?DateTimeImmutable $imageRightsUpdatedAt,
public ?string $className,
) {
}
public static function fromDomain(User $user, ?string $className = null): self
{
return new self(
id: (string) $user->id,
firstName: $user->firstName,
lastName: $user->lastName,
email: (string) $user->email,
imageRightsStatus: $user->imageRightsStatus->value,
imageRightsStatusLabel: $user->imageRightsStatus->label(),
imageRightsUpdatedAt: $user->imageRightsUpdatedAt,
className: $className,
);
}
}

41
backend/src/Administration/Application/Service/ImageRightsExporter.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Service;
use App\Administration\Application\Query\GetStudentsImageRights\StudentImageRightsDto;
use RuntimeException;
final readonly class ImageRightsExporter
{
/**
* @param StudentImageRightsDto[] $students
*/
public function export(array $students): string
{
$handle = fopen('php://temp', 'r+');
if ($handle === false) {
throw new RuntimeException('Impossible d\'ouvrir le flux CSV.');
}
fputcsv($handle, ['Nom', 'Prénom', 'Classe', 'Statut'], separator: ';', escape: '\\');
foreach ($students as $student) {
fputcsv($handle, [
$student->lastName,
$student->firstName,
$student->className ?? '',
$student->imageRightsStatusLabel,
], separator: ';', escape: '\\');
}
rewind($handle);
$csv = stream_get_contents($handle);
fclose($handle);
// BOM UTF-8 pour que Excel Windows affiche correctement les accents
return "\xEF\xBB\xBF" . ($csv !== false ? $csv : '');
}
}

39
backend/src/Administration/Domain/Event/DroitImageModifie.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class DroitImageModifie implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public ImageRightsStatus $ancienStatut,
public ImageRightsStatus $nouveauStatut,
public UserId $modifiePar,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

26
backend/src/Administration/Domain/Model/User/ImageRightsStatus.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\User;
enum ImageRightsStatus: string
{
case AUTHORIZED = 'authorized';
case REFUSED = 'refused';
case NOT_SPECIFIED = 'not_specified';
public function label(): string
{
return match ($this) {
self::AUTHORIZED => 'Autorisé',
self::REFUSED => 'Refusé',
self::NOT_SPECIFIED => 'Non renseigné',
};
}
public function estAutorise(): bool
{
return $this === self::AUTHORIZED;
}
}

32
backend/src/Administration/Domain/Model/User/User.php
View File

@@ -6,6 +6,7 @@ namespace App\Administration\Domain\Model\User;
use App\Administration\Domain\Event\CompteActive; use App\Administration\Domain\Event\CompteActive;
use App\Administration\Domain\Event\CompteCreated; use App\Administration\Domain\Event\CompteCreated;
use App\Administration\Domain\Event\DroitImageModifie;
use App\Administration\Domain\Event\InvitationRenvoyee; use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\MotDePasseChange; use App\Administration\Domain\Event\MotDePasseChange;
use App\Administration\Domain\Event\RoleAttribue; use App\Administration\Domain\Event\RoleAttribue;
@@ -49,6 +50,9 @@ final class User extends AggregateRoot
public private(set) ?DateTimeImmutable $invitedAt = null; public private(set) ?DateTimeImmutable $invitedAt = null;
public private(set) ?DateTimeImmutable $blockedAt = null; public private(set) ?DateTimeImmutable $blockedAt = null;
public private(set) ?string $blockedReason = null; public private(set) ?string $blockedReason = null;
public private(set) ImageRightsStatus $imageRightsStatus = ImageRightsStatus::NOT_SPECIFIED;
public private(set) ?DateTimeImmutable $imageRightsUpdatedAt = null;
public private(set) ?UserId $imageRightsUpdatedBy = null;
/** @var Role[] */ /** @var Role[] */
public private(set) array $roles; public private(set) array $roles;
@@ -374,6 +378,28 @@ final class User extends AggregateRoot
return $at > $this->invitedAt->modify('+7 days'); return $at > $this->invitedAt->modify('+7 days');
} }
/**
* Updates the image rights status for this student.
*/
public function modifierDroitImage(ImageRightsStatus $nouveauStatut, UserId $modifiePar, DateTimeImmutable $at): void
{
$ancienStatut = $this->imageRightsStatus;
$this->imageRightsStatus = $nouveauStatut;
$this->imageRightsUpdatedAt = $at;
$this->imageRightsUpdatedBy = $modifiePar;
$this->recordEvent(new DroitImageModifie(
userId: $this->id,
email: (string) $this->email,
ancienStatut: $ancienStatut,
nouveauStatut: $nouveauStatut,
modifiePar: $modifiePar,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/** /**
* Changes the user's password. * Changes the user's password.
* *
@@ -415,6 +441,9 @@ final class User extends AggregateRoot
?DateTimeImmutable $invitedAt = null, ?DateTimeImmutable $invitedAt = null,
?DateTimeImmutable $blockedAt = null, ?DateTimeImmutable $blockedAt = null,
?string $blockedReason = null, ?string $blockedReason = null,
ImageRightsStatus $imageRightsStatus = ImageRightsStatus::NOT_SPECIFIED,
?DateTimeImmutable $imageRightsUpdatedAt = null,
?UserId $imageRightsUpdatedBy = null,
): self { ): self {
if ($roles === []) { if ($roles === []) {
throw new InvalidArgumentException('Un utilisateur doit avoir au moins un rôle.'); throw new InvalidArgumentException('Un utilisateur doit avoir au moins un rôle.');
@@ -439,6 +468,9 @@ final class User extends AggregateRoot
$user->invitedAt = $invitedAt; $user->invitedAt = $invitedAt;
$user->blockedAt = $blockedAt; $user->blockedAt = $blockedAt;
$user->blockedReason = $blockedReason; $user->blockedReason = $blockedReason;
$user->imageRightsStatus = $imageRightsStatus;
$user->imageRightsUpdatedAt = $imageRightsUpdatedAt;
$user->imageRightsUpdatedBy = $imageRightsUpdatedBy;
return $user; return $user;
} }

7
backend/src/Administration/Domain/Repository/UserRepository.php
View File

@@ -32,4 +32,11 @@ interface UserRepository
* @return User[] * @return User[]
*/ */
public function findAllByTenant(TenantId $tenantId): array; public function findAllByTenant(TenantId $tenantId): array;
/**
* Returns all students (ROLE_ELEVE) for a given tenant.
*
* @return User[]
*/
public function findStudentsByTenant(TenantId $tenantId): array;
} }

111
backend/src/Administration/Infrastructure/Api/Processor/UpdateImageRightsProcessor.php Normal file
View File

@@ -0,0 +1,111 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\UpdateImageRights\UpdateImageRightsCommand;
use App\Administration\Application\Command\UpdateImageRights\UpdateImageRightsHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Infrastructure\Api\Resource\ImageRightsResource;
use App\Administration\Infrastructure\Security\ImageRightsVoter;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Shared\Application\Port\AuditLogger;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use ValueError;
/**
* @implements ProcessorInterface<ImageRightsResource, ImageRightsResource>
*/
final readonly class UpdateImageRightsProcessor implements ProcessorInterface
{
public function __construct(
private UpdateImageRightsHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Security $security,
private AuditLogger $auditLogger,
) {
}
/**
* @param ImageRightsResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ImageRightsResource
{
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::EDIT)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à modifier les droits à l\'image.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $studentId */
$studentId = $uriVariables['id'] ?? '';
$status = $data->imageRightsStatus ?? '';
if ($status === '') {
throw new BadRequestHttpException('Le statut du droit à l\'image est obligatoire.');
}
$currentUser = $this->security->getUser();
if (!$currentUser instanceof SecurityUser) {
throw new UnauthorizedHttpException('Bearer', 'Utilisateur non authentifié.');
}
try {
$command = new UpdateImageRightsCommand(
studentId: $studentId,
status: $status,
modifiedBy: $currentUser->userId(),
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
/** @var ImageRightsResource $previousData */
$previousData = $context['previous_data'];
$oldStatus = $previousData->imageRightsStatus;
$this->auditLogger->logDataChange(
aggregateType: 'User',
aggregateId: $user->id->value,
eventType: 'ImageRightsUpdated',
oldValues: ['image_rights_status' => $oldStatus],
newValues: ['image_rights_status' => $status],
reason: 'Mise à jour du droit à l\'image',
);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
$resource = new ImageRightsResource();
$resource->id = (string) $user->id;
$resource->firstName = $user->firstName;
$resource->lastName = $user->lastName;
$resource->email = (string) $user->email;
$resource->imageRightsStatus = $user->imageRightsStatus->value;
$resource->imageRightsStatusLabel = $user->imageRightsStatus->label();
$resource->imageRightsUpdatedAt = $user->imageRightsUpdatedAt;
return $resource;
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (ValueError $e) {
throw new BadRequestHttpException('Statut de droit à l\'image invalide : ' . $e->getMessage());
}
}
}

60
backend/src/Administration/Infrastructure/Api/Provider/ImageRightsCollectionProvider.php Normal file
View File

@@ -0,0 +1,60 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsHandler;
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsQuery;
use App\Administration\Infrastructure\Api\Resource\ImageRightsResource;
use App\Administration\Infrastructure\Security\ImageRightsVoter;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProviderInterface<ImageRightsResource>
*/
final readonly class ImageRightsCollectionProvider implements ProviderInterface
{
public function __construct(
private GetStudentsImageRightsHandler $handler,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
) {
}
/**
* @return ImageRightsResource[]
*/
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
{
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à consulter les droits à l\'image.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var array<string, string> $filters */
$filters = $context['filters'] ?? [];
$query = new GetStudentsImageRightsQuery(
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
status: isset($filters['status']) ? (string) $filters['status'] : null,
);
$dtos = ($this->handler)($query);
return array_map(
static fn ($dto) => ImageRightsResource::fromDto($dto),
$dtos,
);
}
}

72
backend/src/Administration/Infrastructure/Api/Provider/ImageRightsExportProvider.php Normal file
View File

@@ -0,0 +1,72 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsHandler;
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsQuery;
use App\Administration\Application\Service\ImageRightsExporter;
use App\Administration\Infrastructure\Security\ImageRightsVoter;
use App\Shared\Application\Port\AuditLogger;
use App\Shared\Infrastructure\Tenant\TenantContext;
use function count;
use Override;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProviderInterface<Response>
*/
final readonly class ImageRightsExportProvider implements ProviderInterface
{
public function __construct(
private GetStudentsImageRightsHandler $handler,
private ImageRightsExporter $exporter,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private AuditLogger $auditLogger,
) {
}
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): Response
{
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à exporter les droits à l\'image.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var array<string, string> $filters */
$filters = $context['filters'] ?? [];
$query = new GetStudentsImageRightsQuery(
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
status: isset($filters['status']) ? (string) $filters['status'] : null,
);
$dtos = ($this->handler)($query);
$csv = $this->exporter->export($dtos);
$this->auditLogger->logExport(
exportType: 'image_rights_csv',
recordCount: count($dtos),
targetDescription: 'Export liste droits à l\'image',
);
$response = new Response($csv);
$response->headers->set('Content-Type', 'text/csv; charset=UTF-8');
$response->headers->set('Content-Disposition', 'attachment; filename="droits-image.csv"');
return $response;
}
}

72
backend/src/Administration/Infrastructure/Api/Provider/ImageRightsItemProvider.php Normal file
View File

@@ -0,0 +1,72 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\ImageRightsResource;
use App\Administration\Infrastructure\Security\ImageRightsVoter;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Ramsey\Uuid\Exception\InvalidUuidStringException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProviderInterface<ImageRightsResource>
*/
final readonly class ImageRightsItemProvider implements ProviderInterface
{
public function __construct(
private UserRepository $userRepository,
private TenantContext $tenantContext,
private AuthorizationCheckerInterface $authorizationChecker,
) {
}
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): ImageRightsResource
{
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
if (!$this->authorizationChecker->isGranted(ImageRightsVoter::EDIT)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à modifier les droits à l\'image.');
}
/** @var string|null $studentId */
$studentId = $uriVariables['id'] ?? null;
if ($studentId === null) {
throw new NotFoundHttpException('Élève non trouvé.');
}
try {
$user = $this->userRepository->get(UserId::fromString($studentId));
} catch (UserNotFoundException|InvalidUuidStringException) {
throw new NotFoundHttpException('Élève non trouvé.');
}
if ((string) $user->tenantId !== (string) $this->tenantContext->getCurrentTenantId()) {
throw new NotFoundHttpException('Élève non trouvé.');
}
$resource = new ImageRightsResource();
$resource->id = (string) $user->id;
$resource->firstName = $user->firstName;
$resource->lastName = $user->lastName;
$resource->email = (string) $user->email;
$resource->imageRightsStatus = $user->imageRightsStatus->value;
$resource->imageRightsStatusLabel = $user->imageRightsStatus->label();
$resource->imageRightsUpdatedAt = $user->imageRightsUpdatedAt;
return $resource;
}
}

76
backend/src/Administration/Infrastructure/Api/Resource/ImageRightsResource.php Normal file
View File

@@ -0,0 +1,76 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Resource;
use ApiPlatform\Metadata\ApiProperty;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Patch;
use App\Administration\Application\Query\GetStudentsImageRights\StudentImageRightsDto;
use App\Administration\Infrastructure\Api\Processor\UpdateImageRightsProcessor;
use App\Administration\Infrastructure\Api\Provider\ImageRightsCollectionProvider;
use App\Administration\Infrastructure\Api\Provider\ImageRightsExportProvider;
use App\Administration\Infrastructure\Api\Provider\ImageRightsItemProvider;
use DateTimeImmutable;
use Symfony\Component\Validator\Constraints as Assert;
#[ApiResource(
shortName: 'ImageRights',
operations: [
new GetCollection(
uriTemplate: '/students/image-rights',
provider: ImageRightsCollectionProvider::class,
name: 'get_students_image_rights',
),
new Get(
uriTemplate: '/students/image-rights/export',
provider: ImageRightsExportProvider::class,
name: 'export_students_image_rights',
),
new Patch(
uriTemplate: '/students/{id}/image-rights',
provider: ImageRightsItemProvider::class,
processor: UpdateImageRightsProcessor::class,
name: 'update_student_image_rights',
),
],
)]
final class ImageRightsResource
{
#[ApiProperty(identifier: true)]
public ?string $id = null;
public ?string $firstName = null;
public ?string $lastName = null;
public ?string $email = null;
#[Assert\NotBlank(message: 'Le statut est requis.')]
#[Assert\Choice(choices: ['authorized', 'refused', 'not_specified'], message: 'Statut invalide.')]
public ?string $imageRightsStatus = null;
public ?string $imageRightsStatusLabel = null;
public ?DateTimeImmutable $imageRightsUpdatedAt = null;
public ?string $className = null;
public static function fromDto(StudentImageRightsDto $dto): self
{
$resource = new self();
$resource->id = $dto->id;
$resource->firstName = $dto->firstName;
$resource->lastName = $dto->lastName;
$resource->email = $dto->email;
$resource->imageRightsStatus = $dto->imageRightsStatus;
$resource->imageRightsStatusLabel = $dto->imageRightsStatusLabel;
$resource->imageRightsUpdatedAt = $dto->imageRightsUpdatedAt;
$resource->className = $dto->className;
return $resource;
}
}

19
backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php
View File

@@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Cache;
use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Model\User\Email; use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte; use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User; use App\Administration\Domain\Model\User\User;
@@ -131,6 +132,15 @@ final readonly class CacheUserRepository implements UserRepository
return $users; return $users;
} }
#[Override]
public function findStudentsByTenant(TenantId $tenantId): array
{
return array_values(array_filter(
$this->findAllByTenant($tenantId),
static fn (User $user): bool => $user->aLeRole(Role::ELEVE),
));
}
/** /**
* @return array<string, mixed> * @return array<string, mixed>
*/ */
@@ -154,6 +164,9 @@ final readonly class CacheUserRepository implements UserRepository
'invited_at' => $user->invitedAt?->format('c'), 'invited_at' => $user->invitedAt?->format('c'),
'blocked_at' => $user->blockedAt?->format('c'), 'blocked_at' => $user->blockedAt?->format('c'),
'blocked_reason' => $user->blockedReason, 'blocked_reason' => $user->blockedReason,
'image_rights_status' => $user->imageRightsStatus->value,
'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format('c'),
'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null,
'consentement_parental' => $consentement !== null ? [ 'consentement_parental' => $consentement !== null ? [
'parent_id' => $consentement->parentId, 'parent_id' => $consentement->parentId,
'eleve_id' => $consentement->eleveId, 'eleve_id' => $consentement->eleveId,
@@ -181,6 +194,9 @@ final readonly class CacheUserRepository implements UserRepository
* invited_at?: string|null, * invited_at?: string|null,
* blocked_at?: string|null, * blocked_at?: string|null,
* blocked_reason?: string|null, * blocked_reason?: string|null,
* image_rights_status?: string,
* image_rights_updated_at?: string|null,
* image_rights_updated_by?: string|null,
* consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null * consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null
* } $data * } $data
*/ */
@@ -226,6 +242,9 @@ final readonly class CacheUserRepository implements UserRepository
invitedAt: $invitedAt, invitedAt: $invitedAt,
blockedAt: $blockedAt, blockedAt: $blockedAt,
blockedReason: $data['blocked_reason'] ?? null, blockedReason: $data['blocked_reason'] ?? null,
imageRightsStatus: isset($data['image_rights_status']) ? ImageRightsStatus::from($data['image_rights_status']) : ImageRightsStatus::NOT_SPECIFIED,
imageRightsUpdatedAt: ($data['image_rights_updated_at'] ?? null) !== null ? new DateTimeImmutable($data['image_rights_updated_at']) : null,
imageRightsUpdatedBy: ($data['image_rights_updated_by'] ?? null) !== null ? UserId::fromString($data['image_rights_updated_by']) : null,
); );
} }

19
backend/src/Administration/Infrastructure/Persistence/Cache/CachedUserRepository.php
View File

@@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Cache;
use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Model\User\Email; use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte; use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User; use App\Administration\Domain\Model\User\User;
@@ -157,6 +158,12 @@ final readonly class CachedUserRepository implements UserRepository
return $users; return $users;
} }
#[Override]
public function findStudentsByTenant(TenantId $tenantId): array
{
return $this->inner->findStudentsByTenant($tenantId);
}
private function populateCache(User $user): void private function populateCache(User $user): void
{ {
try { try {
@@ -197,6 +204,9 @@ final readonly class CachedUserRepository implements UserRepository
'invited_at' => $user->invitedAt?->format('c'), 'invited_at' => $user->invitedAt?->format('c'),
'blocked_at' => $user->blockedAt?->format('c'), 'blocked_at' => $user->blockedAt?->format('c'),
'blocked_reason' => $user->blockedReason, 'blocked_reason' => $user->blockedReason,
'image_rights_status' => $user->imageRightsStatus->value,
'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format('c'),
'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null,
'consentement_parental' => $consentement !== null ? [ 'consentement_parental' => $consentement !== null ? [
'parent_id' => $consentement->parentId, 'parent_id' => $consentement->parentId,
'eleve_id' => $consentement->eleveId, 'eleve_id' => $consentement->eleveId,
@@ -242,6 +252,12 @@ final readonly class CachedUserRepository implements UserRepository
$blockedAt = $data['blocked_at'] ?? null; $blockedAt = $data['blocked_at'] ?? null;
/** @var string|null $blockedReason */ /** @var string|null $blockedReason */
$blockedReason = $data['blocked_reason'] ?? null; $blockedReason = $data['blocked_reason'] ?? null;
/** @var string|null $imageRightsStatusValue */
$imageRightsStatusValue = $data['image_rights_status'] ?? null;
/** @var string|null $imageRightsUpdatedAt */
$imageRightsUpdatedAt = $data['image_rights_updated_at'] ?? null;
/** @var string|null $imageRightsUpdatedBy */
$imageRightsUpdatedBy = $data['image_rights_updated_by'] ?? null;
$roles = array_map(static fn (string $r) => Role::from($r), $roleStrings); $roles = array_map(static fn (string $r) => Role::from($r), $roleStrings);
@@ -274,6 +290,9 @@ final readonly class CachedUserRepository implements UserRepository
invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null, invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null,
blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null, blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null,
blockedReason: $blockedReason, blockedReason: $blockedReason,
imageRightsStatus: $imageRightsStatusValue !== null ? ImageRightsStatus::from($imageRightsStatusValue) : ImageRightsStatus::NOT_SPECIFIED,
imageRightsUpdatedAt: $imageRightsUpdatedAt !== null ? new DateTimeImmutable($imageRightsUpdatedAt) : null,
imageRightsUpdatedBy: $imageRightsUpdatedBy !== null ? UserId::fromString($imageRightsUpdatedBy) : null,
); );
} }

32
backend/src/Administration/Infrastructure/Persistence/Doctrine/DoctrineUserRepository.php
View File

@@ -7,6 +7,7 @@ namespace App\Administration\Infrastructure\Persistence\Doctrine;
use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Model\User\Email; use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role; use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte; use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User; use App\Administration\Domain\Model\User\User;
@@ -42,6 +43,7 @@ final readonly class DoctrineUserRepository implements UserRepository
hashed_password, statut, school_name, date_naissance, hashed_password, statut, school_name, date_naissance,
created_at, activated_at, invited_at, blocked_at, blocked_reason, created_at, activated_at, invited_at, blocked_at, blocked_reason,
consentement_parent_id, consentement_eleve_id, consentement_date, consentement_ip, consentement_parent_id, consentement_eleve_id, consentement_date, consentement_ip,
image_rights_status, image_rights_updated_at, image_rights_updated_by,
updated_at updated_at
) )
VALUES ( VALUES (
@@ -49,6 +51,7 @@ final readonly class DoctrineUserRepository implements UserRepository
:hashed_password, :statut, :school_name, :date_naissance, :hashed_password, :statut, :school_name, :date_naissance,
:created_at, :activated_at, :invited_at, :blocked_at, :blocked_reason, :created_at, :activated_at, :invited_at, :blocked_at, :blocked_reason,
:consentement_parent_id, :consentement_eleve_id, :consentement_date, :consentement_ip, :consentement_parent_id, :consentement_eleve_id, :consentement_date, :consentement_ip,
:image_rights_status, :image_rights_updated_at, :image_rights_updated_by,
NOW() NOW()
) )
ON CONFLICT (id) DO UPDATE SET ON CONFLICT (id) DO UPDATE SET
@@ -68,6 +71,9 @@ final readonly class DoctrineUserRepository implements UserRepository
consentement_eleve_id = EXCLUDED.consentement_eleve_id, consentement_eleve_id = EXCLUDED.consentement_eleve_id,
consentement_date = EXCLUDED.consentement_date, consentement_date = EXCLUDED.consentement_date,
consentement_ip = EXCLUDED.consentement_ip, consentement_ip = EXCLUDED.consentement_ip,
image_rights_status = EXCLUDED.image_rights_status,
image_rights_updated_at = EXCLUDED.image_rights_updated_at,
image_rights_updated_by = EXCLUDED.image_rights_updated_by,
updated_at = NOW() updated_at = NOW()
SQL, SQL,
[ [
@@ -90,6 +96,9 @@ final readonly class DoctrineUserRepository implements UserRepository
'consentement_eleve_id' => $consentement?->eleveId, 'consentement_eleve_id' => $consentement?->eleveId,
'consentement_date' => $consentement?->dateConsentement->format(DateTimeImmutable::ATOM), 'consentement_date' => $consentement?->dateConsentement->format(DateTimeImmutable::ATOM),
'consentement_ip' => $consentement?->ipAddress, 'consentement_ip' => $consentement?->ipAddress,
'image_rights_status' => $user->imageRightsStatus->value,
'image_rights_updated_at' => $user->imageRightsUpdatedAt?->format(DateTimeImmutable::ATOM),
'image_rights_updated_by' => $user->imageRightsUpdatedBy !== null ? (string) $user->imageRightsUpdatedBy : null,
], ],
); );
} }
@@ -150,6 +159,20 @@ final readonly class DoctrineUserRepository implements UserRepository
return array_map(fn (array $row) => $this->hydrate($row), $rows); return array_map(fn (array $row) => $this->hydrate($row), $rows);
} }
#[Override]
public function findStudentsByTenant(TenantId $tenantId): array
{
$rows = $this->connection->fetchAllAssociative(
'SELECT * FROM users WHERE tenant_id = :tenant_id AND roles::jsonb @> :role ORDER BY last_name ASC, first_name ASC',
[
'tenant_id' => (string) $tenantId,
'role' => json_encode([Role::ELEVE->value]),
],
);
return array_map(fn (array $row) => $this->hydrate($row), $rows);
}
/** /**
* @param array<string, mixed> $row * @param array<string, mixed> $row
*/ */
@@ -193,6 +216,12 @@ final readonly class DoctrineUserRepository implements UserRepository
$consentementDate = $row['consentement_date']; $consentementDate = $row['consentement_date'];
/** @var string|null $consentementIp */ /** @var string|null $consentementIp */
$consentementIp = $row['consentement_ip']; $consentementIp = $row['consentement_ip'];
/** @var string|null $imageRightsStatusValue */
$imageRightsStatusValue = $row['image_rights_status'] ?? null;
/** @var string|null $imageRightsUpdatedAtValue */
$imageRightsUpdatedAtValue = $row['image_rights_updated_at'] ?? null;
/** @var string|null $imageRightsUpdatedByValue */
$imageRightsUpdatedByValue = $row['image_rights_updated_by'] ?? null;
/** @var string[]|null $roleValues */ /** @var string[]|null $roleValues */
$roleValues = json_decode($rolesJson, true); $roleValues = json_decode($rolesJson, true);
@@ -230,6 +259,9 @@ final readonly class DoctrineUserRepository implements UserRepository
invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null, invitedAt: $invitedAt !== null ? new DateTimeImmutable($invitedAt) : null,
blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null, blockedAt: $blockedAt !== null ? new DateTimeImmutable($blockedAt) : null,
blockedReason: $blockedReason, blockedReason: $blockedReason,
imageRightsStatus: $imageRightsStatusValue !== null ? ImageRightsStatus::from($imageRightsStatusValue) : ImageRightsStatus::NOT_SPECIFIED,
imageRightsUpdatedAt: $imageRightsUpdatedAtValue !== null ? new DateTimeImmutable($imageRightsUpdatedAtValue) : null,
imageRightsUpdatedBy: $imageRightsUpdatedByValue !== null ? UserId::fromString($imageRightsUpdatedByValue) : null,
); );
} }
} }

10
backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php
View File

@@ -6,6 +6,7 @@ namespace App\Administration\Infrastructure\Persistence\InMemory;
use App\Administration\Domain\Exception\UserNotFoundException; use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\Email; use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User; use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId; use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository; use App\Administration\Domain\Repository\UserRepository;
@@ -60,6 +61,15 @@ final class InMemoryUserRepository implements UserRepository
)); ));
} }
#[Override]
public function findStudentsByTenant(TenantId $tenantId): array
{
return array_values(array_filter(
$this->byId,
static fn (User $user): bool => $user->tenantId->equals($tenantId) && $user->aLeRole(Role::ELEVE),
));
}
private function emailKey(Email $email, TenantId $tenantId): string private function emailKey(Email $email, TenantId $tenantId): string
{ {
return $tenantId . ':' . strtolower((string) $email); return $tenantId . ':' . strtolower((string) $email);

99
backend/src/Administration/Infrastructure/Security/ImageRightsVoter.php Normal file
View File

@@ -0,0 +1,99 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Role;
use function in_array;
use Override;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Voter pour les autorisations sur les droits à l'image.
*
* Règles d'accès :
* - ADMIN et SUPER_ADMIN : accès complet (lecture + modification)
* - PROF, VIE_SCOLAIRE, SECRETARIAT : lecture seule
*
* @extends Voter<string, null>
*/
final class ImageRightsVoter extends Voter
{
public const string VIEW = 'IMAGE_RIGHTS_VIEW';
public const string EDIT = 'IMAGE_RIGHTS_EDIT';
private const array SUPPORTED_ATTRIBUTES = [
self::VIEW,
self::EDIT,
];
#[Override]
protected function supports(string $attribute, mixed $subject): bool
{
return in_array($attribute, self::SUPPORTED_ATTRIBUTES, true);
}
#[Override]
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
$roles = $user->getRoles();
return match ($attribute) {
self::VIEW => $this->canView($roles),
self::EDIT => $this->canEdit($roles),
default => false,
};
}
/**
* @param string[] $roles
*/
private function canView(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
Role::PROF->value,
Role::VIE_SCOLAIRE->value,
Role::SECRETARIAT->value,
]);
}
/**
* @param string[] $roles
*/
private function canEdit(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
]);
}
/**
* @param string[] $userRoles
* @param string[] $allowedRoles
*/
private function hasAnyRole(array $userRoles, array $allowedRoles): bool
{
foreach ($userRoles as $role) {
if (in_array($role, $allowedRoles, true)) {
return true;
}
}
return false;
}
}

447
backend/tests/Functional/Administration/Api/ImageRightsEndpointsTest.php Normal file
View File

@@ -0,0 +1,447 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Administration\Api;
use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Doctrine\DBAL\Connection;
use PHPUnit\Framework\Attributes\Test;
/**
* Tests for image rights API endpoints.
*
* @see Story 2.12 - Consultation Liste Droit à l'Image
*/
final class ImageRightsEndpointsTest extends ApiTestCase
{
protected static ?bool $alwaysBootKernel = true;
private const string TENANT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
private const string USER_ID = '550e8400-e29b-41d4-a716-446655440000';
private const string STUDENT_1_ID = 'aaaaaaaa-bbbb-cccc-dddd-111111111111';
private const string STUDENT_2_ID = 'aaaaaaaa-bbbb-cccc-dddd-222222222222';
private const string BASE_URL = 'http://ecole-alpha.classeo.local/api';
protected function tearDown(): void
{
$container = static::getContainer();
/** @var Connection $connection */
$connection = $container->get(Connection::class);
$connection->executeStatement('UPDATE users SET image_rights_updated_by = NULL WHERE image_rights_updated_by = :id', ['id' => self::USER_ID]);
$connection->executeStatement('DELETE FROM users WHERE id = :id', ['id' => self::STUDENT_1_ID]);
$connection->executeStatement('DELETE FROM users WHERE id = :id', ['id' => self::STUDENT_2_ID]);
$connection->executeStatement('DELETE FROM users WHERE id = :id', ['id' => self::USER_ID]);
parent::tearDown();
}
// =========================================================================
// Security - Without tenant
// =========================================================================
#[Test]
public function getImageRightsReturns404WithoutTenant(): void
{
$client = static::createClient();
$client->request('GET', '/api/students/image-rights', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
self::assertResponseStatusCodeSame(404);
}
#[Test]
public function updateImageRightsReturns404WithoutTenant(): void
{
$client = static::createClient();
$client->request('PATCH', '/api/students/' . self::STUDENT_1_ID . '/image-rights', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
'Content-Type' => 'application/merge-patch+json',
],
'json' => ['imageRightsStatus' => 'authorized'],
]);
self::assertResponseStatusCodeSame(404);
}
#[Test]
public function exportImageRightsReturns404WithoutTenant(): void
{
$client = static::createClient();
$client->request('GET', '/api/students/image-rights/export', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
self::assertResponseStatusCodeSame(404);
}
// =========================================================================
// Security - Without authentication
// =========================================================================
#[Test]
public function getImageRightsReturns401WithoutAuthentication(): void
{
$client = static::createClient();
$client->request('GET', self::BASE_URL . '/students/image-rights', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseStatusCodeSame(401);
}
#[Test]
public function updateImageRightsReturns401WithoutAuthentication(): void
{
$client = static::createClient();
$client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/merge-patch+json',
],
'json' => ['imageRightsStatus' => 'authorized'],
]);
self::assertResponseStatusCodeSame(401);
}
#[Test]
public function exportImageRightsReturns401WithoutAuthentication(): void
{
$client = static::createClient();
$client->request('GET', self::BASE_URL . '/students/image-rights/export', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseStatusCodeSame(401);
}
// =========================================================================
// Security - Forbidden roles
// =========================================================================
#[Test]
public function getImageRightsReturns403ForStudent(): void
{
$client = $this->createAuthenticatedClient(['ROLE_ELEVE']);
$client->request('GET', self::BASE_URL . '/students/image-rights', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseStatusCodeSame(403);
}
#[Test]
public function updateImageRightsReturns403ForStudent(): void
{
$client = $this->createAuthenticatedClient(['ROLE_ELEVE']);
$client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/merge-patch+json',
],
'json' => ['imageRightsStatus' => 'authorized'],
]);
self::assertResponseStatusCodeSame(403);
}
#[Test]
public function exportImageRightsReturns403ForStudent(): void
{
$client = $this->createAuthenticatedClient(['ROLE_ELEVE']);
$client->request('GET', self::BASE_URL . '/students/image-rights/export', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseStatusCodeSame(403);
}
#[Test]
public function getImageRightsReturns200ForTeacher(): void
{
$client = $this->createAuthenticatedClient(['ROLE_PROF']);
$client->request('GET', self::BASE_URL . '/students/image-rights', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseStatusCodeSame(200);
}
#[Test]
public function getImageRightsReturns403ForParent(): void
{
$client = $this->createAuthenticatedClient(['ROLE_PARENT']);
$client->request('GET', self::BASE_URL . '/students/image-rights', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseStatusCodeSame(403);
}
// =========================================================================
// AC1 (P1) - GET image rights collection
// =========================================================================
#[Test]
public function getImageRightsReturnsStudentsForAdmin(): void
{
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED);
$this->persistStudent(self::STUDENT_2_ID, 'Bob', 'Martin', 'bob-ir@test.classeo.local', ImageRightsStatus::REFUSED);
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$response = $client->request('GET', self::BASE_URL . '/students/image-rights', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertNotEmpty($data);
self::assertArrayHasKey('id', $data[0]);
self::assertArrayHasKey('imageRightsStatus', $data[0]);
}
#[Test]
public function getImageRightsReturnsStudentsForSecretariat(): void
{
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED);
$client = $this->createAuthenticatedClient(['ROLE_SECRETARIAT']);
$response = $client->request('GET', self::BASE_URL . '/students/image-rights', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertNotEmpty($data);
self::assertArrayHasKey('id', $data[0]);
self::assertArrayHasKey('imageRightsStatus', $data[0]);
}
// =========================================================================
// AC2 (P1) - Filter by status
// =========================================================================
#[Test]
public function getImageRightsFiltersByStatus(): void
{
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED);
$this->persistStudent(self::STUDENT_2_ID, 'Bob', 'Martin', 'bob-ir@test.classeo.local', ImageRightsStatus::REFUSED);
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$response = $client->request('GET', self::BASE_URL . '/students/image-rights?status=authorized', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertNotEmpty($data);
foreach ($data as $member) {
self::assertSame('authorized', $member['imageRightsStatus']);
}
}
#[Test]
public function getImageRightsFiltersByStatusNotSpecified(): void
{
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::NOT_SPECIFIED);
$this->persistStudent(self::STUDENT_2_ID, 'Bob', 'Martin', 'bob-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED);
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$response = $client->request('GET', self::BASE_URL . '/students/image-rights?status=not_specified', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertNotEmpty($data);
foreach ($data as $member) {
self::assertSame('not_specified', $member['imageRightsStatus']);
}
}
// =========================================================================
// AC3 (P0) - PATCH update image rights
// =========================================================================
#[Test]
public function updateImageRightsReturns200ForAdmin(): void
{
$this->persistAdmin();
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::NOT_SPECIFIED);
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$response = $client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/merge-patch+json',
],
'json' => ['imageRightsStatus' => 'authorized'],
]);
self::assertResponseIsSuccessful();
$data = $response->toArray();
self::assertSame('authorized', $data['imageRightsStatus']);
self::assertSame(self::STUDENT_1_ID, $data['id']);
}
#[Test]
public function updateImageRightsReturns404ForUnknownStudent(): void
{
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$client->request('PATCH', self::BASE_URL . '/students/00000000-0000-0000-0000-000000000000/image-rights', [
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/merge-patch+json',
],
'json' => ['imageRightsStatus' => 'authorized'],
]);
self::assertResponseStatusCodeSame(404);
}
#[Test]
public function updateImageRightsReturns422ForInvalidStatus(): void
{
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::NOT_SPECIFIED);
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$client->request('PATCH', self::BASE_URL . '/students/' . self::STUDENT_1_ID . '/image-rights', [
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/merge-patch+json',
],
'json' => ['imageRightsStatus' => 'invalid_status'],
]);
self::assertResponseStatusCodeSame(422);
}
// =========================================================================
// AC4 (P1) - Export CSV
// =========================================================================
#[Test]
public function exportImageRightsReturnsCsvForAdmin(): void
{
$this->persistStudent(self::STUDENT_1_ID, 'Alice', 'Dupont', 'alice-ir@test.classeo.local', ImageRightsStatus::AUTHORIZED);
$client = $this->createAuthenticatedClient(['ROLE_ADMIN']);
$response = $client->request('GET', self::BASE_URL . '/students/image-rights/export', [
'headers' => ['Accept' => 'application/json'],
]);
self::assertResponseIsSuccessful();
self::assertResponseHeaderSame('content-type', 'text/csv; charset=UTF-8');
self::assertResponseHeaderSame('content-disposition', 'attachment; filename="droits-image.csv"');
$content = $response->getContent();
self::assertStringContainsString('Nom', $content);
self::assertStringContainsString('Dupont', $content);
}
// =========================================================================
// Helpers
// =========================================================================
private function createAuthenticatedClient(array $roles): \ApiPlatform\Symfony\Bundle\Test\Client
{
$client = static::createClient();
$user = new SecurityUser(
userId: UserId::fromString(self::USER_ID),
email: 'admin@classeo.local',
hashedPassword: '',
tenantId: TenantId::fromString(self::TENANT_ID),
roles: $roles,
);
$client->loginUser($user, 'api');
return $client;
}
private function persistAdmin(): void
{
$admin = User::reconstitute(
id: UserId::fromString(self::USER_ID),
email: new Email('admin@classeo.local'),
roles: [Role::ADMIN],
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
statut: StatutCompte::ACTIF,
dateNaissance: null,
createdAt: new DateTimeImmutable('2026-01-01'),
hashedPassword: 'dummy',
activatedAt: new DateTimeImmutable('2026-01-01'),
consentementParental: null,
);
/** @var UserRepository $repository */
$repository = static::getContainer()->get(UserRepository::class);
$repository->save($admin);
}
private function persistStudent(
string $id,
string $firstName,
string $lastName,
string $email,
ImageRightsStatus $imageRightsStatus,
): void {
$user = User::reconstitute(
id: UserId::fromString($id),
email: new Email($email),
roles: [Role::ELEVE],
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
statut: StatutCompte::EN_ATTENTE,
dateNaissance: new DateTimeImmutable('2012-06-15'),
createdAt: new DateTimeImmutable('2026-01-15'),
hashedPassword: null,
activatedAt: null,
consentementParental: null,
firstName: $firstName,
lastName: $lastName,
imageRightsStatus: $imageRightsStatus,
);
/** @var UserRepository $repository */
$repository = static::getContainer()->get(UserRepository::class);
$repository->save($user);
}
}

187
backend/tests/Unit/Administration/Application/Command/UpdateImageRights/UpdateImageRightsHandlerTest.php Normal file
View File

@@ -0,0 +1,187 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\UpdateImageRights;
use App\Administration\Application\Command\UpdateImageRights\UpdateImageRightsCommand;
use App\Administration\Application\Command\UpdateImageRights\UpdateImageRightsHandler;
use App\Administration\Domain\Event\DroitImageModifie;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UpdateImageRightsHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string MODIFIER_ID = '550e8400-e29b-41d4-a716-446655440099';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private UpdateImageRightsHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-18 10:00:00');
}
};
$this->handler = new UpdateImageRightsHandler($this->userRepository, $this->clock);
}
#[Test]
public function updatesImageRightsToAuthorized(): void
{
$student = $this->createAndSaveStudent();
$command = new UpdateImageRightsCommand(
studentId: (string) $student->id,
status: 'authorized',
modifiedBy: self::MODIFIER_ID,
tenantId: self::TENANT_ID,
);
$user = ($this->handler)($command);
self::assertSame(ImageRightsStatus::AUTHORIZED, $user->imageRightsStatus);
}
#[Test]
public function updatesImageRightsToRefused(): void
{
$student = $this->createAndSaveStudent();
$command = new UpdateImageRightsCommand(
studentId: (string) $student->id,
status: 'refused',
modifiedBy: self::MODIFIER_ID,
tenantId: self::TENANT_ID,
);
$user = ($this->handler)($command);
self::assertSame(ImageRightsStatus::REFUSED, $user->imageRightsStatus);
}
#[Test]
public function recordsDroitImageModifieEvent(): void
{
$student = $this->createAndSaveStudent();
$student->pullDomainEvents();
$command = new UpdateImageRightsCommand(
studentId: (string) $student->id,
status: 'authorized',
modifiedBy: self::MODIFIER_ID,
tenantId: self::TENANT_ID,
);
$user = ($this->handler)($command);
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(DroitImageModifie::class, $events[0]);
}
#[Test]
public function throwsWhenStudentNotFound(): void
{
$this->expectException(UserNotFoundException::class);
$command = new UpdateImageRightsCommand(
studentId: '550e8400-e29b-41d4-a716-446655440000',
status: 'authorized',
modifiedBy: self::MODIFIER_ID,
tenantId: self::TENANT_ID,
);
($this->handler)($command);
}
#[Test]
public function throwsWhenTenantMismatch(): void
{
$student = $this->createAndSaveStudent();
$this->expectException(UserNotFoundException::class);
$command = new UpdateImageRightsCommand(
studentId: (string) $student->id,
status: 'authorized',
modifiedBy: self::MODIFIER_ID,
tenantId: '550e8400-e29b-41d4-a716-446655440099',
);
($this->handler)($command);
}
#[Test]
public function throwsWhenUserIsNotStudent(): void
{
$admin = User::creer(
email: new Email('admin@example.com'),
role: Role::ADMIN,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
dateNaissance: null,
createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
);
$this->userRepository->save($admin);
$this->expectException(UserNotFoundException::class);
$command = new UpdateImageRightsCommand(
studentId: (string) $admin->id,
status: 'authorized',
modifiedBy: self::MODIFIER_ID,
tenantId: self::TENANT_ID,
);
($this->handler)($command);
}
#[Test]
public function savesUserAfterUpdate(): void
{
$student = $this->createAndSaveStudent();
$command = new UpdateImageRightsCommand(
studentId: (string) $student->id,
status: 'refused',
modifiedBy: self::MODIFIER_ID,
tenantId: self::TENANT_ID,
);
($this->handler)($command);
$saved = $this->userRepository->get($student->id);
self::assertSame(ImageRightsStatus::REFUSED, $saved->imageRightsStatus);
}
private function createAndSaveStudent(): User
{
$student = User::creer(
email: new Email('eleve@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
dateNaissance: new DateTimeImmutable('2012-06-15'),
createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
);
$this->userRepository->save($student);
return $student;
}
}

136
backend/tests/Unit/Administration/Application/Query/CheckImageRights/CheckImageRightsHandlerTest.php Normal file
View File

@@ -0,0 +1,136 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Query\CheckImageRights;
use App\Administration\Application\Query\CheckImageRights\CheckImageRightsHandler;
use App\Administration\Application\Query\CheckImageRights\CheckImageRightsQuery;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class CheckImageRightsHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private CheckImageRightsHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->handler = new CheckImageRightsHandler($this->userRepository);
}
#[Test]
public function authorizedStudentCanPublish(): void
{
$student = $this->createStudentWithStatus(ImageRightsStatus::AUTHORIZED);
$query = new CheckImageRightsQuery(
studentId: (string) $student->id,
tenantId: self::TENANT_ID,
);
$result = ($this->handler)($query);
self::assertTrue($result->canPublish);
self::assertNull($result->warningMessage);
self::assertSame(ImageRightsStatus::AUTHORIZED, $result->status);
}
#[Test]
public function refusedStudentCannotPublish(): void
{
$student = $this->createStudentWithStatus(ImageRightsStatus::REFUSED);
$query = new CheckImageRightsQuery(
studentId: (string) $student->id,
tenantId: self::TENANT_ID,
);
$result = ($this->handler)($query);
self::assertFalse($result->canPublish);
self::assertNotNull($result->warningMessage);
self::assertStringContainsString('PAS l\'autorisation', $result->warningMessage);
}
#[Test]
public function notSpecifiedStudentCannotPublish(): void
{
$student = $this->createStudentWithStatus(ImageRightsStatus::NOT_SPECIFIED);
$query = new CheckImageRightsQuery(
studentId: (string) $student->id,
tenantId: self::TENANT_ID,
);
$result = ($this->handler)($query);
self::assertFalse($result->canPublish);
self::assertNotNull($result->warningMessage);
self::assertStringContainsString('pas renseigné', $result->warningMessage);
}
#[Test]
public function throwsWhenStudentNotFound(): void
{
$this->expectException(UserNotFoundException::class);
$query = new CheckImageRightsQuery(
studentId: '550e8400-e29b-41d4-a716-446655440000',
tenantId: self::TENANT_ID,
);
($this->handler)($query);
}
#[Test]
public function throwsWhenTenantMismatch(): void
{
$student = $this->createStudentWithStatus(ImageRightsStatus::AUTHORIZED);
$this->expectException(UserNotFoundException::class);
$query = new CheckImageRightsQuery(
studentId: (string) $student->id,
tenantId: '550e8400-e29b-41d4-a716-446655440099',
);
($this->handler)($query);
}
private function createStudentWithStatus(ImageRightsStatus $status): User
{
$student = User::creer(
email: new Email('eleve@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
dateNaissance: new DateTimeImmutable('2012-06-15'),
createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
);
if ($status !== ImageRightsStatus::NOT_SPECIFIED) {
$student->modifierDroitImage(
$status,
UserId::fromString('550e8400-e29b-41d4-a716-446655440099'),
new DateTimeImmutable(),
);
}
$this->userRepository->save($student);
return $student;
}
}

144
backend/tests/Unit/Administration/Application/Query/GetStudentsImageRights/GetStudentsImageRightsHandlerTest.php Normal file
View File

@@ -0,0 +1,144 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Query\GetStudentsImageRights;
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsHandler;
use App\Administration\Application\Query\GetStudentsImageRights\GetStudentsImageRightsQuery;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class GetStudentsImageRightsHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private GetStudentsImageRightsHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->handler = new GetStudentsImageRightsHandler($this->userRepository);
}
#[Test]
public function returnsOnlyStudents(): void
{
$this->seedStudentsAndParent();
$query = new GetStudentsImageRightsQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(2, $result);
}
#[Test]
public function filtersStudentsByStatus(): void
{
$this->seedStudentsAndParent();
$query = new GetStudentsImageRightsQuery(
tenantId: self::TENANT_ID,
status: 'authorized',
);
$result = ($this->handler)($query);
self::assertCount(1, $result);
self::assertSame('authorized', $result[0]->imageRightsStatus);
}
#[Test]
public function returnsEmptyForNoStudents(): void
{
$query = new GetStudentsImageRightsQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(0, $result);
}
#[Test]
public function doesNotReturnStudentsFromOtherTenant(): void
{
$this->seedStudentsAndParent();
$query = new GetStudentsImageRightsQuery(
tenantId: '550e8400-e29b-41d4-a716-446655440099',
);
$result = ($this->handler)($query);
self::assertCount(0, $result);
}
#[Test]
public function returnsDtoWithCorrectFields(): void
{
$this->seedStudentsAndParent();
$query = new GetStudentsImageRightsQuery(
tenantId: self::TENANT_ID,
status: 'authorized',
);
$result = ($this->handler)($query);
self::assertCount(1, $result);
$dto = $result[0];
self::assertSame('Alice', $dto->firstName);
self::assertSame('Dupont', $dto->lastName);
self::assertSame('authorized', $dto->imageRightsStatus);
self::assertSame('Autorisé', $dto->imageRightsStatusLabel);
}
private function seedStudentsAndParent(): void
{
$student1 = User::inviter(
email: new Email('alice@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Alice',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-01-15'),
dateNaissance: new DateTimeImmutable('2012-06-15'),
);
$student1->modifierDroitImage(
ImageRightsStatus::AUTHORIZED,
UserId::fromString('550e8400-e29b-41d4-a716-446655440099'),
new DateTimeImmutable('2026-02-01'),
);
$student2 = User::inviter(
email: new Email('bob@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Bob',
lastName: 'Martin',
invitedAt: new DateTimeImmutable('2026-01-15'),
dateNaissance: new DateTimeImmutable('2013-03-20'),
);
// Bob has default NOT_SPECIFIED
$parent = User::inviter(
email: new Email('parent@example.com'),
role: Role::PARENT,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Pierre',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-01-15'),
);
$this->userRepository->save($student1);
$this->userRepository->save($student2);
$this->userRepository->save($parent);
}
}

113
backend/tests/Unit/Administration/Application/Service/ImageRightsExporterTest.php Normal file
View File

@@ -0,0 +1,113 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Service;
use App\Administration\Application\Query\GetStudentsImageRights\StudentImageRightsDto;
use App\Administration\Application\Service\ImageRightsExporter;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class ImageRightsExporterTest extends TestCase
{
private ImageRightsExporter $exporter;
protected function setUp(): void
{
$this->exporter = new ImageRightsExporter();
}
#[Test]
public function startsWithUtf8Bom(): void
{
$csv = $this->exporter->export([]);
self::assertStringStartsWith("\xEF\xBB\xBF", $csv);
}
#[Test]
public function exportsHeaderRow(): void
{
$csv = $this->exporter->export([]);
self::assertStringContainsString('Nom;Prénom;Classe;Statut', $csv);
}
#[Test]
public function exportsStudentData(): void
{
$students = [
new StudentImageRightsDto(
id: 'id-1',
firstName: 'Alice',
lastName: 'Dupont',
email: 'alice@example.com',
imageRightsStatus: 'authorized',
imageRightsStatusLabel: 'Autorisé',
imageRightsUpdatedAt: new DateTimeImmutable(),
className: '6ème A',
),
new StudentImageRightsDto(
id: 'id-2',
firstName: 'Bob',
lastName: 'Martin',
email: 'bob@example.com',
imageRightsStatus: 'refused',
imageRightsStatusLabel: 'Refusé',
imageRightsUpdatedAt: null,
className: '5ème B',
),
];
$csv = $this->exporter->export($students);
self::assertStringContainsString('Dupont;Alice;"6ème A";Autorisé', $csv);
self::assertStringContainsString('Martin;Bob;"5ème B";Refusé', $csv);
}
#[Test]
public function handlesNullClassName(): void
{
$students = [
new StudentImageRightsDto(
id: 'id-1',
firstName: 'Alice',
lastName: 'Dupont',
email: 'alice@example.com',
imageRightsStatus: 'not_specified',
imageRightsStatusLabel: 'Non renseigné',
imageRightsUpdatedAt: null,
className: null,
),
];
$csv = $this->exporter->export($students);
self::assertStringContainsString('Dupont;Alice;;"Non renseigné"', $csv);
}
#[Test]
public function exportContainsCorrectNumberOfLines(): void
{
$students = [
new StudentImageRightsDto(
id: 'id-1',
firstName: 'Alice',
lastName: 'Dupont',
email: 'alice@example.com',
imageRightsStatus: 'authorized',
imageRightsStatusLabel: 'Autorisé',
imageRightsUpdatedAt: null,
className: '6ème A',
),
];
$csv = $this->exporter->export($students);
$lines = array_filter(explode("\n", trim($csv)));
// 1 header + 1 data row
self::assertCount(2, $lines);
}
}

46
backend/tests/Unit/Administration/Domain/Model/User/ImageRightsStatusTest.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\User;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class ImageRightsStatusTest extends TestCase
{
#[Test]
public function allCasesHaveLabels(): void
{
foreach (ImageRightsStatus::cases() as $status) {
self::assertNotEmpty($status->label());
}
}
#[Test]
public function authorizedEstAutorise(): void
{
self::assertTrue(ImageRightsStatus::AUTHORIZED->estAutorise());
}
#[Test]
public function refusedNEstPasAutorise(): void
{
self::assertFalse(ImageRightsStatus::REFUSED->estAutorise());
}
#[Test]
public function notSpecifiedNEstPasAutorise(): void
{
self::assertFalse(ImageRightsStatus::NOT_SPECIFIED->estAutorise());
}
#[Test]
public function backedValuesAreCorrect(): void
{
self::assertSame('authorized', ImageRightsStatus::AUTHORIZED->value);
self::assertSame('refused', ImageRightsStatus::REFUSED->value);
self::assertSame('not_specified', ImageRightsStatus::NOT_SPECIFIED->value);
}
}

138
backend/tests/Unit/Administration/Domain/Model/User/UserImageRightsTest.php Normal file
View File

@@ -0,0 +1,138 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\User;
use App\Administration\Domain\Event\DroitImageModifie;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\ImageRightsStatus;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UserImageRightsTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private const string MODIFIER_ID = '550e8400-e29b-41d4-a716-446655440099';
#[Test]
public function newUserHasNotSpecifiedImageRights(): void
{
$user = $this->createStudent();
self::assertSame(ImageRightsStatus::NOT_SPECIFIED, $user->imageRightsStatus);
self::assertNull($user->imageRightsUpdatedAt);
self::assertNull($user->imageRightsUpdatedBy);
}
#[Test]
public function modifierDroitImageSetsAuthorized(): void
{
$user = $this->createStudent();
$at = new DateTimeImmutable('2026-02-18 10:00:00');
$modifierId = UserId::fromString(self::MODIFIER_ID);
$user->modifierDroitImage(ImageRightsStatus::AUTHORIZED, $modifierId, $at);
self::assertSame(ImageRightsStatus::AUTHORIZED, $user->imageRightsStatus);
self::assertEquals($at, $user->imageRightsUpdatedAt);
self::assertTrue($user->imageRightsUpdatedBy->equals($modifierId));
}
#[Test]
public function modifierDroitImageSetsRefused(): void
{
$user = $this->createStudent();
$at = new DateTimeImmutable('2026-02-18 10:00:00');
$modifierId = UserId::fromString(self::MODIFIER_ID);
$user->modifierDroitImage(ImageRightsStatus::REFUSED, $modifierId, $at);
self::assertSame(ImageRightsStatus::REFUSED, $user->imageRightsStatus);
}
#[Test]
public function modifierDroitImageRecordsDroitImageModifieEvent(): void
{
$user = $this->createStudent();
$user->pullDomainEvents();
$at = new DateTimeImmutable('2026-02-18 10:00:00');
$modifierId = UserId::fromString(self::MODIFIER_ID);
$user->modifierDroitImage(ImageRightsStatus::AUTHORIZED, $modifierId, $at);
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(DroitImageModifie::class, $events[0]);
/** @var DroitImageModifie $event */
$event = $events[0];
self::assertTrue($user->id->equals($event->userId));
self::assertSame(ImageRightsStatus::AUTHORIZED, $event->nouveauStatut);
self::assertSame(ImageRightsStatus::NOT_SPECIFIED, $event->ancienStatut);
}
#[Test]
public function modifierDroitImageTracksOldStatus(): void
{
$user = $this->createStudent();
$modifierId = UserId::fromString(self::MODIFIER_ID);
$user->modifierDroitImage(ImageRightsStatus::AUTHORIZED, $modifierId, new DateTimeImmutable());
$user->pullDomainEvents();
$user->modifierDroitImage(ImageRightsStatus::REFUSED, $modifierId, new DateTimeImmutable());
$events = $user->pullDomainEvents();
/** @var DroitImageModifie $event */
$event = $events[0];
self::assertSame(ImageRightsStatus::AUTHORIZED, $event->ancienStatut);
self::assertSame(ImageRightsStatus::REFUSED, $event->nouveauStatut);
}
#[Test]
public function reconstitutePreservesImageRightsData(): void
{
$at = new DateTimeImmutable('2026-02-18 10:00:00');
$modifierId = UserId::fromString(self::MODIFIER_ID);
$user = User::reconstitute(
id: UserId::generate(),
email: new Email('eleve@example.com'),
roles: [Role::ELEVE],
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
statut: \App\Administration\Domain\Model\User\StatutCompte::EN_ATTENTE,
dateNaissance: null,
createdAt: new DateTimeImmutable(),
hashedPassword: null,
activatedAt: null,
consentementParental: null,
imageRightsStatus: ImageRightsStatus::AUTHORIZED,
imageRightsUpdatedAt: $at,
imageRightsUpdatedBy: $modifierId,
);
self::assertSame(ImageRightsStatus::AUTHORIZED, $user->imageRightsStatus);
self::assertEquals($at, $user->imageRightsUpdatedAt);
self::assertTrue($user->imageRightsUpdatedBy->equals($modifierId));
}
private function createStudent(): User
{
return User::creer(
email: new Email('eleve@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
dateNaissance: new DateTimeImmutable('2012-06-15'),
createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
);
}
}

5
backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php
View File

@@ -183,6 +183,11 @@ final class ActivateAccountProcessorTest extends TestCase
{ {
return []; return [];
} }
public function findStudentsByTenant(TenantId $tenantId): array
{
return [];
}
}; };
$consentementPolicy = new ConsentementParentalPolicy($this->clock); $consentementPolicy = new ConsentementParentalPolicy($this->clock);

7
frontend/e2e/calendar.spec.ts
View File

@@ -106,12 +106,13 @@ test.describe('Calendar Management (Story 2.11)', () => {
// Authorization (AC1) // Authorization (AC1)
// ============================================================================ // ============================================================================
test.describe('Authorization', () => { test.describe('Authorization', () => {
test('[P0] teacher is redirected away from calendar admin', async ({ page }) => { test('[P0] teacher can access admin layout but calendar returns error', async ({ page }) => {
await loginAsTeacher(page); await loginAsTeacher(page);
await page.goto(`${ALPHA_URL}/admin/calendar`); await page.goto(`${ALPHA_URL}/admin/calendar`);
// Admin layout redirects non-admin roles to /dashboard // Teacher can access admin layout (ROLE_PROF in ADMIN_ROLES for image-rights)
await expect(page).toHaveURL(/\/dashboard/, { timeout: 10000 }); // but calendar page may show access denied from backend
await expect(page).toHaveURL(/\/admin\/calendar/, { timeout: 10000 });
}); });
}); });

309
frontend/e2e/image-rights.spec.ts Normal file
View File

@@ -0,0 +1,309 @@
import { test, expect } from '@playwright/test';
import { execSync } from 'child_process';
import { join, dirname } from 'path';
import { fileURLToPath } from 'url';
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
// Extract port from PLAYWRIGHT_BASE_URL or use default (4173 matches playwright.config.ts)
const baseUrl = process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:4173';
const urlMatch = baseUrl.match(/:(\d+)$/);
const PORT = urlMatch ? urlMatch[1] : '4173';
const ALPHA_URL = `http://ecole-alpha.classeo.local:${PORT}`;
// Test credentials — unique to this spec to avoid cross-spec collisions
const ADMIN_EMAIL = 'e2e-imgrights-admin@example.com';
const ADMIN_PASSWORD = 'ImgRightsAdmin123';
const STUDENT_EMAIL = 'e2e-imgrights-student@example.com';
const STUDENT_PASSWORD = 'ImgRightsStudent123';
let _studentUserId: string;
/**
* Extracts the User ID from the Symfony console table output.
*
* The create-test-user command outputs a table like:
* | Property | Value |
* | User ID | a1b2c3d4-e5f6-7890-abcd-ef1234567890 |
*/
function extractUserId(output: string): string {
const match = output.match(/User ID\s+([a-f0-9-]{36})/i);
if (!match) {
throw new Error(`Could not extract User ID from command output:\n${output}`);
}
return match[1];
}
test.describe('Image Rights Management', () => {
test.describe.configure({ mode: 'serial' });
test.beforeAll(async () => {
const projectRoot = join(__dirname, '../..');
const composeFile = join(projectRoot, 'compose.yaml');
// Create admin user
execSync(
`docker compose -f "${composeFile}" exec -T php php bin/console app:dev:create-test-user --tenant=ecole-alpha --email=${ADMIN_EMAIL} --password=${ADMIN_PASSWORD} --role=ROLE_ADMIN 2>&1`,
{ encoding: 'utf-8' }
);
// Create student user and capture userId
const studentOutput = execSync(
`docker compose -f "${composeFile}" exec -T php php bin/console app:dev:create-test-user --tenant=ecole-alpha --email=${STUDENT_EMAIL} --password=${STUDENT_PASSWORD} --role=ROLE_ELEVE 2>&1`,
{ encoding: 'utf-8' }
);
_studentUserId = extractUserId(studentOutput);
});
// Helper to login as admin
async function loginAsAdmin(page: import('@playwright/test').Page) {
await page.goto(`${ALPHA_URL}/login`);
await page.locator('#email').fill(ADMIN_EMAIL);
await page.locator('#password').fill(ADMIN_PASSWORD);
await Promise.all([
page.waitForURL(/\/dashboard/, { timeout: 30000 }),
page.getByRole('button', { name: /se connecter/i }).click()
]);
}
// Helper to login as student
async function loginAsStudent(page: import('@playwright/test').Page) {
await page.goto(`${ALPHA_URL}/login`);
await page.locator('#email').fill(STUDENT_EMAIL);
await page.locator('#password').fill(STUDENT_PASSWORD);
await Promise.all([
page.waitForURL(/\/dashboard/, { timeout: 30000 }),
page.getByRole('button', { name: /se connecter/i }).click()
]);
}
/**
* Waits for the image rights page to finish loading.
*
* After hydration, the page either shows the student tables (sections with
* h2 headings) or the empty state. Waiting for one of these ensures the
* component is interactive and API data has been fetched.
*/
async function waitForPageLoaded(page: import('@playwright/test').Page) {
await expect(
page.getByRole('heading', { name: /droit à l'image/i })
).toBeVisible({ timeout: 15000 });
// Wait for either the stats bar (data loaded) or empty state (no students)
await expect(
page.locator('.stats-bar')
.or(page.locator('.empty-state'))
).toBeVisible({ timeout: 15000 });
}
// ============================================================================
// [P1] Page loads with correct structure
// ============================================================================
test('[P1] page loads with correct structure', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/image-rights`);
await waitForPageLoaded(page);
// Title
await expect(
page.getByRole('heading', { name: /droit à l'image/i })
).toBeVisible();
// Subtitle
await expect(
page.getByText(/consultez et gérez les autorisations/i)
).toBeVisible();
// Status filter dropdown
const filterSelect = page.locator('#filter-status');
await expect(filterSelect).toBeVisible();
// Verify filter options
const options = filterSelect.locator('option');
await expect(options.filter({ hasText: /tous les statuts/i })).toHaveCount(1);
await expect(options.filter({ hasText: /^Autorisé$/ })).toHaveCount(1);
await expect(options.filter({ hasText: /^Refusé$/ })).toHaveCount(1);
await expect(options.filter({ hasText: /^Non renseigné$/ })).toHaveCount(1);
// Search input
await expect(
page.locator('input[type="search"]')
).toBeVisible();
// Export CSV button
await expect(
page.getByRole('button', { name: /exporter csv/i })
).toBeVisible();
// Filter and reset buttons
await expect(
page.getByRole('button', { name: /^filtrer$/i })
).toBeVisible();
await expect(
page.getByRole('button', { name: /réinitialiser/i })
).toBeVisible();
// Section headings (authorized / unauthorized)
await expect(
page.getByRole('heading', { name: /élèves autorisés/i })
).toBeVisible();
await expect(
page.getByRole('heading', { name: /élèves non autorisés/i })
).toBeVisible();
// Stats bar
await expect(page.locator('.stats-bar')).toBeVisible();
});
// ============================================================================
// [P1] Filter by status works
// ============================================================================
test('[P1] filter by status works', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/image-rights`);
await waitForPageLoaded(page);
// Select "Autorisé" in the status filter
await page.locator('#filter-status').selectOption('authorized');
// Click "Filtrer" to apply
await page.getByRole('button', { name: /^filtrer$/i }).click();
// Wait for the page to reload with filtered data
await expect(page).toHaveURL(/status=authorized/);
await waitForPageLoaded(page);
// After filtering by "Autorisé", either:
// - The stats bar shows with 0 unauthorized, OR
// - The empty state shows (no authorized students found)
const statsBarVisible = await page.locator('.stats-bar').isVisible();
if (statsBarVisible) {
const unauthorizedCount = await page.locator('.stat-count.stat-danger').textContent();
expect(parseInt(unauthorizedCount ?? '0', 10)).toBe(0);
} else {
await expect(page.locator('.empty-state')).toBeVisible();
}
// Reset filters to restore original state
await page.getByRole('button', { name: /réinitialiser/i }).click();
await waitForPageLoaded(page);
// URL should no longer contain status filter
expect(page.url()).not.toContain('status=');
});
// ============================================================================
// [P1] Status update via dropdown
// ============================================================================
test('[P1] status update via dropdown', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/image-rights`);
await waitForPageLoaded(page);
// Find the first student's action select (in either authorized or unauthorized table)
const firstActionSelect = page.locator('td[data-label="Actions"] select').first();
await expect(firstActionSelect).toBeVisible({ timeout: 10000 });
// Get the current value
const currentValue = await firstActionSelect.inputValue();
// Pick a different status to switch to
const newValue = currentValue === 'authorized' ? 'refused' : 'authorized';
// Change the status
await firstActionSelect.selectOption(newValue);
// Success message should appear
await expect(
page.locator('.alert-success')
).toBeVisible({ timeout: 10000 });
await expect(
page.locator('.alert-success')
).toContainText(/statut mis à jour/i);
// Restore original status to leave test data clean
// Need to re-locate because the student may have moved to a different section
const restoredSelect = page.locator('td[data-label="Actions"] select').first();
await restoredSelect.selectOption(currentValue);
await expect(
page.locator('.alert-success')
).toBeVisible({ timeout: 10000 });
});
// ============================================================================
// [P1] Export CSV button triggers download
// ============================================================================
test('[P1] export CSV button triggers download', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/image-rights`);
await waitForPageLoaded(page);
// Listen for download event
const downloadPromise = page.waitForEvent('download', { timeout: 15000 });
// Click the export button
await page.getByRole('button', { name: /exporter csv/i }).click();
// Verify the download starts
const download = await downloadPromise;
expect(download.suggestedFilename()).toBe('droits-image.csv');
// Success message should appear
await expect(
page.locator('.alert-success')
).toBeVisible({ timeout: 10000 });
await expect(
page.locator('.alert-success')
).toContainText(/export csv/i);
});
// ============================================================================
// [P2] Text search filters students
// ============================================================================
test('[P2] text search filters students', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/image-rights`);
await waitForPageLoaded(page);
// Get the total student count before searching
const totalBefore = await page.locator('.stat-count.stat-total').textContent();
const totalBeforeNum = parseInt(totalBefore ?? '0', 10);
// Type a search term that matches the test student email prefix
const searchInput = page.locator('input[type="search"]');
await searchInput.fill('e2e-imgrights');
// Wait for the debounced search to apply (300ms debounce + some margin)
await page.waitForTimeout(500);
// The URL should be updated with the search parameter
await expect(page).toHaveURL(/search=e2e-imgrights/);
// The filtered count should be less than or equal to the total
// and specifically should find our test student
const totalAfter = await page.locator('.stat-count.stat-total').textContent();
const totalAfterNum = parseInt(totalAfter ?? '0', 10);
expect(totalAfterNum).toBeGreaterThanOrEqual(1);
expect(totalAfterNum).toBeLessThanOrEqual(totalBeforeNum);
// Clear the search
await searchInput.clear();
await page.waitForTimeout(500);
// Total should be restored
expect(page.url()).not.toContain('search=');
});
// ============================================================================
// [P2] Unauthorized role redirected
// ============================================================================
test('[P2] student role cannot access image rights page', async ({ page }) => {
await loginAsStudent(page);
await page.goto(`${ALPHA_URL}/admin/image-rights`);
// Admin guard in +layout.svelte redirects non-admin users to /dashboard
await page.waitForURL(/\/dashboard/, { timeout: 30000 });
expect(page.url()).toContain('/dashboard');
});
});

22
frontend/e2e/role-access-control.spec.ts
View File

@@ -105,25 +105,17 @@ test.describe('Role-Based Access Control [P0]', () => {
}); });
// ============================================================================ // ============================================================================
// Teacher access - should NOT have access to /admin pages // Teacher access - CAN access /admin layout (for image-rights, pedagogy)
// but backend protects sensitive pages (users, classes, etc.) with 403
// ============================================================================ // ============================================================================
test.describe('Teacher Access Restrictions', () => { test.describe('Teacher Access Restrictions', () => {
test('[P0] teacher cannot access /admin/users page', async ({ page }) => { test('[P0] teacher can access /admin layout', async ({ page }) => {
await loginAs(page, TEACHER_EMAIL, TEACHER_PASSWORD); await loginAs(page, TEACHER_EMAIL, TEACHER_PASSWORD);
await page.goto(`${ALPHA_URL}/admin/users`); await page.goto(`${ALPHA_URL}/admin/image-rights`);
// Admin guard redirects non-admin users to /dashboard // Teacher can access admin layout for authorized pages
await page.waitForURL(/\/dashboard/, { timeout: 30000 }); await page.waitForURL(/\/admin\/image-rights/, { timeout: 30000 });
expect(page.url()).toContain('/dashboard'); expect(page.url()).toContain('/admin/image-rights');
});
test('[P0] teacher cannot access /admin page', async ({ page }) => {
await loginAs(page, TEACHER_EMAIL, TEACHER_PASSWORD);
await page.goto(`${ALPHA_URL}/admin`);
// Admin guard redirects non-admin users to /dashboard
await page.waitForURL(/\/dashboard/, { timeout: 30000 });
expect(page.url()).toContain('/dashboard');
}); });
}); });

1
frontend/eslint.config.js
View File

@@ -81,6 +81,7 @@ export default tseslint.config(
HTMLDivElement: 'readonly', HTMLDivElement: 'readonly',
setInterval: 'readonly', setInterval: 'readonly',
clearInterval: 'readonly', clearInterval: 'readonly',
URL: 'readonly',
URLSearchParams: 'readonly', URLSearchParams: 'readonly',
HTMLInputElement: 'readonly', HTMLInputElement: 'readonly',
KeyboardEvent: 'readonly', KeyboardEvent: 'readonly',

5
frontend/src/lib/components/organisms/Dashboard/DashboardAdmin.svelte
View File

@@ -61,6 +61,11 @@
<span class="action-label">Calendrier scolaire</span> <span class="action-label">Calendrier scolaire</span>
<span class="action-hint">Fériés et vacances</span> <span class="action-hint">Fériés et vacances</span>
</a> </a>
<a class="action-card" href="/admin/image-rights">
<span class="action-icon">📷</span>
<span class="action-label">Droit à l'image</span>
<span class="action-hint">Autorisations élèves</span>
</a>
<a class="action-card" href="/admin/pedagogy"> <a class="action-card" href="/admin/pedagogy">
<span class="action-icon">🎓</span> <span class="action-icon">🎓</span>
<span class="action-label">Pédagogie</span> <span class="action-label">Pédagogie</span>

3
frontend/src/routes/admin/+layout.svelte
View File

@@ -15,6 +15,7 @@
const ADMIN_ROLES = [ const ADMIN_ROLES = [
'ROLE_SUPER_ADMIN', 'ROLE_SUPER_ADMIN',
'ROLE_ADMIN', 'ROLE_ADMIN',
'ROLE_PROF',
'ROLE_VIE_SCOLAIRE', 'ROLE_VIE_SCOLAIRE',
'ROLE_SECRETARIAT' 'ROLE_SECRETARIAT'
]; ];
@@ -28,6 +29,7 @@
{ href: '/admin/replacements', label: 'Remplacements', isActive: () => isReplacementsActive }, { href: '/admin/replacements', label: 'Remplacements', isActive: () => isReplacementsActive },
{ href: '/admin/academic-year/periods', label: 'Périodes', isActive: () => isPeriodsActive }, { href: '/admin/academic-year/periods', label: 'Périodes', isActive: () => isPeriodsActive },
{ href: '/admin/calendar', label: 'Calendrier', isActive: () => isCalendarActive }, { href: '/admin/calendar', label: 'Calendrier', isActive: () => isCalendarActive },
{ href: '/admin/image-rights', label: 'Droit à l\'image', isActive: () => isImageRightsActive },
{ href: '/admin/pedagogy', label: 'Pédagogie', isActive: () => isPedagogyActive } { href: '/admin/pedagogy', label: 'Pédagogie', isActive: () => isPedagogyActive }
]; ];
@@ -80,6 +82,7 @@
const isAssignmentsActive = $derived(page.url.pathname.startsWith('/admin/assignments')); const isAssignmentsActive = $derived(page.url.pathname.startsWith('/admin/assignments'));
const isReplacementsActive = $derived(page.url.pathname.startsWith('/admin/replacements')); const isReplacementsActive = $derived(page.url.pathname.startsWith('/admin/replacements'));
const isCalendarActive = $derived(page.url.pathname.startsWith('/admin/calendar')); const isCalendarActive = $derived(page.url.pathname.startsWith('/admin/calendar'));
const isImageRightsActive = $derived(page.url.pathname.startsWith('/admin/image-rights'));
const isPedagogyActive = $derived(page.url.pathname.startsWith('/admin/pedagogy')); const isPedagogyActive = $derived(page.url.pathname.startsWith('/admin/pedagogy'));
const currentSectionLabel = $derived.by(() => { const currentSectionLabel = $derived.by(() => {

729
frontend/src/routes/admin/image-rights/+page.svelte Normal file
View File

@@ -0,0 +1,729 @@
<script lang="ts">
import { goto } from '$app/navigation';
import { page } from '$app/state';
import { getApiBaseUrl } from '$lib/api/config';
import { authenticatedFetch } from '$lib/auth';
import SearchInput from '$lib/components/molecules/SearchInput/SearchInput.svelte';
import { untrack } from 'svelte';
interface StudentImageRights {
id: string;
firstName: string;
lastName: string;
email: string;
imageRightsStatus: string;
imageRightsStatusLabel: string;
imageRightsUpdatedAt: string | null;
className: string | null;
}
const STATUS_OPTIONS = [
{ value: 'authorized', label: 'Autorisé' },
{ value: 'refused', label: 'Refusé' },
{ value: 'not_specified', label: 'Non renseigné' }
];
// State
let students = $state<StudentImageRights[]>([]);
let isLoading = $state(true);
let error = $state<string | null>(null);
let successMessage = $state<string | null>(null);
// Filters
let filterStatus = $state<string>(page.url.searchParams.get('status') ?? '');
let searchTerm = $state(page.url.searchParams.get('search') ?? '');
// Derived groups
let filteredStudents = $derived.by(() => {
if (!searchTerm) return students;
const term = searchTerm.toLowerCase();
return students.filter(
(s) =>
s.firstName.toLowerCase().includes(term) ||
s.lastName.toLowerCase().includes(term) ||
s.email.toLowerCase().includes(term)
);
});
let authorizedStudents = $derived(
filteredStudents.filter((s) => s.imageRightsStatus === 'authorized')
);
let unauthorizedStudents = $derived(
filteredStudents.filter((s) => s.imageRightsStatus !== 'authorized')
);
// Updating state
let updatingId = $state<string | null>(null);
let isExporting = $state(false);
let loadAbortController: AbortController | null = null;
$effect(() => {
untrack(() => loadStudents());
});
async function loadStudents() {
loadAbortController?.abort();
const controller = new AbortController();
loadAbortController = controller;
try {
isLoading = true;
error = null;
const apiUrl = getApiBaseUrl();
const params = new URLSearchParams();
if (filterStatus) params.set('status', filterStatus);
const query = params.toString();
const url = `${apiUrl}/students/image-rights${query ? `?${query}` : ''}`;
const response = await authenticatedFetch(url, { signal: controller.signal });
if (controller.signal.aborted) return;
if (!response.ok) {
throw new Error('Erreur lors du chargement des droits à l\'image');
}
const data = await response.json();
students = Array.isArray(data) ? data : data['member'] ?? data['hydra:member'] ?? [];
} catch (e) {
if (e instanceof DOMException && e.name === 'AbortError') return;
error = e instanceof Error ? e.message : 'Erreur inconnue';
students = [];
} finally {
if (!controller.signal.aborted) {
isLoading = false;
}
}
}
function updateUrl() {
const params = new URLSearchParams();
if (filterStatus) params.set('status', filterStatus);
if (searchTerm) params.set('search', searchTerm);
const query = params.toString();
goto(`?${query}`, { replaceState: true, noScroll: true, keepFocus: true });
}
function handleSearch(value: string) {
searchTerm = value;
updateUrl();
}
function applyFilters() {
updateUrl();
loadStudents();
}
function resetFilters() {
filterStatus = '';
searchTerm = '';
updateUrl();
loadStudents();
}
async function updateStatus(studentId: string, newStatus: string) {
try {
updatingId = studentId;
error = null;
const apiUrl = getApiBaseUrl();
const response = await authenticatedFetch(`${apiUrl}/students/${studentId}/image-rights`, {
method: 'PATCH',
headers: { 'Content-Type': 'application/merge-patch+json' },
body: JSON.stringify({ imageRightsStatus: newStatus })
});
if (!response.ok) {
let errorMessage = `Erreur (${response.status})`;
try {
const errorData = await response.json();
errorMessage =
errorData['hydra:description'] ?? errorData.detail ?? errorMessage;
} catch {
// Ignore JSON parse errors, use default message
}
throw new Error(errorMessage);
}
const updated = await response.json();
students = students.map((s) =>
s.id === studentId
? {
...s,
imageRightsStatus: updated.imageRightsStatus ?? newStatus,
imageRightsStatusLabel:
updated.imageRightsStatusLabel ??
STATUS_OPTIONS.find((o) => o.value === newStatus)?.label ??
newStatus,
imageRightsUpdatedAt: updated.imageRightsUpdatedAt ?? new Date().toISOString()
}
: s
);
successMessage = 'Statut mis à jour avec succès.';
setTimeout(() => (successMessage = null), 3000);
} catch (e) {
error = e instanceof Error ? e.message : 'Erreur lors de la mise à jour';
} finally {
updatingId = null;
}
}
async function exportCsv() {
try {
isExporting = true;
error = null;
const apiUrl = getApiBaseUrl();
const params = new URLSearchParams();
if (filterStatus) params.set('status', filterStatus);
const query = params.toString();
const url = `${apiUrl}/students/image-rights/export${query ? `?${query}` : ''}`;
const response = await authenticatedFetch(url);
if (!response.ok) {
throw new Error('Erreur lors de l\'export');
}
const blob = await response.blob();
const downloadUrl = URL.createObjectURL(blob);
const a = document.createElement('a');
a.href = downloadUrl;
a.download = 'droits-image.csv';
document.body.appendChild(a);
a.click();
document.body.removeChild(a);
URL.revokeObjectURL(downloadUrl);
successMessage = 'Export CSV téléchargé.';
setTimeout(() => (successMessage = null), 3000);
} catch (e) {
error = e instanceof Error ? e.message : 'Erreur lors de l\'export';
} finally {
isExporting = false;
}
}
function statusBadgeClass(status: string): string {
return status === 'authorized'
? 'status-active'
: status === 'refused'
? 'status-suspended'
: 'status-pending';
}
</script>
<div class="admin-page">
<header class="page-header">
<div class="header-content">
<h1>Droit à l'image</h1>
<p class="subtitle">
Consultez et gérez les autorisations de droit à l'image des élèves
</p>
</div>
<button class="btn-primary" onclick={exportCsv} disabled={isExporting}>
{isExporting ? 'Export...' : 'Exporter CSV'}
</button>
</header>
{#if error}
<div class="alert alert-error" role="alert">
<span>{error}</span>
<button class="alert-close" onclick={() => (error = null)}>×</button>
</div>
{/if}
{#if successMessage}
<div class="alert alert-success" role="status">
<span>{successMessage}</span>
<button class="alert-close" onclick={() => (successMessage = null)}>×</button>
</div>
{/if}
<div class="filters-bar">
<div class="filter-group">
<SearchInput
value={searchTerm}
onSearch={handleSearch}
placeholder="Rechercher un élève..."
/>
</div>
<div class="filter-group">
<label for="filter-status">Statut</label>
<select id="filter-status" bind:value={filterStatus}>
<option value="">Tous les statuts</option>
{#each STATUS_OPTIONS as option}
<option value={option.value}>{option.label}</option>
{/each}
</select>
</div>
<div class="filter-actions">
<button class="btn-secondary btn-sm" onclick={applyFilters}>Filtrer</button>
<button class="btn-text btn-sm" onclick={resetFilters}>Réinitialiser</button>
</div>
</div>
{#if isLoading}
<div class="loading-state">
<div class="spinner"></div>
<p>Chargement...</p>
</div>
{:else if students.length === 0}
<div class="empty-state">
<div class="empty-icon">📷</div>
<h2>Aucun élève inscrit</h2>
<p>Commencez par créer des comptes élèves pour pouvoir gérer leurs autorisations de droit à l'image.</p>
<a class="btn-primary" href="/admin/users">Gérer les utilisateurs</a>
</div>
{:else if filteredStudents.length === 0}
<div class="empty-state">
<div class="empty-icon">🔍</div>
<h2>Aucun résultat</h2>
<p>Aucun élève ne correspond aux critères de recherche. Essayez de modifier vos filtres.</p>
<button class="btn-secondary" onclick={resetFilters}>Réinitialiser les filtres</button>
</div>
{:else}
<div class="stats-bar">
<span class="stat">
<span class="stat-count">{authorizedStudents.length}</span> autorisé{authorizedStudents.length > 1 ? 's' : ''}
</span>
<span class="stat">
<span class="stat-count stat-danger">{unauthorizedStudents.length}</span> non autorisé{unauthorizedStudents.length > 1 ? 's' : ''}
</span>
<span class="stat">
<span class="stat-count stat-total">{filteredStudents.length}</span> total
</span>
</div>
<div class="section">
<h2>Élèves autorisés ({authorizedStudents.length})</h2>
{#if authorizedStudents.length > 0}
<div class="table-wrapper">
<table>
<thead>
<tr>
<th>Nom</th>
<th>Prénom</th>
<th>Classe</th>
<th>Statut</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
{#each authorizedStudents as student}
<tr>
<td data-label="Nom">{student.lastName}</td>
<td data-label="Prénom">{student.firstName}</td>
<td data-label="Classe">{student.className ?? '—'}</td>
<td data-label="Statut">
<span class="badge {statusBadgeClass(student.imageRightsStatus)}">
{student.imageRightsStatusLabel}
</span>
</td>
<td data-label="Actions">
<select
value={student.imageRightsStatus}
onchange={(e) => updateStatus(student.id, e.currentTarget.value)}
disabled={updatingId === student.id}
>
{#each STATUS_OPTIONS as option}
<option value={option.value}>{option.label}</option>
{/each}
</select>
</td>
</tr>
{/each}
</tbody>
</table>
</div>
{:else}
<p class="empty-section">Aucun élève autorisé.</p>
{/if}
</div>
<div class="section">
<h2>Élèves non autorisés ({unauthorizedStudents.length})</h2>
{#if unauthorizedStudents.length > 0}
<div class="table-wrapper">
<table>
<thead>
<tr>
<th>Nom</th>
<th>Prénom</th>
<th>Classe</th>
<th>Statut</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
{#each unauthorizedStudents as student}
<tr>
<td data-label="Nom">{student.lastName}</td>
<td data-label="Prénom">{student.firstName}</td>
<td data-label="Classe">{student.className ?? '—'}</td>
<td data-label="Statut">
<span class="badge {statusBadgeClass(student.imageRightsStatus)}">
{student.imageRightsStatusLabel}
</span>
</td>
<td data-label="Actions">
<select
value={student.imageRightsStatus}
onchange={(e) => updateStatus(student.id, e.currentTarget.value)}
disabled={updatingId === student.id}
>
{#each STATUS_OPTIONS as option}
<option value={option.value}>{option.label}</option>
{/each}
</select>
</td>
</tr>
{/each}
</tbody>
</table>
</div>
{:else}
<p class="empty-section">Tous les élèves sont autorisés.</p>
{/if}
</div>
{/if}
</div>
<style>
.admin-page {
max-width: 1200px;
margin: 0 auto;
padding: 1.5rem;
}
.page-header {
display: flex;
justify-content: space-between;
align-items: flex-start;
margin-bottom: 1.5rem;
gap: 1rem;
}
.page-header h1 {
font-size: 1.5rem;
font-weight: 700;
color: var(--text-primary, #1a1a2e);
margin: 0;
}
.subtitle {
color: var(--text-secondary, #666);
margin: 0.25rem 0 0;
font-size: 0.875rem;
}
.btn-primary {
padding: 0.5rem 1rem;
background: var(--accent-primary, #4361ee);
color: white;
border: none;
border-radius: 0.5rem;
cursor: pointer;
font-size: 0.875rem;
font-weight: 500;
white-space: nowrap;
}
.btn-primary:hover {
opacity: 0.9;
}
.btn-primary:disabled {
opacity: 0.5;
cursor: not-allowed;
}
.btn-secondary {
padding: 0.5rem 1rem;
background: var(--surface-secondary, #f0f0f0);
color: var(--text-primary, #333);
border: 1px solid var(--border-color, #ddd);
border-radius: 0.5rem;
cursor: pointer;
font-size: 0.875rem;
}
.btn-text {
padding: 0.5rem 1rem;
background: none;
color: var(--text-secondary, #666);
border: none;
cursor: pointer;
font-size: 0.875rem;
}
.btn-sm {
padding: 0.375rem 0.75rem;
font-size: 0.8125rem;
}
.alert {
padding: 0.75rem 1rem;
border-radius: 0.5rem;
margin-bottom: 1rem;
display: flex;
justify-content: space-between;
align-items: center;
}
.alert-error {
background: #fef2f2;
color: #991b1b;
border: 1px solid #fecaca;
}
.alert-success {
background: #f0fdf4;
color: #166534;
border: 1px solid #bbf7d0;
}
.alert-close {
background: none;
border: none;
font-size: 1.25rem;
cursor: pointer;
color: inherit;
padding: 0 0.25rem;
}
.filters-bar {
display: flex;
gap: 1rem;
align-items: flex-end;
margin-bottom: 1.5rem;
flex-wrap: wrap;
}
.filter-group {
display: flex;
flex-direction: column;
gap: 0.25rem;
}
.filter-group label {
font-size: 0.75rem;
font-weight: 600;
color: var(--text-secondary, #666);
text-transform: uppercase;
}
.filter-group select {
padding: 0.5rem 0.75rem;
border: 1px solid var(--border-color, #ddd);
border-radius: 0.375rem;
font-size: 0.875rem;
min-width: 160px;
}
.filter-actions {
display: flex;
gap: 0.5rem;
align-items: flex-end;
}
.stats-bar {
display: flex;
gap: 1.5rem;
margin-bottom: 1.5rem;
padding: 0.75rem 1rem;
background: var(--surface-secondary, #f8f9fa);
border-radius: 0.5rem;
}
.stat {
font-size: 0.875rem;
color: var(--text-secondary, #666);
}
.stat-count {
font-weight: 700;
color: #166534;
}
.stat-count.stat-danger {
color: #991b1b;
}
.stat-count.stat-total {
color: var(--text-primary, #333);
}
.section {
margin-bottom: 2rem;
}
.section h2 {
font-size: 1.125rem;
font-weight: 600;
margin-bottom: 0.75rem;
color: var(--text-primary, #1a1a2e);
}
.table-wrapper {
overflow-x: auto;
}
table {
width: 100%;
border-collapse: collapse;
font-size: 0.875rem;
}
thead {
background: var(--surface-secondary, #f8f9fa);
}
th {
text-align: left;
padding: 0.75rem 1rem;
font-weight: 600;
color: var(--text-secondary, #666);
border-bottom: 2px solid var(--border-color, #e5e7eb);
}
td {
padding: 0.75rem 1rem;
border-bottom: 1px solid var(--border-color, #f0f0f0);
color: var(--text-primary, #333);
}
tr:hover {
background: var(--surface-hover, #f9fafb);
}
.badge {
display: inline-block;
padding: 0.25rem 0.625rem;
border-radius: 999px;
font-size: 0.75rem;
font-weight: 600;
}
.status-active {
background: #dcfce7;
color: #166534;
}
.status-suspended {
background: #fef2f2;
color: #991b1b;
}
.status-pending {
background: #fef9c3;
color: #854d0e;
}
td select {
padding: 0.375rem 0.5rem;
border: 1px solid var(--border-color, #ddd);
border-radius: 0.375rem;
font-size: 0.8125rem;
min-width: 140px;
}
td select:disabled {
opacity: 0.5;
}
.loading-state {
text-align: center;
padding: 3rem 1rem;
color: var(--text-secondary, #666);
}
.empty-state {
text-align: center;
padding: 3rem 1.5rem;
background: var(--surface-elevated, #fff);
border: 1px solid var(--border-subtle, #e2e8f0);
border-radius: 0.75rem;
}
.empty-icon {
font-size: 3rem;
margin-bottom: 1rem;
}
.empty-state h2 {
font-size: 1.125rem;
font-weight: 600;
color: var(--text-primary, #1f2937);
margin: 0 0 0.5rem;
}
.empty-state p {
font-size: 0.875rem;
color: var(--text-secondary, #64748b);
margin: 0 0 1.5rem;
max-width: 400px;
margin-left: auto;
margin-right: auto;
}
.spinner {
width: 2rem;
height: 2rem;
border: 3px solid var(--border-color, #e5e7eb);
border-top-color: var(--accent-primary, #4361ee);
border-radius: 50%;
animation: spin 0.8s linear infinite;
margin: 0 auto 1rem;
}
@keyframes spin {
to {
transform: rotate(360deg);
}
}
.empty-section {
padding: 1rem;
color: var(--text-secondary, #999);
font-style: italic;
}
@media (max-width: 768px) {
.page-header {
flex-direction: column;
}
.filters-bar {
flex-direction: column;
}
.stats-bar {
flex-direction: column;
gap: 0.5rem;
}
thead {
display: none;
}
tr {
display: block;
margin-bottom: 1rem;
border: 1px solid var(--border-color, #e5e7eb);
border-radius: 0.5rem;
padding: 0.5rem;
}
td {
display: flex;
justify-content: space-between;
align-items: center;
border-bottom: none;
padding: 0.375rem 0.5rem;
}
td::before {
content: attr(data-label);
font-weight: 600;
color: var(--text-secondary, #666);
font-size: 0.75rem;
}
}
</style>