Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Browse Source 
Permet aux administrateurs d'un établissement de gérer le cycle de vie
des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer
des comptes actifs, et renvoyer des invitations en attente.

Chaque mutation vérifie l'appartenance au tenant courant pour empêcher
les accès cross-tenant. Le blocage est restreint aux comptes actifs
uniquement et un administrateur ne peut pas bloquer son propre compte.

Les comptes suspendus reçoivent une erreur 403 spécifique au login
(sans déclencher l'escalade du rate limiting) et les tentatives sont
tracées dans les métriques Prometheus.
This commit is contained in:
Mathias STRASSER
2026-02-07 16:44:30 +01:00
parent ff18850a43
commit 4005c70082
58 changed files with 4443 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
backend/src/Administration/Application/Command/BlockUser/BlockUserCommand.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\BlockUser;
final readonly class BlockUserCommand
{
public function __construct(
public string $userId,
public string $reason,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/BlockUser/BlockUserHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\BlockUser;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class BlockUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(BlockUserCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->bloquer($command->reason, $this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

19
backend/src/Administration/Application/Command/InviteUser/InviteUserCommand.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\InviteUser;
final readonly class InviteUserCommand
{
public function __construct(
public string $tenantId,
public string $schoolName,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public ?string $dateNaissance = null,
) {
}
}

63
backend/src/Administration/Application/Command/InviteUser/InviteUserHandler.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\InviteUser;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use InvalidArgumentException;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class InviteUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
/**
* @throws EmailDejaUtiliseeException if email is already used in this tenant
* @throws InvalidArgumentException if the role is invalid
*/
public function __invoke(InviteUserCommand $command): User
{
$tenantId = TenantId::fromString($command->tenantId);
$email = new Email($command->email);
$role = Role::tryFrom($command->role);
if ($role === null) {
throw new InvalidArgumentException("Rôle invalide : \"{$command->role}\".");
}
$existingUser = $this->userRepository->findByEmail($email, $tenantId);
if ($existingUser !== null) {
throw EmailDejaUtiliseeException::dansTenant($email, $tenantId);
}
$user = User::inviter(
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $command->schoolName,
firstName: $command->firstName,
lastName: $command->lastName,
invitedAt: $this->clock->now(),
dateNaissance: $command->dateNaissance !== null
? new DateTimeImmutable($command->dateNaissance)
: null,
);
$this->userRepository->save($user);
return $user;
}
}

14
backend/src/Administration/Application/Command/ResendInvitation/ResendInvitationCommand.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\ResendInvitation;
final readonly class ResendInvitationCommand
{
public function __construct(
public string $userId,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/ResendInvitation/ResendInvitationHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\ResendInvitation;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class ResendInvitationHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(ResendInvitationCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->renvoyerInvitation($this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

14
backend/src/Administration/Application/Command/UnblockUser/UnblockUserCommand.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UnblockUser;
final readonly class UnblockUserCommand
{
public function __construct(
public string $userId,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/UnblockUser/UnblockUserHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UnblockUser;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class UnblockUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(UnblockUserCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->debloquer($this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

58
backend/src/Administration/Application/Query/GetUsers/GetUsersHandler.php Normal file
View File

@@ -0,0 +1,58 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'query.bus')]
final readonly class GetUsersHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
/**
* @return UserDto[]
*/
public function __invoke(GetUsersQuery $query): array
{
$users = $this->userRepository->findAllByTenant(
TenantId::fromString($query->tenantId),
);
// Apply filters
if ($query->role !== null) {
$filterRole = Role::tryFrom($query->role);
if ($filterRole !== null) {
$users = array_filter(
$users,
static fn ($user) => $user->role === $filterRole,
);
}
}
if ($query->statut !== null) {
$filterStatut = StatutCompte::tryFrom($query->statut);
if ($filterStatut !== null) {
$users = array_filter(
$users,
static fn ($user) => $user->statut === $filterStatut,
);
}
}
return array_values(array_map(
fn ($user) => UserDto::fromDomain($user, $this->clock),
$users,
));
}
}

15
backend/src/Administration/Application/Query/GetUsers/GetUsersQuery.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
final readonly class GetUsersQuery
{
public function __construct(
public string $tenantId,
public ?string $role = null,
public ?string $statut = null,
) {
}
}

48
backend/src/Administration/Application/Query/GetUsers/UserDto.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
use App\Administration\Domain\Model\User\User;
use App\Shared\Domain\Clock;
use DateTimeImmutable;
final readonly class UserDto
{
public function __construct(
public string $id,
public string $email,
public string $role,
public string $roleLabel,
public string $firstName,
public string $lastName,
public string $statut,
public DateTimeImmutable $createdAt,
public ?DateTimeImmutable $invitedAt,
public ?DateTimeImmutable $activatedAt,
public ?DateTimeImmutable $blockedAt,
public ?string $blockedReason,
public bool $invitationExpiree,
) {
}
public static function fromDomain(User $user, Clock $clock): self
{
return new self(
id: (string) $user->id,
email: (string) $user->email,
role: $user->role->value,
roleLabel: $user->role->label(),
firstName: $user->firstName,
lastName: $user->lastName,
statut: $user->statut->value,
createdAt: $user->createdAt,
invitedAt: $user->invitedAt,
activatedAt: $user->activatedAt,
blockedAt: $user->blockedAt,
blockedReason: $user->blockedReason,
invitationExpiree: $user->estInvitationExpiree($clock->now()),
);
}
}

35
backend/src/Administration/Domain/Event/InvitationRenvoyee.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class InvitationRenvoyee implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

36
backend/src/Administration/Domain/Event/UtilisateurBloque.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurBloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $reason,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

35
backend/src/Administration/Domain/Event/UtilisateurDebloque.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurDebloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

38
backend/src/Administration/Domain/Event/UtilisateurInvite.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurInvite implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

23
backend/src/Administration/Domain/Exception/EmailDejaUtiliseeException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\Email;
use App\Shared\Domain\Tenant\TenantId;
use RuntimeException;
use function sprintf;
final class EmailDejaUtiliseeException extends RuntimeException
{
public static function dansTenant(Email $email, TenantId $tenantId): self
{
return new self(sprintf(
'L\'email "%s" est déjà utilisé dans l\'établissement "%s".',
$email,
$tenantId,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurDejaInviteException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurDejaInviteException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de renvoyer l\'invitation pour "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonBlocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonBlocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de bloquer l\'utilisateur "%s" : le compte est déjà en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonDeblocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonDeblocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de débloquer l\'utilisateur "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

150
backend/src/Administration/Domain/Model/User/User.php
View File

@@ -6,8 +6,15 @@ namespace App\Administration\Domain\Model\User;
use App\Administration\Domain\Event\CompteActive;
use App\Administration\Domain\Event\CompteCreated;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\MotDePasseChange;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\CompteNonActivableException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Shared\Domain\AggregateRoot;
@@ -26,6 +33,9 @@ final class User extends AggregateRoot
public private(set) ?string $hashedPassword = null;
public private(set) ?DateTimeImmutable $activatedAt = null;
public private(set) ?ConsentementParental $consentementParental = null;
public private(set) ?DateTimeImmutable $invitedAt = null;
public private(set) ?DateTimeImmutable $blockedAt = null;
public private(set) ?string $blockedReason = null;
private function __construct(
public private(set) UserId $id,
@@ -36,6 +46,8 @@ final class User extends AggregateRoot
public private(set) StatutCompte $statut,
public private(set) ?DateTimeImmutable $dateNaissance,
public private(set) DateTimeImmutable $createdAt,
public private(set) string $firstName = '',
public private(set) string $lastName = '',
) {
}
@@ -136,6 +148,134 @@ final class User extends AggregateRoot
return $this->statut->peutSeConnecter();
}
/**
* Creates a new user via admin invitation.
*
* Unlike creer() which is for self-registration, inviter() is used
* when an admin creates a user account from the management interface.
*/
public static function inviter(
Email $email,
Role $role,
TenantId $tenantId,
string $schoolName,
string $firstName,
string $lastName,
DateTimeImmutable $invitedAt,
?DateTimeImmutable $dateNaissance = null,
): self {
$user = new self(
id: UserId::generate(),
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
statut: StatutCompte::EN_ATTENTE,
dateNaissance: $dateNaissance,
createdAt: $invitedAt,
firstName: $firstName,
lastName: $lastName,
);
$user->invitedAt = $invitedAt;
$user->recordEvent(new UtilisateurInvite(
userId: $user->id,
email: (string) $user->email,
role: $user->role->value,
firstName: $firstName,
lastName: $lastName,
tenantId: $user->tenantId,
occurredOn: $invitedAt,
));
return $user;
}
/**
* Resends the invitation for a user still awaiting activation.
*
* @throws UtilisateurDejaInviteException if user is no longer in a pending state
*/
public function renvoyerInvitation(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
throw UtilisateurDejaInviteException::carStatutIncompatible($this->id, $this->statut);
}
$this->invitedAt = $at;
$this->recordEvent(new InvitationRenvoyee(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Blocks a user account.
*
* @throws UtilisateurNonBlocableException if user is already suspended or archived
*/
public function bloquer(string $reason, DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::ACTIF) {
throw UtilisateurNonBlocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::SUSPENDU;
$this->blockedAt = $at;
$this->blockedReason = $reason;
$this->recordEvent(new UtilisateurBloque(
userId: $this->id,
email: (string) $this->email,
reason: $reason,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Unblocks a suspended user account, restoring it to active status.
*
* @throws UtilisateurNonDeblocableException if user is not suspended
*/
public function debloquer(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::SUSPENDU) {
throw UtilisateurNonDeblocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::ACTIF;
$this->blockedAt = null;
$this->blockedReason = null;
$this->recordEvent(new UtilisateurDebloque(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Checks if the invitation has expired (> 7 days since last invitation).
*/
public function estInvitationExpiree(DateTimeImmutable $at): bool
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
return false;
}
if ($this->invitedAt === null) {
return false;
}
return $at > $this->invitedAt->modify('+7 days');
}
/**
* Changes the user's password.
*
@@ -170,6 +310,11 @@ final class User extends AggregateRoot
?string $hashedPassword,
?DateTimeImmutable $activatedAt,
?ConsentementParental $consentementParental,
string $firstName = '',
string $lastName = '',
?DateTimeImmutable $invitedAt = null,
?DateTimeImmutable $blockedAt = null,
?string $blockedReason = null,
): self {
$user = new self(
id: $id,
@@ -180,11 +325,16 @@ final class User extends AggregateRoot
statut: $statut,
dateNaissance: $dateNaissance,
createdAt: $createdAt,
firstName: $firstName,
lastName: $lastName,
);
$user->hashedPassword = $hashedPassword;
$user->activatedAt = $activatedAt;
$user->consentementParental = $consentementParental;
$user->invitedAt = $invitedAt;
$user->blockedAt = $blockedAt;
$user->blockedReason = $blockedReason;
return $user;
}

7
backend/src/Administration/Domain/Repository/UserRepository.php
View File

@@ -23,4 +23,11 @@ interface UserRepository
* Returns null if user doesn't exist in that tenant.
*/
public function findByEmail(Email $email, TenantId $tenantId): ?User;
/**
* Returns all users for a given tenant.
*
* @return User[]
*/
public function findAllByTenant(TenantId $tenantId): array;
}

88
backend/src/Administration/Infrastructure/Api/Processor/BlockUserProcessor.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\BlockUser\BlockUserCommand;
use App\Administration\Application\Command\BlockUser\BlockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class BlockUserProcessor implements ProcessorInterface
{
public function __construct(
private BlockUserHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Security $security,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::BLOCK)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à bloquer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
$currentUser = $this->security->getUser();
if ($currentUser instanceof SecurityUser && $currentUser->userId() === $userId) {
throw new BadRequestHttpException('Vous ne pouvez pas bloquer votre propre compte.');
}
$reason = trim($data->reason ?? '');
if ($reason === '') {
throw new BadRequestHttpException('La raison du blocage est obligatoire.');
}
try {
$command = new BlockUserCommand(
userId: $userId,
reason: $reason,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurNonBlocableException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

80
backend/src/Administration/Infrastructure/Api/Processor/InviteUserProcessor.php Normal file
View File

@@ -0,0 +1,80 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\InviteUser\InviteUserCommand;
use App\Administration\Application\Command\InviteUser\InviteUserHandler;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use InvalidArgumentException;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class InviteUserProcessor implements ProcessorInterface
{
public function __construct(
private InviteUserHandler $handler,
private TenantContext $tenantContext,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::CREATE)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à créer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
$tenantId = (string) $this->tenantContext->getCurrentTenantId();
$tenantConfig = $this->tenantContext->getCurrentTenantConfig();
try {
$command = new InviteUserCommand(
tenantId: $tenantId,
schoolName: $tenantConfig->subdomain,
email: $data->email ?? '',
role: $data->role ?? '',
firstName: $data->firstName ?? '',
lastName: $data->lastName ?? '',
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (EmailInvalideException|InvalidArgumentException $e) {
throw new BadRequestHttpException($e->getMessage());
} catch (EmailDejaUtiliseeException $e) {
throw new ConflictHttpException($e->getMessage());
}
}
}

74
backend/src/Administration/Infrastructure/Api/Processor/ResendInvitationProcessor.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationCommand;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class ResendInvitationProcessor implements ProcessorInterface
{
public function __construct(
private ResendInvitationHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::RESEND_INVITATION)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à renvoyer une invitation.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$command = new ResendInvitationCommand(
userId: $userId,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurDejaInviteException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

74
backend/src/Administration/Infrastructure/Api/Processor/UnblockUserProcessor.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class UnblockUserProcessor implements ProcessorInterface
{
public function __construct(
private UnblockUserHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::UNBLOCK)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à débloquer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$command = new UnblockUserCommand(
userId: $userId,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurNonDeblocableException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

64
backend/src/Administration/Infrastructure/Api/Provider/UserCollectionProvider.php Normal file
View File

@@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Application\Query\GetUsers\GetUsersHandler;
use App\Administration\Application\Query\GetUsers\GetUsersQuery;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Infrastructure\Tenant\TenantContext;
use function array_map;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* State Provider pour récupérer la liste des utilisateurs avec filtres.
*
* @implements ProviderInterface<UserResource>
*/
final readonly class UserCollectionProvider implements ProviderInterface
{
public function __construct(
private GetUsersHandler $handler,
private TenantContext $tenantContext,
private AuthorizationCheckerInterface $authorizationChecker,
) {
}
/**
* @return UserResource[]
*/
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
{
if (!$this->authorizationChecker->isGranted(UserVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à voir les utilisateurs.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
$tenantId = (string) $this->tenantContext->getCurrentTenantId();
/** @var array<string, string> $filters */
$filters = $context['filters'] ?? [];
$query = new GetUsersQuery(
tenantId: $tenantId,
role: isset($filters['role']) ? (string) $filters['role'] : null,
statut: isset($filters['statut']) ? (string) $filters['statut'] : null,
);
$userDtos = ($this->handler)($query);
return array_map(UserResource::fromDto(...), $userDtos);
}
}

63
backend/src/Administration/Infrastructure/Api/Provider/UserItemProvider.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* State Provider pour récupérer un utilisateur par ID.
*
* @implements ProviderInterface<UserResource>
*/
final readonly class UserItemProvider implements ProviderInterface
{
public function __construct(
private UserRepository $userRepository,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à voir cet utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$user = $this->userRepository->get(UserId::fromString($userId));
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
}
if (!$user->tenantId->equals($this->tenantContext->getCurrentTenantId())) {
throw new NotFoundHttpException('User not found.');
}
return UserResource::fromDomain($user, $this->clock->now());
}
}

142
backend/src/Administration/Infrastructure/Api/Resource/UserResource.php Normal file
View File

@@ -0,0 +1,142 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Resource;
use ApiPlatform\Metadata\ApiProperty;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Post;
use App\Administration\Application\Query\GetUsers\UserDto;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Api\Processor\BlockUserProcessor;
use App\Administration\Infrastructure\Api\Processor\InviteUserProcessor;
use App\Administration\Infrastructure\Api\Processor\ResendInvitationProcessor;
use App\Administration\Infrastructure\Api\Processor\UnblockUserProcessor;
use App\Administration\Infrastructure\Api\Provider\UserCollectionProvider;
use App\Administration\Infrastructure\Api\Provider\UserItemProvider;
use DateTimeImmutable;
use Symfony\Component\Validator\Constraints as Assert;
/**
* API Resource pour la gestion des utilisateurs.
*
* @see Story 2.5 - Création Comptes Utilisateurs
*/
#[ApiResource(
shortName: 'User',
operations: [
new GetCollection(
uriTemplate: '/users',
provider: UserCollectionProvider::class,
name: 'get_users',
),
new Get(
uriTemplate: '/users/{id}',
provider: UserItemProvider::class,
name: 'get_user',
),
new Post(
uriTemplate: '/users',
processor: InviteUserProcessor::class,
validationContext: ['groups' => ['Default', 'create']],
name: 'invite_user',
),
new Post(
uriTemplate: '/users/{id}/resend-invitation',
processor: ResendInvitationProcessor::class,
name: 'resend_invitation',
),
new Post(
uriTemplate: '/users/{id}/block',
processor: BlockUserProcessor::class,
validationContext: ['groups' => ['Default', 'block']],
name: 'block_user',
),
new Post(
uriTemplate: '/users/{id}/unblock',
processor: UnblockUserProcessor::class,
name: 'unblock_user',
),
],
)]
final class UserResource
{
#[ApiProperty(identifier: true)]
public ?string $id = null;
#[Assert\NotBlank(message: 'L\'email est requis.', groups: ['create'])]
#[Assert\Email(message: 'L\'email n\'est pas valide.')]
public ?string $email = null;
#[Assert\NotBlank(message: 'Le rôle est requis.', groups: ['create'])]
public ?string $role = null;
public ?string $roleLabel = null;
#[Assert\NotBlank(message: 'Le prénom est requis.', groups: ['create'])]
public ?string $firstName = null;
#[Assert\NotBlank(message: 'Le nom est requis.', groups: ['create'])]
public ?string $lastName = null;
public ?string $statut = null;
public ?DateTimeImmutable $createdAt = null;
public ?DateTimeImmutable $invitedAt = null;
public ?DateTimeImmutable $activatedAt = null;
public ?DateTimeImmutable $blockedAt = null;
public ?string $blockedReason = null;
#[ApiProperty(readable: true, writable: false)]
public ?bool $invitationExpiree = null;
#[Assert\NotBlank(message: 'La raison de blocage est requise.', groups: ['block'])]
public ?string $reason = null;
public static function fromDomain(User $user, ?DateTimeImmutable $now = null): self
{
$resource = new self();
$resource->id = (string) $user->id;
$resource->email = (string) $user->email;
$resource->role = $user->role->value;
$resource->roleLabel = $user->role->label();
$resource->firstName = $user->firstName;
$resource->lastName = $user->lastName;
$resource->statut = $user->statut->value;
$resource->createdAt = $user->createdAt;
$resource->invitedAt = $user->invitedAt;
$resource->activatedAt = $user->activatedAt;
$resource->blockedAt = $user->blockedAt;
$resource->blockedReason = $user->blockedReason;
$resource->invitationExpiree = $now !== null ? $user->estInvitationExpiree($now) : false;
return $resource;
}
public static function fromDto(UserDto $dto): self
{
$resource = new self();
$resource->id = $dto->id;
$resource->email = $dto->email;
$resource->role = $dto->role;
$resource->roleLabel = $dto->roleLabel;
$resource->firstName = $dto->firstName;
$resource->lastName = $dto->lastName;
$resource->statut = $dto->statut;
$resource->createdAt = $dto->createdAt;
$resource->invitedAt = $dto->invitedAt;
$resource->activatedAt = $dto->activatedAt;
$resource->blockedAt = $dto->blockedAt;
$resource->blockedReason = $dto->blockedReason;
$resource->invitationExpiree = $dto->invitationExpiree;
return $resource;
}
}

33
backend/src/Administration/Infrastructure/Console/CreateTestActivationTokenCommand.php
View File

@@ -147,22 +147,29 @@ final class CreateTestActivationTokenCommand extends Command
}
$now = $this->clock->now();
$emailVO = new Email($email);
// Create user
$dateNaissance = $isMinor
? $now->modify('-13 years') // 13 ans = mineur
: null;
// Check if user already exists for this tenant
$user = $this->userRepository->findByEmail($emailVO, $tenantId);
$user = User::creer(
email: new Email($email),
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
dateNaissance: $dateNaissance,
createdAt: $now,
);
if ($user !== null) {
$io->note(sprintf('User "%s" already exists, reusing existing account.', $email));
} else {
$dateNaissance = $isMinor
? $now->modify('-13 years') // 13 ans = mineur
: null;
$this->userRepository->save($user);
$user = User::creer(
email: $emailVO,
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
dateNaissance: $dateNaissance,
createdAt: $now,
);
$this->userRepository->save($user);
}
// Create activation token
$token = ActivationToken::generate(

74
backend/src/Administration/Infrastructure/Messaging/SendInvitationEmailHandler.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantUrlBuilder;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Sends an invitation email when a user is invited by an admin.
*
* Creates an activation token and emails the user with an activation link.
*/
#[AsMessageHandler(bus: 'event.bus')]
final readonly class SendInvitationEmailHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private ActivationTokenRepository $tokenRepository,
private UserRepository $userRepository,
private TenantUrlBuilder $tenantUrlBuilder,
private Clock $clock,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(UtilisateurInvite $event): void
{
$user = $this->userRepository->get(UserId::fromString((string) $event->userId));
$token = ActivationToken::generate(
userId: (string) $event->userId,
email: $event->email,
tenantId: $event->tenantId,
role: $event->role,
schoolName: $user->schoolName,
createdAt: $this->clock->now(),
);
$this->tokenRepository->save($token);
$roleEnum = Role::tryFrom($event->role);
$roleLabel = $roleEnum?->label() ?? $event->role;
$activationUrl = $this->tenantUrlBuilder->build($event->tenantId, '/activate/' . $token->tokenValue);
$html = $this->twig->render('emails/invitation.html.twig', [
'firstName' => $event->firstName,
'lastName' => $event->lastName,
'role' => $roleLabel,
'activationUrl' => $activationUrl,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('Invitation à rejoindre Classeo')
->html($html);
$this->mailer->send($email);
}
}

83
backend/src/Administration/Infrastructure/Messaging/SendResendInvitationEmailHandler.php Normal file
View File

@@ -0,0 +1,83 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantUrlBuilder;
use Psr\Log\LoggerInterface;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Sends a new invitation email when an invitation is resent.
*
* Creates a fresh activation token and emails the user with a new activation link.
*/
#[AsMessageHandler(bus: 'event.bus')]
final readonly class SendResendInvitationEmailHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private ActivationTokenRepository $tokenRepository,
private UserRepository $userRepository,
private TenantUrlBuilder $tenantUrlBuilder,
private Clock $clock,
private LoggerInterface $logger,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(InvitationRenvoyee $event): void
{
try {
$user = $this->userRepository->get(UserId::fromString((string) $event->userId));
} catch (UserNotFoundException $e) {
$this->logger->warning('User no longer exists when processing resend invitation event, skipping.', [
'userId' => (string) $event->userId,
'email' => $event->email,
'exception' => $e->getMessage(),
]);
return;
}
$token = ActivationToken::generate(
userId: (string) $event->userId,
email: $event->email,
tenantId: $event->tenantId,
role: $user->role->value,
schoolName: $user->schoolName,
createdAt: $this->clock->now(),
);
$this->tokenRepository->save($token);
$activationUrl = $this->tenantUrlBuilder->build($event->tenantId, '/activate/' . $token->tokenValue);
$html = $this->twig->render('emails/invitation.html.twig', [
'firstName' => $user->firstName,
'lastName' => $user->lastName,
'role' => $user->role->label(),
'activationUrl' => $activationUrl,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('Rappel : Invitation à rejoindre Classeo')
->html($html);
$this->mailer->send($email);
}
}

59
backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php
View File

@@ -14,6 +14,9 @@ use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use function in_array;
use Psr\Cache\CacheItemPoolInterface;
/**
@@ -27,6 +30,7 @@ final readonly class CacheUserRepository implements UserRepository
{
private const string KEY_PREFIX = 'user:';
private const string EMAIL_INDEX_PREFIX = 'user_email:';
private const string TENANT_INDEX_PREFIX = 'user_tenant:';
public function __construct(
private CacheItemPoolInterface $usersCache,
@@ -45,6 +49,18 @@ final readonly class CacheUserRepository implements UserRepository
$emailItem = $this->usersCache->getItem($emailKey);
$emailItem->set((string) $user->id);
$this->usersCache->save($emailItem);
// Save tenant index for listing users
$tenantKey = self::TENANT_INDEX_PREFIX . $user->tenantId;
$tenantItem = $this->usersCache->getItem($tenantKey);
/** @var string[] $userIds */
$userIds = $tenantItem->isHit() ? $tenantItem->get() : [];
$userId = (string) $user->id;
if (!in_array($userId, $userIds, true)) {
$userIds[] = $userId;
}
$tenantItem->set($userIds);
$this->usersCache->save($tenantItem);
}
public function findById(UserId $id): ?User
@@ -55,7 +71,7 @@ final readonly class CacheUserRepository implements UserRepository
return null;
}
/** @var array{id: string, email: string, role: string, tenant_id: string, school_name: string, statut: string, hashed_password: string|null, date_naissance: string|null, created_at: string, activated_at: string|null, consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null} $data */
/** @var array{id: string, email: string, role: string, tenant_id: string, school_name: string, statut: string, hashed_password: string|null, date_naissance: string|null, created_at: string, activated_at: string|null, first_name?: string, last_name?: string, invited_at?: string|null, blocked_at?: string|null, blocked_reason?: string|null, consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null} $data */
$data = $item->get();
return $this->deserialize($data);
@@ -87,6 +103,29 @@ final readonly class CacheUserRepository implements UserRepository
return $user;
}
public function findAllByTenant(TenantId $tenantId): array
{
$tenantKey = self::TENANT_INDEX_PREFIX . $tenantId;
$tenantItem = $this->usersCache->getItem($tenantKey);
if (!$tenantItem->isHit()) {
return [];
}
/** @var string[] $userIds */
$userIds = $tenantItem->get();
$users = [];
foreach ($userIds as $userId) {
$user = $this->findById(UserId::fromString($userId));
if ($user !== null) {
$users[] = $user;
}
}
return $users;
}
/**
* @return array<string, mixed>
*/
@@ -105,6 +144,11 @@ final readonly class CacheUserRepository implements UserRepository
'date_naissance' => $user->dateNaissance?->format('Y-m-d'),
'created_at' => $user->createdAt->format('c'),
'activated_at' => $user->activatedAt?->format('c'),
'first_name' => $user->firstName,
'last_name' => $user->lastName,
'invited_at' => $user->invitedAt?->format('c'),
'blocked_at' => $user->blockedAt?->format('c'),
'blocked_reason' => $user->blockedReason,
'consentement_parental' => $consentement !== null ? [
'parent_id' => $consentement->parentId,
'eleve_id' => $consentement->eleveId,
@@ -126,6 +170,11 @@ final readonly class CacheUserRepository implements UserRepository
* date_naissance: string|null,
* created_at: string,
* activated_at: string|null,
* first_name?: string,
* last_name?: string,
* invited_at?: string|null,
* blocked_at?: string|null,
* blocked_reason?: string|null,
* consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null
* } $data
*/
@@ -142,6 +191,9 @@ final readonly class CacheUserRepository implements UserRepository
);
}
$invitedAt = ($data['invited_at'] ?? null) !== null ? new DateTimeImmutable($data['invited_at']) : null;
$blockedAt = ($data['blocked_at'] ?? null) !== null ? new DateTimeImmutable($data['blocked_at']) : null;
return User::reconstitute(
id: UserId::fromString($data['id']),
email: new Email($data['email']),
@@ -154,6 +206,11 @@ final readonly class CacheUserRepository implements UserRepository
hashedPassword: $data['hashed_password'],
activatedAt: $data['activated_at'] !== null ? new DateTimeImmutable($data['activated_at']) : null,
consentementParental: $consentement,
firstName: $data['first_name'] ?? '',
lastName: $data['last_name'] ?? '',
invitedAt: $invitedAt,
blockedAt: $blockedAt,
blockedReason: $data['blocked_reason'] ?? null,
);
}

9
backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php
View File

@@ -45,6 +45,15 @@ final class InMemoryUserRepository implements UserRepository
return $this->byTenantEmail[$this->emailKey($email, $tenantId)] ?? null;
}
#[Override]
public function findAllByTenant(TenantId $tenantId): array
{
return array_values(array_filter(
$this->byId,
static fn (User $user): bool => $user->tenantId->equals($tenantId),
));
}
private function emailKey(Email $email, TenantId $tenantId): string
{
return $tenantId . ':' . strtolower((string) $email);

12
backend/src/Administration/Infrastructure/Security/DatabaseUserProvider.php
View File

@@ -6,12 +6,14 @@ namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use InvalidArgumentException;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException as SymfonyUserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -55,7 +57,15 @@ final readonly class DatabaseUserProvider implements UserProviderInterface
throw new SymfonyUserNotFoundException();
}
// Do not allow login if the account is not active
// Blocked account: specific message so the user understands why they can't log in
if ($user->statut === StatutCompte::SUSPENDU) {
throw new CustomUserMessageAccountStatusException(
'Votre compte a été suspendu. Contactez votre établissement.',
messageData: ['statut' => 'suspended'],
);
}
// Other non-active statuses (pending, consent, archived): generic error
if (!$user->peutSeConnecter()) {
throw new SymfonyUserNotFoundException();
}

20
backend/src/Administration/Infrastructure/Security/LoginFailureHandler.php
View File

@@ -22,6 +22,7 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Throwable;
@@ -48,6 +49,15 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{
// Suspended account: return a specific message without recording a rate-limit failure.
// This prevents blocked users from triggering CAPTCHA/delay escalation
// while informing them clearly why they cannot log in.
if ($exception instanceof CustomUserMessageAccountStatusException) {
$this->metricsCollector->recordLoginFailure('account_suspended');
return $this->createSuspendedResponse($exception);
}
$content = json_decode($request->getContent(), true);
$email = is_array($content) && isset($content['email']) && is_string($content['email'])
? $content['email']
@@ -92,6 +102,16 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
return $this->createFailureResponse($result);
}
private function createSuspendedResponse(CustomUserMessageAccountStatusException $exception): JsonResponse
{
return new JsonResponse([
'type' => '/errors/account-suspended',
'title' => 'Compte suspendu',
'status' => Response::HTTP_FORBIDDEN,
'detail' => $exception->getMessageKey(),
], Response::HTTP_FORBIDDEN);
}
private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse
{
$response = new JsonResponse([

111
backend/src/Administration/Infrastructure/Security/UserVoter.php Normal file
View File

@@ -0,0 +1,111 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use function in_array;
use Override;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Voter pour les autorisations sur la gestion des utilisateurs.
*
* Seuls ADMIN et SUPER_ADMIN peuvent gérer les utilisateurs.
*
* @extends Voter<string, User|UserResource>
*/
final class UserVoter extends Voter
{
public const string VIEW = 'USER_VIEW';
public const string CREATE = 'USER_CREATE';
public const string BLOCK = 'USER_BLOCK';
public const string UNBLOCK = 'USER_UNBLOCK';
public const string RESEND_INVITATION = 'USER_RESEND_INVITATION';
private const array SUPPORTED_ATTRIBUTES = [
self::VIEW,
self::CREATE,
self::BLOCK,
self::UNBLOCK,
self::RESEND_INVITATION,
];
#[Override]
protected function supports(string $attribute, mixed $subject): bool
{
if (!in_array($attribute, self::SUPPORTED_ATTRIBUTES, true)) {
return false;
}
if ($subject === null) {
return true;
}
return $subject instanceof User || $subject instanceof UserResource;
}
#[Override]
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
$roles = $user->getRoles();
return match ($attribute) {
self::VIEW => $this->canView($roles),
self::CREATE, self::BLOCK, self::UNBLOCK, self::RESEND_INVITATION => $this->canManage($roles),
default => false,
};
}
/**
* @param string[] $roles
*/
private function canView(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
Role::SECRETARIAT->value,
]);
}
/**
* @param string[] $roles
*/
private function canManage(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
]);
}
/**
* @param string[] $userRoles
* @param string[] $allowedRoles
*/
private function hasAnyRole(array $userRoles, array $allowedRoles): bool
{
foreach ($userRoles as $role) {
if (in_array($role, $allowedRoles, true)) {
return true;
}
}
return false;
}
}

33
backend/src/Shared/Infrastructure/Tenant/TenantUrlBuilder.php Normal file
View File

@@ -0,0 +1,33 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Tenant;
use App\Shared\Domain\Tenant\TenantId as DomainTenantId;
/**
* Builds tenant-aware URLs using the tenant subdomain and base domain.
*/
final readonly class TenantUrlBuilder
{
public function __construct(
private TenantRegistry $tenantRegistry,
private string $appUrl,
private string $baseDomain,
) {
}
public function build(DomainTenantId $tenantId, string $path): string
{
$tenantConfig = $this->tenantRegistry->getConfig(
TenantId::fromString((string) $tenantId),
);
$parsed = parse_url($this->appUrl);
$scheme = $parsed['scheme'] ?? 'https';
$port = isset($parsed['port']) ? ':' . $parsed['port'] : '';
return $scheme . '://' . $tenantConfig->subdomain . '.' . $this->baseDomain . $port . $path;
}
}