Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Browse Source 
Permet aux administrateurs d'un établissement de gérer le cycle de vie
des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer
des comptes actifs, et renvoyer des invitations en attente.

Chaque mutation vérifie l'appartenance au tenant courant pour empêcher
les accès cross-tenant. Le blocage est restreint aux comptes actifs
uniquement et un administrateur ne peut pas bloquer son propre compte.

Les comptes suspendus reçoivent une erreur 403 spécifique au login
(sans déclencher l'escalade du rate limiting) et les tentatives sont
tracées dans les métriques Prometheus.
This commit is contained in:
Mathias STRASSER
2026-02-07 16:44:30 +01:00
parent ff18850a43
commit 4005c70082
58 changed files with 4443 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
backend/src/Administration/Domain/Event/InvitationRenvoyee.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class InvitationRenvoyee implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

36
backend/src/Administration/Domain/Event/UtilisateurBloque.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurBloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $reason,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

35
backend/src/Administration/Domain/Event/UtilisateurDebloque.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurDebloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

38
backend/src/Administration/Domain/Event/UtilisateurInvite.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurInvite implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

23
backend/src/Administration/Domain/Exception/EmailDejaUtiliseeException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\Email;
use App\Shared\Domain\Tenant\TenantId;
use RuntimeException;
use function sprintf;
final class EmailDejaUtiliseeException extends RuntimeException
{
public static function dansTenant(Email $email, TenantId $tenantId): self
{
return new self(sprintf(
'L\'email "%s" est déjà utilisé dans l\'établissement "%s".',
$email,
$tenantId,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurDejaInviteException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurDejaInviteException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de renvoyer l\'invitation pour "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonBlocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonBlocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de bloquer l\'utilisateur "%s" : le compte est déjà en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonDeblocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonDeblocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de débloquer l\'utilisateur "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

150
backend/src/Administration/Domain/Model/User/User.php
View File

@@ -6,8 +6,15 @@ namespace App\Administration\Domain\Model\User;
use App\Administration\Domain\Event\CompteActive;
use App\Administration\Domain\Event\CompteCreated;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\MotDePasseChange;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\CompteNonActivableException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Shared\Domain\AggregateRoot;
@@ -26,6 +33,9 @@ final class User extends AggregateRoot
public private(set) ?string $hashedPassword = null;
public private(set) ?DateTimeImmutable $activatedAt = null;
public private(set) ?ConsentementParental $consentementParental = null;
public private(set) ?DateTimeImmutable $invitedAt = null;
public private(set) ?DateTimeImmutable $blockedAt = null;
public private(set) ?string $blockedReason = null;
private function __construct(
public private(set) UserId $id,
@@ -36,6 +46,8 @@ final class User extends AggregateRoot
public private(set) StatutCompte $statut,
public private(set) ?DateTimeImmutable $dateNaissance,
public private(set) DateTimeImmutable $createdAt,
public private(set) string $firstName = '',
public private(set) string $lastName = '',
) {
}
@@ -136,6 +148,134 @@ final class User extends AggregateRoot
return $this->statut->peutSeConnecter();
}
/**
* Creates a new user via admin invitation.
*
* Unlike creer() which is for self-registration, inviter() is used
* when an admin creates a user account from the management interface.
*/
public static function inviter(
Email $email,
Role $role,
TenantId $tenantId,
string $schoolName,
string $firstName,
string $lastName,
DateTimeImmutable $invitedAt,
?DateTimeImmutable $dateNaissance = null,
): self {
$user = new self(
id: UserId::generate(),
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
statut: StatutCompte::EN_ATTENTE,
dateNaissance: $dateNaissance,
createdAt: $invitedAt,
firstName: $firstName,
lastName: $lastName,
);
$user->invitedAt = $invitedAt;
$user->recordEvent(new UtilisateurInvite(
userId: $user->id,
email: (string) $user->email,
role: $user->role->value,
firstName: $firstName,
lastName: $lastName,
tenantId: $user->tenantId,
occurredOn: $invitedAt,
));
return $user;
}
/**
* Resends the invitation for a user still awaiting activation.
*
* @throws UtilisateurDejaInviteException if user is no longer in a pending state
*/
public function renvoyerInvitation(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
throw UtilisateurDejaInviteException::carStatutIncompatible($this->id, $this->statut);
}
$this->invitedAt = $at;
$this->recordEvent(new InvitationRenvoyee(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Blocks a user account.
*
* @throws UtilisateurNonBlocableException if user is already suspended or archived
*/
public function bloquer(string $reason, DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::ACTIF) {
throw UtilisateurNonBlocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::SUSPENDU;
$this->blockedAt = $at;
$this->blockedReason = $reason;
$this->recordEvent(new UtilisateurBloque(
userId: $this->id,
email: (string) $this->email,
reason: $reason,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Unblocks a suspended user account, restoring it to active status.
*
* @throws UtilisateurNonDeblocableException if user is not suspended
*/
public function debloquer(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::SUSPENDU) {
throw UtilisateurNonDeblocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::ACTIF;
$this->blockedAt = null;
$this->blockedReason = null;
$this->recordEvent(new UtilisateurDebloque(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Checks if the invitation has expired (> 7 days since last invitation).
*/
public function estInvitationExpiree(DateTimeImmutable $at): bool
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
return false;
}
if ($this->invitedAt === null) {
return false;
}
return $at > $this->invitedAt->modify('+7 days');
}
/**
* Changes the user's password.
*
@@ -170,6 +310,11 @@ final class User extends AggregateRoot
?string $hashedPassword,
?DateTimeImmutable $activatedAt,
?ConsentementParental $consentementParental,
string $firstName = '',
string $lastName = '',
?DateTimeImmutable $invitedAt = null,
?DateTimeImmutable $blockedAt = null,
?string $blockedReason = null,
): self {
$user = new self(
id: $id,
@@ -180,11 +325,16 @@ final class User extends AggregateRoot
statut: $statut,
dateNaissance: $dateNaissance,
createdAt: $createdAt,
firstName: $firstName,
lastName: $lastName,
);
$user->hashedPassword = $hashedPassword;
$user->activatedAt = $activatedAt;
$user->consentementParental = $consentementParental;
$user->invitedAt = $invitedAt;
$user->blockedAt = $blockedAt;
$user->blockedReason = $blockedReason;
return $user;
}

7
backend/src/Administration/Domain/Repository/UserRepository.php
View File

@@ -23,4 +23,11 @@ interface UserRepository
* Returns null if user doesn't exist in that tenant.
*/
public function findByEmail(Email $email, TenantId $tenantId): ?User;
/**
* Returns all users for a given tenant.
*
* @return User[]
*/
public function findAllByTenant(TenantId $tenantId): array;
}