feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Permet aux administrateurs d'un établissement de gérer le cycle de vie des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer des comptes actifs, et renvoyer des invitations en attente. Chaque mutation vérifie l'appartenance au tenant courant pour empêcher les accès cross-tenant. Le blocage est restreint aux comptes actifs uniquement et un administrateur ne peut pas bloquer son propre compte. Les comptes suspendus reçoivent une erreur 403 spécifique au login (sans déclencher l'escalade du rate limiting) et les tentatives sont tracées dans les métriques Prometheus.
2026-02-07 16:44:30 +01:00
parent ff18850a43
commit 4005c70082
58 changed files with 4443 additions and 29 deletions
--- a/backend/tests/Unit/Administration/Application/Command/UnblockUser/UnblockUserHandlerTest.php
+++ b/backend/tests/Unit/Administration/Application/Command/UnblockUser/UnblockUserHandlerTest.php
@@ -0,0 +1,107 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Application\Command\UnblockUser;
+
+use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
+use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
+use App\Administration\Domain\Exception\UserNotFoundException;
+use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\StatutCompte;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Domain\Model\User\UserId;
+use App\Administration\Domain\Policy\ConsentementParentalPolicy;
+use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
+use App\Shared\Domain\Clock;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class UnblockUserHandlerTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+
+    private InMemoryUserRepository $userRepository;
+    private Clock $clock;
+    private UnblockUserHandler $handler;
+
+    protected function setUp(): void
+    {
+        $this->userRepository = new InMemoryUserRepository();
+        $this->clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-12 10:00:00');
+            }
+        };
+        $this->handler = new UnblockUserHandler($this->userRepository, $this->clock);
+    }
+
+    #[Test]
+    public function unblocksUserSuccessfully(): void
+    {
+        $user = User::inviter(
+            email: new Email('teacher@example.com'),
+            role: Role::PROF,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Alpha',
+            firstName: 'Jean',
+            lastName: 'Dupont',
+            invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
+        );
+        $user->activer(
+            '$argon2id$hashed',
+            new DateTimeImmutable('2026-02-02 10:00:00'),
+            new ConsentementParentalPolicy($this->clock),
+        );
+        $user->bloquer('Comportement inapproprié', new DateTimeImmutable('2026-02-10 15:00:00'));
+        $this->userRepository->save($user);
+
+        $command = new UnblockUserCommand(
+            userId: (string) $user->id,
+        );
+
+        ($this->handler)($command);
+
+        $updated = $this->userRepository->get($user->id);
+        self::assertSame(StatutCompte::ACTIF, $updated->statut);
+        self::assertNull($updated->blockedAt);
+        self::assertNull($updated->blockedReason);
+    }
+
+    #[Test]
+    public function throwsWhenUserNotSuspendu(): void
+    {
+        $user = User::inviter(
+            email: new Email('teacher@example.com'),
+            role: Role::PROF,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Alpha',
+            firstName: 'Jean',
+            lastName: 'Dupont',
+            invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
+        );
+        $user->activer(
+            '$argon2id$hashed',
+            new DateTimeImmutable('2026-02-02 10:00:00'),
+            new ConsentementParentalPolicy($this->clock),
+        );
+        $this->userRepository->save($user);
+
+        $this->expectException(UtilisateurNonDeblocableException::class);
+
+        ($this->handler)(new UnblockUserCommand(userId: (string) $user->id));
+    }
+
+    #[Test]
+    public function throwsWhenUserNotFound(): void
+    {
+        $this->expectException(UserNotFoundException::class);
+
+        ($this->handler)(new UnblockUserCommand(userId: (string) UserId::generate()));
+    }
+}