feat: Liaison parents-enfants avec gestion des tuteurs

Les parents doivent pouvoir suivre la scolarité de leurs enfants (notes, emploi du temps, devoirs). Cela nécessite un lien formalisé entre le compte parent et le compte élève, géré par les administrateurs. Le lien est établi soit manuellement via l'interface d'administration, soit automatiquement lors de l'activation du compte parent lorsque l'invitation inclut un élève cible. Ce lien conditionne l'accès aux données scolaires de l'enfant (autorisations vérifiées par un voter dédié).
2026-02-12 08:38:19 +01:00
parent e930c505df
commit 44ebe5e511
91 changed files with 10071 additions and 39 deletions
--- a/backend/tests/Unit/Administration/Infrastructure/Security/StudentGuardianVoterTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Security/StudentGuardianVoterTest.php
@@ -0,0 +1,265 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Infrastructure\Security;
+
+use App\Administration\Domain\Model\StudentGuardian\RelationshipType;
+use App\Administration\Domain\Model\StudentGuardian\StudentGuardian;
+use App\Administration\Domain\Model\User\UserId;
+use App\Administration\Infrastructure\Persistence\InMemory\InMemoryStudentGuardianRepository;
+use App\Administration\Infrastructure\Security\SecurityUser;
+use App\Administration\Infrastructure\Security\StudentGuardianVoter;
+use App\Shared\Domain\Tenant\TenantId;
+use App\Shared\Infrastructure\Tenant\TenantConfig;
+use App\Shared\Infrastructure\Tenant\TenantContext;
+use App\Shared\Infrastructure\Tenant\TenantId as InfraTenantId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+final class StudentGuardianVoterTest extends TestCase
+{
+    private InMemoryStudentGuardianRepository $repository;
+    private TenantContext $tenantContext;
+    private StudentGuardianVoter $voter;
+    private TenantId $tenantId;
+
+    protected function setUp(): void
+    {
+        $this->repository = new InMemoryStudentGuardianRepository();
+        $this->tenantContext = new TenantContext();
+        $this->tenantId = TenantId::generate();
+        $this->tenantContext->setCurrentTenant(new TenantConfig(
+            tenantId: InfraTenantId::fromString((string) $this->tenantId),
+            subdomain: 'test',
+            databaseUrl: 'sqlite:///:memory:',
+        ));
+        $this->voter = new StudentGuardianVoter($this->repository, $this->tenantContext);
+    }
+
+    #[Test]
+    public function itAbstainsForUnrelatedAttributes(): void
+    {
+        $token = $this->tokenWithSecurityUser('ROLE_ADMIN');
+
+        $result = $this->voter->vote($token, 'some-student-id', ['SOME_OTHER_ATTRIBUTE']);
+
+        self::assertSame(Voter::ACCESS_ABSTAIN, $result);
+    }
+
+    #[Test]
+    public function itAbstainsWhenSubjectIsNotAString(): void
+    {
+        $token = $this->tokenWithSecurityUser('ROLE_ADMIN');
+
+        $result = $this->voter->vote($token, null, [StudentGuardianVoter::VIEW_STUDENT]);
+
+        self::assertSame(Voter::ACCESS_ABSTAIN, $result);
+    }
+
+    #[Test]
+    public function itDeniesAccessToUnauthenticatedUsers(): void
+    {
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getUser')->willReturn(null);
+
+        $result = $this->voter->vote($token, 'some-student-id', [StudentGuardianVoter::VIEW_STUDENT]);
+
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itDeniesAccessToNonSecurityUser(): void
+    {
+        $user = $this->createMock(UserInterface::class);
+        $user->method('getRoles')->willReturn(['ROLE_ADMIN']);
+
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getUser')->willReturn($user);
+
+        $result = $this->voter->vote($token, 'some-student-id', [StudentGuardianVoter::VIEW_STUDENT]);
+
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToSuperAdmin(): void
+    {
+        $result = $this->voteWithRole('ROLE_SUPER_ADMIN');
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToAdmin(): void
+    {
+        $result = $this->voteWithRole('ROLE_ADMIN');
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToSecretariat(): void
+    {
+        $result = $this->voteWithRole('ROLE_SECRETARIAT');
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToProf(): void
+    {
+        $result = $this->voteWithRole('ROLE_PROF');
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToVieScolaire(): void
+    {
+        $result = $this->voteWithRole('ROLE_VIE_SCOLAIRE');
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToLinkedParent(): void
+    {
+        $parentId = UserId::generate();
+        $studentId = UserId::generate();
+
+        $link = StudentGuardian::lier(
+            studentId: $studentId,
+            guardianId: $parentId,
+            relationshipType: RelationshipType::MOTHER,
+            tenantId: $this->tenantId,
+            createdAt: new DateTimeImmutable(),
+        );
+        $this->repository->save($link);
+
+        $token = $this->tokenWithSecurityUser('ROLE_PARENT', $parentId);
+
+        $result = $this->voter->vote($token, (string) $studentId, [StudentGuardianVoter::VIEW_STUDENT]);
+
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itDeniesViewToUnlinkedParent(): void
+    {
+        $parentId = UserId::generate();
+        $otherStudentId = UserId::generate();
+
+        $token = $this->tokenWithSecurityUser('ROLE_PARENT', $parentId);
+
+        $result = $this->voter->vote($token, (string) $otherStudentId, [StudentGuardianVoter::VIEW_STUDENT]);
+
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itDeniesViewToEleve(): void
+    {
+        $result = $this->voteWithRole('ROLE_ELEVE');
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itGrantsViewToEachSeparatedParent(): void
+    {
+        $parent1Id = UserId::generate();
+        $parent2Id = UserId::generate();
+        $studentId = UserId::generate();
+
+        $link1 = StudentGuardian::lier(
+            studentId: $studentId,
+            guardianId: $parent1Id,
+            relationshipType: RelationshipType::FATHER,
+            tenantId: $this->tenantId,
+            createdAt: new DateTimeImmutable(),
+        );
+        $link2 = StudentGuardian::lier(
+            studentId: $studentId,
+            guardianId: $parent2Id,
+            relationshipType: RelationshipType::MOTHER,
+            tenantId: $this->tenantId,
+            createdAt: new DateTimeImmutable(),
+        );
+        $this->repository->save($link1);
+        $this->repository->save($link2);
+
+        $token1 = $this->tokenWithSecurityUser('ROLE_PARENT', $parent1Id);
+        $token2 = $this->tokenWithSecurityUser('ROLE_PARENT', $parent2Id);
+
+        self::assertSame(Voter::ACCESS_GRANTED, $this->voter->vote($token1, (string) $studentId, [StudentGuardianVoter::VIEW_STUDENT]));
+        self::assertSame(Voter::ACCESS_GRANTED, $this->voter->vote($token2, (string) $studentId, [StudentGuardianVoter::VIEW_STUDENT]));
+    }
+
+    #[Test]
+    public function itDeniesParentWhenNoTenantSet(): void
+    {
+        $parentId = UserId::generate();
+        $studentId = UserId::generate();
+
+        $tenantContext = new TenantContext();
+        $voter = new StudentGuardianVoter($this->repository, $tenantContext);
+
+        $token = $this->tokenWithSecurityUser('ROLE_PARENT', $parentId);
+
+        $result = $voter->vote($token, (string) $studentId, [StudentGuardianVoter::VIEW_STUDENT]);
+
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itGrantsManageToAdmin(): void
+    {
+        $token = $this->tokenWithSecurityUser('ROLE_ADMIN');
+
+        $result = $this->voter->vote($token, null, [StudentGuardianVoter::MANAGE]);
+
+        self::assertSame(Voter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itDeniesManageToParent(): void
+    {
+        $token = $this->tokenWithSecurityUser('ROLE_PARENT');
+
+        $result = $this->voter->vote($token, null, [StudentGuardianVoter::MANAGE]);
+
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itDeniesManageToEleve(): void
+    {
+        $token = $this->tokenWithSecurityUser('ROLE_ELEVE');
+
+        $result = $this->voter->vote($token, null, [StudentGuardianVoter::MANAGE]);
+
+        self::assertSame(Voter::ACCESS_DENIED, $result);
+    }
+
+    private function voteWithRole(string $role): int
+    {
+        $token = $this->tokenWithSecurityUser($role);
+
+        return $this->voter->vote($token, (string) UserId::generate(), [StudentGuardianVoter::VIEW_STUDENT]);
+    }
+
+    private function tokenWithSecurityUser(string $role, ?UserId $userId = null): TokenInterface
+    {
+        $securityUser = new SecurityUser(
+            userId: $userId ?? UserId::generate(),
+            email: 'test@example.com',
+            hashedPassword: 'hashed',
+            tenantId: $this->tenantId,
+            roles: [$role],
+        );
+
+        $token = $this->createMock(TokenInterface::class);
+        $token->method('getUser')->willReturn($securityUser);
+
+        return $token;
+    }
+}